diff --git a/src/api/client/directory.rs b/src/api/client/directory.rs
index ea499545..6cf7b13f 100644
--- a/src/api/client/directory.rs
+++ b/src/api/client/directory.rs
@@ -37,14 +37,12 @@ pub(crate) async fn get_public_rooms_filtered_route(
 ) -> Result {
 if let Some(server) = &body.server {
 if services
- .globals
- .forbidden_remote_room_directory_server_names()
+ .server
+ .config
+ .forbidden_remote_room_directory_server_names
 .contains(server)
 {
- return Err(Error::BadRequest(
- ErrorKind::forbidden(),
- "Server is banned on this homeserver.",
- ));
+ return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 }
 }
@@ -77,14 +75,12 @@ pub(crate) async fn get_public_rooms_route(
 ) -> Result {
 if let Some(server) = &body.server {
 if services
- .globals
- .forbidden_remote_room_directory_server_names()
+ .server
+ .config
+ .forbidden_remote_room_directory_server_names
 .contains(server)
 {
- return Err(Error::BadRequest(
- ErrorKind::forbidden(),
- "Server is banned on this homeserver.",
- ));
+ return Err!(Request(Forbidden("Server is banned on this homeserver.")));
 }
 }
diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
index 23d35424..59ddd7c7 100644
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -2,7 +2,7 @@ pub mod check;
 pub mod proxy;
 use std::{
- collections::{BTreeMap, BTreeSet},
+ collections::{BTreeMap, BTreeSet, HashSet},
 fmt,
 net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
 path::PathBuf,
@@ -983,8 +983,8 @@ pub struct Config {
 /// Vector list of servers that conduwuit will refuse to download remote
 /// media from. No default.
- #[serde(default = "Vec::new")]
- pub prevent_media_downloads_from: Vec,
+ #[serde(default = "HashSet::new")]
+ pub prevent_media_downloads_from: HashSet,
 /// List of forbidden server names that we will block incoming AND outgoing
 /// federation with, and block client room joins / remote user invites.
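Review bot: In src/api/client/directory.rs the guard on `body.server` is duplicated word for word in `get_public_rooms_filtered_route` (hunk at -37,14) and `get_public_rooms_route` (hunk at -77,14), so a later edit to one copy can leave the other route checking a different list. Moving the lookup into one private helper that takes `services` and `server` and returns `Result<()>` would keep the two routes in step. The refusal is also returned without a log line, while the send.rs hunk of this commit wraps its message in `debug_warn!`; if operators are meant to see directory blocks, the same form fits here: `return Err!(Request(Forbidden(debug_warn!("Server is banned on this homeserver."))));`. Both function bodies continue outside their hunks.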
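Review bot: The doc comment above `prevent_media_downloads_from` in src/core/config/mod.rs (hunk at -983,8) still opens with "Vector list of servers" although the field is now a `HashSet`. Suggested first line: `/// Set of server names that conduwuit will refuse to download remote`. For this field and the two changed in the hunk at -994,14 it would help to state that an entry matches only when it equals the server name exactly and that duplicate entries collapse, since these are blocklists an operator relies on. If the config is ever printed or serialized for operators (not visible here), `HashSet` order will differ between runs; `BTreeSet`, already imported in this file, would keep that output stable. The `Config` struct continues outside the hunk.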
@@ -994,14 +994,14 @@ pub struct Config {
 /// outbound federation handler.
 ///
 /// Basically "global" ACLs. No default.
- #[serde(default = "Vec::new")]
- pub forbidden_remote_server_names: Vec,
+ #[serde(default = "HashSet::new")]
+ pub forbidden_remote_server_names: HashSet,
 /// List of forbidden server names that we will block all outgoing federated
 /// room directory requests for. Useful for preventing our users from
 /// wandering into bad servers or spaces. No default.
- #[serde(default = "Vec::new")]
- pub forbidden_remote_room_directory_server_names: Vec,
+ #[serde(default = "HashSet::new")]
+ pub forbidden_remote_room_directory_server_names: HashSet,
 /// Vector list of IPv4 and IPv6 CIDR ranges / subnets *in quotes* that you
 /// do not want conduwuit to send outbound requests to. Defaults to
diff --git a/src/service/globals/mod.rs b/src/service/globals/mod.rs
index 329a6583..157c3944 100644
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@@ -252,10 +252,6 @@ impl Service {
 pub fn allow_outgoing_read_receipts(&self) -> bool { self.config.allow_outgoing_read_receipts }
- pub fn forbidden_remote_room_directory_server_names(&self) -> &[OwnedServerName] {
- &self.config.forbidden_remote_room_directory_server_names
- }
-
 pub fn well_known_support_page(&self) -> &Option { &self.config.well_known.support_page }
 pub fn well_known_support_role(&self) -> &Option { &self.config.well_known.support_role }
diff --git a/src/service/media/remote.rs b/src/service/media/remote.rs
index 59846b8e..1c6c9ca0 100644
--- a/src/service/media/remote.rs
+++ b/src/service/media/remote.rs
@@ -382,8 +382,7 @@ fn check_fetch_authorized(&self, mxc: &Mxc<'_>) -> Result<()> {
 .server
 .config
 .prevent_media_downloads_from
- .iter()
- .any(|entry| entry == mxc.server_name)
+ .contains(mxc.server_name)
 {
 // we'll lie to the client and say the blocked server's media was not found and
 // log. the client has no way of telling anyways so this is a security bonus.
diff --git a/src/service/sending/send.rs b/src/service/sending/send.rs
index 73b6a468..62da59ef 100644
--- a/src/service/sending/send.rs
+++ b/src/service/sending/send.rs
@@ -1,8 +1,8 @@
 use std::{fmt::Debug, mem};
 use conduit::{
- debug, debug_error, debug_info, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY,
- Err, Error, Result,
+ debug, debug_error, debug_warn, err, error::inspect_debug_log, implement, trace, utils::string::EMPTY, Err, Error,
+ Result,
 };
 use http::{header::AUTHORIZATION, HeaderValue};
 use ipaddress::IPAddress;
@@ -36,10 +36,9 @@ impl super::Service {
 .server
 .config
 .forbidden_remote_server_names
- .contains(&dest.to_owned())
+ .contains(dest)
 {
- debug_info!("Refusing to send outbound federation request to {dest}");
- return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));
+ return Err!(Request(Forbidden(debug_warn!("Federation with this {dest} is not allowed."))));
 }
 let actual = self.services.resolver.get_actual_dest(dest).await?;
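Review bot: The `forbidden_remote_server_names` branch in src/service/sending/send.rs (hunk at -36,10) now interpolates `dest` into the text carried by `Forbidden(...)`, where the returned message used to be a fixed string and the name appeared only in the log line. If this error can reach a client response (the callers are not visible here), it confirms which server is on the blocklist, whereas `check_fetch_authorized` in media/remote.rs deliberately reports blocked media as not found. Keeping the name in the log only would preserve the old split: `debug_warn!("Refusing to send outbound federation request to {dest}");` followed by `return Err!(Request(Forbidden("Federation with this homeserver is not allowed.")));`. If the name is meant to be returned, "this {dest}" reads oddly and `"Federation with {dest} is not allowed."` is clearer. The enclosing function starts and ends outside the hunk.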