Clarify allowed characters in mxc:// URIs (#2377)

The security considerations section already has this MUST, but people
often don't look that far.

Signed-off-by: Tulir Asokan <tulir@maunium.net>
Tulir Asokan 2026-05-14 00:50:55 +03:00 committed by GitHub
parent 656bf61a3c
commit 684d080f9a
GPG key ID: B5690EEEBB952194
2 changed files with 6 additions and 1 deletions

View file

@ -0,0 +1 @@
Clarify allowed characters in `mxc://` URIs.

View file

@ -40,6 +40,10 @@ mxc://<server-name>/<media-id>
<media-id> : An opaque ID which identifies the content. <media-id> : An opaque ID which identifies the content.
``` ```
The `media-id` segment MUST consist of only alphanumeric (`A-Za-z0-9`), `_` and
`-` characters. See the [security considerations](#content-repo-security-considerations)
section below for more details.
#### Client behaviour {id="content-repo-client-behaviour"} #### Client behaviour {id="content-repo-client-behaviour"}
Clients can access the content repository using the following endpoints. Clients can access the content repository using the following endpoints.
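Review bot: the new MUST on the `media-id` segment defines the allowed character set (`A-Za-z0-9`, `_`, `-`) but says nothing about what a server should do with a `media-id` that contains anything else; since the stated motivation is that implementers miss the security-considerations text, consider adding one sentence here that servers MUST reject such IDs rather than attempt to resolve them, e.g. "Servers MUST refuse to serve a `media-id` containing any other character." Separately, this restriction is now stated in two places; either keep the wording identical in both or have the security-considerations section refer back to this paragraph as the canonical definition so the two cannot drift.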
@ -125,7 +129,7 @@ Servers MUST NOT upscale thumbnails under any circumstance. Servers MUST
NOT return a smaller thumbnail than requested, unless the original NOT return a smaller thumbnail than requested, unless the original
content makes that impossible. content makes that impossible.
#### Security considerations #### Security considerations {id="content-repo-security-considerations"}
The HTTP GET endpoint does not require any authentication. Knowing the The HTTP GET endpoint does not require any authentication. Knowing the
URL of the content is sufficient to retrieve the content, even if the URL of the content is sufficient to retrieve the content, even if the
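Review bot: the explicit `{id="content-repo-security-considerations"}` is required for the cross-reference added in the earlier hunk, but if the renderer previously auto-generated an id for this heading from its text, any existing inbound links to that old anchor will break; confirm the new id matches the previously generated one (the neighbouring `content-repo-client-behaviour` id suggests this naming convention) or that no such links exist.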