MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Avoid reading from a stale `Account` after a contested reglock event

This commit is contained in:
Jon Chambers 2022-11-10 12:41:50 -05:00 committed by GitHub
parent d3f0ab8c6d
commit 2c9c50711f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
View File

@ -808,20 +808,22 @@ public class AccountController {
rateLimiters.getPinLimiter().validate(existingAccount.getNumber()); rateLimiters.getPinLimiter().validate(existingAccount.getNumber());
} }
final String phoneNumber = existingAccount.getNumber();
if (!existingRegistrationLock.verify(clientRegistrationLock)) { if (!existingRegistrationLock.verify(clientRegistrationLock)) {
// At this point, the client verified ownership of the phone number but doesnt have the reglock PIN. // At this point, the client verified ownership of the phone number but doesnt have the reglock PIN.
// Freezing the existing account credentials will definitively start the reglock timeout. Until the timeout, the current reglock can still be supplied, // Freezing the existing account credentials will definitively start the reglock timeout. Until the timeout, the current reglock can still be supplied,
// along with phone number verification, to restore access. // along with phone number verification, to restore access.
accounts.update(existingAccount, Account::lockAuthenticationCredentials); final Account updatedAccount = accounts.update(existingAccount, Account::lockAuthenticationCredentials);
List<Long> deviceIds = existingAccount.getDevices().stream().map(Device::getId).toList(); List<Long> deviceIds = updatedAccount.getDevices().stream().map(Device::getId).toList();
clientPresenceManager.disconnectAllPresences(existingAccount.getUuid(), deviceIds); clientPresenceManager.disconnectAllPresences(updatedAccount.getUuid(), deviceIds);
throw new WebApplicationException(Response.status(423) throw new WebApplicationException(Response.status(423)
.entity(new RegistrationLockFailure(existingRegistrationLock.getTimeRemaining(), .entity(new RegistrationLockFailure(existingRegistrationLock.getTimeRemaining(),
existingRegistrationLock.needsFailureCredentials() ? existingBackupCredentials : null)) existingRegistrationLock.needsFailureCredentials() ? existingBackupCredentials : null))
.build()); .build());
} }
rateLimiters.getPinLimiter().clear(existingAccount.getNumber()); rateLimiters.getPinLimiter().clear(phoneNumber);
} }
} }