crypto: Prohibit extending verification methods

Intersect the allowed methods passed from the user with the methods supported by the other party. If the user added new methods to the request, the remote party would cancel the verification.
2021-03-12 14:43:59 +01:00 · 2021-03-12 14:43:59 +01:00 · 587c09e700
commit 587c09e700
parent e9be23f853
1 changed files with 4 additions and 6 deletions
--- a/matrix_sdk_crypto/src/verification/sas/mod.rs
+++ b/matrix_sdk_crypto/src/verification/sas/mod.rs
@ -705,18 +705,16 @@ impl AcceptSettings {
            AcceptContent::ToDevice(AcceptToDeviceEventContent {
                method: AcceptMethod::MSasV1(c),
                ..
-            }) => {
-                c.short_authentication_string = self.allowed_methods;
-                content
-            }
-            AcceptContent::Room(
+            })
+            | AcceptContent::Room(
                _,
                AcceptEventContent {
                    method: AcceptMethod::MSasV1(c),
                    ..
                },
            ) => {
-                c.short_authentication_string = self.allowed_methods;
+                c.short_authentication_string
+                    .retain(|sas| self.allowed_methods.contains(sas));
                content
            }
            _ => content,