a bit more oembed security - and document the shortcomings of this approach

This commit is contained in:
redmatrix 2016-05-02 13:31:14 -07:00
parent 559ed3f0a8
commit 2b7b26f4c0


@ -49,11 +49,7 @@ function oembed_action($embedurl) {
if($x) { if($x) {
foreach($x as $ll) { foreach($x as $ll) {
$t = trim($ll); $t = trim($ll);
if(($t) && (strpos($embedurl,$t) !== false)) {
// don't allow somebody to provide a url like https://foobar.com/something/youtube
// to bypass a block or allow of youtube
if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
$action = 'block'; $action = 'block';
break; break;
} }
@ -69,15 +65,27 @@ function oembed_action($embedurl) {
if($x) { if($x) {
foreach($x as $ll) { foreach($x as $ll) {
$t = trim($ll); $t = trim($ll);
$has_slash = ((strpos($t,'/') !== false) ? true : false);
// don't allow somebody to provide a url like https://foobar.com/something/youtube // don't allow somebody to provide a url like https://foobar.com/something/youtube
// to bypass a block or allow of youtube // to bypass an allow of youtube. Note they could still get through this
// with something like https://youtube.com.foobar.com/something so this is tagged with
// @FIXME, otherwise to fully secure a site will require every possible variation
// of every allowed service base URL. http vs. https, www. vs nothing,
// youtube.[com|org|whatever], youtu.be, and this is just for one service.
if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) { if($t) {
if(strpos($t,$host) !== false) {
$found = true; $found = true;
$action = 'allow'; $action = 'allow';
break; break;
} }
elseif(($has_slash) && (strpos($embedurl,$t) !== false)) {
$found = true;
$action = 'allow';
break;
}
}
} }
} }
if((! $found) && ($action !== 'block')) { if((! $found) && ($action !== 'block')) {
@ -96,11 +104,7 @@ function oembed_action($embedurl) {
if($x) { if($x) {
foreach($x as $ll) { foreach($x as $ll) {
$t = trim($ll); $t = trim($ll);
if(($t) && (strpos($embedurl,$t) !== false)) {
// don't allow somebody to provide a url like https://foobar.com/something/youtube
// to bypass a block or allow of youtube
if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
$action = 'block'; $action = 'block';
break; break;
} }
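Review bot: In the allow-list hunk (`@ -69,15 +65,27 @@`) the new host test `if(strpos($t,$host) !== false)` searches for the embed URL's host inside the allow-list entry, so any host that is a substring of an entry is accepted — with the entry `youtube.com`, a URL whose host is `tube.com` passes (constructed example), which is the reverse of the subdomain check the comment describes. The `elseif` branch still matches the entry anywhere in `$embedurl` rather than as a prefix, so an allowed `host/path` entry appearing later in a URL satisfies it; `elseif(($has_slash) && (strpos($embedurl,$t) === 0)) {` closes that. `$host` is assigned outside the hunk; if it can ever be empty, `strpos` with an empty needle warns and returns false on PHP 5/7 but matches at offset 0 on PHP 8, so the rewrite below guards it explicitly. With this rewrite, entries written with a scheme (which set `$has_slash`) would match only through the prefix branch, which I take to be the intended reading of that flag. The enclosing `foreach` and the body of `oembed_action` begin and end outside the hunk.
```php
				if($t) {
					// Compare host names, not substrings: accept an exact match or a
					// subdomain of the allowed entry (entries given as bare host names).
					$allowed_host = strtolower(trim($t, '.'));
					$url_host = strtolower($host);
					$suffix = '.' . $allowed_host;
					if($url_host !== '' && $allowed_host !== ''
						&& ($url_host === $allowed_host || substr($url_host, -strlen($suffix)) === $suffix)) {
						$found = true;
						$action = 'allow';
						break;
					}
					// Entries that carry a scheme or path must match as a prefix of the URL.
					elseif(($has_slash) && (strpos($embedurl,$t) === 0)) {
						// … unchanged: $found = true; $action = 'allow'; break; …
					}
				}
```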