From 17ad5f0595c3b91683ef620aa8d3a400479136da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20K=C3=B6sters?= <timo@koesters.xyz>
Date: Wed, 6 Apr 2022 19:08:23 +0200
Subject: [PATCH] fix: checks for incoming cross signing changes

---
 src/server_server.rs | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/src/server_server.rs b/src/server_server.rs
index d68ded82..371f2979 100644
--- a/src/server_server.rs
+++ b/src/server_server.rs
@@ -639,6 +639,11 @@ pub async fn send_transaction_message_route(
         return Err(Error::bad_config("Federation is disabled."));
     }
 
+    let sender_servername = body
+        .sender_servername
+        .as_ref()
+        .expect("server is authenticated");
+
     let mut resolved_map = BTreeMap::new();
 
     let pub_key_map = RwLock::new(BTreeMap::new());
@@ -674,7 +679,7 @@ pub async fn send_transaction_message_route(
             }
         };
 
-        acl_check(&body.origin, &room_id, &db)?;
+        acl_check(&sender_servername, &room_id, &db)?;
 
         let mutex = Arc::clone(
             db.globals
@@ -689,7 +694,7 @@ pub async fn send_transaction_message_route(
         resolved_map.insert(
             event_id.clone(),
             handle_incoming_pdu(
-                &body.origin,
+                &sender_servername,
                 &event_id,
                 &room_id,
                 value,
@@ -845,6 +850,9 @@ pub async fn send_transaction_message_route(
                 master_key,
                 self_signing_key,
             }) => {
+                if user_id.server_name() != sender_servername {
+                    continue;
+                }
                 if let Some(master_key) = master_key {
                     db.users.add_cross_signing_keys(
                         &user_id,