Fix 'ip_range_whitelist' not working for federation servers (#10115)
Add 'federation_ip_range_whitelist'. This allows backwards-compatibility if 'federation_ip_range_blacklist' is set. Otherwise 'ip_range_whitelist' will be used for federation servers. Signed-off-by: Michael Kutzner 1mikure@gmail.com
							parent
							
								
									1dfdc87b9b
								
							
						
					
					
						commit
						aac2c49b9b
					
				|  | @ -0,0 +1 @@ | |||
| Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure. | ||||
|  | @ -397,19 +397,22 @@ class ServerConfig(Config): | |||
|         self.ip_range_whitelist = generate_ip_set( | ||||
|             config.get("ip_range_whitelist", ()), config_path=("ip_range_whitelist",) | ||||
|         ) | ||||
| 
 | ||||
|         # The federation_ip_range_blacklist is used for backwards-compatibility | ||||
|         # and only applies to federation and identity servers. If it is not given, | ||||
|         # default to ip_range_blacklist. | ||||
|         federation_ip_range_blacklist = config.get( | ||||
|             "federation_ip_range_blacklist", ip_range_blacklist | ||||
|         ) | ||||
|         # Always blacklist 0.0.0.0, :: | ||||
|         self.federation_ip_range_blacklist = generate_ip_set( | ||||
|             federation_ip_range_blacklist, | ||||
|             ["0.0.0.0", "::"], | ||||
|             config_path=("federation_ip_range_blacklist",), | ||||
|         ) | ||||
|         # and only applies to federation and identity servers. | ||||
|         if "federation_ip_range_blacklist" in config: | ||||
|             # Always blacklist 0.0.0.0, :: | ||||
|             self.federation_ip_range_blacklist = generate_ip_set( | ||||
|                 config["federation_ip_range_blacklist"], | ||||
|                 ["0.0.0.0", "::"], | ||||
|                 config_path=("federation_ip_range_blacklist",), | ||||
|             ) | ||||
|             # 'federation_ip_range_whitelist' was never a supported configuration option. | ||||
|             self.federation_ip_range_whitelist = None | ||||
|         else: | ||||
|             # No backwards-compatiblity requrired, as federation_ip_range_blacklist | ||||
|             # is not given. Default to ip_range_blacklist and ip_range_whitelist. | ||||
|             self.federation_ip_range_blacklist = self.ip_range_blacklist | ||||
|             self.federation_ip_range_whitelist = self.ip_range_whitelist | ||||
| 
 | ||||
|         # (undocumented) option for torturing the worker-mode replication a bit, | ||||
|         # for testing. The value defines the number of milliseconds to pause before | ||||
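Review bot: In the `else` branch, `self.federation_ip_range_blacklist = self.ip_range_blacklist` no longer goes through `generate_ip_set(..., ["0.0.0.0", "::"], ...)`, so the "always blacklist 0.0.0.0, ::" guarantee for federation traffic now rests on how `self.ip_range_blacklist` was built above this hunk, which is not visible here. If that set already contains both addresses, say so in a comment on the assignment, e.g. `# self.ip_range_blacklist is built with 0.0.0.0 and :: included, so they stay blocked here`. If it does not, this branch needs to add them. In the `if` branch an operator who sets both `federation_ip_range_blacklist` and `ip_range_whitelist` gets the whitelist dropped for federation without any message; a startup warning would make that visible. The comment in the `else` branch also has typos (`backwards-compatiblity requrired`), and the enclosing method starts and ends outside the hunk.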
|  |  | |||
|  | @ -318,7 +318,9 @@ class MatrixFederationHttpClient: | |||
|         # We need to use a DNS resolver which filters out blacklisted IP | ||||
|         # addresses, to prevent DNS rebinding. | ||||
|         self.reactor = BlacklistingReactorWrapper( | ||||
|             hs.get_reactor(), None, hs.config.federation_ip_range_blacklist | ||||
|             hs.get_reactor(), | ||||
|             hs.config.federation_ip_range_whitelist, | ||||
|             hs.config.federation_ip_range_blacklist, | ||||
|         )  # type: ISynapseReactor | ||||
| 
 | ||||
|         user_agent = hs.version_string | ||||
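Review bot: The comment above `BlacklistingReactorWrapper(...)` still says the resolver "filters out blacklisted IP addresses", but with `hs.config.federation_ip_range_whitelist` now passed, addresses on the whitelist are presumably let through even when they fall inside a blacklisted range. The comment should state that exception, e.g. `# ... filters out blacklisted IP addresses (unless whitelisted), to prevent DNS rebinding.`, so a reader knows the whitelist widens what federation requests can reach. The changelog entry also names identity servers, while this page shows only this one call site changing. Any other client still constructed with a `None` whitelist and `federation_ip_range_blacklist` would keep ignoring the option, which is worth confirming. The constructor continues outside the hunk.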
|  |  | |||
	 Michael Kutzner
						Michael Kutzner