getHttpUriForMxc no longer respects paths in baseUrl parameter

[begincalendar]

Prior to 00aba74, if the baseUrl parameter had a path in it, the returned URL would contain that base URL path.

The new URL() call here doesn't respect the path in baseUrl. E.g.

const url = new URL('/_matrix/media/v3/download/myhomeserver.com/abc1234', 'https://myhomeserver.com/basepath');

...gives you:

https://myhomeserver.com/_matrix/media/v3/download/myhomeserver.com/abc1234

...discarding the /basepath. I.e. the result should be: https://myhomeserver.com/basepath/_matrix/media/v3/download/myhomeserver.com/abc1234

[richvdh]

It's not obvious to me that baseUrls that contain a path component are valid; in particular there is no way to get working federation for a matrix server that does not expose /_matrix/federation at the root.

If you need this behaviour you'll probably have to work at getting it specced.

[richvdh]

See also: matrix-org/matrix-spec#693

[begincalendar]

What about in scenarios where federation is unnecessary/undesirable? This is a scenario I’ve been operating in.

I don’t want to divert Element’s resources from more important work, but the non-federated use-case seems like it might have been missed in this case (and the linked issue).

[richvdh]

In general, we're unlikely to expend effort fixing issues that only arise in exotic setups that don't support federation; and nor do I think we should complicate the code by doing so: it increases the risk of security issues. (Note that the fix here was introduced to fix a path traversal attack.)

[begincalendar]

Understood.

I’ll leave it up to you to decide what to do with this issue.