Compare commits

...

14 Commits

Author SHA1 Message Date
Tulir Asokan
0f5e09524d Don't apply alias rules to admins 2024-01-23 19:08:34 +02:00
Tulir Asokan
1b784b06d4 Allow pdf inline 2024-01-23 19:08:15 +02:00
Tulir Asokan
f4f711f28b Remove unnecessary pusher URL validation 2024-01-23 19:08:15 +02:00
Tulir Asokan
de89885d15 Allow specific users to use timestamp massaging without being appservices 2024-01-23 19:08:15 +02:00
Tulir Asokan
3108b67232 Allow custom content in read receipts 2024-01-23 19:08:15 +02:00
Tulir Asokan
b07561405c Allow unhiding events that the C-S API filters away by default 2024-01-23 19:08:15 +02:00
Tulir Asokan
9eb9372eb4 Allow bypassing unnecessary validation in C-S API 2024-01-23 19:08:15 +02:00
Tulir Asokan
ab635c80a7 Set immutable cache-control header for media downloads 2024-01-23 19:08:15 +02:00
Tulir Asokan
5e7ff45534 Thumbnail webp images as webp to avoid losing transparency 2024-01-23 19:08:15 +02:00
Tulir Asokan
0de822af4d Allow registering invalid user IDs with admin API 2024-01-23 19:08:15 +02:00
Tulir Asokan
83f9a6cdd5 Allow specifying room ID when creating room 2024-01-23 19:08:15 +02:00
Tulir Asokan
78584d476c Fix default power level for room creator 2024-01-23 19:08:14 +02:00
Tulir Asokan
ce38046124 Add meow readme and config extension 2024-01-23 19:08:14 +02:00
Tulir Asokan
e95889bab3 Add meow dockerfile
N.B. requires requirements.txt to be generated in repo root beforehand
2024-01-23 19:08:14 +02:00
26 changed files with 309 additions and 81 deletions

View File

@ -8,6 +8,7 @@
!README.rst !README.rst
!pyproject.toml !pyproject.toml
!poetry.lock !poetry.lock
!requirements.txt
!Cargo.lock !Cargo.lock
!Cargo.toml !Cargo.toml
!build_rust.py !build_rust.py

19
.gitlab-ci.yml Normal file
View File

@ -0,0 +1,19 @@
image: docker:stable
stages:
- build
build amd64:
stage: build
tags:
- amd64
only:
- master
before_script:
- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
script:
- synversion=$(cat pyproject.toml | grep '^version =' | sed -E 's/^version = "(.+)"$/\1/')
- docker build --tag $CI_REGISTRY_IMAGE:latest --tag $CI_REGISTRY_IMAGE:$synversion .
- docker push $CI_REGISTRY_IMAGE:latest
- docker push $CI_REGISTRY_IMAGE:$synversion
- docker rmi $CI_REGISTRY_IMAGE:latest $CI_REGISTRY_IMAGE:$synversion

61
Dockerfile Normal file
View File

@ -0,0 +1,61 @@
ARG PYTHON_VERSION=3.11
FROM docker.io/python:${PYTHON_VERSION}-slim as builder
RUN apt-get update && apt-get install -y \
build-essential \
libffi-dev \
libjpeg-dev \
libpq-dev \
libssl-dev \
libwebp-dev \
libxml++2.6-dev \
libxslt1-dev \
zlib1g-dev \
openssl \
git \
curl \
&& rm -rf /var/lib/apt/lists/*
ENV RUSTUP_HOME=/rust
ENV CARGO_HOME=/cargo
ENV PATH=/cargo/bin:/rust/bin:$PATH
RUN mkdir /rust /cargo
RUN curl -sSf https://sh.rustup.rs | sh -s -- -y --no-modify-path --default-toolchain stable
COPY synapse /synapse/synapse/
COPY rust /synapse/rust/
COPY README.rst pyproject.toml requirements.txt build_rust.py /synapse/
RUN pip install --prefix="/install" --no-warn-script-location --ignore-installed \
--no-deps -r /synapse/requirements.txt \
&& pip install --prefix="/install" --no-warn-script-location \
--no-deps \
'git+https://github.com/maunium/synapse-simple-antispam#egg=synapse-simple-antispam' \
'git+https://github.com/devture/matrix-synapse-shared-secret-auth@2.0.3#egg=shared_secret_authenticator' \
&& pip install --prefix="/install" --no-warn-script-location \
--no-deps /synapse
FROM docker.io/python:${PYTHON_VERSION}-slim
RUN apt-get update && apt-get install -y \
curl \
libjpeg62-turbo \
libpq5 \
libwebp7 \
xmlsec1 \
libjemalloc2 \
openssl \
&& rm -rf /var/lib/apt/lists/*
COPY --from=builder /install /usr/local
VOLUME ["/data"]
ENV LD_PRELOAD="/usr/lib/x86_64-linux-gnu/libjemalloc.so.2"
ENTRYPOINT ["python3", "-m", "synapse.app.homeserver"]
CMD ["--keys-directory", "/data", "-c", "/data/homeserver.yaml"]
HEALTHCHECK --start-period=5s --interval=1m --timeout=5s \
CMD curl -fSs http://localhost:8008/health || exit 1

