Limit the number of events that can be requested when backfilling events (#6864)

Limit the maximum number of events requested when backfilling events.

2 files changed, 5 insertions, 0 deletions

diff --git a/changelog.d/6864.misc b/changelog.d/6864.misc
new file mode 100644
index 0000000000..d24eb68460
--- /dev/null
+++ b/changelog.d/6864.misc
@@ -0,0 +1 @@
+Limit the number of events that can be requested by the backfill federation API to 100.
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index 10e8b6ea4c..eb20ef4aec 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -1788,6 +1788,9 @@ class FederationHandler(BaseHandler):
         if not in_room:
             raise AuthError(403, "Host not in room.")
 
+        # Synapse asks for 100 events per backfill request. Do not allow more.
+        limit = min(limit, 100)
+
         events = yield self.store.get_backfill_events(room_id, pdu_list, limit)
 
         events = yield filter_events_for_server(self.storage, origin, events)
@@ -2168,6 +2171,7 @@ class FederationHandler(BaseHandler):
         if not in_room:
             raise AuthError(403, "Host not in room.")
 
+        # Only allow up to 20 events to be retrieved per request.
         limit = min(limit, 20)
 
         missing_events = await self.store.get_missing_events(