author | Matthew Hodgson <matthew@matrix.org> | 2020-02-10 09:36:23 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-02-10 09:36:23 +0000 |
commit | 8e64c5a24c26a733c0cfd3e997ea4079ae457096 (patch) | |
tree | 8a154dda1769cb948d1a084b3eb7eef64d9a5131 | |
parent | Update setuptools for python 3.5 tests (#6880) (diff) | |
download | synapse-8e64c5a24c26a733c0cfd3e997ea4079ae457096.tar.xz |
filter out m.room.aliases from the CS API until a better solution is specced (#6878)
We're in the middle of properly mitigating spam caused by malicious aliases being added to a room. However, until this work fully lands, we temporarily filter out all m.room.aliases events from /sync and /messages on the CS API, so that abusive aliases are hidden from clients. This is considered acceptable as m.room.aliases events were never a reliable record of the given alias->id mapping and were purely informational, and in their current state do more harm than good.
-rw-r--r-- | changelog.d/6878.feature | 1 | ||||
-rw-r--r-- | synapse/visibility.py | 7 |
2 files changed, 8 insertions, 0 deletions
diff --git a/changelog.d/6878.feature b/changelog.d/6878.feature
new file mode 100644
index 0000000000..af3e958a43
--- /dev/null
+++ b/changelog.d/6878.feature
@@ -0,0 +1 @@
+Filter out m.room.aliases from the CS API to mitigate abuse while a better solution is specced.
diff --git a/synapse/visibility.py b/synapse/visibility.py
index 100dc47a8a..d0abd8f04f 100644
--- a/synapse/visibility.py
+++ b/synapse/visibility.py
@@ -122,6 +122,13 @@ def filter_events_for_client(
 if not event.is_state() and event.sender in ignore_list:
 return None
 
+ # Until MSC2261 has landed we can't redact malicious alias events, so for
+ # now we temporarily filter out m.room.aliases entirely to mitigate
+ # abuse, while we spec a better solution to advertising aliases
+ # on rooms.
+ if event.type == EventTypes.Aliases:
+ return None
+
 # Don't try to apply the room's retention policy if the event is a state event, as
 # MSC1763 states that retention is only considered for non-state events.
 if apply_retention_policies and not event.is_state(): |
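Review bot: The new `if event.type == EventTypes.Aliases: return None` hides m.room.aliases only from callers that go through filter_events_for_client, so any CS path that serves room state without it — presumably the `state` section of /sync, /rooms/{roomId}/state and initial-sync state — would still expose the abusive aliases, and coverage against those callers should be confirmed before this is relied on as the mitigation. The events are not redacted or removed, so they remain in room state, in the database and on federation; the added comment describes the motivation but not this limited scope. A comment such as `# NOTE: this only hides aliases from clients served via this filter; the events remain in room state and over federation — remove once MSC2261 lands` would make the scope of the temporary measure explicit to the next maintainer. Since the filter is unconditional and hardcoded, an issue reference for its removal alongside the MSC number would help it not outlive its motivation. The enclosing function filter_events_for_client starts before and ends after this hunk.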