Remove trailing slash ability from password reset's submit_token endpoint (#6074)

Remove trailing slash ability from the password reset submit_token endpoint. Since we provide the link in an email, and have never sent it with a trailing slash, there's no point for us to accept them on the endpoint.

Remove trailing slash ability from password reset's submit_token endpoint (#6074)
7763dd3e · Andrew Morgan · GitHub · aeb40f35 · 7763dd3e · 7763dd3e
Unverified Commit 7763dd3e authored 5 years ago by Andrew Morgan Committed by GitHub 5 years ago
--- a/changelog.d/6074.feature
+++ b/changelog.d/6074.feature
+Prevent password reset's submit_token endpoint from accepting trailing slashes.
\ No newline at end of file
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@@ -200,7 +200,7 @@ class PasswordResetSubmitTokenServlet(RestServlet):
    """Handles 3PID validation token submission"""
    PATTERNS = client_patterns(
-        "/password_reset/(?P<medium>[^/]*)/submit_token/*$", releases=(), unstable=True
+        "/password_reset/(?P<medium>[^/]*)/submit_token$", releases=(), unstable=True
    )
    def __init__(self, hs):