aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSid Karunaratne <sid@karunaratne.net>2020-05-13 19:04:54 +0800
committerGitHub <noreply@github.com>2020-05-13 12:04:54 +0100
commit31e6a7f1932c11d9b5b682ad06a5b8db9d74a44f (patch)
tree835f4f66d5b9953f509701abc38900b5bff5257c
parent106a335b7d4fcef8d204dfc15c7cf19f927e75d9 (diff)
Enforce `mediaIDRegex` to be only valid `mediaIDCharacters` (#1020)
Error messages indicate that: > mediaId must be a non-empty string using only characters in `mediaIDCharacters` However the regex used only required that some characters in the filename match the restriction, not that the entire filename does. This commit ensures that the filename must entirely fullfill the `mediaIDCharacters` restriction Signed-off-by: Sid Karunaratne <sid@karunaratne.net> Co-authored-by: Kegsay <kegan@matrix.org>
-rw-r--r--mediaapi/routing/download.go2
1 files changed, 1 insertions, 1 deletions
diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go
index 9feca90e..75df313f 100644
--- a/mediaapi/routing/download.go
+++ b/mediaapi/routing/download.go
@@ -43,7 +43,7 @@ import (
const mediaIDCharacters = "A-Za-z0-9_=-"
// Note: unfortunately regex.MustCompile() cannot be assigned to a const
-var mediaIDRegex = regexp.MustCompile("[" + mediaIDCharacters + "]+")
+var mediaIDRegex = regexp.MustCompile("^[" + mediaIDCharacters + "]+$")
// downloadRequest metadata included in or derivable from a download or thumbnail request
// https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid