Releases: t2bot/matrix-media-repo
v1.3.8
Security
- Limit untrusted decoders during thumbnailing (GHSA-rcxc-wjgw-579r / CVE-2024-56515)
- Improve handling of JSON (GHSA-gp86-q8hg-fpxj / CVE-2024-52791)
- Fix SSRF issues (GHSA-r6jg-jfv6-2fjv / CVE-2024-52602)
Added
- Allow guests to access uploaded media, as per MSC4189.
- The thumbnailer can now be run independently with the thumbnailer binary. See thumbnailer -help for details.
Changed
- MMR now requires Go 1.22 for compilation.
- MMR now builds on a base image of alpine:3.21.
- The global repo.freezeUnauthenticatedMedia option now defaults to true, enabling authenticated media by default. A future release will remove this option, requiring the freeze behaviour. See config.sample.yaml for details.
- For SVG and JPEGXL files, ImageMagick 7 is now required.
- For MP4 files, ffmpeg 6 or 7 (use 7 for best results) is now required.
Fixed
- Return a 404 instead of 500 when clients access media which is frozen.
- Return a 403 instead of 500 when guests access endpoints that are for registered users only.
- Ensure the request parameters are correctly set for authenticated media client requests.
- Ensure remote signing keys expire after at most 7 days.
- Fixed parsing of Authorization headers for federated servers.
- Ensure ignoredHosts is applied to unauthenticated requests.
v1.3.7
Added
- A new global config option, repo.freezeUnauthenticatedMedia, is supported to enact the unauthenticated media freeze early. See config.sample.yaml for details.
Changed
- The default leaky bucket capacity has changed from 300mb to 500mb, allowing for more downloads to go through. The drain rate and overflow limit are unchanged (5mb/minute and 100mb respectively).
v1.3.6
v1.3.5
Security
This release fixes the following security concerns:
Added
- New datastore option to ignore Redis cache when downloading media served by a publicBaseUrl. This can help ensure more requests get redirected to the CDN.
- HEAD /download is now supported, as per MSC4120.
- S3 datastores can now specify a prefixLength to improve S3 performance on some providers. See config.sample.yaml for details.
- Add multipartUploads flag for running MMR against unsupported S3 providers. See config.sample.yaml for details.
- A new "leaky bucket" rate limit algorithm has been applied to downloads. See rateLimit.buckets in config.sample.yaml for details.
- Add support for MSC3916: Authentication for media.
- To enable full support, use signingKeyPath in your config. See config.sample.yaml for details.
- Server operators should point /_matrix/client/v1/media/* and /_matrix/federation/v1/media/* at MMR.
Changed
- The leaky bucket rate limiting introduced above is turned on by default. Administrators are encouraged to review the default settings and adjust as needed.
Fixed
- Metrics for redirected and HTML requests are tracked.
- Fixed more issues relating to non-dimensional media being thumbnailed (invalid image size: 0x0 errors).
- Long-running purge requests no longer fail when the requesting client times out. They are continued in the background.
- Purging old media has been fixed to actually identify old media.
- JPEG thumbnails will now use sensible extensions.
- Fixed directory permissions when exporting MMR to Synapse.
- In some rare cases, memory usage may have leaked due to thumbnail error handling. This has been fixed.
- Synapse signing keys with blank lines can now be decoded/combined with other keys.
v1.3.4
Added
- Dendrite homeservers can now have their media imported safely, and adminApiKind may be set to dendrite.
- Exporting MMR's data to Synapse is now possible with import_to_synapse. To use it, first run gdpr_export or similar.
- Errors encountered during a background task, such as an API-induced export, are exposed as error_message in the admin API.
- MMR will follow redirects on federated downloads up to 5 hops.
- S3-backed datastores can have download requests redirected to a public-facing CDN rather than being proxied through MMR. See publicBaseUrl under the S3 datastore config.
Changed
- Exports now use an internal timeout of 10 minutes instead of 1 minute when downloading files. This may still result in errors if downloading from S3 takes too long.
- MMR now requires Go 1.21 for compilation.
- ARM-supported Docker images are now available through GHCR.
- The Docker Hub (docker.io) builds are deprecated and will not receive updates starting with v1.4.0
- Docker Hub images are not guaranteed to have ARM compatibility.
- The latest Docker tag on both Docker Hub and GHCR now points to the latest release instead of the unstable development build.
Fixed
- Exports created with s3_urls now contain valid URLs.
- Exports no longer fail with "The requested range is not satisfiable".
- Exports no longer fail with "index out of range [0] with length 0".