63
README.md Normal file
View File

@ -0,0 +1,63 @@
# Maunium Synapse
This is a fork of [Synapse] to remove dumb limits and fix bugs that the
upstream devs don't want to fix.
The only official distribution is the docker image in the [GitLab container
registry], but you can also install from source ([upstream instructions]).
The master branch and `:latest` docker tag are upgraded to each upstream
release candidate very soon after release (usually within 10 minutes†). There
are also docker tags for each release, e.g. `:1.75.0`. If you don't want RCs,
use the specific release tags.
†If there are merge conflicts, the update may be delayed for up to a few days
after the full release.
[Synapse]: https://github.com/matrix-org/synapse
[GitLab container registry]: https://mau.dev/maunium/synapse/container_registry
[upstream instructions]: https://github.com/matrix-org/synapse/blob/develop/INSTALL.md#installing-from-source
## List of changes
* Default power level for room creator is 9001 instead of 100.
* Room creator can specify a custom room ID with the `room_id` param in the
request body. If the room ID is already in use, it will return `M_CONFLICT`.
* ~~URL previewer user agent includes `Bot` so Twitter previews work properly.~~
Upstreamed after over 2 years 🎉
* ~~Local event creation concurrency is disabled to avoid unnecessary state
resolution.~~ Upstreamed after over 3 years 🎉
* Register admin API can register invalid user IDs.
* Docker image with jemalloc enabled by default.
* Config option to allow specific users to send events without unnecessary
validation.
* Config option to allow specific users to receive events that are usually
filtered away (e.g. `org.matrix.dummy_event` and `m.room.aliases`).
* Config option to allow specific users to use timestamp massaging without
being appservice users.
* Removed bad pusher URL validation.
* webp images are thumbnailed to webp instead of jpeg to avoid losing
transparency.
* Media repo `Cache-Control` header says `immutable` and 1 year for all media
that exists, as media IDs in Matrix are immutable.
* Allowed sending custom data with read receipts.
You can view the full list of changes on the [meow-patchset] branch.
Additionally, historical patch sets are saved as `meow-patchset-vX` [tags].
[meow-patchset]: https://mau.dev/maunium/synapse/-/compare/patchset-base...meow-patchset
[tags]: https://mau.dev/maunium/synapse/-/tags?search=meow-patchset&sort=updated_desc
## Configuration reference
```yaml
meow:
# List of users who aren't subject to unnecessary validation in the C-S API.
validation_override:
- "@you:example.com"
# List of users who will get org.matrix.dummy_event and m.room.aliases events down /sync
filter_override:
- "@you:example.com"
# Whether or not the admin API should be able to register invalid user IDs.
admin_api_register_invalid: true
# List of users who can use timestamp massaging without being appservices
timestamp_override:
- "@you:example.com"
```

View File

@ -35,6 +35,7 @@ from synapse.config import ( # noqa: F401
jwt, jwt,
key, key,
logger, logger,
meow,
metrics, metrics,
modules, modules,
oembed, oembed,
@ -91,6 +92,7 @@ class RootConfig:
voip: voip.VoipConfig voip: voip.VoipConfig
registration: registration.RegistrationConfig registration: registration.RegistrationConfig
account_validity: account_validity.AccountValidityConfig account_validity: account_validity.AccountValidityConfig
meow: meow.MeowConfig
metrics: metrics.MetricsConfig metrics: metrics.MetricsConfig
api: api.ApiConfig api: api.ApiConfig
appservice: appservice.AppServiceConfig appservice: appservice.AppServiceConfig

