From 332cce8dcf9c28314f568c290b57e98036a0e723 Mon Sep 17 00:00:00 2001
From: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com>
Date: Wed, 4 May 2022 16:41:40 +0100
Subject: [PATCH] Disable device name lookup over federation by default (#12616)
---
 changelog.d/12616.misc | 1 +
 docs/sample_config.yaml | 8 ++++----
 docs/upgrade.md | 11 +++++++++++
 docs/usage/configuration/config_documentation.md | 6 +++---
 synapse/config/federation.py | 10 +++++-----
 5 files changed, 24 insertions(+), 12 deletions(-)
 create mode 100644 changelog.d/12616.misc
diff --git a/changelog.d/12616.misc b/changelog.d/12616.misc
new file mode 100644
index 000000000..d17ce24cd
--- /dev/null
+++ b/changelog.d/12616.misc
@@ -0,0 +1 @@
+Prevent remote homeservers from requesting local user device names by default.
\ No newline at end of file
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 67184c6b1..5eba0fcf3 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -709,11 +709,11 @@ retention:
 #
 #allow_profile_lookup_over_federation: false
-# Uncomment to disable device display name lookup over federation. By default, the
-# Federation API allows other homeservers to obtain device display names of any user
-# on this homeserver. Defaults to 'true'.
+# Uncomment to allow device display name lookup over federation. By default, the
+# Federation API prevents other homeservers from obtaining the display names of
+# user devices on this homeserver. Defaults to 'false'.
 #
-#allow_device_name_lookup_over_federation: false
+#allow_device_name_lookup_over_federation: true
 ## Caching ##
diff --git a/docs/upgrade.md b/docs/upgrade.md
index 3a8aeb039..b40cac86f 100644
--- a/docs/upgrade.md
+++ b/docs/upgrade.md
@@ -89,6 +89,17 @@ process, for example:
 dpkg -i matrix-synapse-py3_1.3.0+stretch1_amd64.deb
 ```
+# Upgrading to v1.59.0
+
+## Device name lookup over federation has been disabled by default
+
+The names of user devices are no longer visible to users on other homeservers by default.
+Device IDs are unaffected, as these are necessary to facilitate end-to-end encryption.
+
+To re-enable this functionality, set the
+[`allow_device_name_lookup_over_federation`](https://matrix-org.github.io/synapse/v1.59/usage/configuration/config_documentation.html#federation)
+homeserver config option to `true`.
+
 # Upgrading to v1.58.0
 ## Groups/communities feature has been disabled by default
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index 968b0fbfa..36db64946 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -1035,13 +1035,13 @@ allow_profile_lookup_over_federation: false
 ---
 Config option: `allow_device_name_lookup_over_federation`
-Set this option to false to disable device display name lookup over federation. By default, the
-Federation API allows other homeservers to obtain device display names of any user
+Set this option to true to allow device display name lookup over federation. By default, the
+Federation API prevents other homeservers from obtaining the display names of any user
 devices on this homeserver.
 Example configuration:
 ```yaml
-allow_device_name_lookup_over_federation: false
+allow_device_name_lookup_over_federation: true
 ```
 ---
 ## Caching ##
diff --git a/synapse/config/federation.py b/synapse/config/federation.py
index 0e74f7078..f83f93c0e 100644
--- a/synapse/config/federation.py
+++ b/synapse/config/federation.py
@@ -46,7 +46,7 @@ class FederationConfig(Config):
 )
 self.allow_device_name_lookup_over_federation = config.get(
- "allow_device_name_lookup_over_federation", True
+ "allow_device_name_lookup_over_federation", False
 )
 def generate_config_section(self, **kwargs: Any) -> str:
@@ -81,11 +81,11 @@ class FederationConfig(Config):
 #
 #allow_profile_lookup_over_federation: false
- # Uncomment to disable device display name lookup over federation. By default, the
- # Federation API allows other homeservers to obtain device display names of any user
- # on this homeserver. Defaults to 'true'.
+ # Uncomment to allow device display name lookup over federation. By default, the
+ # Federation API prevents other homeservers from obtaining the display names of
+ # user devices on this homeserver. Defaults to 'false'.
 #
- #allow_device_name_lookup_over_federation: false
+ #allow_device_name_lookup_over_federation: true
 """
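Review bot: The new fail-closed default in the first hunk is read with a bare `config.get(...)` and no type check, so a quoted YAML value such as `"false"` is a non-empty string and would count as enabled wherever the flag is tested for truthiness (the use site is not part of this patch). Since the option now guards user metadata, reject non-boolean values at load time, e.g. `if not isinstance(self.allow_device_name_lookup_over_federation, bool): raise ConfigError("allow_device_name_lookup_over_federation must be a boolean")`, importing `ConfigError` from `synapse.config._base` if the module does not already have it. The diffstat also lists no test file; a test asserting that a federation device query omits display names under the default config would keep this default from regressing. The enclosing config-reading method starts above the hunk.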
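Review bot: The rewritten comment in the second hunk (inside the template string of `generate_config_section`, which opens above the hunk) says how to re-enable lookup but not what the option leaves exposed. The upgrade notes in this same patch state that device IDs are unaffected because end-to-end encryption needs them; repeating that here, e.g. `# Device IDs are still shared, as they are needed for end-to-end encryption.`, keeps an operator from assuming the option hides devices entirely. It is also worth confirming, and documenting if true, whether display names fetched by remote homeservers before the upgrade remain in their caches. The same wording would apply to the matching block in docs/sample_config.yaml.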