All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Nothing yet
1.3.8 - January 16, 2025
- Limit untrusted decoders during thumbnailing (GHSA-rcxc-wjgw-579r / CVE-2024-56515)
- Improve handling of JSON (GHSA-gp86-q8hg-fpxj / CVE-2024-52791)
- Fix SSRF issues (GHSA-r6jg-jfv6-2fjv / CVE-2024-52602)
- Allow guests to access uploaded media, as per MSC4189.
- The thumbnailer can now be run independently with the
thumbnailer
binary. Seethumbnailer -help
for details.
- MMR now requires Go 1.22 for compilation.
- MMR now builds on a base image of
alpine:3.21
. - The global
repo.freezeUnauthenticatedMedia
option now defaults totrue
, enabling authenticated media by default. A future release will remove this option, requiring the freeze behaviour. Seeconfig.sample.yaml
for details. - For SVG and JPEGXL files, ImageMagick 7 is now required.
- For MP4 files, ffmpeg 6 or 7 (use 7 for best results) is now required.
- Return a 404 instead of 500 when clients access media which is frozen.
- Return a 403 instead of 500 when guests access endpoints that are for registered users only.
- Ensure the request parameters are correctly set for authenticated media client requests.
- Ensure remote signing keys expire after at most 7 days.
- Fixed parsing of
Authorization
headers for federated servers. - Ensure
ignoredHosts
is applied to unauthenticated requests.
1.3.7 - July 30, 2024
- A new global config option,
repo.freezeUnauthenticatedMedia
, is supported to enact the unauthenticated media freeze early. Seeconfig.sample.yaml
for details.
- The default leaky bucket capacity has changed from 300mb to 500mb, allowing for more downloads to go through. The drain rate and overflow limit are unchanged (5mb/minute and 100mb respectively).
1.3.6 - July 10, 2024
- Ensure a
boundary
is set on federation downloads, allowing the download to work.
1.3.5 - July 10, 2024
This release fixes the following security concerns:
- New datastore option to ignore Redis cache when downloading media served by a
publicBaseUrl
. This can help ensure more requests get redirected to the CDN. HEAD /download
is now supported, as per MSC4120.- S3 datastores can now specify a
prefixLength
to improve S3 performance on some providers. Seeconfig.sample.yaml
for details. - Add
multipartUploads
flag for running MMR against unsupported S3 providers. Seeconfig.sample.yaml
for details. - A new "leaky bucket" rate limit algorithm has been applied to downloads. See
rateLimit.buckets
inconfig.sample.yaml
for details. - Add support for MSC3916: Authentication for media.
- To enable full support, use
signingKeyPath
in your config. Seeconfig.sample.yaml
for details. - Server operators should point
/_matrix/client/v1/media/*
and/_matrix/federation/v1/media/*
at MMR.
- To enable full support, use
- The leaky bucket rate limiting introduced above is turned on by default. Administrators are encouraged to review the default settings and adjust as needed.
- Metrics for redirected and HTML requests are tracked.
- Fixed more issues relating to non-dimensional media being thumbnailed (
invalid image size: 0x0
errors). - Long-running purge requests no longer fail when the requesting client times out. They are continued in the background.
- Purging old media has been fixed to actually identify old media.
- JPEG thumbnails will now use sensible extensions.
- Fixed directory permissions when exporting MMR to Synapse.
- In some rare cases, memory usage may have leaked due to thumbnail error handling. This has been fixed.
- Synapse signing keys with blank lines can now be decoded/combined with other keys.
1.3.4 - February 9, 2024
- Dendrite homeservers can now have their media imported safely, and
adminApiKind
may be set todendrite
. - Exporting MMR's data to Synapse is now possible with
import_to_synapse
. To use it, first rungdpr_export
or similar. - Errors encountered during a background task, such as an API-induced export, are exposed as
error_message
in the admin API. - MMR will follow redirects on federated downloads up to 5 hops.
