Skip to content
This repository has been archived by the owner on Nov 25, 2024. It is now read-only.

It is possible to use matrix network to mirror one file on each instance #1938

Closed
MrCyjaneK opened this issue Jul 24, 2021 · 3 comments
Closed

It is possible to use matrix network to mirror one file on each instance #1938

MrCyjaneK opened this issue Jul 24, 2021 · 3 comments

Comments

@MrCyjaneK
Copy link

MrCyjaneK commented Jul 24, 2021
edited
Loading

Background information

  • Dendrite version or git SHA: c6acb94af4bc88eb999e56da4f6e0132438cb50a
  • Monolith or Polylith?: Polylith
  • SQLite3 or Postgres?: Postgres
  • Running in Docker?: no
  • go version: go1.16.4 linux/amd64

Description

It is possible to use my instance, to mirror content of other instances (and vice-versa). I've sent an image, a simple, unencrypted image, from @cyjan:mrcyjanek.net to a small group (with users from mrcyjanek.net, matrix.org and t2bot.io). This group is private.
Here is source of this message:

{
  "content": {
    "body": "image.png",
    "info": {
      "h": 85,
      "mimetype": "image/png",
      "size": 2078,
      "thumbnail_info": {
        "h": 85,
        "mimetype": "image/png",
        "size": 2704,
        "w": 118
      },
      "thumbnail_url": "mxc://mrcyjanek.net/dc1e9f9e95ea2de764fe8f9ce8c2b7e86af560477cbdebe13e87245c3ad09830",
      "w": 118
    },
    "msgtype": "m.image",
    "url": "mxc://mrcyjanek.net/c5b45a1748453dfca594c237a023debd0c64ffe0f597bb3dadce7dcb83359e31"
  },
  "event_id": "$5A6qfTV7eaegMCtyG2AVDer7yfl-_YhmY-eqQBzmmFM",
  "origin_server_ts": 1627160326464,
  "sender": "@cyjan:mrcyjanek.net",
  "type": "m.room.message",
  "unsigned": {
    "transaction_id": "m1627160325134.40"
  },
  "room_id": "!DTDvPmpFDiacEsAsYt:matrix.org"
}

And I can access that image by these links:

That's all fine - but why is my image also being sent to other homeservers?

Steps to reproduce

  • Send an image
  • Copy link
  • Replace domain

Expected result

matrix.org, mrcyjanek.net and t2bot.io should only reply to this request, and other homeservers, which don't participate in this chat should ignore this request, since this group is private they shouldn't be able to access this image.

p.s. is it okay that this link just work for one-to-one chats and private groups? Shouldn't it require some form of authentication? I know that this issue doesn't happen with E2EE chat, but still private group should be private.
@neilalexander
Copy link
Contributor

Ultimately this is working as intended. The media API is not aware of room memberships or resident servers.

It’s also not so much that your media is being proactively replicated to other servers when it is first uploaded, but rather that those servers are seeking out the location of the media from the origin server in the URL when you ask them to.

@MrCyjaneK
Copy link
Author

And it isn't viewed as an issue? I know that it isn't send to the whole federation at once, but somebody with list of all servers could just use them as a mirror for a file... Are there any plans to implement some kind of authentication before allowing to access /_matrix/media paths?

@kegsay
Copy link
Member

kegsay commented Jul 26, 2021

This isn't a Dendrite-specific issue.

https://github.com/matrix-org/matrix-doc/issues/701

See also: https://github.com/matrix-org/synapse/issues/2150

@kegsay kegsay closed this as completed Jul 26, 2021
@matrixbot matrixbot mentioned this issue Nov 1, 2024
Closed
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neilalexander @kegsay @MrCyjaneK