Update whitelist for sytest media fix (#1137)

* Update sytest-whitelist, are-we-synapse-yet.list * Update gomatrixserverlib * Update gomatrixserverlib * Loop avoidance * Return UTF-8 filenames * Replace quotes only, instead of using strconv.Quote * Update sytest-whitelist * Update sytest-whitelist
2025-07-29 12:42:46 +00:00 · 2020-06-16 18:31:38 +01:00 · 2020-06-16 18:31:38 +01:00 · 04c99092a4
commit 04c99092a4
parent e15a8042a1
6 changed files with 43 additions and 8 deletions
--- a/mediaapi/routing/download.go
+++ b/mediaapi/routing/download.go
@ -21,6 +21,7 @@ import (
 	"io"
 	"mime"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"regexp"
@ -302,7 +303,14 @@ func (r *downloadRequest) respondFromLocalFile(
 		responseMetadata = r.MediaMetadata

 		if len(responseMetadata.UploadName) > 0 {
-			w.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename*=utf-8"%s"`, responseMetadata.UploadName))
+			uploadName, err := url.PathUnescape(string(responseMetadata.UploadName))
+			if err != nil {
+				return nil, fmt.Errorf("url.PathUnescape: %w", err)
+			}
+			w.Header().Set("Content-Disposition", fmt.Sprintf(
+				`inline; filename=utf-8"%s"`,
+				strings.ReplaceAll(uploadName, `"`, `\"`), // escape quote marks only, as per RFC6266
+			))
 		}
 	}

--- a/mediaapi/routing/routing.go
+++ b/mediaapi/routing/routing.go
@ -16,6 +16,7 @@ package routing

 import (
 	"net/http"
+	"strings"

 	userapi "github.com/matrix-org/dendrite/userapi/api"

@ -94,11 +95,24 @@ func makeDownloadAPI(
 		util.SetCORSHeaders(w)
 		// Content-Type will be overridden in case of returning file data, else we respond with JSON-formatted errors
 		w.Header().Set("Content-Type", "application/json")
+
 		vars, _ := httputil.URLDecodeMapValues(mux.Vars(req))
+		serverName := gomatrixserverlib.ServerName(vars["serverName"])
+
+		// For the purposes of loop avoidance, we will return a 404 if allow_remote is set to
+		// false in the query string and the target server name isn't our own.
+		// https://github.com/matrix-org/matrix-doc/pull/1265
+		if allowRemote := req.URL.Query().Get("allow_remote"); strings.ToLower(allowRemote) == "false" {
+			if serverName != cfg.Matrix.ServerName {
+				w.WriteHeader(http.StatusNotFound)
+				return
+			}
+		}
+
 		Download(
 			w,
 			req,
-			gomatrixserverlib.ServerName(vars["serverName"]),
+			serverName,
 			types.MediaID(vars["mediaId"]),
 			cfg,
 			db,