diff options
author | redmatrix <git@macgirvin.com> | 2016-05-02 22:28:27 -0700 |
---|---|---|
committer | redmatrix <git@macgirvin.com> | 2016-05-02 22:28:27 -0700 |
commit | b371c028ad31180b4c73f92b45c4ca8f5fff259e (patch) | |
tree | 48340e58f0a8aec3ed03a37f0f810b9380a84c3d /include | |
parent | b017f8f2ab0154f895a2a960479ee44baf042dc2 (diff) | |
download | volse-hubzilla-b371c028ad31180b4c73f92b45c4ca8f5fff259e.tar.gz volse-hubzilla-b371c028ad31180b4c73f92b45c4ca8f5fff259e.tar.bz2 volse-hubzilla-b371c028ad31180b4c73f92b45c4ca8f5fff259e.zip |
more security stuff
Diffstat (limited to 'include')
-rw-r--r-- | include/bbcode.php | 2 | ||||
-rwxr-xr-x | include/oembed.php | 84 |
2 files changed, 36 insertions, 50 deletions
diff --git a/include/bbcode.php b/include/bbcode.php index 5bd5301cc..7a7ea8ce6 100644 --- a/include/bbcode.php +++ b/include/bbcode.php @@ -629,7 +629,7 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $cache = false) } if($tryoembed) { if (strpos($Text,'[/url]') !== false) { - $Text = preg_replace_callback("/\[url\]([$URLSearchString]*)\[\/url\]/ism", 'tryoembed', $Text); + $Text = preg_replace_callback("/[^\^]\[url\]([$URLSearchString]*)\[\/url\]/ism", 'tryoembed', $Text); } } if (strpos($Text,'[/url]') !== false) { diff --git a/include/oembed.php b/include/oembed.php index af5e51a6f..1e5c51172 100755 --- a/include/oembed.php +++ b/include/oembed.php @@ -1,14 +1,16 @@ <?php /** @file */ + + function oembed_replacecb($matches){ $embedurl=$matches[1]; - $action = oembed_action($embedurl); - if($action === 'block') { - return '<a href="' . $embedurl . '">' . $embedurl . '</a>'; + $result = oembed_action($embedurl); + if($result['action'] === 'block') { + return '<a href="' . $result['url'] . '">' . $result['url'] . '</a>'; } - $j = oembed_fetch_url($embedurl); + $j = oembed_fetch_url($result['url']); $s = oembed_format_object($j); return $s; } @@ -17,22 +19,11 @@ function oembed_replacecb($matches){ function oembed_action($embedurl) { $host = ''; + $action = 'filter'; - $action = 'allow'; - - // The default action is 'allow'. This is insecure. We might want to - // change this to 'filter' except it will be a support burden because - // then youtube videos won't work out of the box and will need to be - // explicitly enabled. - - $embedurl = str_replace('&','&', $embedurl); + $embedurl = trim(str_replace('&','&', $embedurl)); - logger('oembed_action: ' . $embedurl); - - $p = parse_url($embedurl); - - if($p) - $host = $p['host']; + logger('oembed_action: ' . $embedurl, LOGGER_DEBUG, LOG_INFO); // These media files should now be caught in bbcode.php // left here as a fallback in case this is called from another source @@ -40,6 +31,11 @@ function oembed_action($embedurl) { $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); + if(strpos($embedurl,'http://') === 0) { + if(intval(get_config('system','embed_sslonly'))) { + $action = 'block'; + } + } // site white/black list @@ -65,26 +61,10 @@ function oembed_action($embedurl) { if($x) { foreach($x as $ll) { $t = trim($ll); - $has_slash = ((strpos($t,'/') !== false) ? true : false); - - // don't allow somebody to provide a url like https://foobar.com/something/youtube - // to bypass an allow of youtube. Note they could still get through this - // with something like https://youtube.com.foobar.com/something so this is tagged with - // @FIXME, otherwise to fully secure a site will require every possible variation - // of every allowed service base URL. http vs. https, www. vs nothing, - // youtube.[com|org|whatever], youtu.be, and this is just for one service. - - if($t) { - if(strpos($t,$host) !== false) { - $found = true; - $action = 'allow'; - break; - } - elseif(($has_slash) && (strpos($embedurl,$t) !== false)) { - $found = true; - $action = 'allow'; - break; - } + if(($t) && (strpos($embedurl,$t) !== false) && ($action !== 'block')) { + $found = true; + $action = 'allow'; + break; } } } @@ -95,7 +75,7 @@ function oembed_action($embedurl) { // allow individual members to block something that wasn't blocked already. // They cannot over-ride the site to allow or change the filtering on an - // embed that is not allowed by the site. + // embed that is not allowed by the site admin. if(local_channel()) { if(($x = get_pconfig(local_channel(),'system','embed_deny'))) { @@ -113,9 +93,12 @@ function oembed_action($embedurl) { } } - logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG); + $arr = array('url' => $embedurl, 'action' => $action); + call_hooks('oembed_action',$arr); + + logger('action: ' . $arr['action'] . ' url: ' . $arr['url'], LOGGER_DEBUG,LOG_DEBUG); - return $action; + return $arr; } @@ -139,9 +122,10 @@ function oembed_fetch_url($embedurl){ $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); - $action = oembed_action($embedurl); + $result = oembed_action($embedurl); - $embedurl = str_replace('&','&', $embedurl); + $embedurl = $result['url']; + $action = $result['action']; $txt = null; @@ -222,12 +206,14 @@ function oembed_fetch_url($embedurl){ $j = json_decode($txt); - if($j->html && $action === 'filter') { - $orig = $j->html; - $allow_position = (($zrl) ? true : false); - $j->html = purify_html($j->html,$allow_position); - if($j->html != $orig) { - logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO); + if($action === 'filter') { + if($j->html) { + $orig = $j->html; + $allow_position = (($zrl) ? true : false); + $j->html = purify_html($j->html,$allow_position); + if($j->html != $orig) { + logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO); + } } } |