aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorredmatrix <git@macgirvin.com>2016-05-01 19:19:17 -0700
committerredmatrix <git@macgirvin.com>2016-05-01 19:19:17 -0700
commitcd518625bf561f1ed42db0b78030b74c32435136 (patch)
treea0894903507417997833d6766d7ba6a1ffd23a30 /include
parent84d93cca6e2ac0b552a6f5c570fbcfce766200a1 (diff)
downloadvolse-hubzilla-cd518625bf561f1ed42db0b78030b74c32435136.tar.gz
volse-hubzilla-cd518625bf561f1ed42db0b78030b74c32435136.tar.bz2
volse-hubzilla-cd518625bf561f1ed42db0b78030b74c32435136.zip
some much needed work on oembed security
Diffstat (limited to 'include')
-rw-r--r--include/identity.php62
-rwxr-xr-xinclude/oembed.php177
-rw-r--r--include/text.php31
3 files changed, 214 insertions, 56 deletions
diff --git a/include/identity.php b/include/identity.php
index 1c899048a..f50c497cd 100644
--- a/include/identity.php
+++ b/include/identity.php
@@ -1878,3 +1878,65 @@ function get_zcard($channel,$observer_hash = '',$args = array()) {
return $o;
}
+
+
+function get_zcard_embed($channel,$observer_hash = '',$args = array()) {
+
+ logger('get_zcard_embed');
+
+ $maxwidth = (($args['width']) ? intval($args['width']) : 0);
+ $maxheight = (($args['height']) ? intval($args['height']) : 0);
+
+
+ if(($maxwidth > 1200) || ($maxwidth < 1))
+ $maxwidth = 1200;
+
+ if($maxwidth <= 425) {
+ $width = 425;
+ $size = 'hz_small';
+ $cover_size = PHOTO_RES_COVER_425;
+ $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 80 , 'height' => 80, 'href' => $channel['xchan_photo_m']);
+ }
+ elseif($maxwidth <= 900) {
+ $width = 900;
+ $size = 'hz_medium';
+ $cover_size = PHOTO_RES_COVER_850;
+ $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 160 , 'height' => 160, 'href' => $channel['xchan_photo_l']);
+ }
+ elseif($maxwidth <= 1200) {
+ $width = 1200;
+ $size = 'hz_large';
+ $cover_size = PHOTO_RES_COVER_1200;
+ $pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 300 , 'height' => 300, 'href' => $channel['xchan_photo_l']);
+ }
+
+ $channel['channel_addr'] = $channel['channel_address'] . '@' . App::get_hostname();
+ $zcard = array('chan' => $channel);
+
+ $r = q("select height, width, resource_id, scale, type from photo where uid = %d and scale = %d and photo_usage = %d",
+ intval($channel['channel_id']),
+ intval($cover_size),
+ intval(PHOTO_COVER)
+ );
+
+ if($r) {
+ $cover = $r[0];
+ $cover['href'] = z_root() . '/photo/' . $r[0]['resource_id'] . '-' . $r[0]['scale'];
+ }
+ else {
+ $cover = $pphoto;
+ }
+
+ $o .= replace_macros(get_markup_template('zcard_embed.tpl'),array(
+ '$maxwidth' => $maxwidth,
+ '$scale' => $scale,
+ '$translate' => $translate,
+ '$size' => $size,
+ '$cover' => $cover,
+ '$pphoto' => $pphoto,
+ '$zcard' => $zcard
+ ));
+
+ return $o;
+
+}
diff --git a/include/oembed.php b/include/oembed.php
index 3994af0fb..356b9f961 100755
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -3,67 +3,117 @@ function oembed_replacecb($matches){
$embedurl=$matches[1];
+ $action = oembed_action($embedurl);
+ if($action === 'block') {
+ return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
+ }
+
+ $j = oembed_fetch_url($embedurl);
+ $s = oembed_format_object($j);
+ return $s;
+}
+
+
+function oembed_action($embedurl) {
+
+ $host = '';
+
+ $action = 'allow';
+
+ // The default action is 'allow'. This is insecure. We might want to
+ // change this to 'filter' except it will be a support burden because
+ // then youtube videos won't work out of the box and will need to be
+ // explicitly enabled.
