From e6be7f05c349fafbdddfe818337a17a60c867be1 Mon Sep 17 00:00:00 2001
From: Neil Alexander <neilalexander@users.noreply.github.com>
Date: Tue, 4 Jan 2022 15:33:42 +0000
Subject: [PATCH] Enforce state key matches sender

---
 federationapi/routing/join.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/federationapi/routing/join.go b/federationapi/routing/join.go
index f0e1ae0d6..7310a3053 100644
--- a/federationapi/routing/join.go
+++ b/federationapi/routing/join.go
@@ -194,6 +194,12 @@ func SendJoin(
 			JSON: jsonerror.BadJSON("No state key was provided in the join event."),
 		}
 	}
+	if !event.StateKeyEquals(event.Sender()) {
+		return util.JSONResponse{
+			Code: http.StatusBadRequest,
+			JSON: jsonerror.BadJSON("Event state key must match the event sender."),
+		}
+	}
 
 	// Check that the room ID is correct.
 	if event.RoomID() != roomID {