diff options
author | redmatrix <git@macgirvin.com> | 2016-05-01 19:19:17 -0700 |
---|---|---|
committer | redmatrix <git@macgirvin.com> | 2016-05-01 19:19:17 -0700 |
commit | cd518625bf561f1ed42db0b78030b74c32435136 (patch) | |
tree | a0894903507417997833d6766d7ba6a1ffd23a30 | |
parent | 84d93cca6e2ac0b552a6f5c570fbcfce766200a1 (diff) | |
download | volse-hubzilla-cd518625bf561f1ed42db0b78030b74c32435136.tar.gz volse-hubzilla-cd518625bf561f1ed42db0b78030b74c32435136.tar.bz2 volse-hubzilla-cd518625bf561f1ed42db0b78030b74c32435136.zip |
some much needed work on oembed security
-rw-r--r-- | Zotlabs/Module/Admin.php | 29 | ||||
-rw-r--r-- | Zotlabs/Module/Oep.php | 2 | ||||
-rw-r--r-- | include/identity.php | 62 | ||||
-rwxr-xr-x | include/oembed.php | 177 | ||||
-rw-r--r-- | include/text.php | 31 | ||||
-rw-r--r-- | version.inc | 2 | ||||
-rwxr-xr-x | view/tpl/admin_security.tpl | 12 | ||||
-rw-r--r-- | view/tpl/zcard_embed.tpl | 8 |
8 files changed, 255 insertions, 68 deletions
diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php index 1d37b41bc..b22931b1a 100644 --- a/Zotlabs/Module/Admin.php +++ b/Zotlabs/Module/Admin.php @@ -568,25 +568,25 @@ class Admin extends \Zotlabs\Web\Controller { $block_public = ((x($_POST,'block_public')) ? True : False); set_config('system','block_public',$block_public); - $ws = trim_array_elems(explode("\n",$_POST['whitelisted_sites'])); + $ws = $this->trim_array_elems(explode("\n",$_POST['whitelisted_sites'])); set_config('system','whitelisted_sites',$ws); - $bs = trim_array_elems(explode("\n",$_POST['blacklisted_sites'])); + $bs = $this->trim_array_elems(explode("\n",$_POST['blacklisted_sites'])); set_config('system','blacklisted_sites',$bs); - $wc = trim_array_elems(explode("\n",$_POST['whitelisted_channels'])); + $wc = $this->trim_array_elems(explode("\n",$_POST['whitelisted_channels'])); set_config('system','whitelisted_channels',$wc); - $bc = trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); + $bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); set_config('system','blacklisted_channels',$bc); $embed_coop = ((x($_POST,'embed_coop')) ? True : False); set_config('system','embed_coop',$embed_coop); - $we = trim_array_elems(explode("\n",$_POST['embed_allow'])); + $we = $this->trim_array_elems(explode("\n",$_POST['embed_allow'])); set_config('system','embed_allow',$we); - $be = trim_array_elems(explode("\n",$_POST['embed_deny'])); + $be = $this->trim_array_elems(explode("\n",$_POST['embed_deny'])); set_config('system','embed_deny',$be); goaway(z_root() . '/admin/security'); @@ -708,9 +708,13 @@ class Admin extends \Zotlabs\Web\Controller { $embed_coop = intval(get_config('system','embed_coop')); - // wait to implement this until we have a co-op in place. - // if((! $whiteembeds) && (! $blackembeds) && (! $embed_coop)) - // $whiteembeds_str = "youtube.com\nyoutu.be\ntwitter.com\nvimeo.com\nsoundcloud.com\nwikipedia.com"; + if((! $whiteembeds) && (! $blackembeds)) { + $embedhelp1 = t("By default, unfiltered HTML is allowed in embedded media. This is inherently insecure."); + } + + $embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:"); + $embedhelp3 = t("youtube.com<br />youtu.be<br />twitter.com<br />vimeo.com<br />soundcloud.com<br />wikipedia.com<br />"); + $embedhelp4 = t("All other embedded content will be filtered, <strong>unless</strong> embedded content from that site is explicitly blocked."); $t = get_markup_template('admin_security.tpl'); return replace_macros($t, array( @@ -722,10 +726,15 @@ class Admin extends \Zotlabs\Web\Controller { '$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''), '$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')), '$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''), - '$embed_allow' => array('embed_allow', t('Allow embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), + '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), '$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''), // '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')), + '$embedhelp1' => $embedhelp1, + '$embedhelp2' => $embedhelp2, + '$embedhelp3' => $embedhelp3, + '$embedhelp4' => $embedhelp4, + '$submit' => t('Submit') )); } diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php