Merge remote-tracking branch 'upstream/release-v1.41'

2025-08-16 22:20:12 -04:00 · 2021-08-18 18:12:12 +03:00 · 2021-08-18 18:12:12 +03:00 · f285b4200c
commit f285b4200c
parent 6615884ffe e328d8ffd9
237 changed files with 9601 additions and 6005 deletions
--- a/synapse/config/repository.py
+++ b/synapse/config/repository.py
@ -12,9 +12,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

+import logging
 import os
 from collections import namedtuple
 from typing import Dict, List
+from urllib.request import getproxies_environment  # type: ignore

 from synapse.config.server import DEFAULT_IP_RANGE_BLACKLIST, generate_ip_set
 from synapse.python_dependencies import DependencyException, check_requirements
@ -22,6 +24,8 @@ from synapse.util.module_loader import load_module

 from ._base import Config, ConfigError

+logger = logging.getLogger(__name__)
+
 DEFAULT_THUMBNAIL_SIZES = [
    {"width": 32, "height": 32, "method": "crop"},
    {"width": 96, "height": 96, "method": "crop"},
@ -36,6 +40,9 @@ THUMBNAIL_SIZE_YAML = """\
        #    method: %(method)s
 """

+HTTP_PROXY_SET_WARNING = """\
+The Synapse config url_preview_ip_range_blacklist will be ignored as an HTTP(s) proxy is configured."""
+
 ThumbnailRequirement = namedtuple(
    "ThumbnailRequirement", ["width", "height", "method", "media_type"]
 )
@ -181,12 +188,17 @@ class ContentRepositoryConfig(Config):
                    e.message  # noqa: B306, DependencyException.message is a property
                )

+            proxy_env = getproxies_environment()
            if "url_preview_ip_range_blacklist" not in config:
-                raise ConfigError(
-                    "For security, you must specify an explicit target IP address "
-                    "blacklist in url_preview_ip_range_blacklist for url previewing "
-                    "to work"
-                )
+                if "http" not in proxy_env or "https" not in proxy_env:
+                    raise ConfigError(
+                        "For security, you must specify an explicit target IP address "
+                        "blacklist in url_preview_ip_range_blacklist for url previewing "
+                        "to work"
+                    )
+            else:
+                if "http" in proxy_env or "https" in proxy_env:
+                    logger.warning("".join(HTTP_PROXY_SET_WARNING))

            # we always blacklist '0.0.0.0' and '::', which are supposed to be
            # unroutable addresses.
@ -293,6 +305,8 @@ class ContentRepositoryConfig(Config):
        # This must be specified if url_preview_enabled is set. It is recommended that
        # you uncomment the following list as a starting point.
        #
+        # Note: The value is ignored when an HTTP proxy is in use
+        #
        #url_preview_ip_range_blacklist:
 %(ip_range_blacklist)s