diff options
author | Denis Kasak <dkasak@termina.org.uk> | 2022-02-10 15:43:01 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-02-10 15:43:01 +0000 |
commit | 337f38cac38bc57bc6a3cc8b319e3079c60c4549 (patch) | |
tree | 15d58bea7ff37ac3d515c93984fc49417d670941 /synapse/rest/media/v1 | |
parent | Fix broken link in README to admin API. (#11955) (diff) | |
download | synapse-337f38cac38bc57bc6a3cc8b319e3079c60c4549.tar.xz |
Implement a content type allow list for URL previews (#11936)
This implements an allow list for content types for which Synapse will attempt URL preview. If a URL resolves to a resource with a content type which isn't in the list, the download will terminate immediately. This makes sense given that Synapse would never successfully generate a URL preview for such files in the first place, and helps prevent issues with streaming media servers, such as #8302. Signed-off-by: Denis Kasak dkasak@termina.org.uk
Diffstat (limited to 'synapse/rest/media/v1')
-rw-r--r-- | synapse/rest/media/v1/preview_url_resource.py | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/synapse/rest/media/v1/preview_url_resource.py b/synapse/rest/media/v1/preview_url_resource.py index efd84ced8f..8d3d1e54dc 100644 --- a/synapse/rest/media/v1/preview_url_resource.py +++ b/synapse/rest/media/v1/preview_url_resource.py @@ -403,6 +403,7 @@ class PreviewUrlResource(DirectServeJsonResource): output_stream=output_stream, max_size=self.max_spider_size, headers={"Accept-Language": self.url_preview_accept_language}, + is_allowed_content_type=_is_previewable, ) except SynapseError: # Pass SynapseErrors through directly, so that the servlet @@ -761,3 +762,10 @@ def _is_html(content_type: str) -> bool: def _is_json(content_type: str) -> bool: return content_type.lower().startswith("application/json") + + +def _is_previewable(content_type: str) -> bool: + """Returns True for content types for which we will perform URL preview and False + otherwise.""" + + return _is_html(content_type) or _is_media(content_type) or _is_json(content_type) |