continuwuation/continuwuity
continuwuation/continuwuity
15
98
Fork 109
Code Issues 122 Pull requests 23 Releases 30 Packages 3 Activity Actions 9

docs: clarify max_request_size limiting federation #1706

Merged
nex merged 4 commits from grgergo/continuwuity:docs-max_request_size into main 2026-05-04 14:17:32 +00:00
Conversation 5 Commits 4 Files changed 3 +3
grgergo commented 2026-04-26 10:36:13 +00:00
Contributor
Copy link

Clarifies in the config that max_request_size affects federated media as well.
Mostly because it took me 20 minutes to figure out why Firefox was opening a .flac file in vim...

Pull request checklist:

  • This pull request targets the main branch, and the branch is named something other than
    main.
  • I have written an appropriate pull request title and my description is clear.
  • I understand I am responsible for the contents of this pull request.
  • I have followed the contributing guidelines:
Clarifies in the config that `max_request_size` affects federated media as well. Mostly because it took me 20 minutes to figure out why Firefox was opening a `.flac` file in `vim`... **Pull request checklist:** - [x] This pull request targets the `main` branch, and the branch is named something other than `main`. - [x] I have written an appropriate pull request title and my description is clear. - [x] I understand I am responsible for the contents of this pull request. - I have followed the [contributing guidelines][c1]: - [x] My contribution follows the [code style][c2], if applicable. - [x] I ran [pre-commit checks][c1pc] before opening/drafting this pull request. - [x] I have [tested my contribution][c1t] (or proof-read it for documentation-only changes) myself, if applicable. This includes ensuring code compiles. - [x] My commit messages follow the [commit message format][c1cm] and are descriptive. - [x] I have written a [news fragment][n1] for this PR, if applicable<!--(can be done after hitting open!)-->. [c1]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md [c2]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/docs/development/code_style.mdx [c1pc]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#pre-commit-checks [c1t]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#running-tests-locally [c1cm]: https://forgejo.ellis.link/continuwuation/continuwuity/src/branch/main/CONTRIBUTING.md#commit-messages [n1]: https://towncrier.readthedocs.io/en/stable/tutorial.html#creating-news-fragments
spaetz commented 2026-04-27 11:07:35 +00:00
Member
Copy link

Question is whether that is what is actually intended or not (

Line 293 in 754959e
.max_request_size

?!)

Should max_request_size be concerned with incoming media too and not only uploads? It is not an intuitive behaviour, I would say.

Question is whether that is what is actually intended or not (https://forgejo.ellis.link/continuwuation/continuwuity/src/commit/754959e80d4865cfcfd9c0de10ab9391b11bac39/src/service/media/remote.rs#L293 ?!) Should max_request_size be concerned with incoming media too and not only uploads? It is not an intuitive behaviour, I would say.
Aranjedeath commented 2026-04-27 13:50:05 +00:00
Owner
Copy link

@spaetz wrote in #1706 (comment):

Should max_request_size be concerned with incoming media too and not only uploads? It is not an intuitive behaviour, I would say.

This is a docs clarification request, but it is indeed intended that "a" request size limit applies everywhere. Without a limit, it's a security vulnerability.

@spaetz wrote in https://forgejo.ellis.link/continuwuation/continuwuity/pulls/1706#issuecomment-28564: > Should max_request_size be concerned with incoming media too and not only uploads? It is not an intuitive behaviour, I would say. This is a docs clarification request, but it is indeed intended that "a" request size limit applies everywhere. Without a limit, it's a security vulnerability.
nex commented 2026-04-28 02:23:19 +00:00
Owner
Copy link

For context: This max size was applied to all remote responses, excluding the federated send_join endpoint, to mitigate an attack vector that was actively being exploited, albeit unintentionally: 37888fb670

The intention was not that this would then cap remote media size too, however the followup change that allowed overriding it for media specifically was never made. For now, noting this restriction in the docs is probably the easiest solution.

For context: This max size was applied to *all* remote responses, excluding the federated `send_join` endpoint, to mitigate an attack vector that was actively being exploited, albeit unintentionally: https://forgejo.ellis.link/continuwuation/continuwuity/commit/37888fb67098c7dfba680cea122bc72c3a970406 The intention was not that this would then cap remote media size too, however the followup change that allowed overriding it for media specifically was never made. For now, noting this restriction in the docs is probably the easiest solution.
nex requested changes 2026-04-28 02:25:29 +00:00
Dismissed
nex left a comment
Copy link

