authorredmatrix <git@macgirvin.com>2016-05-02 13:31:14 -0700
committerredmatrix <git@macgirvin.com>2016-05-02 13:31:14 -0700
commit2b7b26f4c0d6527f9cfe6b852e7b210c0406d9d2 (patch)
tree3f3fafe29d1908d8fff86820735db43115bc0647
parent559ed3f0a8cbe90b6c20cc4ada649bc063f41c25 (diff)
a bit more oembed security - and document the shortcomings of this approach
-rwxr-xr-xinclude/oembed.php36
1 files changed, 20 insertions, 16 deletions
diff --git a/include/oembed.php b/include/oembed.php
index 356b9f961..af5e51a6f 100755
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -49,11 +49,7 @@ function oembed_action($embedurl) {
if($x) {
foreach($x as $ll) {
$t = trim($ll);
-
- // don't allow somebody to provide a url like https://foobar.com/something/youtube
- // to bypass a block or allow of youtube
-
- if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+ if(($t) && (strpos($embedurl,$t) !== false)) {
$action = 'block';
break;
}
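Review bot: The substring test on the new line `if(($t) && (strpos($embedurl,$t) !== false))` is case-sensitive, but the host part of a URL is not, so a block entry of `youtube.com` does not catch `https://YouTube.com/watch?...` and the block is trivially bypassed by changing case. Comparing lowercased copies closes the obvious gap: `if(($t) && (strpos(strtolower($embedurl), strtolower($t)) !== false))`. Dropping the old `strpos($t,$host)` half is sound for a block list, since substring-in-URL already over-matches in the safe direction. oembed_action starts before this hunk and where `$host` is derived is not visible here, so I have not checked whether it is already normalised.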
@@ -69,14 +65,26 @@ function oembed_action($embedurl) {
if($x) {
foreach($x as $ll) {
$t = trim($ll);
+ $has_slash = ((strpos($t,'/') !== false) ? true : false);
// don't allow somebody to provide a url like https://foobar.com/something/youtube
- // to bypass a block or allow of youtube
-
- if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
- $found = true;
- $action = 'allow';
- break;
+ // to bypass an allow of youtube. Note they could still get through this
+ // with something like https://youtube.com.foobar.com/something so this is tagged with
+ // @FIXME, otherwise to fully secure a site will require every possible variation
+ // of every allowed service base URL. http vs. https, www. vs nothing,
+ // youtube.[com|org|whatever], youtu.be, and this is just for one service.
+
+ if($t) {
+ if(strpos($t,$host) !== false) {
+ $found = true;
+ $action = 'allow';
+ break;
+ }
+ elseif(($has_slash) && (strpos($embedurl,$t) !== false)) {
+ $found = true;
+ $action = 'allow';
+ break;
+ }
}
}
}
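Review bot: The first allow branch `if(strpos($t,$host) !== false)` tests whether the allow entry contains the host, which is the wrong direction: for an entry `youtube.com` any host that is a substring of it — `tube.com`, `e.com` — is allowed, a separate hole from the `youtube.com.foobar.com` case the new @FIXME comment describes. The second branch has the same shape, since `https://evil.example/?u=https://youtube.com/` contains a slash-bearing entry anywhere in the URL. Host entries should match exact-or-subdomain on lowercased strings (hostnames are case-insensitive) and path entries should be anchored at offset 0 of the URL; with that, the FIXME's worry about listing every http/https/www variation mostly disappears for the host form. If `$host` can be empty (its derivation is outside this hunk), also note that `strpos($t, '')` returns 0 on PHP 8 and would allow everything, so an empty host should be rejected before the loop. The function continues past the end of this hunk.
```php
// … unchanged: allow-list fetch and loop header …
$h = strtolower($host);
$e = strtolower($t);
if($t) {
    // host entry: the URL host must be the entry itself or a subdomain of it,
    // never merely a substring of the entry
    if($h === $e || substr($h, -(strlen($e) + 1)) === '.' . $e) {
        $found = true;
        $action = 'allow';
        break;
    }
    // path entry: must be a prefix of the URL, not just appear somewhere in it
    elseif(($has_slash) && (strpos(strtolower($embedurl), $e) === 0)) {
        $found = true;
        $action = 'allow';
        break;
    }
}
```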
@@ -96,11 +104,7 @@ function oembed_action($embedurl) {
if($x) {
foreach($x as $ll) {
$t = trim($ll);
-
- // don't allow somebody to provide a url like https://foobar.com/something/youtube
- // to bypass a block or allow of youtube
-
- if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+ if(($t) && (strpos($embedurl,$t) !== false)) {
$action = 'block';
break;
}
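Review bot: This third list runs a loop that is byte-for-byte the same as the block loop in the first hunk, so any later hardening (case-insensitive compare, anchoring) has to be made twice and will drift. A small helper such as `function oembed_url_matches_entry($embedurl, $t) { return (strpos(strtolower($embedurl), strtolower($t)) !== false); }` called from both block loops keeps them consistent, and the case-insensitivity fix it carries applies here just as it does to the first hunk, since `strpos($embedurl,$t)` on the new line is case-sensitive while hostnames are not. What distinguishes this list from the first one (which of the three is site-wide versus per-channel) is not visible in this hunk, so a one-line comment above the `if($x)` naming the list's scope would also help the next reader.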