View File

@ -19,6 +19,7 @@
# #
# #
from ._base import RootConfig from ._base import RootConfig
from .meow import MeowConfig
from .account_validity import AccountValidityConfig from .account_validity import AccountValidityConfig
from .api import ApiConfig from .api import ApiConfig
from .appservice import AppServiceConfig from .appservice import AppServiceConfig
@ -64,6 +65,7 @@ from .workers import WorkerConfig
class HomeServerConfig(RootConfig): class HomeServerConfig(RootConfig):
config_classes = [ config_classes = [
MeowConfig,
ModulesConfig, ModulesConfig,
ServerConfig, ServerConfig,
RetentionConfig, RetentionConfig,

33
synapse/config/meow.py Normal file
View File

@ -0,0 +1,33 @@
# -*- coding: utf-8 -*-
# Copyright 2020 Maunium
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
from ._base import Config
class MeowConfig(Config):
"""Meow Configuration
Configuration for disabling dumb limits in Synapse
"""
section = "meow"
def read_config(self, config, **kwargs):
meow_config = config.get("meow", {})
self.validation_override = set(meow_config.get("validation_override", []))
self.filter_override = set(meow_config.get("filter_override", []))
self.timestamp_override = set(meow_config.get("timestamp_override", []))
self.admin_api_register_invalid = meow_config.get(
"admin_api_register_invalid", True
)

View File

@ -54,10 +54,8 @@ THUMBNAIL_SIZE_YAML = """\
THUMBNAIL_SUPPORTED_MEDIA_FORMAT_MAP = { THUMBNAIL_SUPPORTED_MEDIA_FORMAT_MAP = {
"image/jpeg": "jpeg", "image/jpeg": "jpeg",
"image/jpg": "jpeg", "image/jpg": "jpeg",
"image/webp": "jpeg", "image/webp": "webp",
# Thumbnails can only be jpeg or png. We choose png thumbnails for gif "image/gif": "webp",
# because it can have transparency.
"image/gif": "png",
"image/png": "png", "image/png": "png",
} }
@ -109,6 +107,10 @@ def parse_thumbnail_requirements(
requirement.append( requirement.append(
ThumbnailRequirement(width, height, method, "image/png") ThumbnailRequirement(width, height, method, "image/png")
) )
elif thumbnail_format == "webp":
requirement.append(
ThumbnailRequirement(width, height, method, "image/webp")
)
else: else:
raise Exception( raise Exception(
"Unknown thumbnail mapping from %s to %s. This is a Synapse problem, please report!" "Unknown thumbnail mapping from %s to %s. This is a Synapse problem, please report!"

View File

@ -64,7 +64,7 @@ class EventValidator:
event: The event to validate. event: The event to validate.
config: The homeserver's configuration. config: The homeserver's configuration.
""" """
self.validate_builder(event) self.validate_builder(event, config)
if event.format_version == EventFormatVersions.ROOM_V1_V2: if event.format_version == EventFormatVersions.ROOM_V1_V2:
EventID.from_string(event.event_id) EventID.from_string(event.event_id)
@ -95,6 +95,12 @@ class EventValidator:
# Note that only the client controlled portion of the event is # Note that only the client controlled portion of the event is
# checked, since we trust the portions of the event we created. # checked, since we trust the portions of the event we created.
validate_canonicaljson(event.content) validate_canonicaljson(event.content)
if not 0 < event.origin_server_ts < 2**53:
raise SynapseError(400, "Event timestamp is out of range")
# meow: allow specific users to send potentially dangerous events.
if event.sender in config.meow.validation_override:
return
if event.type == EventTypes.Aliases: if event.type == EventTypes.Aliases:
if "aliases" in event.content: if "aliases" in event.content:
@ -193,7 +199,9 @@ class EventValidator:
errcode=Codes.BAD_JSON, errcode=Codes.BAD_JSON,
) )
def validate_builder(self, event: Union[EventBase, EventBuilder]) -> None: def validate_builder(
self, event: Union[EventBase, EventBuilder], config: HomeServerConfig
) -> None:
"""Validates that the builder/event has roughly the right format. Only """Validates that the builder/event has roughly the right format. Only
checks values that we expect a proto event to have, rather than all the checks values that we expect a proto event to have, rather than all the
fields an event would have fields an event would have
@ -211,6 +219,10 @@ class EventValidator:
RoomID.from_string(event.room_id) RoomID.from_string(event.room_id)
UserID.from_string(event.sender) UserID.from_string(event.sender)
# meow: allow specific users to send so-called invalid events
if event.sender in config.meow.validation_override:
return
if event.type == EventTypes.Message: if event.type == EventTypes.Message:
strings = ["body", "msgtype"] strings = ["body", "msgtype"]

