author | redmatrix <git@macgirvin.com> | 2016-05-02 13:31:14 -0700 |
---|---|---|
committer | redmatrix <git@macgirvin.com> | 2016-05-02 13:31:14 -0700 |
commit | 2b7b26f4c0d6527f9cfe6b852e7b210c0406d9d2 (patch) | |
tree | 3f3fafe29d1908d8fff86820735db43115bc0647 | |
parent | 559ed3f0a8cbe90b6c20cc4ada649bc063f41c25 (diff) | |
a bit more oembed security - and document the shortcomings of this approach
-rwxr-xr-x | include/oembed.php | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/include/oembed.php b/include/oembed.php
index 356b9f961..af5e51a6f 100755
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -49,11 +49,7 @@ function oembed_action($embedurl) {
  if($x) {
  foreach($x as $ll) {
  $t = trim($ll);
-
- // don't allow somebody to provide a url like https://foobar.com/something/youtube
- // to bypass a block or allow of youtube
-
- if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+ if(($t) && (strpos($embedurl,$t) !== false)) {
  $action = 'block';
  break;
  }
@@ -69,14 +65,26 @@ function oembed_action($embedurl) {
  if($x) {
  foreach($x as $ll) {
  $t = trim($ll);
+ $has_slash = ((strpos($t,'/') !== false) ? true : false);
 
  // don't allow somebody to provide a url like https://foobar.com/something/youtube
- // to bypass a block or allow of youtube
-
- if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
- $found = true;
- $action = 'allow';
- break;
+ // to bypass an allow of youtube. Note they could still get through this
+ // with something like https://youtube.com.foobar.com/something so this is tagged with
+ // @FIXME, otherwise to fully secure a site will require every possible variation
+ // of every allowed service base URL. http vs. https, www. vs nothing,
+ // youtube.[com|org|whatever], youtu.be, and this is just for one service.
+
+ if($t) {
+ if(strpos($t,$host) !== false) {
+ $found = true;
+ $action = 'allow';
+ break;
+ }
+ elseif(($has_slash) && (strpos($embedurl,$t) !== false)) {
+ $found = true;
+ $action = 'allow';
+ break;
+ }
  }
  }
  }
@@ -96,11 +104,7 @@ function oembed_action($embedurl) {
  if($x) {
  foreach($x as $ll) {
  $t = trim($ll);
-
- // don't allow somebody to provide a url like https://foobar.com/something/youtube
- // to bypass a block or allow of youtube
-
- if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+ if(($t) && (strpos($embedurl,$t) !== false)) {
  $action = 'block';
  break;
  }
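Review bot: In the second hunk the new allow test `strpos($t,$host) !== false` asks whether the allow-list entry contains the embed host, so any host that is a substring of an allowed entry passes (for an entry `youtube.com`, a host such as `e.com` — constructed example); assuming `$host` is the host parsed from `$embedurl` outside this hunk, that is the reverse of the intended containment. The `elseif` branch has the same shape of problem: `strpos($embedurl,$t) !== false` accepts a full-URL entry anywhere in the embed URL, including inside a query string of an unrelated site, whereas a prefix test `strpos($embedurl,$t) === 0` is what an allow entry with a path means. A safer check derives the entry's host (via `parse_url` when the entry carries a scheme) and requires exact equality or a dot-anchored suffix, which also closes the `youtube.com.foobar.com` case the new @FIXME comment describes; the rewrite below assumes `$host` is a plain string and that scheme-less entries containing a slash are not relied on. Unrelated to the defect, `$has_slash = ((strpos($t,'/') !== false) ? true : false);` can be written `$has_slash = (strpos($t,'/') !== false);`. oembed_action begins before and continues after this hunk.
```php
			// … unchanged: $t = trim($ll); $has_slash and the explanatory comment …
			if($t) {
				// Compare the embed host against the entry's host component, not raw
				// substring containment: exact host or a dot-anchored subdomain of it.
				$entry_host = $t;
				if(strpos($t,'://') !== false) {
					$entry_host = parse_url($t, PHP_URL_HOST);
				}
				$entry_host = is_string($entry_host) ? strtolower(trim($entry_host, '/')) : '';
				$lhost = strtolower($host);
				$host_ok = ($entry_host !== '' && ($lhost === $entry_host
					|| substr($lhost, -strlen('.' . $entry_host)) === '.' . $entry_host));
				// A full-URL entry must be a prefix of the embed URL, not merely appear inside it.
				if($host_ok || (($has_slash) && (strpos($embedurl,$t) === 0))) {
					$found = true;
					$action = 'allow';
					break;
				}
			}
```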