more security stuff

This commit is contained in:
redmatrix
2016-05-02 22:28:27 -07:00
parent b017f8f2ab
commit b371c028ad
4 changed files with 52 additions and 71 deletions

View File

@@ -580,8 +580,8 @@ class Admin extends \Zotlabs\Web\Controller {
$bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); $bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
set_config('system','blacklisted_channels',$bc); set_config('system','blacklisted_channels',$bc);
$embed_coop = ((x($_POST,'embed_coop')) ? True : False); $embed_sslonly = ((x($_POST,'embed_sslonly')) ? True : False);
set_config('system','embed_coop',$embed_coop); set_config('system','embed_sslonly',$embed_sslonly);
$we = $this->trim_array_elems(explode("\n",$_POST['embed_allow'])); $we = $this->trim_array_elems(explode("\n",$_POST['embed_allow']));
set_config('system','embed_allow',$we); set_config('system','embed_allow',$we);
@@ -589,6 +589,12 @@ class Admin extends \Zotlabs\Web\Controller {
$be = $this->trim_array_elems(explode("\n",$_POST['embed_deny'])); $be = $this->trim_array_elems(explode("\n",$_POST['embed_deny']));
set_config('system','embed_deny',$be); set_config('system','embed_deny',$be);
$ts = ((x($_POST,'transport_security')) ? True : False);
set_config('system','transport_security_header',$ts);
$cs = ((x($_POST,'content_security')) ? True : False);
set_config('system','content_security_policy',$cs);
goaway(z_root() . '/admin/security'); goaway(z_root() . '/admin/security');
} }
@@ -713,7 +719,7 @@ class Admin extends \Zotlabs\Web\Controller {
} }
$embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:"); $embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:");
$embedhelp3 = t("youtube.com<br />youtu.be<br />twitter.com<br />vimeo.com<br />soundcloud.com<br />wikipedia.com<br />"); $embedhelp3 = t("https://youtube.com/<br />https://www.youtube.com/<br />https://youtu.be/<br />https://vimeo.com/<br />https://soundcloud.com/<br />");
$embedhelp4 = t("All other embedded content will be filtered, <strong>unless</strong> embedded content from that site is explicitly blocked."); $embedhelp4 = t("All other embedded content will be filtered, <strong>unless</strong> embedded content from that site is explicitly blocked.");
$t = get_markup_template('admin_security.tpl'); $t = get_markup_template('admin_security.tpl');
@@ -722,18 +728,17 @@ class Admin extends \Zotlabs\Web\Controller {
'$page' => t('Security'), '$page' => t('Security'),
'$form_security_token' => get_form_security_token('admin_security'), '$form_security_token' => get_form_security_token('admin_security'),
'$block_public' => array('block_public', t("Block public"), get_config('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently authenticated.")), '$block_public' => array('block_public', t("Block public"), get_config('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently authenticated.")),
'$transport_security' => array('transport_security', t('Set "Transport Security" HTTP header'),intval(get_config('system','transport_security_header')),''),
'$content_security' => array('content_security', t('Set "Content Security Policy" HTTP header'),intval(get_config('system','content_security_policy')),''),
'$whitelisted_sites' => array('whitelisted_sites', t('Allow communications only from these sites'), $whitesites_str, t('One site per line. Leave empty to allow communication from anywhere by default')), '$whitelisted_sites' => array('whitelisted_sites', t('Allow communications only from these sites'), $whitesites_str, t('One site per line. Leave empty to allow communication from anywhere by default')),
'$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''), '$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''),
'$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')), '$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')),
'$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''), '$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''),
'$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), '$embed_sslonly' => array('embed_sslonly',t('Only allow embeds from secure (SSL) websites and links.'), intval(get_config('system','embed_sslonly')),''),
'$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. By default embedded content is filtered.')),
'$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''), '$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''),
// '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')), // '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')),
'$embedhelp1' => $embedhelp1,
'$embedhelp2' => $embedhelp2,
'$embedhelp3' => $embedhelp3,
'$embedhelp4' => $embedhelp4,
'$submit' => t('Submit') '$submit' => t('Submit')
)); ));

View File

@@ -629,7 +629,7 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $cache = false)
} }
if($tryoembed) { if($tryoembed) {
if (strpos($Text,'[/url]') !== false) { if (strpos($Text,'[/url]') !== false) {
$Text = preg_replace_callback("/\[url\]([$URLSearchString]*)\[\/url\]/ism", 'tryoembed', $Text); $Text = preg_replace_callback("/[^\^]\[url\]([$URLSearchString]*)\[\/url\]/ism", 'tryoembed', $Text);
} }
} }
if (strpos($Text,'[/url]') !== false) { if (strpos($Text,'[/url]') !== false) {

