Commit 1a7104fd authored by Richard van der Hoff

Blacklist 0.0.0.0 and :: by default for URL previews

parent 35442efb
Blacklist 0.0.0.0 and :: by default for URL previews. Thanks to @opnsec for identifying and responsibly disclosing this issue too!
...@@ -506,11 +506,12 @@ uploads_path: "DATADIR/uploads" ...@@ -506,11 +506,12 @@ uploads_path: "DATADIR/uploads"
# height: 600 # height: 600
# method: scale # method: scale
# Is the preview URL API enabled? If enabled, you *must* specify # Is the preview URL API enabled?
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing.
# #
#url_preview_enabled: false # 'false' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
#
#url_preview_enabled: true
# List of IP address CIDR ranges that the URL preview spider is denied # List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly # from accessing. There are no defaults: you must explicitly
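Review bot: the new comment at the top of this hunk says "specify a url_preview_ip_range_blacklist blacklist", which doubles the word; suggest "uncomment the following to enable it, and set url_preview_ip_range_blacklist". Otherwise, switching the commented sample from `#url_preview_enabled: false` to `#url_preview_enabled: true` reads correctly as an uncomment-to-enable line now that the prose states the default.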
...@@ -520,6 +521,9 @@ uploads_path: "DATADIR/uploads" ...@@ -520,6 +521,9 @@ uploads_path: "DATADIR/uploads"
# synapse to issue arbitrary GET requests to your internal services, # synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues. # causing serious security issues.
# #
# This must be specified if url_preview_enabled. It is recommended that you
# uncomment the following list as a starting point.
#
#url_preview_ip_range_blacklist: #url_preview_ip_range_blacklist:
# - '127.0.0.0/8' # - '127.0.0.0/8'
# - '10.0.0.0/8' # - '10.0.0.0/8'
...@@ -530,7 +534,7 @@ uploads_path: "DATADIR/uploads" ...@@ -530,7 +534,7 @@ uploads_path: "DATADIR/uploads"
# - '::1/128' # - '::1/128'
# - 'fe80::/64' # - 'fe80::/64'
# - 'fc00::/7' # - 'fc00::/7'
#
# List of IP address CIDR ranges that the URL preview spider is allowed # List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist. # to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted # This is useful for specifying exceptions to wide-ranging blacklisted
......
...@@ -186,17 +186,21 @@ class ContentRepositoryConfig(Config): ...@@ -186,17 +186,21 @@ class ContentRepositoryConfig(Config):
except ImportError: except ImportError:
raise ConfigError(MISSING_NETADDR) raise ConfigError(MISSING_NETADDR)
if "url_preview_ip_range_blacklist" in config: if "url_preview_ip_range_blacklist" not in config:
self.url_preview_ip_range_blacklist = IPSet(
config["url_preview_ip_range_blacklist"]
)
else:
raise ConfigError( raise ConfigError(
"For security, you must specify an explicit target IP address " "For security, you must specify an explicit target IP address "
"blacklist in url_preview_ip_range_blacklist for url previewing " "blacklist in url_preview_ip_range_blacklist for url previewing "
"to work" "to work"
) )
self.url_preview_ip_range_blacklist = IPSet(
config["url_preview_ip_range_blacklist"]
)
# we always blacklist '0.0.0.0' and '::', which are supposed to be
# unroutable addresses.
self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])
self.url_preview_ip_range_whitelist = IPSet( self.url_preview_ip_range_whitelist = IPSet(
config.get("url_preview_ip_range_whitelist", ()) config.get("url_preview_ip_range_whitelist", ())
) )
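Review bot: the unconditional `self.url_preview_ip_range_blacklist.update(['0.0.0.0', '::'])` means the effective blacklist now contains two entries the admin never wrote, but the sample config comment in the neighbouring hunks still says "There are no defaults: you must explicitly" list ranges; update that comment so operators know 0.0.0.0 and :: are always denied even when absent from their list. Also consider `'0.0.0.0/8'` rather than the single host `'0.0.0.0'`: the whole block is reserved as "this network" (RFC 1122), and the sample list already expresses the other reserved ranges as CIDRs such as '127.0.0.0/8'. Reordering the missing-key check so the ConfigError is raised first and the IPSet is built afterwards is fine, and netaddr's `IPSet.update` accepts plain address strings, so the new lines work as written.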
...@@ -260,11 +264,12 @@ class ContentRepositoryConfig(Config): ...@@ -260,11 +264,12 @@ class ContentRepositoryConfig(Config):
#thumbnail_sizes: #thumbnail_sizes:
%(formatted_thumbnail_sizes)s %(formatted_thumbnail_sizes)s
# Is the preview URL API enabled? If enabled, you *must* specify # Is the preview URL API enabled?
# an explicit url_preview_ip_range_blacklist of IPs that the spider is
# denied from accessing.
# #
#url_preview_enabled: false # 'false' by default: uncomment the following to enable it (and specify a
# url_preview_ip_range_blacklist blacklist).
#
#url_preview_enabled: true
# List of IP address CIDR ranges that the URL preview spider is denied # List of IP address CIDR ranges that the URL preview spider is denied
# from accessing. There are no defaults: you must explicitly # from accessing. There are no defaults: you must explicitly
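Review bot: this hunk carries the same comment text as the sample-config hunk above, including the doubled "url_preview_ip_range_blacklist blacklist"; whichever wording is settled on there should be applied here as well so the two copies stay identical.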
...@@ -274,6 +279,9 @@ class ContentRepositoryConfig(Config): ...@@ -274,6 +279,9 @@ class ContentRepositoryConfig(Config):
# synapse to issue arbitrary GET requests to your internal services, # synapse to issue arbitrary GET requests to your internal services,
# causing serious security issues. # causing serious security issues.
# #
# This must be specified if url_preview_enabled. It is recommended that you
# uncomment the following list as a starting point.
#
#url_preview_ip_range_blacklist: #url_preview_ip_range_blacklist:
# - '127.0.0.0/8' # - '127.0.0.0/8'
# - '10.0.0.0/8' # - '10.0.0.0/8'
...@@ -284,7 +292,7 @@ class ContentRepositoryConfig(Config): ...@@ -284,7 +292,7 @@ class ContentRepositoryConfig(Config):
# - '::1/128' # - '::1/128'
# - 'fe80::/64' # - 'fe80::/64'
# - 'fc00::/7' # - 'fc00::/7'
#
# List of IP address CIDR ranges that the URL preview spider is allowed # List of IP address CIDR ranges that the URL preview spider is allowed
# to access even if they are specified in url_preview_ip_range_blacklist. # to access even if they are specified in url_preview_ip_range_blacklist.
# This is useful for specifying exceptions to wide-ranging blacklisted # This is useful for specifying exceptions to wide-ranging blacklisted
......