- Requests that require authentication but lack an access token now return HTTP 401 instead of HTTP 500.
- Downloads when using a self-hosted MinIO instance are no longer slower than expected.
- The DELETE /_matrix/media/unstable/admin/export/:exportId endpoint has been reinstated as described.
- If a server's downloads.maxSize is greater than the uploads.maxSize, remote media is no longer cut off at uploads.maxSize. The media will instead be downloaded at downloads.maxSize and error if greater.
- Content-Type on /download and /thumbnail is now brought in line with MSC2701.
v1.3.3
Fixed
- Improved handling when encountering an error attempting to populate Redis during uploads.
- Fixed Range requests failing by default by internally setting a default chunk size of 10mb.
- Stop logging "no exif data".
- Fixed admin API requests not working when authenticating as the shared secret user.
Changed
- Updated dependencies. Manually compiled deployments may need to recompile libheif as well.
v1.3.2
v1.3.1
From v1.3.0
- Mandatory configuration change: Please see docs.t2bot.io for details.
- Fix improper usage of Content-Disposition: inline and related Content-Type safety (CVE-2023-41318, GHSA-5crw-6j7v-xc72).
Fixed
- Fixed media purge API not being able to delete thumbnails.
- Fixed thumbnails being attempted for disabled media types.
- Fixed SVG and other non-dimensional media failing to be usefully thumbnailed in some cases.
v1.3.0
Mandatory Configuration Change
Please see docs.t2bot.io for details.
Security Fixes
- Fix improper usage of Content-Disposition: inline and related Content-Type safety (CVE-2023-41318, GHSA-5crw-6j7v-xc72).
Deprecations
- The GET /_matrix/media/unstable/local_copy/:server/:mediaId (and unstable/io.t2bot.media variant) endpoint is deprecated and scheduled for removal. If you are using this endpoint, please comment on this issue to explain your use case.
Added
- Added a federation.ignoredHosts config option to block media from individual homeservers.
- Support for MSC2246 (async uploads) is added, with per-user quota limiting options.
- Support for MSC4034 (self-serve usage information) is added, alongside a new "maximum file count" quota limit.
- The GET /_synapse/admin/v1/statistics/users/media endpoint from Synapse is now supported at the same path for local server admins.
- Thumbnailing support for:
- BMP images.
- TIFF images.
- HEIC images.
- New metrics:
- HTTP response times.
- Age of downloaded/accessed media.
- Support for PGO builds has been enabled via pgo-fleet.
Removed
- IPFS support has been removed due to maintenance burden.
- Exports initiated through the admin API no longer support ?include_data=false. Exports will always contain data.
- Server-side blurhash calculation has been removed. Clients and bridges already calculate blurhashes locally where applicable.
Changed
- Mandatory configuration change: You must add datastore IDs to your datastore configuration, as matrix-media-repo will no longer manage datastores for you.
- If compiling matrix-media-repo, note that new external dependencies are required. See the docs.
- Docker images already contain these dependencies.
- Datastores no longer use the enabled flag set on them. Use forKinds: [] instead to disable a datastore's usage.
- Per-user upload quotas now do not allow users to exceed the maximum values, even by 1 byte. Previously, users could exceed the limits by a little bit.
- Updated to Go 1.19, then Go 1.20 in the same release cycle.
- New CGO dependencies are required. See docs.t2bot.io for details.
- Logs are now less noisy by default.
- Connected homeservers must support at least Matrix 1.1 on the Client-Server API. Servers over federation are not affected.
- The example Grafana dashboard has been updated.
Fixed
- URL previews now follow redirects properly.
- Overall memory usage is improved, particularly during media uploads and API-initiated imports.
- Note: If you use plugins then memory usage will still be somewhat high due to temporary caching of uploads.
- Note: This affects RSS primarily. VSZ and other memory metrics may be higher than expected due to how Go releases memory to the OS. This is fixed when there's memory pressure.
- Fixed shutdown stall if the config was reloaded more than once while running.
v1.2.13
Deprecations
- In version 1.3.0, IPFS will no longer be supported as a datastore. Please migrate your data if you are using the IPFS support.
Added
- Added the Cross-Origin-Resource-Policy: cross-origin header to all downloads, as per MSC3828.
- Added metrics for tracking which S3 operations are performed against datastores.
Changed
- Swap out the HEIF library for better support towards ARM64 Docker Images.
- The development environment now uses Synapse as a homeserver. Test accounts will need recreating.
- Updated to Go 1.18
- Improved error message when thumbnailer cannot determine image dimensions.
Fixed
- Return default media attributes if none have been explicitly set.