Example config file needs regenerating (run cargo build), otherwise looks fine

Example config file needs regenerating (run `cargo build`), otherwise looks fine
nex approved these changes 2026-05-04 13:55:34 +00:00
nex force-pushed docs-max_request_size from 7985a2e4b3
Some checks failed
Documentation / Build and Deploy Documentation (pull_request) Has been skipped
Details
Checks / Prek / Check changed files (pull_request) Successful in 6s
Details
Checks / Changelog / Check changelog is added (pull_request_target) Successful in 36s
Details
Checks / Prek / Clippy and Cargo Tests (pull_request) Has been cancelled
Details
Checks / Prek / Pre-commit & Formatting (pull_request) Has been cancelled
Details
Update flake hashes / update-flake-hashes (pull_request) Successful in 1m54s
Details
to 4c1638e495
Some checks failed
Documentation / Build and Deploy Documentation (pull_request) Has been skipped
Details
Checks / Prek / Check changed files (pull_request) Successful in 6s
Details
Checks / Prek / Pre-commit & Formatting (pull_request) Successful in 1m21s
Details
Checks / Changelog / Check changelog is added (pull_request_target) Successful in 31s
Details
Checks / Prek / Clippy and Cargo Tests (pull_request) Successful in 19m45s
Details
Checks / Prek / Check changed files (push) Successful in 6s
Details
Documentation / Build and Deploy Documentation (push) Successful in 1m34s
Details
Checks / Prek / Pre-commit & Formatting (push) Successful in 2m37s
Details
Release Docker Image / Build linux-amd64 (release) (push) Successful in 14m57s
Details
Release Docker Image / Build linux-arm64 (release) (push) Successful in 15m16s
Details
Release Docker Image / Create Multi-arch Release Manifest (push) Successful in 39s
Details
Release Docker Image / Build linux-amd64 (max-perf) (push) Failing after 3m34s
Details
Checks / Prek / Clippy and Cargo Tests (push) Successful in 23m54s
Details
Release Docker Image / Build linux-arm64 (max-perf) (push) Successful in 34m29s
Details
Release Docker Image / Create Max-Perf Manifest (push) Has been skipped
Details
Release Docker Image / Mirror Images (push) Has been skipped
Details
Release Docker Image / Release Binaries (push) Has been skipped
Details
2026-05-04 13:57:27 +00:00 Compare
nex scheduled this pull request to auto merge when all checks succeed 2026-05-04 14:11:48 +00:00
nex merged commit 4c1638e495 into main 2026-05-04 14:17:32 +00:00
nex referenced this pull request from a commit 2026-05-04 14:17:32 +00:00
chore: news fragment for #1706
Sign in to join this conversation.
Reviewers
No reviewers
nex
Labels
Clear labels   
Blocked
This pull request or issue is currently blocked from being merged/closed

  
Bug
Something isn't working as intended

  
Changelog
Added
 Changelog entry added

  
Changelog
Missing
 No changelog when one is needed

  
Changelog
None
 Changelog is unnecesary for this change

  
Cherry-picking
Commits picked from other conduit projects

  
Database
This requires or includes changes to the database

  
Dependencies
Something dependency related

  
Dependencies/Renovate
Automatic dependency upgrades by Renovate

  
Difficulty
Easy
 Low difficulty to implement - touches few parts of the codebase, low complexity

  
Difficulty
Hard
 High difficulty to implement - touches many parts of the codebase, high complexity

  
Difficulty
Medium
 Medium difficulty to implement - touches more parts of the codebase, higher complexity

  
Documentation
Improvements or additions to documentation

  
Enhancement
New feature or request

  
Good first issue
Good for newcomers

  
Help wanted
Additional eyes and keyboards are required for this one

  
Inherited
Issues that have been inhereted from the project pre-fork

  
Matrix/Administration
Features pertaining to homeserver administration

  
Matrix/Appservices
Features pertaining to the appservice API

  
Matrix/Auth
Features pertaining to authentication

  
Matrix/Client
Features pertaining to client-to-server interactions

  
Matrix/Core
Issues relating to core matrix functionality, such as state resolution and PDU formats

  
Matrix/E2EE
Issues related to end to end encryption

  
Matrix/Federation
Features pertaining to server-to-server interactions

  
Matrix/Hydra
Issues related to room version 12 and related changes (temporary label)

  
Matrix/MSC
Features pertaining to unstable matrix features

  
Matrix/Media
Features pertaining to media interactions

  
Matrix/T&S
Changes or issues related to trust & safety tooling

  
Merge
This PR is ready to be merged

  
Merge/Manual
This PR should be manually merged

  
Merge/Squash
This PR should be squashed when it is merged

  
Meta
Related to housekeeping, maintenance, or other repo-meta.

  
Meta/CI
Issues related to CI changes

  
Meta/Packaging
Packaging

  
Priority
Blocking
 This issue is blocking the next release

  
Priority
High
 This issue is very important

  
Priority
Low
 This issue is of a rather low priority

  
Security
This item is related to general security

  
Status
Confirmed
 This issue has enough information and is confirmed

  
Status
Duplicate
 This issue or pull request already exists

  
Status
Invalid
 This issue doesn't seem right

  
Status
Needs Investigation
 This issue needs further investigation

  
Support
Questions or support requests

  
Wont fix
This will not be worked on

  
old/ci/cd
Ci/CD

Archived

  
old/rust
Pull requests that update Rust code

Archived

No labels
Blocked
Bug
Changelog
Added
Changelog
Missing
Changelog
None
Cherry-picking
Database
Dependencies
Dependencies/Renovate
Difficulty
Easy
Difficulty
Hard
Difficulty
Medium
Documentation
Enhancement
Good first issue
Help wanted
Inherited
Matrix/Administration
Matrix/Appservices
Matrix/Auth
Matrix/Client
Matrix/Core
Matrix/E2EE
Matrix/Federation
Matrix/Hydra
Matrix/MSC
Matrix/Media
Matrix/T&S
Merge
Merge/Manual
Merge/Squash
Meta
Meta/CI
Meta/Packaging
Priority
Blocking
Priority
High
Priority
Low
Security
Status
Confirmed
Status
Duplicate
Status
Invalid
Status
Needs Investigation
Support
Wont fix
old/ci/cd
old/rust
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
4 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
continuwuation/continuwuity!1706
No description provided.