diff options
author | Travis Ralston <travisr@matrix.org> | 2023-05-09 12:08:51 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-09 14:08:51 -0400 |
commit | ab4535b6082db97e8c48a69ea6674fe3b7c5e956 (patch) | |
tree | 68c545c1409c39ba43070ab21b2315e45d1415ea /synapse/media/media_repository.py | |
parent | Merge branch 'master' into develop (diff) | |
download | synapse-ab4535b6082db97e8c48a69ea6674fe3b7c5e956.tar.xz |
Add config option to prevent media downloads from listed domains. (#15197)
This stops media (and thumbnails) from being accessed from the listed domains. It does not delete any already locally cached media, but will prevent accessing it. Note that admin APIs are unaffected by this change.
Diffstat (limited to 'synapse/media/media_repository.py')
-rw-r--r-- | synapse/media/media_repository.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/synapse/media/media_repository.py b/synapse/media/media_repository.py index b81e3c2b0c..e81c987b10 100644 --- a/synapse/media/media_repository.py +++ b/synapse/media/media_repository.py @@ -93,6 +93,7 @@ class MediaRepository: self.federation_domain_whitelist = ( hs.config.federation.federation_domain_whitelist ) + self.prevent_media_downloads_from = hs.config.media.prevent_media_downloads_from # List of StorageProviders where we should search for media and # potentially upload to. @@ -276,6 +277,14 @@ class MediaRepository: ): raise FederationDeniedError(server_name) + # Don't let users download media from domains listed in the config, even + # if we might have the media to serve. This is Trust & Safety tooling to + # block some servers' media from being accessible to local users. + # See `prevent_media_downloads_from` config docs for more info. + if server_name in self.prevent_media_downloads_from: + respond_404(request) + return + self.mark_recently_accessed(server_name, media_id) # We linearize here to ensure that we don't try and download remote |