Be stricter when parsing MXC URIs (SYN-393)

Open matrixbot opened this issue 10 years ago • 5 comments

We should implement the restrictions on media-ids added in ~~SPEC-165~~ https://github.com/matrix-org/matrix-doc/pull/103

(Imported from https://matrix.org/jira/browse/SYN-393)

(Reported by @Kegsay)

matrixbot avatar May 27 '15 09:05 matrixbot

Jira watchers: @Kegsay @NegativeMjark

matrixbot avatar May 27 '15 09:05 matrixbot

Links exported from Jira:

is blocked by SPEC-165

matrixbot avatar May 27 '15 09:05 matrixbot

Blocked by SPEC-165

-- @NegativeMjark

matrixbot avatar May 27 '15 09:05 matrixbot

Related, Synapse 1.47.1

  • https://github.com/matrix-org/synapse/commit/91f2bd090
  • https://github.com/matrix-org/synapse/blob/develop/docs/changelogs/CHANGES-2021.md#security-advisory

dklimpel avatar Apr 23 '22 06:04 dklimpel

The restrictions in question now live at https://spec.matrix.org/v1.4/client-server-api/#security-considerations-5:

As such, homeservers MUST sanitise MXC URIs by allowing only alphanumeric (A-Za-z0-9), _ and - characters in the server-name and media-id values. This set of whitelisted characters allows URL-safe base64 encodings specified in RFC 4648. Applying this character whitelist is preferable to blacklisting . and / as there are techniques around blacklisted characters (percent-encoded characters, UTF-8 encoded traversals, etc).

https://github.com/matrix-org/synapse/commit/91f2bd090 added some validation to the server name, but still allows characters (in both the server name and media id) not allowed by the above.

richvdh avatar Oct 05 '22 10:10 richvdh
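The allow-list quoted in the comment above, written as a strict parser. This is an added example, not Synapse's code and not part of the thread; the names `parse_mxc_uri`, `is_valid_mxc_uri` and `InvalidMxcUri` are hypothetical. It applies the quoted character set literally to both parts, so a server name containing `.` or `:` is rejected as well.

```python
import re
from typing import Tuple

# Allow-list from the quoted spec text: A-Za-z0-9, "_" and "-".
# An explicit ASCII class is used; \w would also accept Unicode letters.
_ALLOWED = re.compile(r"[A-Za-z0-9_-]+")
_SCHEME = "mxc://"


class InvalidMxcUri(ValueError):
    """Raised when an MXC URI fails the allow-list check (hypothetical name)."""


def parse_mxc_uri(uri: str) -> Tuple[str, str]:
    """Split mxc://<server-name>/<media-id>; return both parts or raise."""
    if not uri.startswith(_SCHEME):
        raise InvalidMxcUri("not an mxc:// URI")
    # Split on the first "/" only: any further "/" stays in media_id
    # and is then rejected by the allow-list.
    server_name, sep, media_id = uri[len(_SCHEME):].partition("/")
    if not sep:
        raise InvalidMxcUri("missing media-id")
    for label, value in (("server-name", server_name), ("media-id", media_id)):
        # fullmatch, not match() with "$": "$" accepts a trailing newline.
        if not _ALLOWED.fullmatch(value):
            raise InvalidMxcUri(f"disallowed character in {label}: {value!r}")
    return server_name, media_id


def is_valid_mxc_uri(uri: str) -> bool:
    try:
        parse_mxc_uri(uri)
    except InvalidMxcUri:
        return False
    return True


# Constructed sample inputs (not taken from the issue).
SAMPLES = [
    "mxc://example-server/AbC_123-xyz",      # accepted
    "mxc://example-server/../etc",           # "." and extra "/"
    "mxc://example-server/%2e%2e%2fsecret",  # percent-encoding
    "mxc://example-server/abc\n",            # trailing newline
    "mxc://example-server/abc\u00e9",        # non-ASCII letter
    "mxc://example.org/abc",                 # "." in server-name (literal reading)
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), is_valid_mxc_uri(sample))
```
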