1 files changed, 28 insertions, 6 deletions

diff --git a/clientapi/routing/profile.go b/clientapi/routing/profile.go
index c9647eb1..4d9e1f8a 100644
--- a/clientapi/routing/profile.go
+++ b/clientapi/routing/profile.go
@@ -113,12 +113,19 @@ func SetAvatarURL(
 		}
 	}
 
-	localpart, _, err := gomatrixserverlib.SplitID('@', userID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', userID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
 	}
 
+	if !cfg.Matrix.IsLocalServerName(domain) {
+		return util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: jsonerror.Forbidden("userID does not belong to a locally configured domain"),
+		}
+	}
+
 	evTime, err := httputil.ParseTSParam(req)
 	if err != nil {
 		return util.JSONResponse{
@@ -129,8 +136,9 @@ func SetAvatarURL(
 
 	setRes := &userapi.PerformSetAvatarURLResponse{}
 	if err = profileAPI.SetAvatarURL(req.Context(), &userapi.PerformSetAvatarURLRequest{
-		Localpart: localpart,
-		AvatarURL: r.AvatarURL,
+		Localpart:  localpart,
+		ServerName: domain,
+		AvatarURL:  r.AvatarURL,
 	}, setRes); err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("profileAPI.SetAvatarURL failed")
 		return jsonerror.InternalServerError()
@@ -204,12 +212,19 @@ func SetDisplayName(
 		}
 	}
 
-	localpart, _, err := gomatrixserverlib.SplitID('@', userID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', userID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
 	}
 
+	if !cfg.Matrix.IsLocalServerName(domain) {
+		return util.JSONResponse{
+			Code: http.StatusForbidden,
+			JSON: jsonerror.Forbidden("userID does not belong to a locally configured domain"),
+		}
+	}
+
 	evTime, err := httputil.ParseTSParam(req)
 	if err != nil {
 		return util.JSONResponse{
@@ -221,6 +236,7 @@ func SetDisplayName(
 	profileRes := &userapi.PerformUpdateDisplayNameResponse{}
 	err = profileAPI.SetDisplayName(req.Context(), &userapi.PerformUpdateDisplayNameRequest{
 		Localpart:   localpart,
+		ServerName:  domain,
 		DisplayName: r.DisplayName,
 	}, profileRes)
 	if err != nil {
@@ -261,6 +277,12 @@ func updateProfile(
 		return jsonerror.InternalServerError(), err
 	}
 
+	_, domain, err := gomatrixserverlib.SplitID('@', userID)
+	if err != nil {
+		util.GetLogger(ctx).WithError(err).Error("gomatrixserverlib.SplitID failed")
+		return jsonerror.InternalServerError(), err
+	}
+
 	events, err := buildMembershipEvents(
 		ctx, res.RoomIDs, *profile, userID, cfg, evTime, rsAPI,
 	)
@@ -276,7 +298,7 @@ func updateProfile(
 		return jsonerror.InternalServerError(), e
 	}
 
-	if err := api.SendEvents(ctx, rsAPI, api.KindNew, events, cfg.Matrix.ServerName, cfg.Matrix.ServerName, nil, true); err != nil {
+	if err := api.SendEvents(ctx, rsAPI, api.KindNew, events, domain, domain, nil, true); err != nil {
 		util.GetLogger(ctx).WithError(err).Error("SendEvents failed")
 		return jsonerror.InternalServerError(), err
 	}
@@ -298,7 +320,7 @@ func getProfile(
 		return nil, err
 	}
 
-	if domain != cfg.Matrix.ServerName {
+	if !cfg.Matrix.IsLocalServerName(domain) {
 		profile, fedErr := federation.LookupProfile(ctx, domain, userID, "")
 		if fedErr != nil {
 			if x, ok := fedErr.(gomatrix.HTTPError); ok {