Filip/matrix-spec
1
0
Fork 0
mirror of https://github.com/matrix-org/matrix-spec synced 2026-05-02 07:04:09 +02:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Compare commits

base: Filip:58bdf3211966af98439e6aea948f33479f996378
Branches Tags
Filip:main
Filip:anoa/mention_messages
Filip:release/v1.18
Filip:release/v1.17
Filip:release/v1.16
Filip:release/v1.15
Filip:release/1.14
Filip:release/v1.13
Filip:release/v1.12
Filip:release/v1.11
Filip:tulir/msc4142
Filip:release/v1.10
Filip:travis/msc2702-msc2701
Filip:rav/ref_objects_in_params
Filip:dkasak/foldable-sidebar
Filip:travis/knock-join
Filip:release/v1.9
Filip:release/v1.8
Filip:anoa/update_docsy
Filip:anoa/nix_flake
Filip:dbkr/3077-multi-stream-voip
Filip:release/v1.7
Filip:dbkr/2746-reliable-voip
Filip:rav/links_for_object_defs
Filip:release/v1.6
Filip:release/v1.5
Filip:release/v1.4
Filip:anoa/invite_knock_room_state
Filip:release/v1.3
Filip:v1.18
Filip:v1.17
Filip:v1.16
Filip:v1.15
Filip:v1.14
Filip:v1.13
Filip:v1.12
Filip:v1.11
Filip:v1.10
Filip:v1.9
Filip:v1.8
Filip:v1.7
Filip:v1.6
Filip:v1.5
Filip:v1.4
Filip:v1.3
Filip:v1.2
Filip:v1.1
Filip:server_server/r0.1.4
Filip:client_server/r0.6.1
Filip:client_server/r0.6.0
Filip:identity_service/r0.3.0
Filip:server_server/r0.1.3
Filip:application_service/r0.1.2
Filip:push_gateway/r0.1.1
Filip:identity_service/r0.2.1
Filip:client_server/r0.5.0
Filip:server_server/r0.1.2
Filip:identity_service/r0.2.0
Filip:application_service/r0.1.1
Filip:server_server/r0.1.1
Filip:server_server/r0.1.0
Filip:client_server/r0.4.0
Filip:identity_service/r0.1.0
Filip:application_service/r0.1.0
Filip:push_gateway/r0.1.0
Filip:client-server/r0.3.0
Filip:client-server/0.3.0
Filip:client-server/r0.2.0
Filip:client-server/r0.1.0
Filip:r0.0.1
Filip:r0.0.0
Filip:0.2.0
...
compare: Filip:84823bc0667a4c0da9dd00449516e7bec50ee517
Branches Tags
Filip:main
Filip:anoa/mention_messages
Filip:release/v1.18
Filip:release/v1.17
Filip:release/v1.16
Filip:release/v1.15
Filip:release/1.14
Filip:release/v1.13
Filip:release/v1.12
Filip:release/v1.11
Filip:tulir/msc4142
Filip:release/v1.10
Filip:travis/msc2702-msc2701
Filip:rav/ref_objects_in_params
Filip:dkasak/foldable-sidebar
Filip:travis/knock-join
Filip:release/v1.9
Filip:release/v1.8
Filip:anoa/update_docsy
Filip:anoa/nix_flake
Filip:dbkr/3077-multi-stream-voip
Filip:release/v1.7
Filip:dbkr/2746-reliable-voip
Filip:rav/links_for_object_defs
Filip:release/v1.6
Filip:release/v1.5
Filip:release/v1.4
Filip:anoa/invite_knock_room_state
Filip:release/v1.3
Filip:v1.18
Filip:v1.17
Filip:v1.16
Filip:v1.15
Filip:v1.14
Filip:v1.13
Filip:v1.12
Filip:v1.11
Filip:v1.10
Filip:v1.9
Filip:v1.8
Filip:v1.7
Filip:v1.6
Filip:v1.5
Filip:v1.4
Filip:v1.3
Filip:v1.2
Filip:v1.1
Filip:server_server/r0.1.4
Filip:client_server/r0.6.1
Filip:client_server/r0.6.0
Filip:identity_service/r0.3.0
Filip:server_server/r0.1.3
Filip:application_service/r0.1.2
Filip:push_gateway/r0.1.1
Filip:identity_service/r0.2.1
Filip:client_server/r0.5.0
Filip:server_server/r0.1.2
Filip:identity_service/r0.2.0
Filip:application_service/r0.1.1
Filip:server_server/r0.1.1
Filip:server_server/r0.1.0
Filip:client_server/r0.4.0
Filip:identity_service/r0.1.0
Filip:application_service/r0.1.0
Filip:push_gateway/r0.1.0
Filip:client-server/r0.3.0
Filip:client-server/0.3.0
Filip:client-server/r0.2.0
Filip:client-server/r0.1.0
Filip:r0.0.1
Filip:r0.0.0
Filip:0.2.0

