matrix-synapse / c3e687e
New upstream version 1.5.1 Andrej Shadura 4 years ago
5 changed file(s) with 71 addition(s) and 2 deletion(s).
0 Synapse 1.5.1 (2019-11-06)
1 ==========================
2
3 Features
4 --------
5
6 - Limit the length of data returned by url previews, to prevent DoS attacks. ([\#6331](https://github.com/matrix-org/synapse/issues/6331), [\#6334](https://github.com/matrix-org/synapse/issues/6334))
7
8
09 Synapse 1.5.0 (2019-10-29)
110 ==========================
211
0 matrix-synapse-py3 (1.5.1) stable; urgency=medium
1
2 * New synapse release 1.5.1.
3
4 -- Synapse Packaging team <packages@matrix.org> Wed, 06 Nov 2019 10:02:14 +0000
5
06 matrix-synapse-py3 (1.5.0) stable; urgency=medium
17
28 * New synapse release 1.5.0.
3535 except ImportError:
3636 pass
3737
38 __version__ = "1.5.0"
38 __version__ = "1.5.1"
3939
4040 if bool(os.environ.get("SYNAPSE_TEST_PATCH_LOG_CONTEXTS", False)):
4141 # We import here so that we don't have to install a bunch of deps when
5555 _charset_match = re.compile(br"<\s*meta[^>]*charset\s*=\s*([a-z0-9-]+)", flags=re.I)
5656 _content_type_match = re.compile(r'.*; *charset="?(.*?)"?(;|$)', flags=re.I)
5757
58 OG_TAG_NAME_MAXLEN = 50
59 OG_TAG_VALUE_MAXLEN = 1000
60
5861
5962 class PreviewUrlResource(DirectServeResource):
6063 isLeaf = True
166169 ts (int):
167170
168171 Returns:
169 Deferred[str]: json-encoded og data
172 Deferred[bytes]: json-encoded og data
170173 """
171174 # check the URL cache in the DB (which will also provide us with
172175 # historical previews, if we have any)
266269 else:
267270 logger.warn("Failed to find any OG data in %s", url)
268271 og = {}
272
273 # filter out any stupidly long values
274 keys_to_remove = []
275 for k, v in og.items():
276 # values can be numeric as well as strings, hence the cast to str
277 if len(k) > OG_TAG_NAME_MAXLEN or len(str(v)) > OG_TAG_VALUE_MAXLEN:
278 logger.warning(
279 "Pruning overlong tag %s from OG data", k[:OG_TAG_NAME_MAXLEN]
280 )
281 keys_to_remove.append(k)
282 for k in keys_to_remove:
283 del og[k]
269284
270285 logger.debug("Calculated OG for %s as %s" % (url, og))
271286
501516 og = {}
502517 for tag in tree.xpath("//*/meta[starts-with(@property, 'og:')]"):
503518 if "content" in tag.attrib:
519 # if we've got more than 50 tags, someone is taking the piss
520 if len(og) >= 50:
521 logger.warning("Skipping OG for page with too many 'og:' tags")
522 return {}
504523 og[tag.attrib["property"]] = tag.attrib["content"]
505524
506525 # TODO: grab article: meta tags too, e.g.:
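Review bot: The pruning loop logs the tag name with `%s` in `logger.warning("Pruning overlong tag %s from OG data", k[:OG_TAG_NAME_MAXLEN])`, and that name appears to come straight from the fetched page's `property` attribute, so it can carry newlines or control characters into the log. Truncating to 50 characters bounds the size but not the content; `"Pruning overlong tag %r from OG data"` would keep the entry on one unambiguous line. Separately, the tag-count cap in the last hunk is the bare literal `if len(og) >= 50:`, which happens to equal `OG_TAG_NAME_MAXLEN` but bounds a different thing. A named constant beside the other two, e.g. `OG_TAG_COUNT_MAX = 50`, would keep all three limits documented in one place. The enclosing functions start and end outside the visible hunks.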
246246 self.assertEqual(channel.code, 200)
247247 self.assertEqual(channel.json_body["og:title"], "\u0434\u043a\u0430")
248248
249 def test_overlong_title(self):
250 self.lookups["matrix.org"] = [(IPv4Address, "8.8.8.8")]
251
252 end_content = (
253 b"<html><head>"
254 b"<title>" + b"x" * 2000 + b"</title>"
255 b'<meta property="og:description" content="hi" />'
256 b"</head></html>"
257 )
258
259 request, channel = self.make_request(
260 "GET", "url_preview?url=http://matrix.org", shorthand=False
261 )
262 request.render(self.preview_url)
263 self.pump()
264
265 client = self.reactor.tcpClients[0][2].buildProtocol(None)
266 server = AccumulatingProtocol()
267 server.makeConnection(FakeTransport(client, self.reactor))
268 client.makeConnection(FakeTransport(server, self.reactor))
269 client.dataReceived(
270 (
271 b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n"
272 b'Content-Type: text/html; charset="windows-1251"\r\n\r\n'
273 )
274 % (len(end_content),)
275 + end_content
276 )
277
278 self.pump()
279 self.assertEqual(channel.code, 200)
280 res = channel.json_body
281 # We should only see the `og:description` field, as `title` is too long and should be stripped out
282 self.assertCountEqual(["og:description"], res.keys())
283
249284 def test_ipaddr(self):
250285 """
251286 IP addresses can be previewed directly.
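Review bot: `test_overlong_title` exercises only the value-length limit; nothing in this section covers a property name longer than `OG_TAG_NAME_MAXLEN` or a page carrying 50 or more `og:` meta tags, which are the other two limits the commit introduces. A test that serves a page with 51 `og:` tags and asserts that no `og:` keys come back, and one with an overlong property name, would pin those paths against regression. The comment above the final assertion could also say `og:title` rather than `title`, since that is presumably the key that gets pruned.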