From 2b7b26f4c0d6527f9cfe6b852e7b210c0406d9d2 Mon Sep 17 00:00:00 2001
From: redmatrix
Date: Mon, 2 May 2016 13:31:14 -0700
Subject: a bit more oembed security - and document the shortcomings of this approach

---
 include/oembed.php | 36 ++++++++++++++++++++----------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/include/oembed.php b/include/oembed.php
index 356b9f961..af5e51a6f 100755
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -49,11 +49,7 @@ function oembed_action($embedurl) {
 	if($x) {
 		foreach($x as $ll) {
 			$t = trim($ll);
-
-			// don't allow somebody to provide a url like https://foobar.com/something/youtube
-			// to bypass a block or allow of youtube
-
-			if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+			if(($t) && (strpos($embedurl,$t) !== false)) {
 				$action = 'block';
 				break;
 			}
@@ -69,14 +65,26 @@ function oembed_action($embedurl) {
 	if($x) {
 		foreach($x as $ll) {
 			$t = trim($ll);
+			$has_slash = ((strpos($t,'/') !== false) ? true : false);
 
 			// don't allow somebody to provide a url like https://foobar.com/something/youtube
-			// to bypass a block or allow of youtube
-
-			if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
-				$found = true;
-				$action = 'allow';
-				break;
+			// to bypass an allow of youtube. Note they could still get through this
+			// with something like https://youtube.com.foobar.com/something so this is tagged with
+			// @FIXME, otherwise to fully secure a site will require every possible variation
+			// of every allowed service base URL. http vs. https, www. vs nothing,
+			// youtube.[com|org|whatever], youtu.be, and this is just for one service.
+
+			if($t) {
+				if(strpos($t,$host) !== false) {
+					$found = true;
+					$action = 'allow';
+					break;
+				}
+				elseif(($has_slash) && (strpos($embedurl,$t) !== false)) {
+					$found = true;
+					$action = 'allow';
+					break;
+				}
 			}
 		}
 	}
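Review bot: The block-list test `if(($t) && (strpos($embedurl,$t) !== false))` is a case-sensitive byte match, while hostnames are case-insensitive, so a block entry such as `youtube.com` does not match a URL whose host is written in a different case and the block is silently not applied; the same line appears in the third hunk (`@@ -96,11 +104,7 @@`). Comparing case-insensitively closes that gap: `if(($t) && (stripos($embedurl,$t) !== false)) {`, or normalise both sides with `strtolower()` once before the loops. Note also that the match is against the whole URL, so an entry appearing in the path or query string of an unrelated site also blocks it; that is the safe direction, but worth a one-line comment such as `// substring match against the full URL; over-blocking is preferred to bypass`. oembed_action() begins before and continues past this hunk.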
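Review bot: The allow branch `if(strpos($t,$host) !== false)` has no guard on `$host` being empty; `$host` is derived outside this hunk, but if it can be an empty string (a URL parse with no host component), then on PHP 8 `strpos($t, '')` returns 0 and every non-empty allow entry admits the URL, while on PHP 7 it warns and returns false. A guard such as `if($t && $host !== '') {` in place of `if($t) {` makes the allow decision depend only on a real host. The same case-sensitivity issue raised on the first hunk applies to both `strpos` calls here. As a point of style, `$has_slash = ((strpos($t,'/') !== false) ? true : false);` can simply be `$has_slash = (strpos($t,'/') !== false);` since the comparison already yields a bool. oembed_action() begins before and continues past this hunk.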
@@ -96,11 +104,7 @@ function oembed_action($embedurl) {
 	if($x) {
 		foreach($x as $ll) {
 			$t = trim($ll);
-
-			// don't allow somebody to provide a url like https://foobar.com/something/youtube
-			// to bypass a block or allow of youtube
-
-			if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+			if(($t) && (strpos($embedurl,$t) !== false)) {
 				$action = 'block';
 				break;
 			}
-- 
cgit v1.2.3