diff options
| author | Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> | 2019-09-23 21:23:20 +0200 |
|---|---|---|
| committer | Richard van der Hoff <1389908+richvdh@users.noreply.github.com> | 2019-09-23 20:23:20 +0100 |
| commit | e08ea43463bacd5efacbf6c790c6be0f3cd06ce6 (patch) | |
| tree | 19f98e18e1ea719bc533b653a3e57c96e7e98fe5 /synapse/config/server.py | |
| parent | Add m.id_access_token to /versions unstable_features (MSC2264) (#5974) (diff) | |
| download | synapse-e08ea43463bacd5efacbf6c790c6be0f3cd06ce6.tar.xz | |
Use the federation blacklist for requests to untrusted Identity Servers (#6000)
Uses a SimpleHttpClient instance equipped with the federation_ip_range_blacklist list for requests to identity servers provided by user input. Does not use a blacklist when contacting identity servers specified by account_threepid_delegates. The homeserver trusts the latter and we don't want to prevent homeserver admins from specifying delegates that are on internal IP addresses. Fixes #5935
Diffstat (limited to 'synapse/config/server.py')
| -rw-r--r-- | synapse/config/server.py | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/synapse/config/server.py b/synapse/config/server.py index 7f8d315954..419787a89c 100644 --- a/synapse/config/server.py +++ b/synapse/config/server.py @@ -545,6 +545,9 @@ class ServerConfig(Config): # blacklist IP address CIDR ranges. If this option is not specified, or # specified with an empty list, no ip range blacklist will be enforced. # + # As of Synapse v1.4.0 this option also affects any outbound requests to identity + # servers provided by user input. + # # (0.0.0.0 and :: are always blacklisted, whether or not they are explicitly # listed here, since they correspond to unroutable addresses.) # |