View File

@ -80,6 +80,8 @@ class DirectoryHandler:
) -> None: ) -> None:
# general association creation for both human users and app services # general association creation for both human users and app services
# meow: allow specific users to include anything in room aliases
if creator not in self.config.meow.validation_override:
for wchar in string.whitespace: for wchar in string.whitespace:
if wchar in room_alias.localpart: if wchar in room_alias.localpart:
raise SynapseError(400, "Invalid characters in room alias") raise SynapseError(400, "Invalid characters in room alias")
@ -127,7 +129,10 @@ class DirectoryHandler:
user_id = requester.user.to_string() user_id = requester.user.to_string()
room_alias_str = room_alias.to_string() room_alias_str = room_alias.to_string()
if len(room_alias_str) > MAX_ALIAS_LENGTH: if (
user_id not in self.hs.config.meow.validation_override
and len(room_alias_str) > MAX_ALIAS_LENGTH
):
raise SynapseError( raise SynapseError(
400, 400,
"Can't create aliases longer than %s characters" % MAX_ALIAS_LENGTH, "Can't create aliases longer than %s characters" % MAX_ALIAS_LENGTH,
@ -169,7 +174,7 @@ class DirectoryHandler:
if not self.config.roomdirectory.is_alias_creation_allowed( if not self.config.roomdirectory.is_alias_creation_allowed(
user_id, room_id, room_alias_str user_id, room_id, room_alias_str
): ) and not is_admin:
# Let's just return a generic message, as there may be all sorts of # Let's just return a generic message, as there may be all sorts of
# reasons why we said no. TODO: Allow configurable error messages # reasons why we said no. TODO: Allow configurable error messages
# per alias creation rule? # per alias creation rule?
@ -505,7 +510,7 @@ class DirectoryHandler:
if not self.config.roomdirectory.is_publishing_room_allowed( if not self.config.roomdirectory.is_publishing_room_allowed(
user_id, room_id, room_aliases user_id, room_id, room_aliases
): ) and not await self.auth.is_server_admin(requester):
# Let's just return a generic message, as there may be all sorts of # Let's just return a generic message, as there may be all sorts of
# reasons why we said no. TODO: Allow configurable error messages # reasons why we said no. TODO: Allow configurable error messages
# per alias creation rule? # per alias creation rule?

View File

@ -1452,7 +1452,7 @@ class FederationHandler:
room_version_obj, event_dict room_version_obj, event_dict
) )
EventValidator().validate_builder(builder) EventValidator().validate_builder(builder, self.hs.config)
# Try several times, it could fail with PartialStateConflictError # Try several times, it could fail with PartialStateConflictError
# in send_membership_event, cf comment in except block. # in send_membership_event, cf comment in except block.
@ -1617,7 +1617,7 @@ class FederationHandler:
builder = self.event_builder_factory.for_room_version( builder = self.event_builder_factory.for_room_version(
room_version_obj, event_dict room_version_obj, event_dict
) )
EventValidator().validate_builder(builder) EventValidator().validate_builder(builder, self.hs.config)
( (
event, event,

View File

@ -669,7 +669,7 @@ class EventCreationHandler:
room_version_obj, event_dict room_version_obj, event_dict
) )
self.validator.validate_builder(builder) self.validator.validate_builder(builder, self.config)
if builder.type == EventTypes.Member: if builder.type == EventTypes.Member:
membership = builder.content.get("membership", None) membership = builder.content.get("membership", None)
@ -1339,6 +1339,8 @@ class EventCreationHandler:
Raises: Raises:
SynapseError if the event is invalid. SynapseError if the event is invalid.
""" """
if event.sender in self.config.meow.validation_override:
return
relation = relation_from_event(event) relation = relation_from_event(event)
if not relation: if not relation:
@ -1757,7 +1759,8 @@ class EventCreationHandler:
await self._maybe_kick_guest_users(event, context) await self._maybe_kick_guest_users(event, context)
if event.type == EventTypes.CanonicalAlias: validation_override = event.sender in self.config.meow.validation_override
if event.type == EventTypes.CanonicalAlias and not validation_override:
# Validate a newly added alias or newly added alt_aliases. # Validate a newly added alias or newly added alt_aliases.
original_alias = None original_alias = None
@ -2112,7 +2115,7 @@ class EventCreationHandler:
builder = self.event_builder_factory.for_room_version( builder = self.event_builder_factory.for_room_version(
original_event.room_version, third_party_result original_event.room_version, third_party_result
) )
self.validator.validate_builder(builder) self.validator.validate_builder(builder, self.config)
except SynapseError as e: except SynapseError as e:
raise Exception( raise Exception(
"Third party rules module created an invalid event: " + e.msg, "Third party rules module created an invalid event: " + e.msg,

