authorAndrew Morgan <andrew@amorgan.xyz>2020-03-16 19:25:38 +0000
committerAndrew Morgan <andrew@amorgan.xyz>2020-03-16 19:25:38 +0000
commit699d6fc2f63dc7d12bf8962b3d2773e05c5679ff (patch)
tree068dadaa08c34c323dad4f642172a17fb3e351ab
parentMerge pull request #6331 from matrix-org/rav/url_preview_limit_title (diff)
parentMerge pull request #6334 from matrix-org/rav/url_preview_limit_title_2 (diff)
downloadsynapse-699d6fc2f63dc7d12bf8962b3d2773e05c5679ff.tar.xz
Merge pull request #6334 from matrix-org/rav/url_preview_limit_title_2
* commit '5570d1c93':
  Fix exception when OpenGraph tag values are ints
-rw-r--r--changelog.d/6334.feature1
-rw-r--r--synapse/rest/media/v1/preview_url_resource.py3
2 files changed, 3 insertions, 1 deletions
diff --git a/changelog.d/6334.feature b/changelog.d/6334.feature
new file mode 100644
index 0000000000..eaf69ef3f6
--- /dev/null
+++ b/changelog.d/6334.feature
@@ -0,0 +1 @@
+Limit the length of data returned by url previews, to prevent DoS attacks.
diff --git a/synapse/rest/media/v1/preview_url_resource.py b/synapse/rest/media/v1/preview_url_resource.py
index 69544b3711..15c15a12f5 100644
--- a/synapse/rest/media/v1/preview_url_resource.py
+++ b/synapse/rest/media/v1/preview_url_resource.py
@@ -278,7 +278,8 @@ class PreviewUrlResource(DirectServeResource):
         # filter out any stupidly long values
         keys_to_remove = []
         for k, v in og.items():
-            if len(k) > OG_TAG_NAME_MAXLEN or len(v) > OG_TAG_VALUE_MAXLEN:
+            # values can be numeric as well as strings, hence the cast to str
+            if len(k) > OG_TAG_NAME_MAXLEN or len(str(v)) > OG_TAG_VALUE_MAXLEN:
                 logger.warning(
                     "Pruning overlong tag %s from OG data", k[:OG_TAG_NAME_MAXLEN]
                 )
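Review bot: The `len(str(v))` change in the pruning condition has no regression test; the diffstat lists only the changelog entry and this file. Because this loop bounds data taken from a remote page, a test that passes an `og` dict holding an integer value and an overlong string value would pin both the no-exception path and the pruning. The limit is now measured on the string form while the stored value keeps its original type, so the comment could say that: `# values can be numeric as well as strings; the limit applies to the str() form and the value is left unchanged`. The enclosing method and the rest of the loop body lie outside the hunk, so what types can actually reach `og` is not visible here.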