diff options
author | Brendan Abolivier <babolivier@matrix.org> | 2022-01-28 14:41:33 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-28 15:41:33 +0100 |
commit | bf60da1a60096fac5fb778b732ff2214862ac808 (patch) | |
tree | 494a272a37f8d6ce5be677d5bc828a652b440c58 /synapse/handlers/room_member.py | |
parent | Pass `isolation_level` to `runWithConnection` (#11847) (diff) | |
download | synapse-bf60da1a60096fac5fb778b732ff2214862ac808.tar.xz |
Configurable limits on avatars (#11846)
Only allow files which file size and content types match configured limits to be set as avatar. Most of the inspiration from the non-test code comes from matrix-org/synapse-dinsic#19
Diffstat (limited to '')
-rw-r--r-- | synapse/handlers/room_member.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/synapse/handlers/room_member.py b/synapse/handlers/room_member.py index 6aa910dd10..3dd5e1b6e4 100644 --- a/synapse/handlers/room_member.py +++ b/synapse/handlers/room_member.py @@ -590,6 +590,12 @@ class RoomMemberHandler(metaclass=abc.ABCMeta): errcode=Codes.BAD_JSON, ) + if "avatar_url" in content: + if not await self.profile_handler.check_avatar_size_and_mime_type( + content["avatar_url"], + ): + raise SynapseError(403, "This avatar is not allowed", Codes.FORBIDDEN) + # The event content should *not* include the authorising user as # it won't be properly signed. Strip it out since it might come # back from a client updating a display name / avatar. |