author | Patrick Cloke <clokep@users.noreply.github.com> | 2020-12-04 10:51:56 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-04 10:51:56 -0500 |
commit | b774c555d821170e4f16de7d48f01484c3a1d740 (patch) | |
tree | 5e111a35806ba3403c372cb65d8b737a93d06011 /synapse/push/httppusher.py | |
parent | Do not 500 if the content-length is not provided when uploading media. (#8862) (diff) | |
Add additional validation to pusher URLs. (#8865)
Pusher URLs now must end in `/_matrix/push/v1/notify` per the specification.
Diffstat (limited to 'synapse/push/httppusher.py')
-rw-r--r-- | synapse/push/httppusher.py | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/synapse/push/httppusher.py b/synapse/push/httppusher.py
index 0e845212a9..6a0ee8274c 100644
--- a/synapse/push/httppusher.py
+++ b/synapse/push/httppusher.py
@@ -14,6 +14,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import logging
+import urllib.parse
 from prometheus_client import Counter
@@ -97,9 +98,22 @@ class HttpPusher:
 if self.data is None:
 raise PusherConfigException("data can not be null for HTTP pusher")
+ # Validate that there's a URL and it is of the proper form.
 if "url" not in self.data:
 raise PusherConfigException("'url' required in data for HTTP pusher")
- self.url = self.data["url"]
+
+ url = self.data["url"]
+ if not isinstance(url, str):
+ raise PusherConfigException("'url' must be a string")
+ url_parts = urllib.parse.urlparse(url)
+ # Note that the specification also says the scheme must be HTTPS, but
+ # it isn't up to the homeserver to verify that.
+ if url_parts.path != "/_matrix/push/v1/notify":
+ raise PusherConfigException(
+ "'url' must have a path of '/_matrix/push/v1/notify'"
+ )
+
+ self.url = url
 self.http_client = hs.get_proxied_blacklisted_http_client()
 self.data_minus_url = {}
 self.data_minus_url.update(self.data) |
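Review bot: The new `urllib.parse.urlparse(url)` call in the second hunk can raise `ValueError` on malformed input (for example an unbalanced `[` in the host part), and that would leave the constructor as something other than the `PusherConfigException` every other check here raises. The path comparison also accepts a value with no scheme or host at all, since a bare `/_matrix/push/v1/notify` parses to exactly that path; that is separate from the HTTPS question the added comment sets aside. Which hosts may be reached is presumably left to the client returned by `get_proxied_blacklisted_http_client()`, so this check only needs to reject values that are not absolute URLs. The enclosing method starts and ends outside the hunk, so how callers handle `PusherConfigException` is not visible here.

```python
url = self.data["url"]
# … unchanged: isinstance(url, str) check …
try:
    url_parts = urllib.parse.urlparse(url)
except ValueError:
    # urlparse rejects some malformed hosts; report it as a config error.
    raise PusherConfigException("'url' is not a valid URL")
if not url_parts.scheme or not url_parts.netloc:
    raise PusherConfigException("'url' must be an absolute URL")
# … unchanged: path check and self.url assignment …
```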