From 106a335b7d4fcef8d204dfc15c7cf19f927e75d9 Mon Sep 17 00:00:00 2001 From: Neil Alexander Date: Tue, 12 May 2020 17:49:04 +0100 Subject: [PATCH 1/2] Update sytest-whitelist --- sytest-whitelist | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/sytest-whitelist b/sytest-whitelist index 6dbc7ab2b..035b9b36e 100644 --- a/sytest-whitelist +++ b/sytest-whitelist @@ -272,3 +272,10 @@ Inbound federation of state_ids requires event_id as a mandatory paramater Federation rejects inbound events where the prev_events cannot be found Outbound federation requests missing prev_events and then asks for /state_ids and resolves the state Alternative server names do not cause a routing loop +Events whose auth_events are in the wrong room do not mess up the room state +Inbound federation can return events +Inbound federation can return missing events for world_readable visibility +Inbound federation can return missing events for invite visibility +Inbound federation can get public room list +An event which redacts itself should be ignored +A pair of events which redact each other should be ignored From 31e6a7f1932c11d9b5b682ad06a5b8db9d74a44f Mon Sep 17 00:00:00 2001 From: Sid Karunaratne Date: Wed, 13 May 2020 19:04:54 +0800 Subject: [PATCH 2/2] Enforce `mediaIDRegex` to be only valid `mediaIDCharacters` (#1020) Error messages indicate that: > mediaId must be a non-empty string using only characters in `mediaIDCharacters` However the regex used only required that some characters in the filename match the restriction, not that the entire filename does. This commit ensures that the filename must entirely fullfill the `mediaIDCharacters` restriction Signed-off-by: Sid Karunaratne Co-authored-by: Kegsay --- mediaapi/routing/download.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go index 9feca90e9..75df313f6 100644 --- a/mediaapi/routing/download.go +++ b/mediaapi/routing/download.go @@ -43,7 +43,7 @@ import ( const mediaIDCharacters = "A-Za-z0-9_=-" // Note: unfortunately regex.MustCompile() cannot be assigned to a const -var mediaIDRegex = regexp.MustCompile("[" + mediaIDCharacters + "]+") +var mediaIDRegex = regexp.MustCompile("^[" + mediaIDCharacters + "]+$") // downloadRequest metadata included in or derivable from a download or thumbnail request // https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid