some much needed work on oembed security

Zotlabs/Module/Admin.php

@@ -568,25 +568,25 @@ class Admin extends \Zotlabs\Web\Controller {
 		$block_public         = ((x($_POST,'block_public'))		? True	: False);
 		set_config('system','block_public',$block_public);
 	
-		$ws = trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
+		$ws = $this->trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
 		set_config('system','whitelisted_sites',$ws);
 	
-		$bs = trim_array_elems(explode("\n",$_POST['blacklisted_sites']));
+		$bs = $this->trim_array_elems(explode("\n",$_POST['blacklisted_sites']));
 		set_config('system','blacklisted_sites',$bs);
 	
-		$wc = trim_array_elems(explode("\n",$_POST['whitelisted_channels']));
+		$wc = $this->trim_array_elems(explode("\n",$_POST['whitelisted_channels']));
 		set_config('system','whitelisted_channels',$wc);
 	
-		$bc = trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
+		$bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
 		set_config('system','blacklisted_channels',$bc);
 	
 		$embed_coop         = ((x($_POST,'embed_coop'))		? True	: False);
 		set_config('system','embed_coop',$embed_coop);
 	
-		$we = trim_array_elems(explode("\n",$_POST['embed_allow']));
+		$we = $this->trim_array_elems(explode("\n",$_POST['embed_allow']));
 		set_config('system','embed_allow',$we);
 	
-		$be = trim_array_elems(explode("\n",$_POST['embed_deny']));
+		$be = $this->trim_array_elems(explode("\n",$_POST['embed_deny']));
 		set_config('system','embed_deny',$be);
 	
 		goaway(z_root() . '/admin/security');
@@ -708,9 +708,13 @@ class Admin extends \Zotlabs\Web\Controller {
 	
 		$embed_coop = intval(get_config('system','embed_coop'));
 	
-	// wait to implement this until we have a co-op in place. 
-	//	if((! $whiteembeds) && (! $blackembeds) && (! $embed_coop))
-	//		$whiteembeds_str = "youtube.com\nyoutu.be\ntwitter.com\nvimeo.com\nsoundcloud.com\nwikipedia.com";
+		if((! $whiteembeds) && (! $blackembeds)) {
+			$embedhelp1 = t("By default, unfiltered HTML is allowed in embedded media. This is inherently insecure.");
+		}
+
+		$embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:"); 
+		$embedhelp3 = t("youtube.com<br />youtu.be<br />twitter.com<br />vimeo.com<br />soundcloud.com<br />wikipedia.com<br />");
+		$embedhelp4 = t("All other embedded content will be filtered, <strong>unless</strong> embedded content from that site is explicitly blocked.");
 	
 		$t = get_markup_template('admin_security.tpl');
 		return replace_macros($t, array(
@@ -722,10 +726,15 @@ class Admin extends \Zotlabs\Web\Controller {
 			'$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''),
 			'$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')),
 			'$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''),
-			'$embed_allow' => array('embed_allow', t('Allow embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')),
+			'$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')),
 			'$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''),
 	
 //	        '$embed_coop'     => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')),
+			'$embedhelp1' => $embedhelp1,
+			'$embedhelp2' => $embedhelp2,
+			'$embedhelp3' => $embedhelp3,
+			'$embedhelp4' => $embedhelp4,
+
 			'$submit' => t('Submit')
 		));
 	}

Zotlabs/Module/Oep.php

@@ -220,7 +220,7 @@ class Oep extends \Zotlabs\Web\Controller {
 		$ret['width'] = intval($width);
 		$ret['height'] = intval($height);
 	
-		$ret['html'] = get_zcard($c,get_observer_hash(),array('width' => $width, 'height' => $height));
+		$ret['html'] = get_zcard_embed($c,get_observer_hash(),array('width' => $width, 'height' => $height));
 	
 		return $ret;
 	

include/identity.php

@@ -1878,3 +1878,65 @@ function get_zcard($channel,$observer_hash = '',$args = array()) {
 	return $o;
 		
