From 31e6a7f1932c11d9b5b682ad06a5b8db9d74a44f Mon Sep 17 00:00:00 2001
From: Sid Karunaratne <sid@karunaratne.net>
Date: Wed, 13 May 2020 19:04:54 +0800
Subject: [PATCH] Enforce `mediaIDRegex` to be only valid `mediaIDCharacters`
 (#1020)

Error messages indicate that:
> mediaId must be a non-empty string using only characters in `mediaIDCharacters`

However the regex used only required that some characters in the filename match
the restriction, not that the entire filename does. This commit ensures that
the filename must entirely fullfill the `mediaIDCharacters` restriction

Signed-off-by: Sid Karunaratne <sid@karunaratne.net>

Co-authored-by: Kegsay <kegan@matrix.org>
---
 mediaapi/routing/download.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mediaapi/routing/download.go b/mediaapi/routing/download.go
index 9feca90e..75df313f 100644
--- a/mediaapi/routing/download.go
+++ b/mediaapi/routing/download.go
@@ -43,7 +43,7 @@ import (
 const mediaIDCharacters = "A-Za-z0-9_=-"
 
 // Note: unfortunately regex.MustCompile() cannot be assigned to a const
-var mediaIDRegex = regexp.MustCompile("[" + mediaIDCharacters + "]+")
+var mediaIDRegex = regexp.MustCompile("^[" + mediaIDCharacters + "]+$")
 
 // downloadRequest metadata included in or derivable from a download or thumbnail request
 // https://matrix.org/docs/spec/client_server/r0.2.0.html#get-matrix-media-r0-download-servername-mediaid