index f36a452e8..638ea7e2d 100644 --- a/Zotlabs/Module/Oep.php +++ b/Zotlabs/Module/Oep.php @@ -220,7 +220,7 @@ class Oep extends \Zotlabs\Web\Controller { $ret['width'] = intval($width); $ret['height'] = intval($height); - $ret['html'] = get_zcard($c,get_observer_hash(),array('width' => $width, 'height' => $height)); + $ret['html'] = get_zcard_embed($c,get_observer_hash(),array('width' => $width, 'height' => $height)); return $ret; diff --git a/include/identity.php b/include/identity.php index 1c899048a..f50c497cd 100644 --- a/include/identity.php +++ b/include/identity.php @@ -1878,3 +1878,65 @@ function get_zcard($channel,$observer_hash = '',$args = array()) { return $o; } + + +function get_zcard_embed($channel,$observer_hash = '',$args = array()) { + + logger('get_zcard_embed'); + + $maxwidth = (($args['width']) ? intval($args['width']) : 0); + $maxheight = (($args['height']) ? intval($args['height']) : 0); + + + if(($maxwidth > 1200) || ($maxwidth < 1)) + $maxwidth = 1200; + + if($maxwidth <= 425) { + $width = 425; + $size = 'hz_small'; + $cover_size = PHOTO_RES_COVER_425; + $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 80 , 'height' => 80, 'href' => $channel['xchan_photo_m']); + } + elseif($maxwidth <= 900) { + $width = 900; + $size = 'hz_medium'; + $cover_size = PHOTO_RES_COVER_850; + $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 160 , 'height' => 160, 'href' => $channel['xchan_photo_l']); + } + elseif($maxwidth <= 1200) { + $width = 1200; + $size = 'hz_large'; + $cover_size = PHOTO_RES_COVER_1200; + $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 300 , 'height' => 300, 'href' => $channel['xchan_photo_l']); + } + + $channel['channel_addr'] = $channel['channel_address'] . '@' . App::get_hostname(); + $zcard = array('chan' => $channel); + + $r = q("select height, width, resource_id, scale, type from photo where uid = %d and scale = %d and photo_usage = %d", + intval($channel['channel_id']), + intval($cover_size), + intval(PHOTO_COVER) + ); + + if($r) { + $cover = $r[0]; + $cover['href'] = z_root() . '/photo/' . $r[0]['resource_id'] . '-' . $r[0]['scale']; + } + else { + $cover = $pphoto; + } + + $o .= replace_macros(get_markup_template('zcard_embed.tpl'),array( + '$maxwidth' => $maxwidth, + '$scale' => $scale, + '$translate' => $translate, + '$size' => $size, + '$cover' => $cover, + '$pphoto' => $pphoto, + '$zcard' => $zcard + )); + + return $o; + +} diff --git a/include/oembed.php b/include/oembed.php index 3994af0fb..356b9f961 100755 --- a/include/oembed.php +++ b/include/oembed.php @@ -3,67 +3,117 @@ function oembed_replacecb($matches){ $embedurl=$matches[1]; + $action = oembed_action($embedurl); + if($action === 'block') { + return '<a href="' . $embedurl . '">' . $embedurl . '</a>'; + } + + $j = oembed_fetch_url($embedurl); + $s = oembed_format_object($j); + return $s; +} + + +function oembed_action($embedurl) { + + $host = ''; + + $action = 'allow'; + + // The default action is 'allow'. This is insecure. We might want to + // change this to 'filter' except it will be a support burden because + // then youtube videos won't work out of the box and will need to be + // explicitly enabled. + + $embedurl = str_replace('&','&', $embedurl); + + logger('oembed_action: ' . $embedurl); + + $p = parse_url($embedurl); + + if($p) + $host = $p['host']; + + // These media files should now be caught in bbcode.php + // left here as a fallback in case this is called from another source + + $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); + $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); + // site white/black list if(($x = get_config('system','embed_deny'))) { - $l = explode("\n",$x); - if($l) { - foreach($l as $ll) { - if(trim($ll) && strpos($embedurl,trim($ll)) !