 }
+
+
+function get_zcard_embed($channel,$observer_hash = '',$args = array()) {
+
+	logger('get_zcard_embed');
+
+	$maxwidth = (($args['width']) ? intval($args['width']) : 0);
+	$maxheight = (($args['height']) ? intval($args['height']) : 0);
+
+
+	if(($maxwidth > 1200) || ($maxwidth < 1))
+		$maxwidth = 1200;
+
+	if($maxwidth <= 425) {
+		$width = 425;
+		$size = 'hz_small';
+		$cover_size = PHOTO_RES_COVER_425;
+		$pphoto = array('type' => $channel['xchan_photo_mimetype'],  'width' => 80 , 'height' => 80, 'href' => $channel['xchan_photo_m']);
+	}
+	elseif($maxwidth <= 900) {
+		$width = 900;
+		$size = 'hz_medium';
+		$cover_size = PHOTO_RES_COVER_850;
+		$pphoto = array('type' => $channel['xchan_photo_mimetype'],  'width' => 160 , 'height' => 160, 'href' => $channel['xchan_photo_l']);
+	}
+	elseif($maxwidth <= 1200) {
+		$width = 1200;
+		$size = 'hz_large';
+		$cover_size = PHOTO_RES_COVER_1200;
+		$pphoto = array('type' => $channel['xchan_photo_mimetype'],  'width' => 300 , 'height' => 300, 'href' => $channel['xchan_photo_l']);
+	}
+
+	$channel['channel_addr'] = $channel['channel_address'] . '@' . App::get_hostname();
+	$zcard = array('chan' => $channel);
+
+	$r = q("select height, width, resource_id, scale, type from photo where uid = %d and scale = %d and photo_usage = %d",
+		intval($channel['channel_id']),
+		intval($cover_size),
+		intval(PHOTO_COVER)
+	);
+
+	if($r) {
+		$cover = $r[0];
+		$cover['href'] = z_root() . '/photo/' . $r[0]['resource_id'] . '-' . $r[0]['scale'];
+	}		
+	else {
+		$cover = $pphoto;
+	}
+	
+	$o .= replace_macros(get_markup_template('zcard_embed.tpl'),array(
+		'$maxwidth' => $maxwidth,
+		'$scale' => $scale,
+		'$translate' => $translate,
+		'$size' => $size,
+		'$cover' => $cover,
+		'$pphoto' => $pphoto,
+		'$zcard' => $zcard
+	));		
+	
+	return $o;
+		
+}

include/oembed.php

@@ -3,60 +3,9 @@ function oembed_replacecb($matches){
 
 	$embedurl=$matches[1];
 
-
-	// site white/black list
-
-	if(($x = get_config('system','embed_deny'))) {
-		$l = explode("\n",$x);
-		if($l) {
-			foreach($l as $ll) {
-				if(trim($ll) && strpos($embedurl,trim($ll)) !== false)
-					return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
-			}
-		}
-	}
-	if(($x = get_config('system','embed_allow'))) {
-		$found = false;
-		$l = explode("\n",$x);
-		if($l) {
-			foreach($l as $ll) {
-				if(trim($ll) && strpos($embedurl,trim($ll)) !== false) {
-					$found = true;
-					break;
-				}
-			}
-		}
-		if(! $found) {
-			return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
-		}
-	}
-
-	// implements a personal embed white/black list for logged in members
-	if(local_channel()) {
-		if(($x = get_pconfig(local_channel(),'system','embed_deny'))) {
-			$l = explode("\n",$x);
-			if($l) {
-				foreach($l as $ll) {
-					if(trim($ll) && strpos($embedurl,trim($ll)) !== false)
-						return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
-				}
-			}
-		}
-		if(($x = get_pconfig(local_channel(),'system','embed_allow'))) {
-			$found = false;
-			$l = explode("\n",$x);
-			if($l) {
-				foreach($l as $ll) {
-					if(trim($ll) && strpos($embedurl,trim($ll)) !== false) {
-						$found = true;
-						break;
-					}
-				}
-			}
-			if(! $found) {
-				return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
-			}
-		}
+	$action = oembed_action($embedurl);
+	if($action === 'block') {
+		return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
 	}
 
 	$j = oembed_fetch_url($embedurl);
@@ -65,6 +14,107 @@ function oembed_replacecb($matches){
 }
 
