From 7765bf398996002ee461904915de9d8bc2ea951a Mon Sep 17 00:00:00 2001
From: Patrick Cloke <clokep@users.noreply.github.com>
Date: Thu, 6 Feb 2020 13:25:24 -0500
Subject: [PATCH] Limit the number of events that can be requested when
 backfilling events (#6864)

Limit the maximum number of events requested when backfilling events.
---
 changelog.d/6864.misc          | 1 +
 synapse/handlers/federation.py | 4 ++++
 2 files changed, 5 insertions(+)
 create mode 100644 changelog.d/6864.misc

diff --git a/changelog.d/6864.misc b/changelog.d/6864.misc
new file mode 100644
index 0000000000..d24eb68460
--- /dev/null
+++ b/changelog.d/6864.misc
@@ -0,0 +1 @@
+Limit the number of events that can be requested by the backfill federation API to 100.
diff --git a/synapse/handlers/federation.py b/synapse/handlers/federation.py
index 10e8b6ea4c..eb20ef4aec 100644
--- a/synapse/handlers/federation.py
+++ b/synapse/handlers/federation.py
@@ -1788,6 +1788,9 @@ class FederationHandler(BaseHandler):
         if not in_room:
             raise AuthError(403, "Host not in room.")
 
+        # Synapse asks for 100 events per backfill request. Do not allow more.
+        limit = min(limit, 100)
+
         events = yield self.store.get_backfill_events(room_id, pdu_list, limit)
 
         events = yield filter_events_for_server(self.storage, origin, events)
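Review bot: The added clamp `limit = min(limit, 100)` bounds only the upper side, so a zero or negative `limit` still reaches `self.store.get_backfill_events` unchanged unless it is rejected earlier, in code outside this hunk. Because the value appears to come from a remote server's federation request, it is safer to bound both sides here, for example `limit = max(0, min(limit, 100))`, or to reject negative values with an error before the store call. The same one-sided clamp sits under the new comment in the second hunk, at `limit = min(limit, 20)`. Lifting 100 and 20 into named module-level constants would also keep these caps from drifting away from the request size the comment refers to. The enclosing method starts and ends outside the hunk.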
@@ -2168,6 +2171,7 @@ class FederationHandler(BaseHandler):
         if not in_room:
             raise AuthError(403, "Host not in room.")
 
+        # Only allow up to 20 events to be retrieved per request.
         limit = min(limit, 20)
 
         missing_events = await self.store.get_missing_events(
-- 
GitLab