Do not send User Directory search requests to ma1sd for now

We can undo this once https://github.com/ma1uta/ma1sd/issues/44 gets
resolved.
This commit is contained in:
Slavi Pantaleev 2020-05-19 12:57:19 +03:00
parent ba23779b05
commit 07ff116266
2 changed files with 18 additions and 1 deletions

View File

@ -1,3 +1,16 @@
# 2020-05-19
## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server
User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database.
ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc.
Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**.
*If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"`
# 2020-04-28 # 2020-04-28
## Newer IRC bridge (with potential breaking change) ## Newer IRC bridge (with potential breaking change)
@ -11,6 +24,7 @@ If you did not include `mappings` in your configuration for IRC, no
change is necessary. `mappings` is not part of the default change is necessary. `mappings` is not part of the default
configuration. configuration.
# 2020-04-23 # 2020-04-23
## Slack bridging support ## Slack bridging support

View File

@ -616,7 +616,10 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" # Not proxying the user directory search to the identity server by default anymore,
# because it currently leaks data.
# See: https://github.com/ma1uta/ma1sd/issues/44
matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"