From 07ff1162661b52a0a161ec769f4ad55aa3393d4c Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Tue, 19 May 2020 12:57:19 +0300
Subject: [PATCH] Do not send User Directory search requests to ma1sd for now

We can undo this once https://github.com/ma1uta/ma1sd/issues/44 gets resolved.
---
 CHANGELOG.md | 14 ++++++++++++++
 group_vars/matrix_servers | 5 ++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4e0188795..de86333da 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,16 @@
+# 2020-05-19
+
+## (Compatibility Break / Security Issue) Disabling User Directory search powered by the ma1sd Identity Server
+
+User Directory search requests used to go to the ma1sd identity server by default, which queried its own stores and the Synapse database.
+
+ma1sd current has [a security issue](https://github.com/ma1uta/ma1sd/issues/44), which made it leak information about all users - including users created by bridges, etc.
+
+Until the issue gets fixed, we're making User Directory search not go to ma1sd by default. You **need to re-run the playbook and restart services to apply this workaround**.
+
+*If you insist on restoring the old behavior* (**which has a security issue!**), you *might* use this configuration: `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"`
+
+
 # 2020-04-28
 
 ## Newer IRC bridge (with potential breaking change)
@@ -11,6 +24,7 @@ If you did not include `mappings` in your configuration for IRC, no change is
 necessary. `mappings` is not part of the default configuration.
 
 
+
 # 2020-04-23
 
 ## Slack bridging support
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
index 970a5703b..6d9876acf 100755
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -616,7 +616,10 @@ matrix_nginx_proxy_proxy_synapse_metrics: "{{ matrix_synapse_metrics_enabled }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_with_container: "matrix-synapse:{{ matrix_synapse_metrics_port }}"
 matrix_nginx_proxy_proxy_synapse_metrics_addr_sans_container: "127.0.0.1:{{ matrix_synapse_metrics_port }}"
 
-matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: "{{ matrix_ma1sd_enabled }}"
+# Not proxying the user directory search to the identity server by default anymore,
+# because it currently leaks data.
+# See: https://github.com/ma1uta/ma1sd/issues/44
+matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_with_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container }}"
 matrix_nginx_proxy_proxy_matrix_user_directory_search_addr_sans_container: "{{ matrix_nginx_proxy_proxy_matrix_identity_api_addr_sans_container }}"
 
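Review bot: The new comment above `matrix_nginx_proxy_proxy_matrix_user_directory_search_enabled: false` records why the route is disabled but not what happens to user-directory search requests once the proxy stops diverting them to ma1sd, so an operator reading this file cannot tell whether search still works or is simply gone, nor that the two `*_addr_*` variables that follow are now unused unless the flag is turned back on. If, as the changelog implies, requests now fall through to Synapse, say so in the comment, e.g. `# When false, user directory search requests are no longer diverted to ma1sd (they reach Synapse unchanged);` followed by `# the *_addr_* variables below are only consulted when this is true.` It is also worth stating here, not only in the changelog, that this default is a temporary workaround tied to the linked issue and that restoring the previous value `"{{ matrix_ma1sd_enabled }}"` re-enables the data leak, since group_vars is what an operator will grep when deciding whether to override it. Whether other identity-API endpoints that remain proxied expose the same data is not addressed by this hunk and would be the natural follow-up question to record.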