== false) - return '<a href="' . $embedurl . '">' . $embedurl . '</a>'; + if(($x) && (! is_array($x))) + $x = explode("\n",$x); + if($x) { + foreach($x as $ll) { + $t = trim($ll); + + // don't allow somebody to provide a url like https://foobar.com/something/youtube + // to bypass a block or allow of youtube + + if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { + $action = 'block'; + break; + } } } } + + $found = false; + if(($x = get_config('system','embed_allow'))) { - $found = false; - $l = explode("\n",$x); - if($l) { - foreach($l as $ll) { - if(trim($ll) && strpos($embedurl,trim($ll)) !== false) { + if(($x) && (! is_array($x))) + $x = explode("\n",$x); + if($x) { + foreach($x as $ll) { + $t = trim($ll); + + // don't allow somebody to provide a url like https://foobar.com/something/youtube + // to bypass a block or allow of youtube + + if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { $found = true; + $action = 'allow'; break; } } } - if(! $found) { - return '<a href="' . $embedurl . '">' . $embedurl . '</a>'; + if((! $found) && ($action !== 'block')) { + $action = 'filter'; } } - // implements a personal embed white/black list for logged in members + // allow individual members to block something that wasn't blocked already. + // They cannot over-ride the site to allow or change the filtering on an + // embed that is not allowed by the site. + if(local_channel()) { if(($x = get_pconfig(local_channel(),'system','embed_deny'))) { - $l = explode("\n",$x); - if($l) { - foreach($l as $ll) { - if(trim($ll) && strpos($embedurl,trim($ll)) !== false) - return '<a href="' . $embedurl . '">' . $embedurl . '</a>'; - } - } - } - if(($x = get_pconfig(local_channel(),'system','embed_allow'))) { - $found = false; - $l = explode("\n",$x); - if($l) { - foreach($l as $ll) { - if(trim($ll) && strpos($embedurl,trim($ll)) !== false) { - $found = true; + if(($x) && (! is_array($x))) + $x = explode("\n",$x); + if($x) { + foreach($x as $ll) { + $t = trim($ll); + + // don't allow somebody to provide a url like https://foobar.com/something/youtube + // to bypass a block or allow of youtube + + if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { + $action = 'block'; break; } } } - if(! $found) { - return '<a href="' . $embedurl . '">' . $embedurl . '</a>'; - } } } - $j = oembed_fetch_url($embedurl); - $s = oembed_format_object($j); - return $s; -} + logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG); + return $action; + +} // if the url is embeddable with oembed, return the bbcode link. @@ -79,42 +129,48 @@ function oembed_process($url) { function oembed_fetch_url($embedurl){ - $a = get_app(); + // These media files should now be caught in bbcode.php + // left here as a fallback in case this is called from another source + + $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); + $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); + + $action = oembed_action($embedurl); $embedurl = str_replace('&','&', $embedurl); -// logger('fetch: ' . $embedurl); + $txt = null; - $txt = Cache::get(App::$videowidth . $embedurl); + if($action !== 'block') { + $txt = Cache::get(App::$videowidth . $embedurl); - if(strstr($txt,'youtu') && strstr(z_root(),'https:')) { - $txt = str_replace('http:','https:',$txt); + if(strstr($txt,'youtu') && strstr(z_root(),'https:')) { + $txt = str_replace('http:','https:',$txt); + } } + + if(is_null($txt)) { - // These media files should now be caught in bbcode.php - // left here as a fallback in case this is called from another source - - $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); - $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); - - - if(is_null($txt)){ $txt = ""; - - if (in_array($ext, $noexts)) { + $furl = $embedurl; + $zrl = false; + + if(local_channel()) { require_once('include/hubloc.php'); - $zrl = is_matrix_url($embedurl); + $zrl = is_matrix_url($furl); if($zrl) - $embedurl = zid($embedurl); + $furl = zid($furl); } - else { + + + if (! in_array($ext, $noexts) && $action !