View File

@@ -1,14 +1,16 @@
<?php /** @file */ <?php /** @file */
function oembed_replacecb($matches){ function oembed_replacecb($matches){
$embedurl=$matches[1]; $embedurl=$matches[1];
$action = oembed_action($embedurl); $result = oembed_action($embedurl);
if($action === 'block') { if($result['action'] === 'block') {
return '<a href="' . $embedurl . '">' . $embedurl . '</a>'; return '<a href="' . $result['url'] . '">' . $result['url'] . '</a>';
} }
$j = oembed_fetch_url($embedurl); $j = oembed_fetch_url($result['url']);
$s = oembed_format_object($j); $s = oembed_format_object($j);
return $s; return $s;
} }
@@ -17,22 +19,11 @@ function oembed_replacecb($matches){
function oembed_action($embedurl) { function oembed_action($embedurl) {
$host = ''; $host = '';
$action = 'filter';
$action = 'allow'; $embedurl = trim(str_replace('&amp;','&', $embedurl));
// The default action is 'allow'. This is insecure. We might want to logger('oembed_action: ' . $embedurl, LOGGER_DEBUG, LOG_INFO);
// change this to 'filter' except it will be a support burden because
// then youtube videos won't work out of the box and will need to be
// explicitly enabled.
$embedurl = str_replace('&amp;','&', $embedurl);
logger('oembed_action: ' . $embedurl);
$p = parse_url($embedurl);
if($p)
$host = $p['host'];
// These media files should now be caught in bbcode.php // These media files should now be caught in bbcode.php
// left here as a fallback in case this is called from another source // left here as a fallback in case this is called from another source
@@ -40,6 +31,11 @@ function oembed_action($embedurl) {
$noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
$ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
if(strpos($embedurl,'http://') === 0) {
if(intval(get_config('system','embed_sslonly'))) {
$action = 'block';
}
}
// site white/black list // site white/black list
@@ -65,27 +61,11 @@ function oembed_action($embedurl) {
if($x) { if($x) {
foreach($x as $ll) { foreach($x as $ll) {
$t = trim($ll); $t = trim($ll);
$has_slash = ((strpos($t,'/') !== false) ? true : false); if(($t) && (strpos($embedurl,$t) !== false) && ($action !== 'block')) {
// don't allow somebody to provide a url like https://foobar.com/something/youtube
// to bypass an allow of youtube. Note they could still get through this
// with something like https://youtube.com.foobar.com/something so this is tagged with
// @FIXME, otherwise to fully secure a site will require every possible variation
// of every allowed service base URL. http vs. https, www. vs nothing,
// youtube.[com|org|whatever], youtu.be, and this is just for one service.
if($t) {
if(strpos($t,$host) !== false) {
$found = true; $found = true;
$action = 'allow'; $action = 'allow';
break; break;
} }
elseif(($has_slash) && (strpos($embedurl,$t) !== false)) {
$found = true;
$action = 'allow';
break;
}
}
} }
} }
if((! $found) && ($action !== 'block')) { if((! $found) && ($action !== 'block')) {
@@ -95,7 +75,7 @@ function oembed_action($embedurl) {
// allow individual members to block something that wasn't blocked already. // allow individual members to block something that wasn't blocked already.
// They cannot over-ride the site to allow or change the filtering on an // They cannot over-ride the site to allow or change the filtering on an
// embed that is not allowed by the site. // embed that is not allowed by the site admin.
if(local_channel()) { if(local_channel()) {
if(($x = get_pconfig(local_channel(),'system','embed_deny'))) { if(($x = get_pconfig(local_channel(),'system','embed_deny'))) {
@@ -113,9 +93,12 @@ function oembed_action($embedurl) {
} }
} }
logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG); $arr = array('url' => $embedurl, 'action' => $action);
call_hooks('oembed_action',$arr);
return $action; logger('action: ' . $arr['action'] . ' url: ' . $arr['url'], LOGGER_DEBUG,LOG_DEBUG);
return $arr;
} }
@@ -139,9 +122,10 @@ function oembed_fetch_url($embedurl){
$noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
$ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
$action = oembed_action($embedurl); $result = oembed_action($embedurl);
$embedurl = str_replace('&amp;','&', $embedurl); $embedurl = $result['url'];
$action = $result['action'];
$txt = null; $txt = null;
@@ -222,7 +206,8 @@ function oembed_fetch_url($embedurl){
$j = json_decode($txt); $j = json_decode($txt);
if($j->html && $action === 'filter') { if($action === 'filter') {
if($j->html) {
$orig = $j->html; $orig = $j->html;
$allow_position = (($zrl) ? true : false); $allow_position = (($zrl) ? true : false);
$j->html = purify_html($j->html,$allow_position); $j->html = purify_html($j->html,$allow_position);
@@ -230,6 +215,7 @@ function oembed_fetch_url($embedurl){
logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO); logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO);
} }
} }
}
$j->embedurl = $embedurl; $j->embedurl = $embedurl;

View File

@@ -7,7 +7,9 @@
{{include file="field_checkbox.tpl" field=$block_public}} {{include file="field_checkbox.tpl" field=$block_public}}
{{include file="field_checkbox.tpl" field=$transport_security}}
{{include file="field_checkbox.tpl" field=$content_security}}
{{include file="field_checkbox.tpl" field=$embed_sslonly}}
{{include file="field_textarea.tpl" field=$whitelisted_sites}} {{include file="field_textarea.tpl" field=$whitelisted_sites}}
{{include file="field_textarea.tpl" field=$blacklisted_sites}} {{include file="field_textarea.tpl" field=$blacklisted_sites}}
@@ -15,18 +17,6 @@
{{include file="field_textarea.tpl" field=$whitelisted_channels}} {{include file="field_textarea.tpl" field=$whitelisted_channels}}
{{include file="field_textarea.tpl" field=$blacklisted_channels}} {{include file="field_textarea.tpl" field=$blacklisted_channels}}
{{if $embedhelp1}}
<div class="section-content-info-wrapper">{{$embedhelp1}}</div>
{{/if}}
<div style="margin-left: 15px; margin-bottom: 10px;">
<div class="descriptive-text">{{$embedhelp2}}</div>
<div style="margin-left: 15px;">
<div class="descriptive-text">{{$embedhelp3}}</div>
</div>
<div class="descriptive-text">{{$embedhelp4}}</div>
</div>
{{include file="field_textarea.tpl" field=$embed_allow}} {{include file="field_textarea.tpl" field=$embed_allow}}
{{include file="field_textarea.tpl" field=$embed_deny}} {{include file="field_textarea.tpl" field=$embed_deny}}