From 5e112b395ddb80b72891361b259b4d3fafa7efc2 Mon Sep 17 00:00:00 2001
From: Mario
Date: Fri, 3 Jun 2022 08:51:54 +0000
Subject: oembed: implement a max oembed size which defaults to 1MB and do not try to oembed text previews
---
 include/oembed.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'include')
diff --git a/include/oembed.php b/include/oembed.php
index 36938c577..bcf5d525c 100644
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -163,6 +163,25 @@ function oembed_fetch_url($embedurl){
 $txt = EMPTY_STR;
+ if ($action !== 'block') {
+ $max_oembed_size = get_config('system', 'oembed_max_size', 1 * 1024 * 1024 /* 1MB */);
+
+ stream_context_set_default(
+ [
+ 'http' => [
+ 'method' => 'HEAD',
+ 'timeout' => 5
+ ]
+ ]
+ );
+
+ $headers = get_headers($furl, true);
+
+ if (isset($headers['Content-Length']) && $headers['Content-Length'] > $max_oembed_size) {
+ $action = 'block';
+ }
+ }
+
 if ($action !== 'block') {
 // try oembed autodiscovery
 $redirects = 0;
--
cgit v1.2.3
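Review bot: The size cap added ahead of the autodiscovery block is advisory only. It matches `Content-Length` case-sensitively in a HEAD response, so a host that omits the header, sends it as `content-length`, or answers HEAD differently from GET passes the check; after a redirect, `get_headers($furl, true)` returns the header as an array, which PHP always compares as greater than an integer, so the URL is blocked regardless of size. `stream_context_set_default()` also replaces the default context for every later stream call in the request, so those calls inherit method HEAD and the 5 second timeout. The rewrite below passes a per-call context as the third argument of `get_headers()` (PHP 7.1+) and normalises the header before comparing. The limit still has to be enforced while the body is read in the fetch that follows, which is outside this hunk. The HEAD probe is a second outbound request to what is presumably a remotely supplied URL, so it should get the same destination checks as that fetch.

```php
		$max_oembed_size = get_config('system', 'oembed_max_size', 1 * 1024 * 1024 /* 1MB */);

		// Per-call context, so later stream calls in this request keep their defaults.
		$head_ctx = stream_context_create(['http' => ['method' => 'HEAD', 'timeout' => 5]]);
		$headers = get_headers($furl, true, $head_ctx);

		if (is_array($headers)) {
			// Header names are case-insensitive, and a redirect chain yields one value per hop.
			$headers = array_change_key_case($headers, CASE_LOWER);
			$lengths = (array) ($headers['content-length'] ?? []);

			if ($lengths && (int) end($lengths) > $max_oembed_size) {
				$action = 'block';
			}
		}
```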