Travis Ralston

https://github.com/turt2live/matrix-media-repo/releases/tag/v1.1.1 stems most of the leaks around unclosed streams and channels, but there's still a 20mb/hour leak somewhere. Pending more information and time to continue investigating.

The code is actively preventing redirects because the destination IP hasn't been validated against the allowable list of IPs, as otherwise someone could redirect to `evil.example.org` which has an IP...

Checking after is an option, though iirc the code is supposed to validate and pin the IP it'll connect to before the request is made (hence the domain redirection check).

There was some security context to that check I'll have to dig up tbh. At a glance though, it's certainly questionable.

Currently it's not possible to change it because the project is still relatively early days. The logging helps diagnose any issues that come up and are a requirement for getting...

Could use something like this: https://github.com/temoto/robotstxt

https://github.com/turt2live/matrix-media-repo/commit/888086eb1dd0c15ea2a02389faf544643fe6e5c7 is the start of the work towards actually making this a real thing. Instead of using a REST API to configure homeservers, we have config live reloading.

Thank you for the contribution! I'd be interested to hear how many people are looking for this sort of thing before merging.

I can't reproduce this, sorry. Is there something strange going on in your shell which might interfere somehow?

oh, this is the Docker image, which sets an environment override. Documentation needs to be updated to say to set `REPO_CONFIG` at runtime, overriding the `-config` argument.