From 5acbe09b6773d003c35d78a08605d70ff40ba365 Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Sat, 27 Aug 2016 00:20:13 +0100 Subject: warn people to avoid running a HS media repository on the same domain as another webapp --- README.rst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'README.rst') diff --git a/README.rst b/README.rst index 172dd4dfa0..323f5b8db7 100644 --- a/README.rst +++ b/README.rst @@ -199,6 +199,21 @@ run (e.g. ``~/.synapse``), and:: source ./bin/activate synctl start +Security Note +============= + +Matrix serves raw user generated data in some APIs - specifically the content +repository endpoints: http://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid +Whilst we have tried to mitigate against possible XSS attacks (e.g. +https://github.com/matrix-org/synapse/pull/1021) we recommend running +matrix homeservers on a dedicated domain name, to limit any malicious user generated +content served to web browsers a matrix API from being able to attack webapps hosted +on the same domain. This is particularly true of sharing a matrix webclient and +server on the same domain. + +See https://github.com/vector-im/vector-web/issues/1977 and +https://developer.github.com/changes/2014-04-25-user-content-security for more details. + Using PostgreSQL ================ -- cgit 1.4.1 From b3be9e4376b976a5cc4b37d70c4985342d5c30cb Mon Sep 17 00:00:00 2001 From: Fabian Niepelt Date: Tue, 30 Aug 2016 15:03:03 +0200 Subject: Add prerequisites to install on openSUSE to README Signed-off-by: Fabian Niepelt --- README.rst | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'README.rst') diff --git a/README.rst b/README.rst index 323f5b8db7..358038ade0 100644 --- a/README.rst +++ b/README.rst 
@@ -134,6 +134,12 @@ Installing prerequisites on Raspbian:: sudo pip install --upgrade ndg-httpsclient sudo pip install --upgrade virtualenv +Installing prerequisites on openSUSE:: + + sudo zypper in -t pattern devel_basis + sudo zypper in python-pip python-setuptools sqlite3 python-virtualenv \ + python-devel libffi-devel libopenssl-devel libjpeg62-devel + To install the synapse homeserver run:: virtualenv -p python2.7 ~/.synapse -- cgit 1.4.1 From 928d337c168582c902d0f664857855d41206a117 Mon Sep 17 00:00:00 2001 From: Matthew Hodgson Date: Tue, 30 Aug 2016 15:33:05 +0100 Subject: Remove FUD over psql --- README.rst | 3 --- 1 file changed, 3 deletions(-) (limited to 'README.rst') diff --git a/README.rst b/README.rst index 323f5b8db7..9eebed784b 100644 --- a/README.rst +++ b/README.rst @@ -230,9 +230,6 @@ The advantages of Postgres include: pointing at the same DB master, as well as enabling DB replication in synapse itself. -The only disadvantage is that the code is relatively new as of April 2015 and -may have a few regressions relative to SQLite. - For information on how to install and use PostgreSQL, please see `docs/postgres.rst `_. -- cgit 1.4.1
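Review bot: In the first hunk (the new "Security Note" section), the sentence "to limit any malicious user generated content served to web browsers a matrix API from being able to attack webapps hosted on the same domain" is missing a word and is hard to parse; suggest "to limit any malicious user-generated content served to web browsers via a Matrix API from being able to attack webapps hosted on the same domain", and the spec link would be better as an https:// URL so the security section does not point readers at a plain-http reference.

Review bot: In the second hunk (the new "Installing prerequisites on openSUSE::" block), the package list is not tied to a particular openSUSE release, unlike a reader would need to know whether it was verified on Leap or Tumbleweed; suggest a short parenthetical naming the release the list was tested on, since the other distribution blocks in this section are the only guidance a user has and package names can differ between releases.

Review bot: In the third hunk, the removed paragraph was the only caveat in the PostgreSQL section, and the commit message ("Remove FUD over psql") does not say why it no longer applies; suggest the commit message state that the "relatively new as of April 2015" warning is out of date so the reasoning is recorded, and confirm that the remaining text still reads cleanly, since the advantages list now runs straight into "For information on how to install and use PostgreSQL".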