View File

@ -20,11 +20,12 @@
# #
import logging import logging
from typing import TYPE_CHECKING from typing import TYPE_CHECKING, Optional
from synapse.api.constants import ReceiptTypes from synapse.api.constants import ReceiptTypes
from synapse.api.errors import SynapseError from synapse.api.errors import SynapseError
from synapse.util.async_helpers import Linearizer from synapse.util.async_helpers import Linearizer
from synapse.types import JsonDict
if TYPE_CHECKING: if TYPE_CHECKING:
from synapse.server import HomeServer from synapse.server import HomeServer
@ -39,7 +40,11 @@ class ReadMarkerHandler:
self.read_marker_linearizer = Linearizer(name="read_marker") self.read_marker_linearizer = Linearizer(name="read_marker")
async def received_client_read_marker( async def received_client_read_marker(
self, room_id: str, user_id: str, event_id: str self,
room_id: str,
user_id: str,
event_id: str,
extra_content: Optional[JsonDict] = None,
) -> None: ) -> None:
"""Updates the read marker for a given user in a given room if the event ID given """Updates the read marker for a given user in a given room if the event ID given
is ahead in the stream relative to the current read marker. is ahead in the stream relative to the current read marker.
@ -71,7 +76,7 @@ class ReadMarkerHandler:
should_update = event_ordering > old_event_ordering should_update = event_ordering > old_event_ordering
if should_update: if should_update:
content = {"event_id": event_id} content = {"event_id": event_id, **(extra_content or {})}
await self.account_data_handler.add_account_data_to_room( await self.account_data_handler.add_account_data_to_room(
user_id, room_id, ReceiptTypes.FULLY_READ, content user_id, room_id, ReceiptTypes.FULLY_READ, content
) )

View File

@ -181,6 +181,7 @@ class ReceiptsHandler:
user_id: UserID, user_id: UserID,
event_id: str, event_id: str,
thread_id: Optional[str], thread_id: Optional[str],
extra_content: Optional[JsonDict] = None,
) -> None: ) -> None:
"""Called when a client tells us a local user has read up to the given """Called when a client tells us a local user has read up to the given
event_id in the room. event_id in the room.
@ -197,7 +198,7 @@ class ReceiptsHandler:
user_id=user_id.to_string(), user_id=user_id.to_string(),
event_ids=[event_id], event_ids=[event_id],
thread_id=thread_id, thread_id=thread_id,
data={"ts": int(self.clock.time_msec())}, data={"ts": int(self.clock.time_msec()), **(extra_content or {})},
) )
is_new = await self._handle_new_receipts([receipt]) is_new = await self._handle_new_receipts([receipt])

View File

@ -148,8 +148,11 @@ class RegistrationHandler:
localpart: str, localpart: str,
guest_access_token: Optional[str] = None, guest_access_token: Optional[str] = None,
assigned_user_id: Optional[str] = None, assigned_user_id: Optional[str] = None,
allow_invalid: bool = False,
inhibit_user_in_use_error: bool = False, inhibit_user_in_use_error: bool = False,
) -> None: ) -> None:
# meow: allow admins to register invalid user ids
if not allow_invalid:
if types.contains_invalid_mxid_characters(localpart): if types.contains_invalid_mxid_characters(localpart):
raise SynapseError( raise SynapseError(
400, 400,
@ -177,6 +180,8 @@ class RegistrationHandler:
"A different user ID has already been registered for this session", "A different user ID has already been registered for this session",
) )
# meow: allow admins to register reserved user ids and long user ids
if not allow_invalid:
self.check_user_id_not_appservice_exclusive(user_id) self.check_user_id_not_appservice_exclusive(user_id)
if len(user_id) > MAX_USERID_LENGTH: if len(user_id) > MAX_USERID_LENGTH:
@ -290,7 +295,12 @@ class RegistrationHandler:
await self.auth_blocking.check_auth_blocking(threepid=threepid) await self.auth_blocking.check_auth_blocking(threepid=threepid)
if localpart is not None: if localpart is not None:
await self.check_username(localpart, guest_access_token=guest_access_token) allow_invalid = by_admin and self.hs.config.meow.admin_api_register_invalid
await self.check_username(
localpart,
guest_access_token=guest_access_token,
allow_invalid=allow_invalid,
)
was_guest = guest_access_token is not None was_guest = guest_access_token is not None

