summary refs log tree commit diff
diff options
context:
space:
mode:
authorRichard van der Hoff <1389908+richvdh@users.noreply.github.com>2019-11-05 17:28:11 +0000
committerGitHub <noreply@github.com>2019-11-05 17:28:11 +0000
commit5570d1c93fc9611cafb79ade47fdc195e0d6ab81 (patch)
tree49a76473cfb2ada8c716b69d467f2995e09ee577
parentMerge pull request #6331 from matrix-org/rav/url_preview_limit_title (diff)
parentFix exception when OpenGraph tag values are ints (diff)
downloadsynapse-5570d1c93fc9611cafb79ade47fdc195e0d6ab81.tar.xz
Merge pull request #6334 from matrix-org/rav/url_preview_limit_title_2
Fix exception when OpenGraph tag values are ints
-rw-r--r--changelog.d/6334.feature1
-rw-r--r--synapse/rest/media/v1/preview_url_resource.py3
2 files changed, 3 insertions, 1 deletions
diff --git a/changelog.d/6334.feature b/changelog.d/6334.feature
new file mode 100644
index 0000000000..eaf69ef3f6
--- /dev/null
+++ b/changelog.d/6334.feature
@@ -0,0 +1 @@
+Limit the length of data returned by url previews, to prevent DoS attacks.
diff --git a/synapse/rest/media/v1/preview_url_resource.py b/synapse/rest/media/v1/preview_url_resource.py
index 69544b3711..15c15a12f5 100644
--- a/synapse/rest/media/v1/preview_url_resource.py
+++ b/synapse/rest/media/v1/preview_url_resource.py
@@ -278,7 +278,8 @@ class PreviewUrlResource(DirectServeResource):
         # filter out any stupidly long values
         keys_to_remove = []
         for k, v in og.items():
-            if len(k) > OG_TAG_NAME_MAXLEN or len(v) > OG_TAG_VALUE_MAXLEN:
+            # values can be numeric as well as strings, hence the cast to str
+            if len(k) > OG_TAG_NAME_MAXLEN or len(str(v)) > OG_TAG_VALUE_MAXLEN:
                 logger.warning(
                     "Pruning overlong tag %s from OG data", k[:OG_TAG_NAME_MAXLEN]
                 )