- S3-backed datastores can have download requests redirected to a public-facing CDN rather than being proxied through MMR. See
publicBaseUrl
under the S3 datastore config.
- Exports now use an internal timeout of 10 minutes instead of 1 minute when downloading files. This may still result in errors if downloading from S3 takes too long.
- MMR now requires Go 1.21 for compilation.
- ARM-supported Docker images are now available through GHCR.
- The Docker Hub (docker.io) builds are deprecated and will not receive updates starting with v1.4.0
- Docker Hub images are not guaranteed to have ARM compatibility.
- The
latest
Docker tag on both Docker Hub and GHCR now points to the latest release instead of the unstable development build.
- Exports created with
s3_urls
now contain valid URLs. - Exports no longer fail with "The requested range is not satisfiable".
- Exports no longer fail with "index out of range [0] with length 0".
- Requests requiring authentication, but lack a provided access token, will return HTTP 401 instead of HTTP 500 now.
- Downloads when using a self-hosted MinIO instance are no longer slower than expected.
- The
DELETE /_matrix/media/unstable/admin/export/:exportId
endpoint has been reinstated as described. - If a server's
downloads.maxSize
is greater than theuploads.maxSize
, remote media is no longer cut off atuploads.maxSize
. The media will instead be downloaded atdownloads.maxSize
and error if greater. Content-Type
on/download
and/thumbnail
is now brought in line with MSC2701.
1.3.3 - October 31, 2023
- Improved handling when encountering an error attempting to populate Redis during uploads.
- Fixed
Range
requests failing by default by internally setting a default chunk size of 10mb. - Stop logging "no exif data".
- Fixed admin API requests not working when authenticating as the shared secret user.
- Updated dependencies. Manually compiled deployments may need to recompile
libheif
as well.
1.3.2 - September 13, 2023
- Fixed thumbnail generation causing
thumbnails_index
errors in some circumstances.
1.3.1 - September 8, 2023
- Fixed media purge API not being able to delete thumbnails.
- Fixed thumbnails being attempted for disabled media types.
- Fixed SVG and other non-dimensional media failing to be usefully thumbnailed in some cases.
1.3.0 - September 8, 2023
Please see docs.t2bot.io for details.
- Fix improper usage of
Content-Disposition: inline
and relatedContent-Type
safety (CVE-2023-41318, GHSA-5crw-6j7v-xc72).
- The
GET /_matrix/media/unstable/local_copy/:server/:mediaId
(andunstable/io.t2bot.media
variant) endpoint is deprecated and scheduled for removal. If you are using this endpoint, please comment on this issue to explain your use case.
- Added a
federation.ignoredHosts
config option to block media from individual homeservers. - Support for MSC2246 (async uploads) is added, with per-user quota limiting options.
- Support for MSC4034 (self-serve usage information) is added, alongside a new "maximum file count" quota limit.
- The
GET /_synapse/admin/v1/statistics/users/media
endpoint from Synapse is now supported at the same path for local server admins. - Thumbnailing support for:
- BMP images.
- TIFF images.
- HEIC images.
- New metrics:
- HTTP response times.
- Age of downloaded/accessed media.
- Support for PGO builds has been enabled via pgo-fleet.
- IPFS support has been removed due to maintenance burden.
- Exports initiated through the admin API no longer support
?include_data=false
. Exports will always contain data. - Server-side blurhash calculation has been removed. Clients and bridges already calculate blurhashes locally where applicable.
- Mandatory configuration change: You must add datastore IDs to your datastore configuration, as matrix-media-repo will no longer manage datastores for you.
- If compiling
matrix-media-repo
, note that new external dependencies are required. See the docs.- Docker images already contain these dependencies.
- Datastores no longer use the
enabled
flag set on them. UseforKinds: []
instead to disable a datastore's usage. - Per-user upload quotas now do not allow users to exceed the maximum values, even by 1 byte. Previously, users could exceed the limits by a little bit.
- Updated to Go 1.19, then Go 1.20 in the same release cycle.
- New CGO dependencies are required. See docs.t2bot.io for details.