 
+function oembed_action($embedurl) {
+
+	$host = '';
+
+	$action = 'allow';
+
+	// The default action is 'allow'. This is insecure. We might want to 
+	// change this to 'filter' except it will be a support burden because
+	// then youtube videos won't work out of the box and will need to be
+	// explicitly enabled.
+
+	$embedurl = str_replace('&amp;','&', $embedurl);
+
+	logger('oembed_action: ' . $embedurl);
+
+	$p = parse_url($embedurl);
+
+	if($p)
+		$host = $p['host'];
+
+	// These media files should now be caught in bbcode.php
+	// left here as a fallback in case this is called from another source
+
+	$noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
+	$ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
+
+
+	// site white/black list
+
+	if(($x = get_config('system','embed_deny'))) {
+		if(($x) && (! is_array($x)))
+			$x = explode("\n",$x);
+		if($x) {
+			foreach($x as $ll) {
+				$t = trim($ll);
+
+				// don't allow somebody to provide a url like https://foobar.com/something/youtube 
+				// to bypass a block or allow of youtube
+
+				if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+					$action = 'block';
+					break;
+				}
+			}
+		}
+	}
+	
+	$found = false;
+
+	if(($x = get_config('system','embed_allow'))) {
+		if(($x) && (! is_array($x)))
+			$x = explode("\n",$x);
+		if($x) {
+			foreach($x as $ll) {
+				$t = trim($ll);
+
+				// don't allow somebody to provide a url like https://foobar.com/something/youtube 
+				// to bypass a block or allow of youtube
+
+				if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+					$found = true;
+					$action = 'allow';
+					break;
+				}
+			}
+		}
+		if((! $found) && ($action !== 'block')) {
+			$action = 'filter';
+		}
+	}
+
+	// allow individual members to block something that wasn't blocked already.
+	// They cannot over-ride the site to allow or change the filtering on an 
+	// embed that is not allowed by the site.
+
+	if(local_channel()) {
+		if(($x = get_pconfig(local_channel(),'system','embed_deny'))) {
+			if(($x) && (! is_array($x)))
+				$x = explode("\n",$x);
+			if($x) {
+				foreach($x as $ll) {
+					$t = trim($ll);
+
+					// don't allow somebody to provide a url like https://foobar.com/something/youtube 
+					// to bypass a block or allow of youtube
+
+					if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
+						$action = 'block';
+						break;
+					}
+				}
+			}
+		}
+	}
+
+	logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG); 
+
+	return $action;
+
+}
+
 // if the url is embeddable with oembed, return the bbcode link.
 
 function oembed_process($url) {
@@ -79,42 +129,48 @@ function oembed_process($url) {
 
 function oembed_fetch_url($embedurl){
 
-	$a = get_app();
-
-	$embedurl = str_replace('&amp;','&', $embedurl);
-
-// logger('fetch: ' . $embedurl);
-
-	$txt = Cache::get(App::$videowidth . $embedurl);
-
-	if(strstr($txt,'youtu') && strstr(z_root(),'https:')) {
-		$txt = str_replace('http:','https:',$txt);
-	}
-
 	// These media files should now be caught in bbcode.php
 	// left here as a fallback in case this is called from another source
 
 	$noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
 	$ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
-	
-				
-	if(is_null($txt)){
-		$txt = "";
-		
-		if (in_array($ext, $noexts)) {
-			require_once('include/hubloc.php');
-			$zrl = is_matrix_url($embedurl);
-			if($zrl) 
-				$embedurl = zid($embedurl);	
+
+	$action = oembed_action($embedurl); 
+
+	$embedurl = str_replace('&amp;','&', $embedurl);
+
+	$txt = null;
+
+	if($action !== 'block') {
+		$txt = Cache::get(App::$videowidth . $embedurl);
+
+		if(strstr($txt,'youtu') && strstr(z_root(),'https:')) {
+			$txt = str_replace('http:','https:',$txt);
 		}
-		else {
+	}
+		
+	if(is_null($txt)) {
+
+		$txt = "";
+		$furl = $embedurl;
+		$zrl = false;
+
+		if(local_channel()) {
+			require_once('include/hubloc.php');
+			$zrl = is_matrix_url($furl);
+			if($zrl) 
+				$furl = zid($furl);	
+		}
+
+
+		if (! in_array($ext, $noexts) && $action !== 'block') {
 			// try oembed autodiscovery
 			$redirects = 0;
-			$result = z_fetch_url($embedurl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true ));
+			$result = z_fetch_url($furl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true ));
 			if($result['success'])
 				$html_text = $result['body'];
 
-			if($html_text){
+			if($html_text) {
 				$dom = @DOMDocument::loadHTML($html_text);
 				if ($dom){
 					$xpath = new DOMXPath($dom);
@@ -149,6 +205,7 @@ function oembed_fetch_url($embedurl){
 		}
 		
