瀏覽代碼
Do not send User Directory search requests to ma1sd for now
We can undo this once https://github.com/ma1uta/ma1sd/issues/44 gets resolved.pull/511/head
Slavi Pantaleev
5 年之前
共有 2 個檔案被更改,包括 18 行新增 和 1 行删除
統一視圖
Diff Options
-
+14 -0CHANGELOG.md
-
+4 -1group_vars/matrix_servers
+ 14
- 0
CHANGELOG.md
查看文件
| @@ -1,3 +1,16 @@ | |||||
| # 2020-05-19 | |||||
| ## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server | |||||
| User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database. | |||||
| ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc. | |||||
| Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**. | |||||
| *If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"` | |||||
| # 2020-04-28 | # 2020-04-28 | ||||
| ## Newer IRC bridge (with potential breaking change) | ## Newer IRC bridge (with potential breaking change) | ||||
| @@ -11,6 +24,7 @@ If you did not include `mappings` in your configuration for IRC, no | |||||
| change is necessary. `mappings` is not part of the default | change is necessary. `mappings` is not part of the default | ||||
| configuration. | configuration. | ||||
| # 2020-04-23 | # 2020-04-23 | ||||
| ## Slack bridging support | ## Slack bridging support | ||||
+ 4
- 1
group_vars/matrix_servers
查看文件
| @@ -616,7 +616,10 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}" | |||||
| matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" | matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}" | ||||
| matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" | matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}" | ||||
| matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}" | |||||
| # Not proxying the user directory search to the identity server by default anymore, | |||||
| # because it currently leaks data. | |||||
| # See: https://github.com/ma1uta/ma1sd/issues/44 | |||||
| matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false | |||||
| matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" | matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}" | ||||
| matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" | matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}" | ||||