- Logs are now less noisy by default.
- Connected homeservers must support at least Matrix 1.1 on the Client-Server API. Servers over federation are not affected.
- The example Grafana dashboard has been updated.
- URL previews now follow redirects properly.
- Overall memory usage is improved, particularly during media uploads and API-initiated imports.
- Note: If you use plugins then memory usage will still be somewhat high due to temporary caching of uploads.
- Note: This affects RSS primarily. VSZ and other memory metrics may be higher than expected due to how Go releases memory to the OS. This is fixed when there's memory pressure.
- Fixed shutdown stall if the config was reloaded more than once while running.
1.2.13 - February 12, 2023
- In version 1.3.0, IPFS will no longer be supported as a datastore. Please migrate your data if you are using the IPFS support.
- Added the
Cross-Origin-Resource-Policy: cross-origin
header to all downloads, as per MSC3828. - Added metrics for tracking which S3 operations are performed against datastores.
- Swap out the HEIF library for better support towards ARM64 Docker Images.
- The development environment now uses Synapse as a homeserver. Test accounts will need recreating.
- Updated to Go 1.18
- Improved error message when thumbnailer cannot determine image dimensions.
- Return default media attributes if none have been explicitly set.
1.2.12 - March 31, 2022
- Fixed a permissions check issue on the new statistics endpoint released in v1.2.11
1.2.11 - March 31, 2022
- New config option to set user agent when requesting URL previews.
- Added support for
image/jxl
thumbnailing. - Built-in early support for content ranges (being able to skip around in audio and video). This is only available if caching is enabled.
- New config option for changing the log level.
- New (currently undocumented) binary
s3_consistency_check
to find objects in S3 which might not be referenced by the media repo database. Note that this can include uploads in progress. - Admin endpoint to GET users' usage statistics for a server.
- Support for the in-memory cache has been removed. Redis or having no cache are now the only options.
- Support for the Redis config under
features
has been removed. It is now only available at the top level of the config. See the sample config for more details.
- Fixed media being permanently lost when transferring to an (effectively) readonly S3 datastore.
- Purging non-existent files now won't cause errors.
- Fixed HEIF/HEIC thumbnailing. Note that this thumbnail type might cause increased memory usage.
- Ensure endpoints register in a stable way, making them predictably available.
- Reduced download hits to datastores when using Redis cache.
- Updated support for post-MSC3069 homeservers.
- Updated the built-in oEmbed
providers.json
1.2.10 - December 23rd, 2021
In a future version (likely the next), the in-memory cache support will be removed. Instead, please use the Redis caching that is now supported properly by this release, or disable caching if not applicable for your deployment.
- Added support for setting the Redis database number.
- Fixed an issue with the Redis config not being recognized at the root level.
1.2.9 - December 22nd, 2021
In a future version (likely the next), the in-memory cache support will be removed. Instead, please use the Redis caching that is now supported properly by this release, or disable caching if not applicable for your deployment.
- Added support for
HEAD
at the/healthz
endpoint. - Added
X-Content-Security-Policy: sandbox
in contexts where the normal CSP header would be served. This is a limited, pre-standard form of CSP supported by IE11, in order to have at least some mitigation of XSS attacks. - Added support for the
org.matrix.msc2705.animated
query parameter. - Added support for S3 storage classes (optional).
- Added support for listening on Matrix 1.1 endpoints (
/_matrix/media/v3/*
).
- Support the Redis config at the root level of the config, promoting it to a proper feature.
- Improved performance of datastore selection when only one datastore is eligible to contain media.
- Fixed blurhash not enabling itself.
- Fixed blurhash implementation to match MSC.
1.2.8 - April 30th, 2021
- Fixed crashes when internal workers encounter panics.
This release includes a fix for CVE-2021-29453.
Server administrators are recommended to upgrade as soon as possible. This issue is considered to be exploited in the wild due to some deployments being affected unexpectedly.
- Added support for structured logging (JSON).
- Turned color-coded logs off by default. This can be changed in the config.
