backups/grapevine
1
0
Fork 0
mirror of https://gitlab.computer.surgery/matrix/grapevine.git synced 2025-12-17 07:41:23 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Disable unauthenticated media access

Browse source
This commit is contained in:
Lambda 2024-09-18 19:59:51 +00:00
parent b9ee898920
commit 0d6a7eb968
3 changed files with 30 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

3
book/changelog.md
View file

@ -128,6 +128,9 @@ This will be the first release of Grapevine since it was forked from Conduit
11. Try to generate thumbnails for remote media ourselves if the federation 11. Try to generate thumbnails for remote media ourselves if the federation
thumbnail request fails. thumbnail request fails.
([!58](https://gitlab.computer.surgery/matrix/grapevine-fork/-/merge_requests/58)) ([!58](https://gitlab.computer.surgery/matrix/grapevine-fork/-/merge_requests/58))
12. **BREAKING:** Disable unauthenticated access to media by default, set the
`serve_media_unauthenticated` config option to `true` to enable it.
([!103](https://gitlab.computer.surgery/matrix/grapevine-fork/-/merge_requests/103))
### Fixed ### Fixed

2
src/config.rs
View file

@ -60,6 +60,8 @@ pub(crate) struct Config {
pub(crate) allow_encryption: bool, pub(crate) allow_encryption: bool,
#[serde(default = "true_fn")] #[serde(default = "true_fn")]
pub(crate) allow_room_creation: bool, pub(crate) allow_room_creation: bool,
#[serde(default = "false_fn")]
pub(crate) serve_media_unauthenticated: bool,
#[serde(default = "default_default_room_version")] #[serde(default = "default_default_room_version")]
pub(crate) default_room_version: RoomVersionId, pub(crate) default_room_version: RoomVersionId,
#[serde(default)] #[serde(default)]

31
src/main.rs
View file

@ -408,12 +408,24 @@ fn routes(config: &Config) -> Router {
.ruma_route(c2s::turn_server_route) .ruma_route(c2s::turn_server_route)
.ruma_route(c2s::send_event_to_device_route); .ruma_route(c2s::send_event_to_device_route);
// unauthenticated (legacy) media // deprecated, but unproblematic
let router = router let router = router.ruma_route(c2s::get_media_config_legacy_route);
.ruma_route(c2s::get_media_config_legacy_route) let router = if config.serve_media_unauthenticated {
.ruma_route(c2s::get_content_legacy_route) router
.ruma_route(c2s::get_content_as_filename_legacy_route) .ruma_route(c2s::get_content_legacy_route)
.ruma_route(c2s::get_content_thumbnail_legacy_route); .ruma_route(c2s::get_content_as_filename_legacy_route)
.ruma_route(c2s::get_content_thumbnail_legacy_route)
} else {
router
.route(
"/_matrix/media/v3/download/*path",
any(unauthenticated_media_disabled),
)
.route(
"/_matrix/media/v3/thumbnail/*path",
any(unauthenticated_media_disabled),
)
};
// authenticated media // authenticated media
let router = router let router = router
@ -570,6 +582,13 @@ async fn federation_disabled(_: Uri) -> impl IntoResponse {
Error::bad_config("Federation is disabled.") Error::bad_config("Federation is disabled.")
} }
async fn unauthenticated_media_disabled(_: Uri) -> impl IntoResponse {
Error::BadRequest(
ErrorKind::NotFound,
"Unauthenticated media access is disabled",
)
}
async fn not_found(method: Method, uri: Uri) -> impl IntoResponse { async fn not_found(method: Method, uri: Uri) -> impl IntoResponse {
debug!(%method, %uri, "Unknown route"); debug!(%method, %uri, "Unknown route");
Error::BadRequest(ErrorKind::Unrecognized, "Unrecognized request") Error::BadRequest(ErrorKind::Unrecognized, "Unrecognized request")