View File

@ -893,6 +893,18 @@ class RoomCreationHandler:
self._validate_room_config(config, visibility) self._validate_room_config(config, visibility)
if "room_id" in config:
room_id = config["room_id"]
try:
await self.store.store_room(
room_id=room_id,
room_creator_user_id=user_id,
is_public=is_public,
room_version=room_version,
)
except StoreError:
raise SynapseError(409, "Room ID already in use", errcode="M_CONFLICT")
else:
room_id = await self._generate_and_create_room_id( room_id = await self._generate_and_create_room_id(
creator_id=user_id, creator_id=user_id,
is_public=is_public, is_public=is_public,
@ -916,7 +928,7 @@ class RoomCreationHandler:
room_aliases.append(room_alias.to_string()) room_aliases.append(room_alias.to_string())
if not self.config.roomdirectory.is_publishing_room_allowed( if not self.config.roomdirectory.is_publishing_room_allowed(
user_id, room_id, room_aliases user_id, room_id, room_aliases
): ) and not is_requester_admin:
# allow room creation to continue but do not publish room # allow room creation to continue but do not publish room
await self.store.set_room_is_public(room_id, False) await self.store.set_room_is_public(room_id, False)
@ -1188,7 +1200,7 @@ class RoomCreationHandler:
events_to_send.append((power_event, power_context)) events_to_send.append((power_event, power_context))
else: else:
power_level_content: JsonDict = { power_level_content: JsonDict = {
"users": {creator_id: 100}, "users": {creator_id: 9001},
"users_default": 0, "users_default": 0,
"events": { "events": {
EventTypes.Name: 50, EventTypes.Name: 50,

View File

@ -754,26 +754,6 @@ class RoomMemberHandler(metaclass=abc.ABCMeta):
content.pop("displayname", None) content.pop("displayname", None)
content.pop("avatar_url", None) content.pop("avatar_url", None)
if len(content.get("displayname") or "") > MAX_DISPLAYNAME_LEN:
raise SynapseError(
400,
f"Displayname is too long (max {MAX_DISPLAYNAME_LEN})",
errcode=Codes.BAD_JSON,
)
if len(content.get("avatar_url") or "") > MAX_AVATAR_URL_LEN:
raise SynapseError(
400,
f"Avatar URL is too long (max {MAX_AVATAR_URL_LEN})",
errcode=Codes.BAD_JSON,
)
if "avatar_url" in content and content.get("avatar_url") is not None:
if not await self.profile_handler.check_avatar_size_and_mime_type(
content["avatar_url"],
):
raise SynapseError(403, "This avatar is not allowed", Codes.FORBIDDEN)
# The event content should *not* include the authorising user as # The event content should *not* include the authorising user as
# it won't be properly signed. Strip it out since it might come # it won't be properly signed. Strip it out since it might come
# back from a client updating a display name / avatar. # back from a client updating a display name / avatar.

View File

@ -1242,7 +1242,6 @@ class SyncHandler:
for e in await sync_config.filter_collection.filter_room_state( for e in await sync_config.filter_collection.filter_room_state(
list(state.values()) list(state.values())
) )
if e.type != EventTypes.Aliases # until MSC2261 or alternative solution
} }
async def _find_missing_partial_state_memberships( async def _find_missing_partial_state_memberships(

View File

@ -64,6 +64,7 @@ INLINE_CONTENT_TYPES = [
"text/csv", "text/csv",
"application/json", "application/json",
"application/ld+json", "application/ld+json",
"application/pdf",
# We allow some media files deemed as safe, which comes from the matrix-react-sdk. # We allow some media files deemed as safe, which comes from the matrix-react-sdk.
# https://github.com/matrix-org/matrix-react-sdk/blob/a70fcfd0bcf7f8c85986da18001ea11597989a7c/src/utils/blobs.ts#L51 # https://github.com/matrix-org/matrix-react-sdk/blob/a70fcfd0bcf7f8c85986da18001ea11597989a7c/src/utils/blobs.ts#L51
# SVGs are *intentionally* omitted. # SVGs are *intentionally* omitted.
@ -206,7 +207,9 @@ def add_file_headers(
# recommend caching as it's sensitive or private - or at least # recommend caching as it's sensitive or private - or at least
# select private. don't bother setting Expires as all our # select private. don't bother setting Expires as all our
# clients are smart enough to be happy with Cache-Control # clients are smart enough to be happy with Cache-Control
request.setHeader(b"Cache-Control", b"public,max-age=86400,s-maxage=86400") request.setHeader(
b"Cache-Control", b"public,immutable,max-age=86400,s-maxage=86400"
)
if file_size is not None: if file_size is not None:
request.setHeader(b"Content-Length", b"%d" % (file_size,)) request.setHeader(b"Content-Length", b"%d" % (file_size,))