== 'block') { // try oembed autodiscovery $redirects = 0; - $result = z_fetch_url($embedurl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true )); + $result = z_fetch_url($furl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true )); if($result['success']) $html_text = $result['body']; - if($html_text){ + if($html_text) { $dom = @DOMDocument::loadHTML($html_text); if ($dom){ $xpath = new DOMXPath($dom); @@ -149,6 +205,7 @@ function oembed_fetch_url($embedurl){ } $txt=trim($txt); + if ($txt[0]!="{") $txt='{"type":"error"}'; //save in cache @@ -160,6 +217,16 @@ function oembed_fetch_url($embedurl){ $j = json_decode($txt); + + if($j->html && $action === 'filter') { + $orig = $j->html; + $allow_position = (($zrl) ? true : false); + $j->html = purify_html($j->html,$allow_position); + if($j->html != $orig) { + logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO); + } + } + $j->embedurl = $embedurl; // logger('fetch return: ' . print_r($j,true)); diff --git a/include/text.php b/include/text.php index c61c5fbd4..cf2f777aa 100644 --- a/include/text.php +++ b/include/text.php @@ -122,7 +122,7 @@ function z_input_filter($channel_id,$s,$type = 'text/bbcode') { -function purify_html($s) { +function purify_html($s, $allow_position) { require_once('library/HTMLPurifier.auto.php'); require_once('include/html2bbcode.php'); @@ -202,6 +202,35 @@ function purify_html($s) { $def->addElement('header', 'Block', 'Flow', 'Common'); $def->addElement('footer', 'Block', 'Flow', 'Common'); + + if($allow_position) { + $cssDefinition = $config->getCSSDefinition(); + + $cssDefinition->info['position'] = new HTMLPurifier_AttrDef_Enum(array('absolute', 'fixed', 'relative', 'static', 'inherit'), false); + + $cssDefinition->info['left'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + $cssDefinition->info['right'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + $cssDefinition->info['top'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + $cssDefinition->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array( + new HTMLPurifier_AttrDef_CSS_Length(), + new HTMLPurifier_AttrDef_CSS_Percentage() + )); + + } + + $purifier = new HTMLPurifier($config); return $purifier->purify($s); diff --git a/version.inc b/version.inc index 8c803549a..aec5959ca 100644 --- a/version.inc +++ b/version.inc @@ -1 +1 @@ -2016-04-29.1381H +2016-05-01.1383H diff --git a/view/tpl/admin_security.tpl b/view/tpl/admin_security.tpl index 3823d8235..39f389e54 100755 --- a/view/tpl/admin_security.tpl +++ b/view/tpl/admin_security.tpl @@ -15,6 +15,18 @@ {{include file="field_textarea.tpl" field=$whitelisted_channels}} {{include file="field_textarea.tpl" field=$blacklisted_channels}} + {{if $embedhelp1}} + <div class="section-content-info-wrapper">{{$embedhelp1}}</div> + {{/if}} + + <div style="margin-left: 15px; margin-bottom: 10px;"> + <div class="descriptive-text">{{$embedhelp2}}</div> + <div style="margin-left: 15px;"> + <div class="descriptive-text">{{$embedhelp3}}</div> + </div> + <div class="descriptive-text">{{$embedhelp4}}</div> + </div> + {{include file="field_textarea.tpl" field=$embed_allow}} {{include file="field_textarea.tpl" field=$embed_deny}} diff --git a/view/tpl/zcard_embed.tpl b/view/tpl/zcard_embed.tpl new file mode 100644 index 000000000..7981e3b0b --- /dev/null +++ b/view/tpl/zcard_embed.tpl @@ -0,0 +1,8 @@ +<div class="hz_card {{$size}}"> + <div class="hz_cover_photo" style="max-width: 100;"><img src="{{$cover.href}}" alt="{{$zcard.chan.xchan_name}}" /> + <div style="position: relative;top: -40px;left: 120px;color: #fff;font-size: 18px;text-rendering: optimizelegibility;text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);" >{{$zcard.chan.xchan_name}}</div> + <div style="position: relative;top: -40px;left: 120px;color: #fff;font-size: 10px;text-rendering: optimizelegibility;text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);" >{{$zcard.chan.channel_addr}}</div> + </div> + <div style="position:relative;top: -75px;left: 20px;background-color: white;border: 1px solid #ddd;padding: 3px;width: 80px;height: 80px;"><img src="{{$pphoto.href}}" alt="{{$zcard.chan.xchan_name}}" /></div> +</div> + |