- Fixed memory exhaustion when thumbnailing maliciously crafted images.
1.2.6 - March 25th, 2021
- Added ffmpeg and ImageMagick to Docker image to support specialized thumbnail types.
- Handle guest accounts properly. Previously they were still declined, though by coincidence.
1.2.5 - March 17th, 2021
- Added a
-verify
mode to imports to determine if large imports were successful. - Added optional support for Sentry (error reporting).
Content-Disposition
of plain text files now defaults toinline
.
- Fixed rich oEmbed URL previews (Twitter).
- Fixed photo oEmbed URL previews (Giphy).
- Fixed orientation parsing for some thumbnails.
- Fixed file name being incorrect on the first download from remote servers.
- Fixed a download inefficiency where remote downloads could use extra bandwidth.
- Fixed a problem where secondary imports can never finish.
- Fixed imports not handling duplicate media IDs.
- Fixed some database connection errors not being handled correctly.
1.2.4 - March 5th, 2021
- Fixed build error for modern versions of Go, improving IPFS implementation.
1.2.3 - March 4th, 2021
- Introduced early plugin support (only for antispam for now).
- Includes a simple OCR plugin to help mitigate text-based image spam.
- Added an
X-Robots-Tag
header to help prevent indexing. Thanks @jellykells!
- Fixed crash when generating some thumbnails of audio.
- Fixed various artifact problems with APNG and GIF thumbnails. Thanks @Sorunome!
- Fixed a missing "unlimited size" check for thumbnails. Thanks @Sorunome!
1.2.2 - December 8th, 2020
- Generate JPEG thumbnails for JPEG for reduced file size. Thanks @Sorunome!
- Strip
charset
parameter off binary media for better compatibility with other homeservers.
1.2.1 - October 27th, 2020
- Added a new tool,
export_synapse_for_import
, which can be used to do an offline import from Synapse.- After running this tool, use the
gdpr_import
tool to bring the export into the media repo.
- After running this tool, use the
- Added thumbnailing support for some audio waveforms (MP3, WAV, OGG, and FLAC).
- Added audio metadata (duration, etc) to the unstable
/info
endpoint. Aligns with MSC2380. - Added simple thumbnailing for MP4 videos.
- Added an
asAttachment
query parameter to download requests per MSC2702.
- Fixed thumbnails for invalid JPEGs.
- Fixed incorrect metrics being published when using the Redis cache.
- Fixed errors generating thumbnails when bad EXIF headers were provided.
- Use
r0
instead ofv1
for federation requests. No changes should be needed to configurations or routing - it'll just work.
1.2.0 - August 2nd, 2020
This release contains a database change which might take a while. In order to support quotas, this release tracks how much a user has uploaded, which might take a while to initially calculate. If you have a large database (more than about 100k uploaded files), run the following steps before upgrading:
- The PostgreSQL script described here. This can be run while the server is running.
- If you have no intention of using stats or quotas, you're done (the stats table will be inaccurate). If
you do plan on using either, run
INSERT INTO user_stats SELECT user_id, SUM(size_bytes) FROM media GROUP BY user_id;
which may take a while. - Change the owner of the table and function to your media repo's postgresql user. For example, if your postgres
user is
media
, then run:ALTER TABLE user_stats OWNER TO media; ALTER FUNCTION track_update_user_media() OWNER TO media;
- Add webp image support. Thanks @Sorunome!
- Add apng image support. Thanks @Sorunome!
- Experimental support for Redis as a cache (in preparation for proper load balancing/HA support).
- Added oEmbed URL preview support.
- Added support for dynamic thumbnails.
- Added a way to prevent certain media from being quarantined (attributes API).
- Added support for quotas.
- Remove deprecated support for restricting uploads to certain mime types.
- Remove deprecated support for
forUploads
. - Clarified what
uploads.minBytes
is intended to be used for.
- GIFs now thumbnail correctly. Thanks @Sorunome!
- Fixed empty Content-Type header on retrieved remote media. Thanks @silkeh!
