Endpoint preview_url exposes url to Log #11591
Comments
Changing GET to POST would require a spec change on matrix-doc unfortunately. I'm not entirely confident that it'd be accepted by the spec people. I believe clients are not supposed to use the preview_url endpoint when E2E encryption is on, since that would leak message contents as you point out. On the Synapse end, we can redact preview URLs from the logs, since we already do this for access tokens and client secrets:
The spec notes:
@DMRobertson: I agree, clients shouldn't use preview_url, especially not in encrypted rooms. In our case, we also disabled preview_url in synapse homeserver.yml. So it might be a good idea to promote activated features to clients. I know this will result in much work and long discussions.

@squahtx: Your proposal could be a fast solution, but redacting homeserver logs has no effect on reverse proxy logs. So it couldn't be the final solution.
That's a fair point, and probably means log redaction isn't worth pursuing as a fix. A proper fix would be, as you mentioned, moving this endpoint to accepting data via POST. We can't do that unilaterally in Synapse because it's an issue with the Matrix specification itself.

I'd strongly urge you (or anyone else reading this issue) to propose a Matrix Spec Change (MSC) following the process at https://spec.matrix.org/v1.1/proposals/#process

I'm going to close this as wontfix as we can't do anything about it until the Spec Core Team approves of this change to the Matrix specification.
Description
If a client sends a URL, it uses the endpoint /_matrix/api/r0/preview_url via GET method. So the URL and the sender are exposed to the Homeserver Log (log_level: INFO) and the Reverse-Proxy Access Log (e.g. Apache).
Disabling url_preview_enabled in homeserver.yml has no effect.
It's expected that no user messages are exposed to any logfiles, especially with activated e2e encryption. Changing the method from GET to POST will fix this issue.
Workaround
e.g. in Apache config.
Steps to reproduce
Version information
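As an added example (not Synapse code and not taken from this issue thread): a small Python filter that scrubs the url parameter of preview_url requests from log lines that were already written, which also covers the reverse-proxy access log that homeserver-side redaction does not reach. The sample log lines are constructed, and the function and constant names are this example's own.

```python
import re

# Request target of a preview_url call as it appears in a log line. The path
# prefix is not pinned, so any /_matrix/.../preview_url route matches.
_TARGET = re.compile(r'(?P<path>/_matrix/[^\s?"]*/preview_url)\?(?P<query>[^\s"]*)')
REDACTED = "<redacted>"

# Constructed sample lines (Apache combined-log shape), not real traffic.
APACHE_SAMPLE = (
    '203.0.113.7 - - [15/Dec/2021:10:00:01 +0000] "GET /_matrix/api/r0/preview_url'
    '?url=https%3A%2F%2Fexample.com%2Fprivate%2Fdoc&ts=1639562400000 HTTP/1.1" 200 512'
)
OTHER_SAMPLE = (
    '203.0.113.7 - - [15/Dec/2021:10:00:02 +0000] '
    '"GET /_matrix/client/versions HTTP/1.1" 200 340'
)


def _scrub_query(query):
    """Replace the value of every `url` parameter; keep the others (e.g. ts)."""
    parts = []
    for pair in query.split("&"):
        key, sep, _value = pair.partition("=")
        if key.lower() == "url" and sep:
            parts.append(f"{key}={REDACTED}")
        else:
            parts.append(pair)
    return "&".join(parts)


def redact_line(line):
    """Return (scrubbed_line, changed). Already-scrubbed lines are unchanged."""
    scrubbed = _TARGET.sub(
        lambda m: f"{m['path']}?{_scrub_query(m['query'])}", line
    )
    return scrubbed, scrubbed != line


if __name__ == "__main__":
    for sample in (APACHE_SAMPLE, OTHER_SAMPLE):
        scrubbed, changed = redact_line(sample)
        print("REDACTED " if changed else "unchanged", scrubbed)
```

The changed flag doubles as a check: counting lines where it is true shows how many previewed URLs a given log file was holding before the scrub.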