From 04c99092a46b2ad0b90645bf6553360b5f1b7da7 Mon Sep 17 00:00:00 2001
From: Neil Alexander
Date: Tue, 16 Jun 2020 18:31:38 +0100
Subject: [PATCH] Update whitelist for sytest media fix (#1137)
* Update sytest-whitelist, are-we-synapse-yet.list
* Update gomatrixserverlib
* Update gomatrixserverlib
* Loop avoidance
* Return UTF-8 filenames
* Replace quotes only, instead of using strconv.Quote
* Update sytest-whitelist
* Update sytest-whitelist
---
are-we-synapse-yet.list | 4 ++--
go.mod | 2 +-
go.sum | 4 ++--
mediaapi/routing/download.go | 10 +++++++++-
mediaapi/routing/routing.go | 16 +++++++++++++++-
sytest-whitelist | 15 ++++++++++++++-
6 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/are-we-synapse-yet.list b/are-we-synapse-yet.list
index c088c8b5..f59f8067 100644
--- a/are-we-synapse-yet.list
+++ b/are-we-synapse-yet.list
@@ -97,8 +97,8 @@ rst PUT power_levels should not explode if the old power levels were empty
 rst Both GET and PUT work
 rct POST /rooms/:room_id/receipt can create receipts
 red POST /rooms/:room_id/read_markers can create read marker
-med POST /media/v1/upload can create an upload
-med GET /media/v1/download can fetch the value again
+med POST /media/r0/upload can create an upload
+med GET /media/r0/download can fetch the value again
 cap GET /capabilities is present and well formed for registered user
 cap GET /r0/capabilities is not public
 reg Register with a recaptcha
diff --git a/go.mod b/go.mod
index b2451d85..6154d0f3 100644
--- a/go.mod
+++ b/go.mod
@@ -20,7 +20,7 @@ require (
 github.com/matrix-org/go-http-js-libp2p v0.0.0-20200518170932-783164aeeda4
 github.com/matrix-org/go-sqlite3-js v0.0.0-20200522092705-bc8506ccbcf3
 github.com/matrix-org/gomatrix v0.0.0-20190528120928-7df988a63f26
-github.com/matrix-org/gomatrixserverlib v0.0.0-20200615161710-f69539c86ea5
+github.com/matrix-org/gomatrixserverlib v0.0.0-20200616150727-7ac22b6f8e65
 github.com/matrix-org/naffka v0.0.0-20200422140631-181f1ee7401f
 github.com/matrix-org/util v0.0.0-20190711121626-527ce5ddefc7
 github.com/mattn/go-sqlite3 v2.0.2+incompatible
diff --git a/go.sum b/go.sum
index 2578e175..3fa242c7 100644
--- a/go.sum
+++ b/go.sum
@@ -371,8 +371,8 @@ github.com/matrix-org/go-sqlite3-js v0.0.0-20200522092705-bc8506ccbcf3 h1:Yb+Wlf
 github.com/matrix-org/go-sqlite3-js v0.0.0-20200522092705-bc8506ccbcf3/go.mod h1:e+cg2q7C7yE5QnAXgzo512tgFh1RbQLC0+jozuegKgo=
 github.com/matrix-org/gomatrix v0.0.0-20190528120928-7df988a63f26 h1:Hr3zjRsq2bhrnp3Ky1qgx/fzCtCALOoGYylh2tpS9K4=
 github.com/matrix-org/gomatrix v0.0.0-20190528120928-7df988a63f26/go.mod h1:3fxX6gUjWyI/2Bt7J1OLhpCzOfO/bB3AiX0cJtEKud0=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20200615161710-f69539c86ea5 h1:VN7DoSFVkQF9Bv+TWuBWHLgAz9Nw9UiahFfe2oE6uiQ=
-github.com/matrix-org/gomatrixserverlib v0.0.0-20200615161710-f69539c86ea5/go.mod h1:JsAzE1Ll3+gDWS9JSUHPJiiyAksvOOnGWF2nXdg4ZzU=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20200616150727-7ac22b6f8e65 h1:2CcCcBnWdDPDOqFKiGOM+mi/KDDZXSTKmvFy/0/+ZJI=
+github.com/matrix-org/gomatrixserverlib v0.0.0-20200616150727-7ac22b6f8e65/go.mod h1:JsAzE1Ll3+gDWS9JSUHPJiiyAksvOOnGWF2nXdg4ZzU=
 github.com/matrix-org/naffka v0.0.0-20200422140631-181f1ee7401f h1:pRz4VTiRCO4zPlEMc3ESdUOcW4PXHH4Kj+YDz1XyE+Y=
 github.com/matrix-org/naffka v0.0.0-20200422140631-181f1ee7401f/go.mod h1:y0oDTjZDv5SM9a2rp3bl+CU+bvTRINQsdb7YlDql5Go=
 github.com/matrix-org/util v0.0.0-20190711121626-527ce5ddefc7 h1:ntrLa/8xVzeSs8vHFHK25k0C+NV74sYMJnNSg5NoSRo=
diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go
index 1a025f6f..3ce4ba39 100644
--- a/mediaapi/routing/download.go
+++ b/mediaapi/routing/download.go
@@ -21,6 +21,7 @@ import (
 "io"
 "mime"
 "net/http"
+ "net/url"
 "os"
 "path/filepath"
 "regexp"
@@ -302,7 +303,14 @@ func (r *downloadRequest) respondFromLocalFile(
 responseMetadata = r.MediaMetadata
 if len(responseMetadata.UploadName) > 0 {
- w.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename*=utf-8"%s"`, responseMetadata.UploadName))
+ uploadName, err := url.PathUnescape(string(responseMetadata.UploadName))
+ if err != nil {
+ return nil, fmt.Errorf("url.PathUnescape: %w", err)
+ }
+ w.Header().Set("Content-Disposition", fmt.Sprintf(
+ `inline; filename=utf-8"%s"`,
+ strings.ReplaceAll(uploadName, `"`, `\"`), // escape quote marks only, as per RFC6266
+ ))
 }
 }
diff --git a/mediaapi/routing/routing.go b/mediaapi/routing/routing.go
index 13f84c33..f8577826 100644
--- a/mediaapi/routing/routing.go
+++ b/mediaapi/routing/routing.go
@@ -16,6 +16,7 @@ package routing
 import (
 "net/http"
+ "strings"
 userapi "github.com/matrix-org/dendrite/userapi/api"
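Review bot: The escaping on the `strings.ReplaceAll` line in respondFromLocalFile only handles `"`, so an upload name that already contains a backslash before a quote turns into `\\"` inside the quoted-string, which ends the value early and lets the remainder of the client-supplied name be read as further Content-Disposition parameters; escape the backslash first, e.g. `strings.NewReplacer("\\", "\\\\", "\"", "\\\"").Replace(uploadName)`, since RFC 6266 quoted-strings use backslash as the quoted-pair escape. Go's net/http rewrites CR/LF in header values on write, so this does not split headers, but the parameter injection remains. The format string `inline; filename=utf-8"%s"` is also not a form the RFC defines: plain `filename="..."` takes an ASCII quoted-string and `filename*=UTF-8''<percent-encoded>` carries non-ASCII names, so the `net/url` import added above could serve `url.PathEscape` for the latter; worth checking against what sytest expects before changing it. respondFromLocalFile begins before this hunk.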
@@ -94,11 +95,24 @@ func makeDownloadAPI(
 util.SetCORSHeaders(w)
 // Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors
 w.Header().Set("Content-Type", "application/json")
+ vars, _ := httputil.URLDecodeMapValues(mux.Vars(req))
+ serverName := gomatrixserverlib.ServerName(vars["serverName"])
+
+ // For the purposes of loop avoidance, we will return a 404 if allow_remote is set to
+ // false in the query string and the target server name isn't our own.
+ // https://github.com/matrix-org/matrix-doc/pull/1265
+ if allowRemote := req.URL.Query().Get("allow_remote"); strings.ToLower(allowRemote) == "false" {
+ if serverName != cfg.Matrix.ServerName {
+ w.WriteHeader(http.StatusNotFound)
+ return
+ }
+ }
+
 Download(
 w,
 req,
- gomatrixserverlib.ServerName(vars["serverName"]),
+ serverName,
 types.MediaID(vars["mediaId"]),
 cfg,
 db,
diff --git a/sytest-whitelist b/sytest-whitelist
index e59d2df1..04c6f098 100644
--- a/sytest-whitelist
+++ b/sytest-whitelist
@@ -128,7 +128,7 @@ Outbound federation can send events
 # test for now.
 #Backfill checks the events requested belong to the room
 Can upload without a file name
-Can download without a file name locally
+#Can download without a file name locally
 Can upload with ASCII file name
 Can send image in room message
 AS cannot create users outside its own namespace
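Review bot: The loop-avoidance branch in makeDownloadAPI answers with a bare `w.WriteHeader(http.StatusNotFound)` and no body, although the handler has just set `Content-Type: application/json` and the comment two lines above promises JSON-formatted errors, so callers receive an empty JSON response. Write the same JSON not-found error body the rest of this handler uses for a missing media ID before the `return`, so a refused remote fetch and a genuine miss look alike to clients. The `vars, _ := httputil.URLDecodeMapValues(mux.Vars(req))` line (whether it is new here or context is not clear from the collapsed hunk) discards the decode error, so a malformed percent-escape in the path reaches `Download` with whatever the helper returned on failure; if that line is being touched, a 400 on error would be cleaner. The enclosing closure starts before this hunk and the `Download(` call continues past it.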
@@ -314,3 +314,16 @@ Invalid JSON special values
 Invalid JSON floats
 Outbound federation will ignore a missing event with bad JSON for room version 6
 Can download without a file name over federation
+POST /media/r0/upload can create an upload
+GET /media/r0/download can fetch the value again
+Remote users can join room by alias
+Alias creators can delete alias with no ops
+Alias creators can delete canonical alias with no ops
+Room members can override their displayname on a room-specific basis
+displayname updates affect room member events
+avatar_url updates affect room member events
+Real non-joined users can get individual state for world_readable rooms after leaving
+Can upload with Unicode file name
+POSTed media can be thumbnailed
+Remote media can be thumbnailed
+Can download with Unicode file name locally