filter out m.room.aliases from the CS API until a better solution is …

…specced (#6878) * commit '8e64c5a24': filter out m.room.aliases from the CS API until a better solution is specced (#6878)
matrix-org · Mar 23, 2020 · 92c98de · 92c98de
2 parents d4ba9d2 + 8e64c5a
commit 92c98de
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/changelog.d/6878.feature b/changelog.d/6878.feature
@@ -0,0 +1 @@
+Filter out m.room.aliases from the CS API to mitigate abuse while a better solution is specced.
diff --git a/synapse/visibility.py b/synapse/visibility.py
@@ -122,6 +122,13 @@ def allowed(event):
         if not event.is_state() and event.sender in ignore_list:
             return None
 
+        # Until MSC2261 has landed we can't redact malicious alias events, so for
+        # now we temporarily filter out m.room.aliases entirely to mitigate
+        # abuse, while we spec a better solution to advertising aliases
+        # on rooms.
+        if event.type == EventTypes.Aliases:
+            return None
+
         # Don't try to apply the room's retention policy if the event is a state event, as
         # MSC1763 states that retention is only considered for non-state events.
         if apply_retention_policies and not event.is_state():