View File

@ -47,7 +47,7 @@ class ThumbnailError(Exception):
class Thumbnailer: class Thumbnailer:
FORMATS = {"image/jpeg": "JPEG", "image/png": "PNG"} FORMATS = {"image/jpeg": "JPEG", "image/png": "PNG", "image/webp": "WEBP"}
@staticmethod @staticmethod
def set_limits(max_image_pixels: int) -> None: def set_limits(max_image_pixels: int) -> None:

View File

@ -140,13 +140,6 @@ class HttpPusher(Pusher):
url = self.data["url"] url = self.data["url"]
if not isinstance(url, str): if not isinstance(url, str):
raise PusherConfigException("'url' must be a string") raise PusherConfigException("'url' must be a string")
url_parts = urllib.parse.urlparse(url)
# Note that the specification also says the scheme must be HTTPS, but
# it isn't up to the homeserver to verify that.
if url_parts.path != "/_matrix/push/v1/notify":
raise PusherConfigException(
"'url' must have a path of '/_matrix/push/v1/notify'"
)
self.url = url self.url = url
self.http_client = hs.get_proxied_blocklisted_http_client() self.http_client = hs.get_proxied_blocklisted_http_client()

View File

@ -80,12 +80,16 @@ class ReadMarkerRestServlet(RestServlet):
# TODO Add validation to reject non-string event IDs. # TODO Add validation to reject non-string event IDs.
if not event_id: if not event_id:
continue continue
extra_content = body.get(
receipt_type.replace("m.", "com.beeper.") + ".extra", None
)
if receipt_type == ReceiptTypes.FULLY_READ: if receipt_type == ReceiptTypes.FULLY_READ:
await self.read_marker_handler.received_client_read_marker( await self.read_marker_handler.received_client_read_marker(
room_id, room_id,
user_id=requester.user.to_string(), user_id=requester.user.to_string(),
event_id=event_id, event_id=event_id,
extra_content=extra_content,
) )
else: else:
await self.receipts_handler.received_client_receipt( await self.receipts_handler.received_client_receipt(
@ -95,6 +99,7 @@ class ReadMarkerRestServlet(RestServlet):
event_id=event_id, event_id=event_id,
# Setting the thread ID is not possible with the /read_markers endpoint. # Setting the thread ID is not possible with the /read_markers endpoint.
thread_id=None, thread_id=None,
extra_content=extra_content,
) )
return 200, {} return 200, {}

View File

@ -73,7 +73,7 @@ class ReceiptRestServlet(RestServlet):
f"Receipt type must be {', '.join(self._known_receipt_types)}", f"Receipt type must be {', '.join(self._known_receipt_types)}",
) )
body = parse_json_object_from_request(request) body = parse_json_object_from_request(request, allow_empty_body=False)
# Pull the thread ID, if one exists. # Pull the thread ID, if one exists.
thread_id = None thread_id = None
@ -110,6 +110,7 @@ class ReceiptRestServlet(RestServlet):
room_id, room_id,
user_id=requester.user.to_string(), user_id=requester.user.to_string(),
event_id=event_id, event_id=event_id,
extra_content=body,
) )
else: else:
await self.receipts_handler.received_client_receipt( await self.receipts_handler.received_client_receipt(
@ -118,6 +119,7 @@ class ReceiptRestServlet(RestServlet):
user_id=requester.user, user_id=requester.user,
event_id=event_id, event_id=event_id,
thread_id=thread_id, thread_id=thread_id,
extra_content=body,
) )
return 200, {} return 200, {}