- Fixed various issues with IPv6 handling. Thanks @silkeh!
- Fixed high database usage for uploads when only one datastore is present.
- Fixed incorrect HTTP status codes for bad thumbnail requests.
- Fixed dimension checking on thumbnails.
- Fixed handling of EXIF metadata. Thanks @sorunome!
- Fixed handling of URL previews for some encodings.
- Fixed
Cache-Control
headers being present on errors.
1.1.3 - July 15th, 2020
- Added options to cache access tokens for users. This prevents excessive calls to
/account/whoami
on your homeserver, particularly for appservices. - Documentation on how to set up delegation with the media repo and Traefik. Thanks @derEisele!
- Deprecated support for restricting uploads to certain mime types, due to inability to make it work correctly with encrypted media.
- Removed deprecated
storagePaths
config option. Please use datastores.
- Fixed federation with some homeserver setups (delegation with ports). Thanks @MatMaul!
- Fixed the Synapse import script to not skip duplicated media. Thanks @jaywink!
- Fixed requests to IPv6 hosts. Thanks @MatMaul!
- Removed excessive calls to the database during upload.
1.1.2 - April 21st, 2020
- Fixed templates being corrupt in the Docker image.
- Fixed
REPO_CONFIG
environment variable not being respected for auxiliary binaries in the Docker image.
- The Docker image now uses the migrations packed into the binary instead of the in-image ones.
- Reduced log spam when someone views an export.
1.1.1 - March 26th, 2020
- Added pprof endpoints for debugging performance. Only enabled with a
MEDIA_PPROF_SECRET_KEY
environment variable.
- Fixed a few very slow memory leaks when using S3 datastores.
1.1.0 - March 19th, 2020
- Added support for MSC2448.
- Added support for specifying a
region
to the S3 provider. - Pass-through the
Accept-Language
header for URL previews, with options to set a default. - Experimental support for IPFS.
- Consistent inclusion of a charset for certain text
Content-Type
s. - New metrics for the cache composition reality (
media_cache_num_live_bytes_used
andmedia_cache_num_live_items
).
- Fixed thumbnails producing the wrong result.
- Fixed
expireAfterDays
for thumbnails potentially deleting media under some conditions. - Fixed a bug where items could be double-counted (but not double-stored) in the cache.
- Fixed the cache metrics reporting inaccurate values.
- Fixed a general memory leak in the cache due to inaccurate counting of items in the cache.
- Updated to Go 1.14
- Updated the Grafana dashboard and moved it in-tree.
1.0.2 - March 3, 2020
- Added support for a
forKinds: ["all"]
option on datastores.
- Fixed a bug with the cache where it would never expire old entries unless it was pressed for space.
- Fixed a bug with the cache where the minimum cache time trigger would not work.
1.0.1 - February 27, 2020
- Fix a memory leak within the cache layers.
1.0.0 - January 4, 2020
- Compile assets (templates and migrations) into the binary for ease of deployment.
- Added binaries to make exports and imports easier.
- Fix error message when an invalid access token is provided.
- Fixed imports not starting in 1.0.0-rc.2.
1.0.0-rc.2 - January 3, 2020
- Fixed exports not starting in 1.0.0-rc.1.
1.0.0-rc.1 - December 29, 2019
- First ever release of matrix-media-repo.
- Deduplicate media from all sources.
- Support downloads, thumbnails, URL previews, identicons.
- Support for GDPR-style media exports.
- Support for importing from a previous export (for transferring data between repos).
- Admin utilities for clearing up space and undesirable content.
- Built-in S3 (and S3-like) support.
- Animated thumbnail generation.
- Importing media from an existing Synapse homeserver.
- Support for multiple datastores/locations to store different kinds of media.
- Federation for acquiring remote media.
- Media identification (MSC2380).
- Support for cloning media to the local homeserver.
- Various other features that would be expected like maximum/minimum size controls, rate limiting, etc. Check out the sample config for a better idea of what else is possible.