The server-name segment of MXC URIs is sanitised differently from the media-id segment

Fixes: #1990 Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>
2026-03-12 22:44:09 +01:00 · 2025-09-26 14:50:45 +02:00 · 2025-09-26 14:50:45 +02:00 · 02c1aba233
parent 21109b4d5b
commit 02c1aba233
2 changed files with 9 additions and 3 deletions
--- a/changelogs/client_server/newsfragments/2217.clarification
+++ b/changelogs/client_server/newsfragments/2217.clarification
@ -0,0 +1 @@
+The `server-name` segment of MXC URIs is sanitised differently from the `media-id` segment.
--- a/content/client-server-api/modules/content_repo.md
+++ b/content/client-server-api/modules/content_repo.md
@ -134,9 +134,14 @@ entity isn't in the room.
 `mxc://` URIs are vulnerable to directory traversal attacks such as
 `mxc://127.0.0.1/../../../some_service/etc/passwd`. This would cause the
 target homeserver to try to access and return this file. As such,
-homeservers MUST sanitise `mxc://` URIs by allowing only alphanumeric
-(`A-Za-z0-9`), `_` and `-` characters in the `server-name` and
-`media-id` values. This set of whitelisted characters allows URL-safe
+homeservers MUST sanitise `mxc://` URIs by:
+
+-   restricting the `server-name` segment to valid
+    [server names](/appendices/#server-name)
+-   allowing only alphanumeric (`A-Za-z0-9`), `_` and `-` characters in
+    the `media-id` segment
+
+The resulting set of whitelisted characters allows URL-safe
 base64 encodings specified in RFC 4648. Applying this character
 whitelist is preferable to blacklisting `.` and `/` as there are
 techniques around blacklisted characters (percent-encoded characters,
				`@ -0,0 +1 @@`
				The `server-name` segment of MXC URIs is sanitised differently from the `media-id` segment.