Add config option to prevent media downloads from listed domains. #15197
Conversation
|
Will this also support wildcards? I.e., prevent_downloads_from:
- '*.example.org'Or, would prevent_downloads_from:
- example.orgautomatically deny |
|
Wildcard are really important because |
|
Wildcards would be a different PR. |
|
Since you block servers and not domains (D'OH!) it makes perfect sense. |
|
it's more the cost of implementation versus the benefit: we don't see a particular profile of abuse that needs wildcard bans here, making the implementation+maintenance effort (and associated performance loss) not worth it. If needed, we can always add it in a pinch. |
|
I think a list without wildcards makes perfect sense since we target servers, not domains. There's no ambiguity this way. |
though it'd possibly be quite easy to serve up media on wildcard domains. I guess this is just a theoretical risk until someone does, though. |
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
| @@ -1768,6 +1768,30 @@ Example configuration: | |||
| max_image_pixels: 35M | |||
| ``` | |||
| --- | |||
| ### `prevent_media_downloads_from` | |||
There was a problem hiding this comment.
I was just thinking about the name. This is a block list, if you later want to use the concept with allow lists, you have to rename the parameter.
Wouldn't it be better to adapt the name to the current parameters for allowing and disallowing federation or url previews?
There was a problem hiding this comment.
Allow lists aren't currently planned for this feature - I'd favour a config migration (deprecation) later on if we decide to go that route.
|
Can clients still pull the media from the host server? I have people using matrix.org for abuse and I do not want to prevent matrix.org downloads nor do I want to email matrix.org every time theres illegal media |
|
The type of abuse described can happen, but it will likely never be media coming from an abusive server. To really prevent this attack, you would need to index every single public matrix server and block media federation. This PR is a great step towards a solution but it needs more fine tuned control such as exists on many ActivityPub platforms |
|
I think adding a boolean federate media flag in addition to this would be beneficial in cases where attackers are determined. Then implement a client option as I describe in my Element feature suggestion to disable fetching media federated or a server request to client to fetch media using the server the media is located on |
…5197) This stops media (and thumbnails) from being accessed from the listed domains. It does not delete any already locally cached media, but will prevent accessing it. Note that admin APIs are unaffected by this change.
|
Clients should not be reaching out to the original server the media was hosted on. That's abusive in its own right. This PR is to target a different abusive case than the one you're describing. I can't go into details here though, sorry. Please report any illegal material found originating from matrix.org to abuse@matrix.org via email. It's not the most efficient system at the moment, but it is the most reliable. |
There is honestly not much point to even reporting it. I will do it, sure, but these are throwaway accounts doing this. In the time it takes for a report to process, the burner accounts already did their jobs |
|
The team does pattern analysis in these cases, but this is highly offtopic for this PR. Not reporting burner accounts just means they're able to get away with it. |
|
Yeah, sorry for flooding this PR with off topic. I just wish to see an option to disable media downloading from my server. A way to host my matrix without doubling as a file upload site and having to deal with the burdens associated with that. Maybe eventually, I can hope a PR that does what im looking for is merged |
|
Can I use this if i only want to upload media from my server, but don't want to download media from any other server? (The Server is only used for bridges/bots) |
|
Folks, I'm locking this. Please use the existing support rooms for questions/future extensions. |
See config documentation for more details on the feature description.
This could probably be implemented as an antispam or similar module, however this is also tooling that we'd like available to everyone. Instead of trying to bundle a module into every deployment, let's just put it in the core project :)
This is Trust & Safety (T&S) tooling to combat a specific type of abuse. There are no active incidents related to this, but is something we'd like available to us just in case.
Pull Request Checklist
EventStoretoEventWorkerStore.".code blocks.(run the linters)