New upstream version 1.5.1
Andrej Shadura
4 years ago
|
0 |
Synapse 1.5.1 (2019-11-06)
|
|
1 |
==========================
|
|
2 |
|
|
3 |
Features
|
|
4 |
--------
|
|
5 |
|
|
6 |
- Limit the length of data returned by url previews, to prevent DoS attacks. ([\#6331](https://github.com/matrix-org/synapse/issues/6331), [\#6334](https://github.com/matrix-org/synapse/issues/6334))
|
|
7 |
|
|
8 |
|
0 | 9 |
Synapse 1.5.0 (2019-10-29)
|
1 | 10 |
==========================
|
2 | 11 |
|
|
0 |
matrix-synapse-py3 (1.5.1) stable; urgency=medium
|
|
1 |
|
|
2 |
* New synapse release 1.5.1.
|
|
3 |
|
|
4 |
-- Synapse Packaging team <packages@matrix.org> Wed, 06 Nov 2019 10:02:14 +0000
|
|
5 |
|
0 | 6 |
matrix-synapse-py3 (1.5.0) stable; urgency=medium
|
1 | 7 |
|
2 | 8 |
* New synapse release 1.5.0.
|
35 | 35 |
except ImportError:
|
36 | 36 |
pass
|
37 | 37 |
|
38 | |
__version__ = "1.5.0"
|
|
38 |
__version__ = "1.5.1"
|
39 | 39 |
|
40 | 40 |
if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
|
41 | 41 |
# We import here so that we don't have to install a bunch of deps when
|
55 | 55 |
_charset_match = re.compile(br"<\s*meta[^>]*charset\s*=\s*([a-z0-9-]+)", flags=re.I)
|
56 | 56 |
_content_type_match = re.compile(r'.*; *charset="?(.*?)"?(;|$)', flags=re.I)
|
57 | 57 |
|
|
58 |
OG_TAG_NAME_MAXLEN = 50
|
|
59 |
OG_TAG_VALUE_MAXLEN = 1000
|
|
60 |
|
58 | 61 |
|
59 | 62 |
class PreviewUrlResource(DirectServeResource):
|
60 | 63 |
isLeaf = True
|
|
166 | 169 |
ts (int):
|
167 | 170 |
|
168 | 171 |
Returns:
|
169 | |
Deferred[str]: json-encoded og data
|
|
172 |
Deferred[bytes]: json-encoded og data
|
170 | 173 |
"""
|
171 | 174 |
# check the URL cache in the DB (which will also provide us with
|
172 | 175 |
# historical previews, if we have any)
|
|
266 | 269 |
else:
|
267 | 270 |
logger.warn("Failed to find any OG data in %s", url)
|
268 | 271 |
og = {}
|
|
272 |
|
|
273 |
# filter out any stupidly long values
|
|
274 |
keys_to_remove = []
|
|
275 |
for k, v in og.items():
|
|
276 |
# values can be numeric as well as strings, hence the cast to str
|
|
277 |
if len(k) > OG_TAG_NAME_MAXLEN or len(str(v)) > OG_TAG_VALUE_MAXLEN:
|
|
278 |
logger.warning(
|
|
279 |
"Pruning overlong tag %s from OG data", k[:OG_TAG_NAME_MAXLEN]
|
|
280 |
)
|
|
281 |
keys_to_remove.append(k)
|
|
282 |
for k in keys_to_remove:
|
|
283 |
del og[k]
|
269 | 284 |
|
270 | 285 |
logger.debug("Calculated OG for %s as %s" % (url, og))
|
271 | 286 |
|
|
501 | 516 |
og = {}
|
502 | 517 |
for tag in tree.xpath("//*/meta[starts-with(@property, 'og:')]"):
|
503 | 518 |
if "content" in tag.attrib:
|
|
519 |
# if we've got more than 50 tags, someone is taking the piss
|
|
520 |
if len(og) >= 50:
|
|
521 |
logger.warning("Skipping OG for page with too many 'og:' tags")
|
|
522 |
return {}
|
504 | 523 |
og[tag.attrib["property"]] = tag.attrib["content"]
|
505 | 524 |
|
506 | 525 |
# TODO: grab article: meta tags too, e.g.:
|
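Review bot: The tag-count limit in the last hunk of this file is a bare `50`, both in the comment and in `if len(og) >= 50:`, while the name and value limits added by the same change are named module constants (`OG_TAG_NAME_MAXLEN`, `OG_TAG_VALUE_MAXLEN`). The three bounds together are the DoS mitigation, so I would add `OG_TAG_MAX_COUNT = 50` beside the other two and test `if len(og) >= OG_TAG_MAX_COUNT:`, which keeps the limits auditable and tunable in one place. The warning on that path ("Skipping OG for page with too many 'og:' tags") does not say which page was rejected, so including the page URI, if one is in scope there, would make the event usable for triage. The enclosing function starts and ends outside the hunk, so I could not confirm what is in scope.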
246 | 246 |
self.assertEqual(channel.code, 200)
|
247 | 247 |
self.assertEqual(channel.json_body["og:title"], "\u0434\u043a\u0430")
|
248 | 248 |
|
|
249 |
def test_overlong_title(self):
|
|
250 |
self.lookups["matrix.org"] = [(IPv4Address, "8.8.8.8")]
|
|
251 |
|
|
252 |
end_content = (
|
|
253 |
b"<html><head>"
|
|
254 |
b"<title>" + b"x" * 2000 + b"</title>"
|
|
255 |
b'<meta property="og:description" content="hi" />'
|
|
256 |
b"</head></html>"
|
|
257 |
)
|
|
258 |
|
|
259 |
request, channel = self.make_request(
|
|
260 |
"GET", "url_preview?url=http://matrix.org", shorthand=False
|
|
261 |
)
|
|
262 |
request.render(self.preview_url)
|
|
263 |
self.pump()
|
|
264 |
|
|
265 |
client = self.reactor.tcpClients[0][2].buildProtocol(None)
|
|
266 |
server = AccumulatingProtocol()
|
|
267 |
server.makeConnection(FakeTransport(client, self.reactor))
|
|
268 |
client.makeConnection(FakeTransport(server, self.reactor))
|
|
269 |
client.dataReceived(
|
|
270 |
(
|
|
271 |
b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n"
|
|
272 |
b'Content-Type: text/html; charset="windows-1251"\r\n\r\n'
|
|
273 |
)
|
|
274 |
% (len(end_content),)
|
|
275 |
+ end_content
|
|
276 |
)
|
|
277 |
|
|
278 |
self.pump()
|
|
279 |
self.assertEqual(channel.code, 200)
|
|
280 |
res = channel.json_body
|
|
281 |
# We should only see the `og:description` field, as `title` is too long and should be stripped out
|
|
282 |
self.assertCountEqual(["og:description"], res.keys())
|
|
283 |
|
249 | 284 |
def test_ipaddr(self):
|
250 | 285 |
"""
|
251 | 286 |
IP addresses can be previewed directly.
|
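Review bot: `test_overlong_title` exercises only the value-length limit (the 2000-character `<title>`), so the other two bounds this commit introduces have no test on this page: tag names longer than `OG_TAG_NAME_MAXLEN`, and pages with 50 or more `og:` tags. I would add one case for each, asserting that the overlong-named tag is absent from `channel.json_body` and that a page over the tag count produces no `og:` keys (presumably an empty preview, to be confirmed against the caller). The new test also has no docstring, unlike `test_ipaddr` just below it; `"""Overlong OG values are pruned from the preview response."""` would match the neighbouring style.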