 		$txt=trim($txt);
+
 		if ($txt[0]!="{") $txt='{"type":"error"}';
 	
 		//save in cache
@@ -160,6 +217,16 @@ function oembed_fetch_url($embedurl){
 
 
 	$j = json_decode($txt);
+
+	if($j->html && $action === 'filter') {
+		$orig = $j->html;
+		$allow_position = (($zrl) ? true : false);
+		$j->html = purify_html($j->html,$allow_position);
+		if($j->html != $orig) {
+			logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO); 
+		}
+	}
+
 	$j->embedurl = $embedurl;
 
 // logger('fetch return: ' . print_r($j,true));

include/text.php

@@ -122,7 +122,7 @@ function z_input_filter($channel_id,$s,$type = 'text/bbcode') {
 
 
 
-function purify_html($s) {
+function purify_html($s, $allow_position) {
 	require_once('library/HTMLPurifier.auto.php');
 	require_once('include/html2bbcode.php');
 
@@ -202,6 +202,35 @@ function purify_html($s) {
 	$def->addElement('header',  'Block', 'Flow', 'Common');
 	$def->addElement('footer',  'Block', 'Flow', 'Common');
 
+
+	if($allow_position) {
+		$cssDefinition = $config->getCSSDefinition();
+
+		$cssDefinition->info['position'] = new HTMLPurifier_AttrDef_Enum(array('absolute', 'fixed', 'relative', 'static', 'inherit'), false);
+
+		$cssDefinition->info['left'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+			new HTMLPurifier_AttrDef_CSS_Length(),
+			new HTMLPurifier_AttrDef_CSS_Percentage()
+		));
+
+		$cssDefinition->info['right'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+			new HTMLPurifier_AttrDef_CSS_Length(),
+			new HTMLPurifier_AttrDef_CSS_Percentage()
+		));
+
+		$cssDefinition->info['top'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+			new HTMLPurifier_AttrDef_CSS_Length(),
+			new HTMLPurifier_AttrDef_CSS_Percentage()
+		));
+
+		$cssDefinition->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
+			new HTMLPurifier_AttrDef_CSS_Length(),
+			new HTMLPurifier_AttrDef_CSS_Percentage()
+		));
+
+	}
+
+
 	$purifier = new HTMLPurifier($config);
 
 	return $purifier->purify($s);

version.inc

@@ -1 +1 @@
-2016-04-29.1381H
+2016-05-01.1383H

view/tpl/admin_security.tpl

@@ -15,6 +15,18 @@
 	{{include file="field_textarea.tpl" field=$whitelisted_channels}}
 	{{include file="field_textarea.tpl" field=$blacklisted_channels}}
 
+	{{if $embedhelp1}}
+	<div class="section-content-info-wrapper">{{$embedhelp1}}</div>
+	{{/if}}
+
+	<div style="margin-left: 15px; margin-bottom: 10px;">
+	<div class="descriptive-text">{{$embedhelp2}}</div>
+	<div style="margin-left: 15px;">
+	<div class="descriptive-text">{{$embedhelp3}}</div>
+	</div>
+	<div class="descriptive-text">{{$embedhelp4}}</div>
+	</div>
+
 	{{include file="field_textarea.tpl" field=$embed_allow}}
 	{{include file="field_textarea.tpl" field=$embed_deny}}
 

view/tpl/zcard_embed.tpl

@@ -0,0 +1,8 @@
+<div class="hz_card {{$size}}">
+	<div class="hz_cover_photo" style="max-width: 100;"><img src="{{$cover.href}}" alt="{{$zcard.chan.xchan_name}}" />
+		<div style="position: relative;top: -40px;left: 120px;color: #fff;font-size: 18px;text-rendering: optimizelegibility;text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);" >{{$zcard.chan.xchan_name}}</div>
+		<div style="position: relative;top: -40px;left: 120px;color: #fff;font-size: 10px;text-rendering: optimizelegibility;text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);" >{{$zcard.chan.channel_addr}}</div>
+	</div>
+	<div style="position:relative;top: -75px;left: 20px;background-color: white;border: 1px solid #ddd;padding: 3px;width: 80px;height: 80px;"><img src="{{$pphoto.href}}" alt="{{$zcard.chan.xchan_name}}" /></div>
+</div>
+