Install

Works with Drupal: 8.x

Using Composer to manage Drupal site dependencies

Alternative installation files

Download matrix_api-8.x-1.0-alpha1.tar.gz (12.52 KB)
MD5: 41e30fda9513acf20955f42313299d82
SHA-1: 4c69fc538d4e399f1977b73adcd0c0928f6829ff
SHA-256: c9b409d2e6ec4e4afcf5dada1c30c93d25b7914b28a6d82ba41c23548a002d06
Download matrix_api-8.x-1.0-alpha1.zip (17.03 KB)
MD5: eab89775ab14e149ea0fe636705419c7
SHA-1: dd6f2ab03492b692e1413e0641c1c9014fbffeb7
SHA-256: 113b0381732987adaaf84306571aee513a38190f471fd4f5e78a862cfd7849e3

Release notes

This initial Alpha release fixes an information disclosure issue, and should be considered a Security release.

When a message is posted to Matrix and there is any kind of error or problem with the request (e.g. a 502 Gateway timeout), Guzzle throws an exception that contains the URL of the request. Because the access_token was part of that URL, Guzzle includes the access_token in the exception.

This might get revealed to a caller -- for example, when a JSONAPI request creates an entity and triggers this error, the Matrix user's access_token is sent back to the caller in the exception.

Today's release moves the access_token to the Authorization header where it is not so trivially revealed, and is highly recommended.
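The difference between the two placements can be reproduced offline with Guzzle's mock handler. This is an added example, not the module's code: it assumes guzzlehttp/guzzle is installed through Composer, and the homeserver, room, token and endpoint path (taken from the Matrix client-server API) are constructed values.

```php
<?php
// Added example, not code from the Matrix API module.
// Assumes guzzlehttp/guzzle is installed via Composer.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Exception\RequestException;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;

// Constructed values for illustration only.
const TOKEN = 'CONSTRUCTED_TOKEN_123';
const URL = 'https://matrix.example.org/_matrix/client/r0/rooms/'
  . '%21room%3Aexample.org/send/m.room.message/txn1';

// A client whose only response is a mocked 502, so nothing leaves the
// machine and Guzzle's default http_errors handling throws.
function failing_client(): Client {
  $mock = new MockHandler([new Response(502)]);
  return new Client(['handler' => HandlerStack::create($mock)]);
}

// Sends the message and returns the exception text a caller could see.
function send(array $options): string {
  try {
    failing_client()->request('PUT', URL, $options + [
      'json' => ['msgtype' => 'm.text', 'body' => 'hello'],
    ]);
  }
  catch (RequestException $e) {
    return $e->getMessage();
  }
  return 'no error';
}

// Before the fix: the token is a query parameter, so it is part of the URL
// that Guzzle quotes in the exception.
$before = send(['query' => ['access_token' => TOKEN]]);
// After the fix: the token travels in the Authorization header instead.
$after = send(['headers' => ['Authorization' => 'Bearer ' . TOKEN]]);

echo "query string:  $before\n";
var_dump(strpos($before, TOKEN) !== false); // does the message hold the token?
echo "header:        $after\n";
var_dump(strpos($after, TOKEN) !== false);
```

The header placement keeps the token out of the message text, but the request object attached to the exception still carries it, so code that serializes the whole exception should return a generic error to the caller.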

Matrix API is still considered Alpha, with the following potentially breaking change coming:

- Support for multiple Matrix accounts

In addition, this incident suggests that we may need to queue messages for later processing instead of handling them synchronously.

Created by: freelock
Created on: 14 Apr 2018 at 22:25 UTC
Last updated: 14 Apr 2018 at 22:28 UTC
Bug fixes
