mirrors/dendrite
1
0
Fork 0
mirror of https://github.com/matrix-org/dendrite.git synced 2025-12-21 05:43:09 -06:00
Code Issues Packages Projects Releases Wiki Activity

Loop avoidance

Browse source
This commit is contained in:
Neil Alexander 2020-06-16 16:16:28 +01:00
parent 73939cb50a
commit 0e2375c3b2
1 changed files with 15 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
mediaapi/routing/routing.go
View file

@ -16,6 +16,7 @@ package routing
import ( import (
"net/http" "net/http"
"strings"
userapi "github.com/matrix-org/dendrite/userapi/api" userapi "github.com/matrix-org/dendrite/userapi/api"
@ -94,11 +95,24 @@ func makeDownloadAPI(
util.SetCORSHeaders(w) util.SetCORSHeaders(w)
// Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors // Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors
w.Header().Set("Content-Type", "application/json") w.Header().Set("Content-Type", "application/json")
vars, _ := httputil.URLDecodeMapValues(mux.Vars(req)) vars, _ := httputil.URLDecodeMapValues(mux.Vars(req))
serverName := gomatrixserverlib.ServerName(vars["serverName"])
// For the purposes of loop avoidance, we will return a 404 if allow_remote is set to
// false in the query string and the target server name isn't our own.
// https://github.com/matrix-org/matrix-doc/pull/1265
if allowRemote := req.URL.Query().Get("allow_remote"); strings.ToLower(allowRemote) == "false" {
if serverName != cfg.Matrix.ServerName {
w.WriteHeader(http.StatusNotFound)
return
}
}
Download( Download(
w, w,
req, req,
gomatrixserverlib.ServerName(vars["serverName"]), serverName,
types.MediaID(vars["mediaId"]), types.MediaID(vars["mediaId"]),
cfg, cfg,
db, db,