author | Neil Alexander <neilalexander@users.noreply.github.com> | 2020-06-16 18:31:38 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-06-16 18:31:38 +0100 |
commit | 04c99092a46b2ad0b90645bf6553360b5f1b7da7 (patch) | |
tree | 0ce1380949c6c224a6f872b303d9e4767e5a2c31 /mediaapi/routing/routing.go | |
parent | e15a8042a19b270060beef1358f90cda075ddd38 (diff) |
Update whitelist for sytest media fix (#1137)
* Update sytest-whitelist, are-we-synapse-yet.list
* Update gomatrixserverlib
* Update gomatrixserverlib
* Loop avoidance
* Return UTF-8 filenames
* Replace quotes only, instead of using strconv.Quote
* Update sytest-whitelist
* Update sytest-whitelist
Diffstat (limited to 'mediaapi/routing/routing.go')
-rw-r--r-- | mediaapi/routing/routing.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/mediaapi/routing/routing.go b/mediaapi/routing/routing.go index 13f84c33..f8577826 100644 --- a/mediaapi/routing/routing.go +++ b/mediaapi/routing/routing.go @@ -16,6 +16,7 @@ package routing import ( "net/http" + "strings" userapi "github.com/matrix-org/dendrite/userapi/api" @@ -94,11 +95,24 @@ func makeDownloadAPI( util.SetCORSHeaders(w) // Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors w.Header().Set("Content-Type", "application/json") + vars, _ := httputil.URLDecodeMapValues(mux.Vars(req)) + serverName := gomatrixserverlib.ServerName(vars["serverName"]) + + // For the purposes of loop avoidance, we will return a 404 if allow_remote is set to + // false in the query string and the target server name isn't our own. + // https://github.com/matrix-org/matrix-doc/pull/1265 + if allowRemote := req.URL.Query().Get("allow_remote"); strings.ToLower(allowRemote) == "false" { + if serverName != cfg.Matrix.ServerName { + w.WriteHeader(http.StatusNotFound) + return + } + } + Download( w, req, - gomatrixserverlib.ServerName(vars["serverName"]), + serverName, types.MediaID(vars["mediaId"]), cfg, db, |
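Review bot: The new early return in the `allow_remote` branch calls `w.WriteHeader(http.StatusNotFound)` and writes no body, although `Content-Type: application/json` was set a few lines earlier and the comment above says errors are JSON-formatted, so a client that parses the 404 body gets an empty document instead of a Matrix error. Write an error object before returning, for example `_ = json.NewEncoder(w).Encode(map[string]string{"errcode": "M_NOT_FOUND", "error": "media not found"})` (this needs `encoding/json`, or the project's existing JSON error helper if one is in scope). Separately, the error from `httputil.URLDecodeMapValues` is discarded, so a path that fails to decode appears to yield an empty `serverName`; with `allow_remote=false` that falls into the 404, but otherwise the value is passed on to `Download`, and rejecting it explicitly with a 400 would be safer. The diff markers on this page are collapsed, so it is not certain whether that line is new or context, and `makeDownloadAPI` starts and ends outside the hunk.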