Improve middleware for rejecting unknown Client-Server API versions

Related to:
- https://matrix.org/blog/2021/11/09/matrix-v-1-1-release
- matrix-org/synapse#11318
- spantaleev/matrix-docker-ansible-deploy#1404

Our `denyUnsupportedApiVersionsMiddleware` middleware was trying to
match `rXXX` versions and reject unsupported ones (anything besides
`r0`), but now that the prefix is changing (`vXXX`) we were not matching
the new one correctly and were letting `vXXX` requests go through.

This is not a security issue yet, as no stable version of a homeserver
supports v3-prefixed APIs yet, but an upcoming Synapse v1.48.0 is slated
to add support for those. An old matrix-corporal version (lacking this
patch) combined with Synapse v1.48.0+ will let such v3 requests go through,
effectively circuimventing matrix-corporal's protections.

Author: spantaleev

corporal/httpgateway/middleware.go

@@ -13,11 +13,14 @@ var regexApiVersionFromUri *regexp.Regexp
 var supportedApiVersions []string
 
 func init() {
-	regexApiVersionFromUri = regexp.MustCompile("/_matrix/client/r([^/]+)")
+	// We'd like to match things like:
+	// - `/_matrix/client/r0`
+	// - `/_matrix/client/v3` (and other v-prefixed versions in the future)
+	// but not match things like: `/_matrix/client/versions`
+	regexApiVersionFromUri = regexp.MustCompile(`/_matrix/client/((?:r|v)\d+)`)
 
 	supportedApiVersions = []string{
-		//We only support r0 for the time being.
-		"0",
+		"r0",
 	}
 }
 
@@ -30,7 +33,7 @@ func denyUnsupportedApiVersionsMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		releaseVersion := matches[1] // Something like `0`
+		releaseVersion := matches[1] // Something like `r0`
 
 		if util.IsStringInArray(releaseVersion, supportedApiVersions) {
 			// We do support this version and can safely let our gateway