Configurable limits on avatars (#11846)

Only allow files which file size and content types match configured limits to be set as avatar. Most of the inspiration from the non-test code comes from matrix-org/synapse-dinsic#19
author: Brendan Abolivier <babolivier@matrix.org> 2022-01-28 14:41:33 +0000
committer: GitHub <noreply@github.com> 2022-01-28 15:41:33 +0100
commit: bf60da1a60096fac5fb778b732ff2214862ac808 (patch)
tree: 494a272a37f8d6ce5be677d5bc828a652b440c58 /synapse/handlers/room_member.py
parent: Pass `isolation_level` to `runWithConnection` (#11847) (diff)
download: synapse-bf60da1a60096fac5fb778b732ff2214862ac808.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/synapse/handlers/room_member.py b/synapse/handlers/room_member.py
index 6aa910dd10..3dd5e1b6e4 100644
--- a/synapse/handlers/room_member.py
+++ b/synapse/handlers/room_member.py
@@ -590,6 +590,12 @@ class RoomMemberHandler(metaclass=abc.ABCMeta):
                 errcode=Codes.BAD_JSON,
             )
 
+        if "avatar_url" in content:
+            if not await self.profile_handler.check_avatar_size_and_mime_type(
+                content["avatar_url"],
+            ):
+                raise SynapseError(403, "This avatar is not allowed", Codes.FORBIDDEN)
+
         # The event content should *not* include the authorising user as
         # it won't be properly signed. Strip it out since it might come
         # back from a client updating a display name / avatar.
author	Brendan Abolivier <babolivier@matrix.org>	2022-01-28 14:41:33 +0000
committer	GitHub <noreply@github.com>	2022-01-28 15:41:33 +0100
commit	bf60da1a60096fac5fb778b732ff2214862ac808 (patch)
tree	494a272a37f8d6ce5be677d5bc828a652b440c58 /synapse/handlers/room_member.py
parent	Pass `isolation_level` to `runWithConnection` (#11847) (diff)
download	synapse-bf60da1a60096fac5fb778b732ff2214862ac808.tar.xz