aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorredmatrix <git@macgirvin.com>2016-05-02 22:28:27 -0700
committerredmatrix <git@macgirvin.com>2016-05-02 22:28:27 -0700
commitb371c028ad31180b4c73f92b45c4ca8f5fff259e (patch)
tree48340e58f0a8aec3ed03a37f0f810b9380a84c3d /include
parentb017f8f2ab0154f895a2a960479ee44baf042dc2 (diff)
downloadvolse-hubzilla-b371c028ad31180b4c73f92b45c4ca8f5fff259e.tar.gz
volse-hubzilla-b371c028ad31180b4c73f92b45c4ca8f5fff259e.tar.bz2
volse-hubzilla-b371c028ad31180b4c73f92b45c4ca8f5fff259e.zip
more security stuff
Diffstat (limited to 'include')
-rw-r--r--include/bbcode.php2
-rwxr-xr-xinclude/oembed.php84
2 files changed, 36 insertions, 50 deletions
diff --git a/include/bbcode.php b/include/bbcode.php
index 5bd5301cc..7a7ea8ce6 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -629,7 +629,7 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $cache = false)
}
if($tryoembed) {
if (strpos($Text,'[/url]') !== false) {
- $Text = preg_replace_callback("/\[url\]([$URLSearchString]*)\[\/url\]/ism", 'tryoembed', $Text);
+ $Text = preg_replace_callback("/[^\^]\[url\]([$URLSearchString]*)\[\/url\]/ism", 'tryoembed', $Text);
}
}
if (strpos($Text,'[/url]') !== false) {
diff --git a/include/oembed.php b/include/oembed.php
index af5e51a6f..1e5c51172 100755
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -1,14 +1,16 @@
<?php /** @file */
+
+
function oembed_replacecb($matches){
$embedurl=$matches[1];
- $action = oembed_action($embedurl);
- if($action === 'block') {
- return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
+ $result = oembed_action($embedurl);
+ if($result['action'] === 'block') {
+ return '<a href="' . $result['url'] . '">' . $result['url'] . '</a>';
}
- $j = oembed_fetch_url($embedurl);
+ $j = oembed_fetch_url($result['url']);
$s = oembed_format_object($j);
return $s;
}
@@ -17,22 +19,11 @@ function oembed_replacecb($matches){
function oembed_action($embedurl) {
$host = '';
+ $action = 'filter';
- $action = 'allow';
-
- // The default action is 'allow'. This is insecure. We might want to
- // change this to 'filter' except it will be a support burden because
- // then youtube videos won't work out of the box and will need to be
- // explicitly enabled.
-
- $embedurl = str_replace('&amp;','&', $embedurl);
+ $embedurl = trim(str_replace('&amp;','&', $embedurl));
- logger('oembed_action: ' . $embedurl);
-
- $p = parse_url($embedurl);
-
- if($p)
- $host = $p['host'];
+ logger('oembed_action: ' . $embedurl, LOGGER_DEBUG, LOG_INFO);
// These media files should now be caught in bbcode.php
// left here as a fallback in case this is called from another source
@@ -40,6 +31,11 @@ function oembed_action($embedurl) {
$noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
$ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
+ if(strpos($embedurl,'http://') === 0) {
+ if(intval(get_config('system','embed_sslonly'))) {
+ $action = 'block';
+ }
+ }
// site white/black list
@@ -65,26 +61,10 @@ function oembed_action($embedurl) {
if($x) {
foreach($x as $ll) {
$t = trim($ll);
- $has_slash = ((strpos($t,'/') !== false) ? true : false);
-
- // don't allow somebody to provide a url like https://foobar.com/something/youtube
- // to bypass an allow of youtube. Note they could still get through this
- // with something like https://youtube.com.foobar.com/something so this is tagged with
- // @FIXME, otherwise to fully secure a site will require every possible variation
- // of every allowed service base URL. http vs. https, www. vs nothing,
- // youtube.[com|org|whatever], youtu.be, and this is just for one service.
-
- if($t) {
- if(strpos($t,$host) !== false) {
- $found = true;
- $action = 'allow';
- break;
- }
- elseif(($has_slash) && (strpos($embedurl,$t) !== false)) {
- $found = true;
- $action = 'allow';
- break;
- }
+ if(($t) && (strpos($embedurl,$t) !== false) && ($action !== 'block')) {
+ $found = true;
+ $action = 'allow';
+ break;
}
}
}
@@ -95,7 +75,7 @@ function oembed_action($embedurl) {
// allow individual members to block something that wasn't blocked already.
// They cannot over-ride the site to allow or change the filtering on an
- // embed that is not allowed by the site.
+ // embed that is not allowed by the site admin.
if(local_channel()) {
if(($x = get_pconfig(local_channel(),'system','embed_deny'))) {
@@ -113,9 +93,12 @@ function oembed_action($embedurl) {
}
}
- logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG);
+ $arr = array('url' => $embedurl, 'action' => $action);
+ call_hooks('oembed_action',$arr);
+
+ logger('action: ' . $arr['action'] . ' url: ' . $arr['url'], LOGGER_DEBUG,LOG_DEBUG);
- return $action;
+ return $arr;
}
@@ -139,9 +122,10 @@ function oembed_fetch_url($embedurl){
$noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
$ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
- $action = oembed_action($embedurl);
+ $result = oembed_action($embedurl);
- $embedurl = str_replace('&amp;','&', $embedurl);
+ $embedurl = $result['url'];
+ $action = $result['action'];
$txt = null;
@@ -222,12 +206,14 @@ function oembed_fetch_url($embedurl){
$j = json_decode($txt);
- if($j->html && $action === 'filter') {
- $orig = $j->html;
- $allow_position = (($zrl) ? true : false);
- $j->html = purify_html($j->html,$allow_position);
- if($j->html != $orig) {
- logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO);
+ if($action === 'filter') {
+ if($j->html) {
+ $orig = $j->html;
+ $allow_position = (($zrl) ? true : false);
+ $j->html = purify_html($j->html,$allow_position);
+ if($j->html != $orig) {
+ logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO);
+ }
}
}