New upstream version 1.61.1 Andrej Shadura 1 year, 10 months ago
5 changed file(s) with 86 addition(s) and 27 deletion(s).
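--- a/[path not on page: release changelog]
+++ b/[path not on page: release changelog]
@@ -1,3 +1,24 @@
+Synapse 1.61.1 (2022-06-28)
+===========================
+
+This patch release fixes a security issue regarding URL previews, affecting all prior versions of Synapse. Server administrators are encouraged to update Synapse as soon as possible. We are not aware of these vulnerabilities being exploited in the wild.
+
+Server administrators who are unable to update Synapse may use the workarounds described in the linked GitHub Security Advisory below.
+
+## Security advisory
+
+The following issue is fixed in 1.61.1.
+
+* [GHSA-22p3-qrh9-cx32](https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32) / [CVE-2022-31052](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31052)
+
+Synapse instances with the [`url_preview_enabled`](https://matrix-org.github.io/synapse/v1.61/usage/configuration/config_documentation.html#media-store) homeserver config option set to `true` are affected. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.
+
+Requesting URL previews requires authentication. Nevertheless, it is possible to exploit this maliciously, either by malicious users on the homeserver, or by remote users sending URLs that a local user's client may automatically request a URL preview for.
+
+Homeservers with the `url_preview_enabled` configuration option set to `false` (the default) are unaffected. Instances with the `enable_media_repo` configuration option set to `false` are also unaffected, as this also disables URL preview functionality.
+
+Fixed by [fa1308061802ac7b7d20e954ba7372c5ac292333](https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333).
+
 Synapse 1.61.0 (2022-06-14)
 ===========================
 
@@ -9,7 +30,7 @@
 Improved Documentation
 ----------------------
 
-- Mention removed community/group worker endpoints in [upgrade.md](https://github.com/matrix-org/synapse/blob/develop/docs/upgrade.md#upgrading-to-v1610s). Contributed by @olmari. ([\#13023](https://github.com/matrix-org/synapse/issues/13023))
+- Mention removed community/group worker endpoints in [the upgrade notes](https://github.com/matrix-org/synapse/blob/develop/docs/upgrade.md#upgrading-to-v1610). Contributed by @olmari. ([\#13023](https://github.com/matrix-org/synapse/issues/13023))
 
 
 Synapse 1.61.0rc1 (2022-06-07)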
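--- a/[path not on page: debian changelog]
+++ b/[path not on page: debian changelog]
@@ -1,3 +1,9 @@
+matrix-synapse-py3 (1.61.1) stable; urgency=medium
+
+* New Synapse release 1.61.1.
+
+-- Synapse Packaging team <packages@matrix.org> Tue, 28 Jun 2022 14:33:46 +0100
+
 matrix-synapse-py3 (1.61.0) stable; urgency=medium
 
 * New Synapse release 1.61.0.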
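--- a/[path not on page: project metadata (poetry)]
+++ b/[path not on page: project metadata (poetry)]
@@ -54,7 +54,7 @@
 
 [tool.poetry]
 name = "matrix-synapse"
-version = "1.61.0"
+version = "1.61.1"
 description = "Homeserver for the Matrix decentralised comms protocol"
 authors = ["Matrix.org Team and Contributors <packages@matrix.org>"]
 license = "Apache-2.0"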
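--- a/[path not on page: HTML preview module]
+++ b/[path not on page: HTML preview module]
@@ -12,10 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import codecs
-import itertools
 import logging
 import re
-from typing import TYPE_CHECKING, Dict, Generator, Iterable, Optional, Set, Union
+from typing import TYPE_CHECKING, Dict, Generator, Iterable, List, Optional, Set, Union
 
 if TYPE_CHECKING:
 from lxml import etree
@@ -276,7 +275,7 @@
 
 from lxml import etree
 
-TAGS_TO_REMOVE = (
+TAGS_TO_REMOVE = {
 "header",
 "nav",
 "aside",
@@ -291,31 +290,42 @@
 "img",
 "picture",
 etree.Comment,
-)
+}
 
 # Split all the text nodes into paragraphs (by splitting on new
 # lines)
 text_nodes = (
 re.sub(r"\s+", "\n", el).strip()
-for el in _iterate_over_text(tree.find("body"), *TAGS_TO_REMOVE)
+for el in _iterate_over_text(tree.find("body"), TAGS_TO_REMOVE)
 )
 return summarize_paragraphs(text_nodes)
 
 
 def _iterate_over_text(
-tree: "etree.Element", *tags_to_ignore: Union[str, "etree.Comment"]
+tree: Optional["etree.Element"],
+tags_to_ignore: Set[Union[str, "etree.Comment"]],
+stack_limit: int = 1024,
 ) -> Generator[str, None, None]:
 """Iterate over the tree returning text nodes in a depth first fashion,
 skipping text nodes inside certain tags.
-"""
-# This is basically a stack that we extend using itertools.chain.
-# This will either consist of an element to iterate over *or* a string
+
+Args:
+tree: The parent element to iterate. Can be None if there isn't one.
+tags_to_ignore: Set of tags to ignore
+stack_limit: Maximum stack size limit for depth-first traversal.
+Nodes will be dropped if this limit is hit, which may truncate the
+textual result.
+Intended to limit the maximum working memory when generating a preview.
+"""
+
+if tree is None:
+return
+
+# This is a stack whose items are elements to iterate over *or* strings
 # to be returned.
-elements = iter([tree])
-while True:
-el = next(elements, None)
-if el is None:
-return
+elements: List[Union[str, "etree.Element"]] = [tree]
+while elements:
+el = elements.pop()
 
 if isinstance(el, str):
 yield el
@@ -329,17 +339,22 @@
 if el.text:
 yield el.text
 
-# We add to the stack all the elements children, interspersed with
-# each child's tail text (if it exists). The tail text of a node
-# is text that comes *after* the node, so we always include it even
-# if we ignore the child node.
-elements = itertools.chain(
-itertools.chain.from_iterable( # Basically a flatmap
-[child, child.tail] if child.tail else [child]
-for child in el.iterchildren()
-),
-elements,
-)
+# We add to the stack all the element's children, interspersed with
+# each child's tail text (if it exists).
+#
+# We iterate in reverse order so that earlier pieces of text appear
+# closer to the top of the stack.
+for child in el.iterchildren(reversed=True):
+if len(elements) > stack_limit:
+# We've hit our limit for working memory
+break
+
+if child.tail:
+# The tail text of a node is text that comes *after* the node,
+# so we always include it even if we ignore the child node.
+elements.append(child.tail)
+
+elements.append(child)
 
 
 def summarize_paragraphs(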
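Review bot: The `stack_limit` guard inside `for child in el.iterchildren(reversed=True):` drops the wrong end of the document when it trips: children are visited last-to-first, so the siblings still unvisited at `break` are the earliest ones, and the text that survives for the preview comes from the end of a wide element rather than its start, which contradicts the intent stated in the comment just above the loop. The check also runs once per child ahead of up to two appends (tail then child) and uses `>` rather than `>=`, so the stack can overshoot `stack_limit` by a few entries; if that is acceptable the docstring should call the limit approximate. Collecting the children in document order, stopping at the limit, and then pushing them reversed keeps the head of the text and tightens the bound without changing the pop order. The middle of `_iterate_over_text` (the tag-skipping check between the two hunks) is outside this view.
```python
            # … unchanged: `if el.text: yield el.text` …

            # Collect children in document order so that, when the limit is
            # hit, it is the later text that is dropped rather than the earlier.
            pending: List[Union[str, "etree.Element"]] = []
            for child in el.iterchildren():
                if len(elements) + len(pending) >= stack_limit:
                    # We've hit our limit for working memory
                    break
                pending.append(child)
                # The tail text of a node is text that comes *after* the node,
                # so we always include it even if we ignore the child node.
                if child.tail:
                    pending.append(child.tail)

            # Push in reverse so that earlier pieces of text end up closer to
            # the top of the stack and are popped first.
            elements.extend(reversed(pending))
```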
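--- a/[path not on page: HTML preview tests]
+++ b/[path not on page: HTML preview tests]
@@ -370,6 +370,23 @@
 og = parse_html_to_open_graph(tree)
 self.assertEqual(og, {"og:title": "รณ", "og:description": "Some text."})
 
+def test_nested_nodes(self) -> None:
+"""A body with some nested nodes. Tests that we iterate over children
+in the right order (and don't reverse the order of the text)."""
+html = b"""
+<a href="somewhere">Welcome <b>the bold <u>and underlined text <svg>
+with a cheeky SVG</svg></u> and <strong>some</strong> tail text</b></a>
+"""
+tree = decode_body(html, "http://example.com/test.html")
+og = parse_html_to_open_graph(tree)
+self.assertEqual(
+og,
+{
+"og:title": None,
+"og:description": "Welcome\n\nthe bold\n\nand underlined text\n\nand\n\nsome\n\ntail text",
+},
+)
+
 
 class MediaEncodingTestCase(unittest.TestCase):
 def test_meta_charset(self) -> None: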
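Review bot: `test_nested_nodes` pins traversal order, but nothing in the new tests exercises the `stack_limit` path of `_iterate_over_text`, which is the behaviour this release exists to add; a case that calls it with a small limit on a body with many sibling nodes and asserts the output is bounded would catch a regression, and a second case checking that a deeply nested body still yields its text without raising would cover the original failure mode. The sketch below assumes `_iterate_over_text` is imported into this module alongside `decode_body`; the enclosing test class starts outside the hunk.
```python
    def test_stack_limit_truncates(self) -> None:
        """Traversal is bounded by stack_limit rather than by document size."""
        html = b"<html><body>" + b"<p>para</p>" * 200 + b"</body></html>"
        tree = decode_body(html, "http://example.com/test.html")
        text = list(_iterate_over_text(tree.find("body"), set(), stack_limit=10))
        # The exact cut-off is an implementation detail; the point is that
        # the number of yielded nodes does not grow with the document.
        self.assertLess(len(text), 200)
```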