diff options
author | Travis Ralston <travisr@matrix.org> | 2023-05-09 12:08:51 -0600 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-09 14:08:51 -0400 |
commit | ab4535b6082db97e8c48a69ea6674fe3b7c5e956 (patch) | |
tree | 68c545c1409c39ba43070ab21b2315e45d1415ea /synapse/rest/media/thumbnail_resource.py | |
parent | Merge branch 'master' into develop (diff) | |
download | synapse-ab4535b6082db97e8c48a69ea6674fe3b7c5e956.tar.xz |
Add config option to prevent media downloads from listed domains. (#15197)
This stops media (and thumbnails) from being accessed from the listed domains. It does not delete any already locally cached media, but will prevent accessing it. Note that admin APIs are unaffected by this change.
Diffstat (limited to 'synapse/rest/media/thumbnail_resource.py')
-rw-r--r-- | synapse/rest/media/thumbnail_resource.py | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/synapse/rest/media/thumbnail_resource.py b/synapse/rest/media/thumbnail_resource.py index a6396fb05a..661e604b85 100644 --- a/synapse/rest/media/thumbnail_resource.py +++ b/synapse/rest/media/thumbnail_resource.py @@ -60,6 +60,7 @@ class ThumbnailResource(DirectServeJsonResource): self.media_storage = media_storage self.dynamic_thumbnails = hs.config.media.dynamic_thumbnails self._is_mine_server_name = hs.is_mine_server_name + self.prevent_media_downloads_from = hs.config.media.prevent_media_downloads_from async def _async_render_GET(self, request: SynapseRequest) -> None: set_cors_headers(request) @@ -82,6 +83,14 @@ class ThumbnailResource(DirectServeJsonResource): ) self.media_repo.mark_recently_accessed(None, media_id) else: + # Don't let users download media from configured domains, even if it + # is already downloaded. This is Trust & Safety tooling to make some + # media inaccessible to local users. + # See `prevent_media_downloads_from` config docs for more info. + if server_name in self.prevent_media_downloads_from: + respond_404(request) + return + if self.dynamic_thumbnails: await self._select_or_generate_remote_thumbnail( request, server_name, media_id, width, height, method, m_type |