author | Neil Alexander <neilalexander@users.noreply.github.com> | 2020-06-16 18:31:38 +0100 |
committer | GitHub <noreply@github.com> | 2020-06-16 18:31:38 +0100 |
commit | 04c99092a46b2ad0b90645bf6553360b5f1b7da7 (patch) | |
tree | 0ce1380949c6c224a6f872b303d9e4767e5a2c31 /mediaapi | |
parent | e15a8042a19b270060beef1358f90cda075ddd38 (diff) |
Update whitelist for sytest media fix (#1137)
* Update sytest-whitelist, are-we-synapse-yet.list
* Update gomatrixserverlib
* Update gomatrixserverlib
* Loop avoidance
* Return UTF-8 filenames
* Replace quotes only, instead of using strconv.Quote
* Update sytest-whitelist
* Update sytest-whitelist
Diffstat (limited to 'mediaapi')
-rw-r--r-- | mediaapi/routing/download.go | 10 | ||||
-rw-r--r-- | mediaapi/routing/routing.go | 16 |
2 files changed, 24 insertions, 2 deletions
diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go
index 1a025f6f..3ce4ba39 100644
--- a/mediaapi/routing/download.go
+++ b/mediaapi/routing/download.go
@@ -21,6 +21,7 @@ import (
 "io"
 "mime"
 "net/http"
+ "net/url"
 "os"
 "path/filepath"
 "regexp"
@@ -302,7 +303,14 @@ func (r *downloadRequest) respondFromLocalFile(
 responseMetadata = r.MediaMetadata
 if len(responseMetadata.UploadName) > 0 {
- w.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename*=utf-8"%s"`, responseMetadata.UploadName))
+ uploadName, err := url.PathUnescape(string(responseMetadata.UploadName))
+ if err != nil {
+ return nil, fmt.Errorf("url.PathUnescape: %w", err)
+ }
+ w.Header().Set("Content-Disposition", fmt.Sprintf(
+ `inline; filename=utf-8"%s"`,
+ strings.ReplaceAll(uploadName, `"`, `\"`), // escape quote marks only, as per RFC6266
+ ))
 }
 }
diff --git a/mediaapi/routing/routing.go b/mediaapi/routing/routing.go
index 13f84c33..f8577826 100644
--- a/mediaapi/routing/routing.go
+++ b/mediaapi/routing/routing.go
@@ -16,6 +16,7 @@ package routing
 import (
 "net/http"
+ "strings"
 userapi "github.com/matrix-org/dendrite/userapi/api"
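Review bot: The header value built in respondFromLocalFile, `inline; filename=utf-8"%s"`, is malformed: a bare `utf-8` token glued to a quoted string is neither the RFC 2616 `filename="…"` form nor the RFC 5987 `filename*=UTF-8''…` form the removed `filename*=` line was reaching for, and replacing only `"` leaves a trailing backslash in the name free to escape the closing quote. The value originates from the client-supplied upload name, so the escaping has to be complete rather than approximate. Since `mime` is already imported in the first hunk of this file, the fmt.Sprintf/ReplaceAll block can be replaced by `w.Header().Set("Content-Disposition", mime.FormatMediaType("inline", map[string]string{"filename": uploadName}))`, which quotes and backslash-escapes the value and, on Go versions that support it, emits the `filename*=utf-8''…` encoding for non-ASCII names; check the Go version pinned by the module before relying on that second part. The `// escape quote marks only, as per RFC6266` comment should go with it, since RFC 6266 defers to the RFC 2616 quoted-string grammar in which backslash is also significant. respondFromLocalFile starts and ends outside the hunk.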
@@ -94,11 +95,24 @@ func makeDownloadAPI(
 util.SetCORSHeaders(w)
 // Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors
 w.Header().Set("Content-Type", "application/json")
+ vars, _ := httputil.URLDecodeMapValues(mux.Vars(req))
+ serverName := gomatrixserverlib.ServerName(vars["serverName"])
+
+ // For the purposes of loop avoidance, we will return a 404 if allow_remote is set to
+ // false in the query string and the target server name isn't our own.
+ // https://github.com/matrix-org/matrix-doc/pull/1265
+ if allowRemote := req.URL.Query().Get("allow_remote"); strings.ToLower(allowRemote) == "false" {
+ if serverName != cfg.Matrix.ServerName {
+ w.WriteHeader(http.StatusNotFound)
+ return
+ }
+ }
+
 Download(
 w,
 req,
- gomatrixserverlib.ServerName(vars["serverName"]),
+ serverName,
 types.MediaID(vars["mediaId"]),
 cfg,
 db, |
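Review bot: The loop-avoidance branch in makeDownloadAPI answers with `w.WriteHeader(http.StatusNotFound)` and no body, while the line just above it has set `Content-Type: application/json` under a comment promising JSON-formatted errors, so clients get a 404 whose declared content type does not match its empty payload. Writing the not-found JSON error this package uses for its other error responses, if there is such a helper, before the `return` keeps the handler consistent with that comment and with what callers parse. The comparison `strings.ToLower(allowRemote) == "false"` reads more idiomatically as `strings.EqualFold(allowRemote, "false")`. The error from `httputil.URLDecodeMapValues` is discarded with `_`; if that mirrors the previous code a short comment saying so would help, otherwise a malformed path segment should be reported rather than silently yielding empty vars. makeDownloadAPI starts and ends outside the hunk.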