+
+ $embedurl = str_replace('&amp;','&', $embedurl);
+
+ logger('oembed_action: ' . $embedurl);
+
+ $p = parse_url($embedurl);
+
+ if($p)
+ $host = $p['host'];
+
+ // These media files should now be caught in bbcode.php
+ // left here as a fallback in case this is called from another source
+
+ $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
+ $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
+
// site white/black list
if(($x = get_config('system','embed_deny'))) {
- $l = explode("\n",$x);
- if($l) {
- foreach($l as $ll) {
- if(trim($ll) && strpos($embedurl,trim($ll)) !== false)
- return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
+ if(($x) && (! is_array($x)))
+ $x = explode("\n",$x);
+ if($x) {
+ foreach($x as $ll) {
+ $t = trim($ll);
+
+ // don't allow somebody to provide a url like https://foobar.com/something/youtube
+ // to bypass a block or allow of youtube
+
+ if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+ $action = 'block';
+ break;
+ }
}
}
}
+
+ $found = false;
+
if(($x = get_config('system','embed_allow'))) {
- $found = false;
- $l = explode("\n",$x);
- if($l) {
- foreach($l as $ll) {
- if(trim($ll) && strpos($embedurl,trim($ll)) !== false) {
+ if(($x) && (! is_array($x)))
+ $x = explode("\n",$x);
+ if($x) {
+ foreach($x as $ll) {
+ $t = trim($ll);
+
+ // don't allow somebody to provide a url like https://foobar.com/something/youtube
+ // to bypass a block or allow of youtube
+
+ if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
$found = true;
+ $action = 'allow';
break;
}
}
}
- if(! $found) {
- return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
+ if((! $found) && ($action !== 'block')) {
+ $action = 'filter';
}
}
- // implements a personal embed white/black list for logged in members
+ // allow individual members to block something that wasn't blocked already.
+ // They cannot over-ride the site to allow or change the filtering on an
+ // embed that is not allowed by the site.
+
if(local_channel()) {
if(($x = get_pconfig(local_channel(),'system','embed_deny'))) {
- $l = explode("\n",$x);
- if($l) {
- foreach($l as $ll) {
- if(trim($ll) && strpos($embedurl,trim($ll)) !== false)
- return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
- }
- }
- }
- if(($x = get_pconfig(local_channel(),'system','embed_allow'))) {
- $found = false;
- $l = explode("\n",$x);
- if($l) {
- foreach($l as $ll) {
- if(trim($ll) && strpos($embedurl,trim($ll)) !== false) {
- $found = true;
+ if(($x) && (! is_array($x)))
+ $x = explode("\n",$x);
+ if($x) {
+ foreach($x as $ll) {
+ $t = trim($ll);
+
+ // don't allow somebody to provide a url like https://foobar.com/something/youtube
+ // to bypass a block or allow of youtube
+
+ if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+ $action = 'block';
break;
}
}
}
- if(! $found) {
- return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
- }
}
}
- $j = oembed_fetch_url($embedurl);
- $s = oembed_format_object($j);
- return $s;
-}
+ logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG);
+ return $action;
+
+}
// if the url is embeddable with oembed, return the bbcode link.
