Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Fix 'ip_range_whitelist' not working for federation servers #10115

Merged
merged 8 commits into from
Jun 15, 2021
Merged

Fix 'ip_range_whitelist' not working for federation servers #10115

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
d0d833d
Create 9569.bugfix
mikure Jun 3, 2021
21b7e77
Fix 'ip_range_whitelist' not working for federation servers
mikure Jun 3, 2021
86010c4
Remove incorrect named changelog file
mikure Jun 3, 2021
1dc53bf
Update changelog.d/10115.bugfix
mikure Jun 10, 2021
c821203
Update changelog.d/10115.bugfix
mikure Jun 10, 2021
fc202ea
Add explanation about backwards-compatibiliy check
mikure Jun 10, 2021
604a7ed
Restructure code for readability
mikure Jun 13, 2021
31b1cb7
Merge branch 'matrix-org:develop' into fix9569-merged
mikure Jun 13, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/10115.bugfix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix a bug introduced in Synapse v1.25.0 that prevented the `ip_range_whitelist` configuration option from working for federation and identity servers. Contributed by @mikure.
27 changes: 15 additions & 12 deletions synapse/config/server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -397,19 +397,22 @@ def read_config(self, config, **kwargs):
self.ip_range_whitelist = generate_ip_set(
config.get("ip_range_whitelist", ()), config_path=("ip_range_whitelist",)
)

# The federation_ip_range_blacklist is used for backwards-compatibility
# and only applies to federation and identity servers. If it is not given,
# default to ip_range_blacklist.
federation_ip_range_blacklist = config.get(
"federation_ip_range_blacklist", ip_range_blacklist
)
# Always blacklist 0.0.0.0, ::
self.federation_ip_range_blacklist = generate_ip_set(
federation_ip_range_blacklist,
["0.0.0.0", "::"],
config_path=("federation_ip_range_blacklist",),
)
# and only applies to federation and identity servers.
if "federation_ip_range_blacklist" in config:
# Always blacklist 0.0.0.0, ::
self.federation_ip_range_blacklist = generate_ip_set(
config["federation_ip_range_blacklist"],
["0.0.0.0", "::"],
config_path=("federation_ip_range_blacklist",),
)
# 'federation_ip_range_whitelist' was never a supported configuration option.
self.federation_ip_range_whitelist = None
else:
# No backwards-compatiblity requrired, as federation_ip_range_blacklist
# is not given. Default to ip_range_blacklist and ip_range_whitelist.
self.federation_ip_range_blacklist = self.ip_range_blacklist
self.federation_ip_range_whitelist = self.ip_range_whitelist

# (undocumented) option for torturing the worker-mode replication a bit,
# for testing. The value defines the number of milliseconds to pause before
Expand Down
4 changes: 3 additions & 1 deletion synapse/http/matrixfederationclient.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -318,7 +318,9 @@ def __init__(self, hs, tls_client_options_factory):
# We need to use a DNS resolver which filters out blacklisted IP
# addresses, to prevent DNS rebinding.
self.reactor = BlacklistingReactorWrapper(
hs.get_reactor(), None, hs.config.federation_ip_range_blacklist
hs.get_reactor(),
hs.config.federation_ip_range_whitelist,
hs.config.federation_ip_range_blacklist,
) # type: ISynapseReactor

user_agent = hs.version_string
Expand Down