View File

@ -337,6 +337,7 @@ class RoomSendEventRestServlet(TransactionRestServlet):
super().__init__(hs) super().__init__(hs)
self.event_creation_handler = hs.get_event_creation_handler() self.event_creation_handler = hs.get_event_creation_handler()
self.auth = hs.get_auth() self.auth = hs.get_auth()
self.hs = hs
def register(self, http_server: HttpServer) -> None: def register(self, http_server: HttpServer) -> None:
# /rooms/$roomid/send/$event_type[/$txn_id] # /rooms/$roomid/send/$event_type[/$txn_id]
@ -360,7 +361,10 @@ class RoomSendEventRestServlet(TransactionRestServlet):
"sender": requester.user.to_string(), "sender": requester.user.to_string(),
} }
if requester.app_service: if (
requester.app_service
or requester.user.to_string() in self.hs.config.meow.timestamp_override
):
origin_server_ts = parse_integer(request, "ts") origin_server_ts = parse_integer(request, "ts")
if origin_server_ts is not None: if origin_server_ts is not None:
event_dict["origin_server_ts"] = origin_server_ts event_dict["origin_server_ts"] = origin_server_ts

View File

@ -45,6 +45,7 @@ class StorageControllers:
# rewrite all the existing code to split it into high vs low level # rewrite all the existing code to split it into high vs low level
# interfaces. # interfaces.
self.main = stores.main self.main = stores.main
self.hs = hs
self.purge_events = PurgeEventsStorageController(hs, stores) self.purge_events = PurgeEventsStorageController(hs, stores)
self.state = StateStorageController(hs, stores) self.state = StateStorageController(hs, stores)

View File

@ -133,6 +133,10 @@ async def filter_events_for_client(
room_id room_id
] = await storage.main.get_retention_policy_for_room(room_id) ] = await storage.main.get_retention_policy_for_room(room_id)
# meow: let admins see secret events like org.matrix.dummy_event, m.room.aliases
# and events expired by the retention policy.
filter_override = user_id in storage.hs.config.meow.filter_override
def allowed(event: EventBase) -> Optional[EventBase]: def allowed(event: EventBase) -> Optional[EventBase]:
return _check_client_allowed_to_see_event( return _check_client_allowed_to_see_event(
user_id=user_id, user_id=user_id,
@ -145,6 +149,7 @@ async def filter_events_for_client(
state=event_id_to_state.get(event.event_id), state=event_id_to_state.get(event.event_id),
is_peeking=is_peeking, is_peeking=is_peeking,
sender_erased=erased_senders.get(event.sender, False), sender_erased=erased_senders.get(event.sender, False),
filter_override=filter_override,
) )
# Check each event: gives an iterable of None or (a potentially modified) # Check each event: gives an iterable of None or (a potentially modified)
@ -292,6 +297,7 @@ def _check_client_allowed_to_see_event(
retention_policy: RetentionPolicy, retention_policy: RetentionPolicy,
state: Optional[StateMap[EventBase]], state: Optional[StateMap[EventBase]],
sender_erased: bool, sender_erased: bool,
filter_override: bool,
) -> Optional[EventBase]: ) -> Optional[EventBase]:
"""Check with the given user is allowed to see the given event """Check with the given user is allowed to see the given event
@ -308,6 +314,7 @@ def _check_client_allowed_to_see_event(
retention_policy: The retention policy of the room retention_policy: The retention policy of the room
state: The state at the event, unless its an outlier state: The state at the event, unless its an outlier
sender_erased: Whether the event sender has been marked as "erased" sender_erased: Whether the event sender has been marked as "erased"
filter_override: meow
Returns: Returns:
None if the user cannot see this event at all None if the user cannot see this event at all
@ -321,7 +328,7 @@ def _check_client_allowed_to_see_event(
# because, if this is not the case, we're probably only checking if the users can # because, if this is not the case, we're probably only checking if the users can
# see events in the room at that point in the DAG, and that shouldn't be decided # see events in the room at that point in the DAG, and that shouldn't be decided
# on those checks. # on those checks.
if filter_send_to_client: if filter_send_to_client and not filter_override:
if ( if (
_check_filter_send_to_client(event, clock, retention_policy, sender_ignored) _check_filter_send_to_client(event, clock, retention_policy, sender_ignored)
== _CheckFilter.DENIED == _CheckFilter.DENIED
@ -331,6 +338,9 @@ def _check_client_allowed_to_see_event(
event.event_id, event.event_id,
) )
return None return None
# meow: even with filter_override, we want to filter ignored users
elif filter_send_to_client and not event.is_state() and sender_ignored:
return None
if event.event_id in always_include_ids: if event.event_id in always_include_ids:
return event return event