Denial of service attack via .well-known lookups

Impact

A malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver.

This affects any server which accepts federation requests from untrusted servers.

Patches

Issue is resolved by #8950. A bug not affecting the security aspects of this was fixed in #9108.

Workarounds

The federation_domain_whitelist setting can be used to restrict the homeservers communicated with over federation.