element-web

abuse: "via" parameter injected into share url and can't be removed by room admin

Open kainino0x opened this issue 1 year ago • 2 comments

Steps to reproduce

  1. Visit https://app.element.io/#/room/#WebGPU:matrix.org
  2. Highlight a message and click "Share"
  3. Copy the URL, get something like https://matrix.to/#/!MFogdGJfnZLrDmgkBN:matrix.org/$2itkkk9rB5CCFgK_MsuToQsg8Ghl6O8EOJX4fEcgFpI?via=matrix.org&via=mozilla.org&via=matrix.kiwifarms.net

Outcome

What did you expect?

URL should have only via=matrix.org because the only room address is on matrix.org.

What happened instead?

URL contains via=matrix.kiwifarms.net

I don't want kiwifarms URLs in my room's share URLs.

Operating system

No response

Browser information

No response

URL for webapp

app.element.io

Application version

Element version: 1.11.5, Olm version: 3.2.12

Homeserver

matrix.org

Will you send logs?

No

kainino0x Sep 16 '22 23:09

FWIW if I share the room itself, there are no via parameters: https://matrix.to/#/#WebGPU:matrix.org

kainino0x Sep 16 '22 23:09

The vias are generated as the homeserver of the highest power user in the room, as well as the top two servers ordered by number of users in the room. This is to prevent the link from not working when one of the servers is offline. Aliases have nothing to do with message permalinks, which are specced to be based on the room ID. You can remove it manually by tweaking the link or banning that server from your room using server ACLs.

t3chguy Sep 20 '22 08:09

Thanks for the explanation! That led me to the "workaround" of simply banning the server from my room - which I'd have wanted to do anyway, if I thought of it - and removing the 2 associated users, who have never participated in the chat anyway.

I think banning the server prevents its users from joining my room in the future, but I'm not familiar with the protocol so I'm not exactly sure.

I banned the server via /devtools using m.room.server_acl, as described here: https://matrix.org/docs/guides/moderation#banning-servers-from-rooms-server-acls

{
  "allow": [
    "*"
  ],
  "allow_ip_literals": false,
  "deny": [
    "matrix.kiwifarms.net"
  ]
}

Assuming I've understood correctly, this is a solution to the problem I have. I will close this issue, but you can reopen it if you think there's some work that should be done on it.

kainino0x Sep 26 '22 22:09
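
Added example (not part of the thread and not element-web's own code): a sketch of the via selection described in the maintainer's reply, combined with the `m.room.server_acl` content from the last comment, showing how a denied server drops out of the generated permalink. The function names, the `.example` servers and the member list are constructed for illustration, and the cap of three vias is an assumption read from that reply.

```javascript
// Added example, not element-web code. Member data is constructed.
// m.room.server_acl globs: "*" matches any run of characters, "?" exactly one.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$", "i");
}

function isAllowedByAcl(server, acl) {
  if (!acl) return true;
  const isIpLiteral = /^(\d{1,3}\.){3}\d{1,3}(:\d+)?$|^\[/.test(server);
  if (isIpLiteral && acl.allow_ip_literals === false) return false;
  const matches = (globs) => (globs || []).some((g) => globToRegExp(g).test(server));
  return !matches(acl.deny) && matches(acl.allow);
}

// members: [{ userId: "@name:server", powerLevel: number }]
function pickVias(members, acl) {
  const serverOf = (userId) => userId.slice(userId.indexOf(":") + 1);
  const eligible = members.filter((m) => isAllowedByAcl(serverOf(m.userId), acl));
  const vias = [];
  // 1. Homeserver of the highest-powered member.
  const top = eligible.reduce((a, b) => (a && a.powerLevel >= b.powerLevel ? a : b), null);
  if (top) vias.push(serverOf(top.userId));
  // 2. Fill up to three candidates with the most populous servers.
  const counts = new Map();
  for (const m of eligible) counts.set(serverOf(m.userId), (counts.get(serverOf(m.userId)) || 0) + 1);
  const byPopulation = [...counts].sort((a, b) => b[1] - a[1]).map(([s]) => s);
  for (const s of byPopulation) if (vias.length < 3 && !vias.includes(s)) vias.push(s);
  return vias;
}

function permalink(roomId, eventId, vias) {
  const query = vias.map((v) => "via=" + encodeURIComponent(v)).join("&");
  return `https://matrix.to/#/${roomId}/${eventId}` + (query ? "?" + query : "");
}

// Constructed room: 4 members on hs1.example (one admin), 3 on hs2.example,
// 2 on unwanted.example, 1 on hs3.example.
const mk = (n, server, powerLevel = 0) => ({ userId: `@u${n}:${server}`, powerLevel });
const SAMPLE_MEMBERS = [
  mk(1, "hs1.example", 100), mk(2, "hs1.example"), mk(3, "hs1.example"), mk(4, "hs1.example"),
  mk(5, "hs2.example"), mk(6, "hs2.example"), mk(7, "hs2.example"),
  mk(8, "unwanted.example"), mk(9, "unwanted.example"), mk(10, "hs3.example"),
];
const SAMPLE_ACL = { allow: ["*"], allow_ip_literals: false, deny: ["unwanted.example"] };

console.log(permalink("!room:hs1.example", "$event", pickVias(SAMPLE_MEMBERS, null)));
console.log(permalink("!room:hs1.example", "$event", pickVias(SAMPLE_MEMBERS, SAMPLE_ACL)));
```

Links copied before the ACL was set still carry the old `via` values; only newly generated links reflect the change.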