I wonder whether Synapse / the Python lib it uses has similar limitations. One could try creating a test room and posting a custom event with content like `{ "foo": [[[[[[[[[[[[<500 more pairs of brackets>]]]]]]]]]]]] }`.
serde_json has a feature flag called `unbounded_depth` that can be used to disable this limitation, but at least for homeservers that would open a super simple DoS attack vector.
Maybe we can provide the same feature flag as well? And then add it to any crate that uses serde, it'll be off by default, though for any homeserver or application that needs to enable it, it's there.
At https://github.com/serde-rs/json/blob/7ca63e7d5acac348db55c4345cb199f9d658669f/src/error.rs#L240-L241;
I feel this is possible to encounter in the wild in Matrix, unintentional or not, so ruma should be able to handle this sorta thing, I'd guess.
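Added example, not part of the issue and not code from ruma or serde_json: one way to keep nesting bounded regardless of how the parser is configured is a non-recursive depth pre-check on the raw event bytes. `MAX_DEPTH`, `max_depth` and `nested_event` are hypothetical names, and the limit of 128 is an assumed policy value.

```rust
// Added example: iterative (non-recursive) nesting-depth check for raw JSON bytes.
// MAX_DEPTH is an assumed policy value, not a constant taken from any library.
pub const MAX_DEPTH: usize = 128;

/// Returns the deepest array/object nesting level, or Err(offset) at the first
/// byte where nesting exceeds `limit` or a closing bracket has no opener.
/// Brackets inside string literals are ignored. This is not a JSON validator.
pub fn max_depth(input: &[u8], limit: usize) -> Result<usize, usize> {
    let (mut depth, mut deepest) = (0usize, 0usize);
    let (mut in_string, mut escaped) = (false, false);
    for (i, &b) in input.iter().enumerate() {
        if in_string {
            match (escaped, b) {
                (true, _) => escaped = false,          // byte after a backslash
                (false, b'\\') => escaped = true,
                (false, b'"') => in_string = false,
                _ => {}
            }
            continue;
        }
        match b {
            b'"' => in_string = true,
            b'[' | b'{' => {
                depth += 1;
                if depth > limit {
                    return Err(i); // stop early: work stays bounded by the limit
                }
                deepest = deepest.max(depth);
            }
            b']' | b'}' => depth = depth.checked_sub(1).ok_or(i)?,
            _ => {}
        }
    }
    Ok(deepest)
}

/// Constructed sample input: {"foo": [[[ ... ]]]} with `pairs` bracket pairs.
pub fn nested_event(pairs: usize) -> String {
    format!("{{\"foo\": {}{}}}", "[".repeat(pairs), "]".repeat(pairs))
}

fn main() {
    for pairs in [3, 127, 512] {
        match max_depth(nested_event(pairs).as_bytes(), MAX_DEPTH) {
            Ok(d) => println!("{pairs} pairs: accepted, depth {d}"),
            Err(at) => println!("{pairs} pairs: rejected at byte {at}"),
        }
    }
}
```

The check uses constant stack space, so its own cost does not grow with the nesting it is measuring.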