@@ -79,42 +129,48 @@ function oembed_process($url) {
function oembed_fetch_url($embedurl){
- $a = get_app();
+ // These media files should now be caught in bbcode.php
+ // left here as a fallback in case this is called from another source
+
+ $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
+ $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
+
+ $action = oembed_action($embedurl);
$embedurl = str_replace('&amp;','&', $embedurl);
-// logger('fetch: ' . $embedurl);
+ $txt = null;
- $txt = Cache::get(App::$videowidth . $embedurl);
+ if($action !== 'block') {
+ $txt = Cache::get(App::$videowidth . $embedurl);
- if(strstr($txt,'youtu') && strstr(z_root(),'https:')) {
- $txt = str_replace('http:','https:',$txt);
+ if(strstr($txt,'youtu') && strstr(z_root(),'https:')) {
+ $txt = str_replace('http:','https:',$txt);
+ }
}
+
+ if(is_null($txt)) {
- // These media files should now be caught in bbcode.php
- // left here as a fallback in case this is called from another source
-
- $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
- $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
-
-
- if(is_null($txt)){
$txt = "";
-
- if (in_array($ext, $noexts)) {
+ $furl = $embedurl;
+ $zrl = false;
+
+ if(local_channel()) {
require_once('include/hubloc.php');
- $zrl = is_matrix_url($embedurl);
+ $zrl = is_matrix_url($furl);
if($zrl)
- $embedurl = zid($embedurl);
+ $furl = zid($furl);
}
- else {
+
+
+ if (! in_array($ext, $noexts) && $action !== 'block') {
// try oembed autodiscovery
$redirects = 0;
- $result = z_fetch_url($embedurl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true ));
+ $result = z_fetch_url($furl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true ));
if($result['success'])
$html_text = $result['body'];
- if($html_text){
+ if($html_text) {
$dom = @DOMDocument::loadHTML($html_text);
if ($dom){
$xpath = new DOMXPath($dom);
@@ -149,6 +205,7 @@ function oembed_fetch_url($embedurl){
}
$txt=trim($txt);
+
if ($txt[0]!="{") $txt='{"type":"error"}';
//save in cache
@@ -160,6 +217,16 @@ function oembed_fetch_url($embedurl){
$j = json_decode($txt);
+
+ if($j->html && $action === 'filter') {
+ $orig = $j->html;
+ $allow_position = (($zrl) ? true : false);
+ $j->html = purify_html($j->html,$allow_position);
+ if($j->html != $orig) {
+ logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO);
+ }
+ }
+
$j->embedurl = $embedurl;
// logger('fetch return: ' . print_r($j,true));
diff --git a/include/text.php b/include/text.php
index c61c5fbd4..cf2f777aa 100644
--- a/include/text.php
+++ b/include/text.php
@@ -122,7 +122,7 @@ function z_input_filter($channel_id,$s,$type = 'text/bbcode') {
-function purify_html($s) {
+function purify_html($s, $allow_position) {
require_once('library/HTMLPurifier.auto.php');
require_once('include/html2bbcode.php');
@@ -202,6 +202,35 @@ function purify_html($s) {
$def->addElement('header', 'Block', 'Flow', 'Common');
$def->addElement('footer', 'Block', 'Flow', 'Common');
+
+ if($allow_position) {
+ $cssDefinition = $config->getCSSDefinition();
+
+ $cssDefinition->info['position'] = new HTMLPurifier_AttrDef_Enum(array('absolute', 'fixed', 'relative', 'static', 'inherit'), false);
+
+ $cssDefinition->info['left'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+ new HTMLPurifier_AttrDef_CSS_Length(),
+ new HTMLPurifier_AttrDef_CSS_Percentage()
+ ));
+
+ $cssDefinition->info['right'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+ new HTMLPurifier_AttrDef_CSS_Length(),
+ new HTMLPurifier_AttrDef_CSS_Percentage()
+ ));
+
+ $cssDefinition->info['top'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+ new HTMLPurifier_AttrDef_CSS_Length(),
+ new HTMLPurifier_AttrDef_CSS_Percentage()
+ ));
+
+ $cssDefinition->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+ new HTMLPurifier_AttrDef_CSS_Length(),
+ new HTMLPurifier_AttrDef_CSS_Percentage()
+ ));
+
+ }
+
+
$purifier = new HTMLPurifier($config);
return $purifier->purify($s);