4 commits
58bdf32119 ... 84823bc066

Author SHA1 Message Date
famfo 84823bc066
Merge 70f6749c92 into d8be2ad942 2025-09-29 10:21:52 +01:00
Johannes Marbach d8be2ad942
The server-name segment of MXC URIs is sanitised differently from the media-id segment (#2217)
Some checks failed
Spec / 🔎 Validate OpenAPI specifications (push) Has been cancelled
Details
Spec / 🔎 Check Event schema examples (push) Has been cancelled
Details
Spec / 🔎 Check OpenAPI definitions examples (push) Has been cancelled
Details
Spec / 🔎 Check JSON Schemas inline examples (push) Has been cancelled
Details
Spec / ⚙️ Calculate baseURL for later jobs (push) Has been cancelled
Details
Spec / 📢 Run towncrier for changelog (push) Has been cancelled
Details
Spell Check / Spell Check with Typos (push) Has been cancelled
Details
Spec / 🐍 Build OpenAPI definitions (push) Has been cancelled
Details
Spec / 📖 Build the spec (push) Has been cancelled
Details
Spec / 🔎 Validate generated HTML (push) Has been cancelled
Details
Spec / 📖 Build the historical backup spec (push) Has been cancelled
Details 
Fixes: #1990

Signed-off-by: Johannes Marbach <n0-0ne+github@mailbox.org>
 2025-09-26 17:36:34 +03:00
famfo 70f6749c92
changelogs/s2s: add minimum_valid_until_ts clarification 2025-09-11 02:19:33 +02:00
famfo 1583a12cec
s2s/keys: clarify minimum_valid_until_ts query 
Signed-off-by: famfo <famfo@famfo.xyz>
 2025-09-11 02:19:33 +02:00
4 changed files with 14 additions and 8 deletions
Show stats Expand all files Collapse all files

1
changelogs/client_server/newsfragments/2217.clarification Normal file
View file

@ -0,0 +1 @@
The `server-name` segment of MXC URIs is sanitised differently from the `media-id` segment.

1
changelogs/server_server/newsfragments/2191.clarification Normal file
View file

@ -0,0 +1 @@
Clarify what the minimum_valid_until_ts field means when it is set in key queries.

11
content/client-server-api/modules/content_repo.md
View file

@ -134,9 +134,14 @@ entity isn't in the room.
`mxc://` URIs are vulnerable to directory traversal attacks such as `mxc://` URIs are vulnerable to directory traversal attacks such as
`mxc://127.0.0.1/../../../some_service/etc/passwd`. This would cause the `mxc://127.0.0.1/../../../some_service/etc/passwd`. This would cause the
target homeserver to try to access and return this file. As such, target homeserver to try to access and return this file. As such,
homeservers MUST sanitise `mxc://` URIs by allowing only alphanumeric homeservers MUST sanitise `mxc://` URIs by:
(`A-Za-z0-9`), `_` and `-` characters in the `server-name` and
`media-id` values. This set of whitelisted characters allows URL-safe - restricting the `server-name` segment to valid
[server names](/appendices/#server-name)
- allowing only alphanumeric (`A-Za-z0-9`), `_` and `-` characters in
the `media-id` segment
The resulting set of whitelisted characters allows URL-safe
base64 encodings specified in RFC 4648. Applying this character base64 encodings specified in RFC 4648. Applying this character
whitelist is preferable to blacklisting `.` and `/` as there are whitelist is preferable to blacklisting `.` and `/` as there are
techniques around blacklisted characters (percent-encoded characters, techniques around blacklisted characters (percent-encoded characters,

9
data/api/server-server/keys_query.yaml
View file

@ -34,8 +34,8 @@ paths:
- in: query - in: query
name: minimum_valid_until_ts name: minimum_valid_until_ts
description: |- description: |-
A millisecond POSIX timestamp in milliseconds indicating when the returned A millisecond POSIX timestamp. The returned keys MUST be valid
certificates will need to be valid until to be useful to the requesting server. until at least this timestamp.
If not supplied, the current time as determined by the notary server is used. If not supplied, the current time as determined by the notary server is used.
required: false required: false
@ -98,9 +98,8 @@ paths:
type: integer type: integer
format: int64 format: int64
description: |- description: |-
A millisecond POSIX timestamp in milliseconds indicating when A millisecond POSIX timestamp. The returned keys
the returned certificates will need to be valid until to be MUST be valid until at least this timestamp.
useful to the requesting server.
If not supplied, the current time as determined by the notary If not supplied, the current time as determined by the notary
server is used. server is used.