Use federation blacklist for requests to identity servers #5935
Comments
|
@richvdh @erikjohnston Should matrixfederationclient be used for these requests so we get blacklisting for free? Or does that muddy the definition of the client? |
|
Previously, using the MatrixFederationClient would have meant that you'd get .well-known and SRV routing, which you don't want for an IS. But now I'm not so sure. @erikjohnston do your recent changes to the agent mean that https urls skip the federation routing? |
That should be the case, though I haven't tested it. |
|
I guess another question: do we want the options relating to TLS certs to also apply to connections to the IS? (I think we probably do?) |
|
Would the |
…rs (#6000) Uses a SimpleHttpClient instance equipped with the federation_ip_range_blacklist list for requests to identity servers provided by user input. Does not use a blacklist when contacting identity servers specified by account_threepid_delegates. The homeserver trusts the latter and we don't want to prevent homeserver admins from specifying delegates that are on internal IP addresses. Fixes #5935
|
fixed by #6000 |
|
(which did nothing to address the tls certs stuff: you'll have to use a real cert on your ID server) |
Now that we're getting rid of the concept of trusted identity servers, we need to make sure that people can't try and poke at internal addresses when sending identity server-related requests.
The plan is to reuse the federation blacklist for these requests which by default blocks internal CIDR ranges.
The text was updated successfully, but these errors were encountered: