author | Richard van der Hoff <1389908+richvdh@users.noreply.github.com> | 2019-11-05 17:28:11 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-11-05 17:28:11 +0000 |
commit | 5570d1c93fc9611cafb79ade47fdc195e0d6ab81 (patch) | |
tree | 49a76473cfb2ada8c716b69d467f2995e09ee577 | |
parent | Merge pull request #6331 from matrix-org/rav/url_preview_limit_title (diff) | |
parent | Fix exception when OpenGraph tag values are ints (diff) | |
download | synapse-5570d1c93fc9611cafb79ade47fdc195e0d6ab81.tar.xz |
Merge pull request #6334 from matrix-org/rav/url_preview_limit_title_2
Fix exception when OpenGraph tag values are ints
-rw-r--r-- | changelog.d/6334.feature | 1 | ||||
-rw-r--r-- | synapse/rest/media/v1/preview_url_resource.py | 3 |
2 files changed, 3 insertions, 1 deletions
diff --git a/changelog.d/6334.feature b/changelog.d/6334.feature
new file mode 100644
index 0000000000..eaf69ef3f6
--- /dev/null
+++ b/changelog.d/6334.feature
@@ -0,0 +1 @@
+Limit the length of data returned by url previews, to prevent DoS attacks.
diff --git a/synapse/rest/media/v1/preview_url_resource.py b/synapse/rest/media/v1/preview_url_resource.py
index 69544b3711..15c15a12f5 100644
--- a/synapse/rest/media/v1/preview_url_resource.py
+++ b/synapse/rest/media/v1/preview_url_resource.py
@@ -278,7 +278,8 @@ class PreviewUrlResource(DirectServeResource):
 # filter out any stupidly long values
 keys_to_remove = []
 for k, v in og.items():
- if len(k) > OG_TAG_NAME_MAXLEN or len(v) > OG_TAG_VALUE_MAXLEN:
+ # values can be numeric as well as strings, hence the cast to str
+ if len(k) > OG_TAG_NAME_MAXLEN or len(str(v)) > OG_TAG_VALUE_MAXLEN:
 logger.warning(
 "Pruning overlong tag %s from OG data", k[:OG_TAG_NAME_MAXLEN]
 ) |
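Review bot: The `len(k)` call and the `k[:OG_TAG_NAME_MAXLEN]` slice in the same condition still assume every key is a string, so only the value side of this guard is type-tolerant after the change. If keys can only be parsed tag names that holds, but the comment should say so, for example `# keys are always str; values may be non-str (e.g. int), so measure their string form`. This loop is the size limit the changelog describes as DoS protection, and an exception raised inside it presumably fails the preview request instead of pruning the tag. A regression test that passes an int-valued tag and an overlong string value through the loop would pin both behaviours; none is visible in this commit. The loop body and the enclosing method continue outside the hunk.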