diff options
Diffstat (limited to 'mediaapi/routing')
| -rw-r--r-- | mediaapi/routing/download.go | 10 | ||||
| -rw-r--r-- | mediaapi/routing/routing.go | 16 |
2 files changed, 24 insertions, 2 deletions
diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go index 1a025f6f..3ce4ba39 100644 --- a/mediaapi/routing/download.go +++ b/mediaapi/routing/download.go @@ -21,6 +21,7 @@ import ( "io" "mime" "net/http" + "net/url" "os" "path/filepath" "regexp" @@ -302,7 +303,14 @@ func (r *downloadRequest) respondFromLocalFile( responseMetadata = r.MediaMetadata if len(responseMetadata.UploadName) > 0 { - w.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename*=utf-8"%s"`, responseMetadata.UploadName)) + uploadName, err := url.PathUnescape(string(responseMetadata.UploadName)) + if err != nil { + return nil, fmt.Errorf("url.PathUnescape: %w", err) + } + w.Header().Set("Content-Disposition", fmt.Sprintf( + `inline; filename=utf-8"%s"`, + strings.ReplaceAll(uploadName, `"`, `\"`), // escape quote marks only, as per RFC6266 + )) } } diff --git a/mediaapi/routing/routing.go b/mediaapi/routing/routing.go index 13f84c33..f8577826 100644 --- a/mediaapi/routing/routing.go +++ b/mediaapi/routing/routing.go @@ -16,6 +16,7 @@ package routing import ( "net/http" + "strings" userapi "github.com/matrix-org/dendrite/userapi/api" @@ -94,11 +95,24 @@ func makeDownloadAPI( util.SetCORSHeaders(w) // Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors w.Header().Set("Content-Type", "application/json") + vars, _ := httputil.URLDecodeMapValues(mux.Vars(req)) + serverName := gomatrixserverlib.ServerName(vars["serverName"]) + + // For the purposes of loop avoidance, we will return a 404 if allow_remote is set to + // false in the query string and the target server name isn't our own. + // https://github.com/matrix-org/matrix-doc/pull/1265 + if allowRemote := req.URL.Query().Get("allow_remote"); strings.ToLower(allowRemote) == "false" { + if serverName != cfg.Matrix.ServerName { + w.WriteHeader(http.StatusNotFound) + return + } + } + Download( w, req, - gomatrixserverlib.ServerName(vars["serverName"]), + serverName, types.MediaID(vars["mediaId"]), cfg, db, |