harukin/core
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

some much needed work on oembed security

Browse Source
This commit is contained in:
redmatrix 2016-05-01 19:19:17 -07:00
parent 84d93cca6e
commit cd518625bf
8 changed files with 279 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
Zotlabs/Module/Admin.php
View File

@ -568,25 +568,25 @@ class Admin extends \Zotlabs\Web\Controller {
$block_public = ((x($_POST,'block_public')) ? True : False); $block_public = ((x($_POST,'block_public')) ? True : False);
set_config('system','block_public',$block_public); set_config('system','block_public',$block_public);
$ws = trim_array_elems(explode("\n",$_POST['whitelisted_sites'])); $ws = $this->trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
set_config('system','whitelisted_sites',$ws); set_config('system','whitelisted_sites',$ws);
$bs = trim_array_elems(explode("\n",$_POST['blacklisted_sites'])); $bs = $this->trim_array_elems(explode("\n",$_POST['blacklisted_sites']));
set_config('system','blacklisted_sites',$bs); set_config('system','blacklisted_sites',$bs);
$wc = trim_array_elems(explode("\n",$_POST['whitelisted_channels'])); $wc = $this->trim_array_elems(explode("\n",$_POST['whitelisted_channels']));
set_config('system','whitelisted_channels',$wc); set_config('system','whitelisted_channels',$wc);
$bc = trim_array_elems(explode("\n",$_POST['blacklisted_channels'])); $bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
set_config('system','blacklisted_channels',$bc); set_config('system','blacklisted_channels',$bc);
$embed_coop = ((x($_POST,'embed_coop')) ? True : False); $embed_coop = ((x($_POST,'embed_coop')) ? True : False);
set_config('system','embed_coop',$embed_coop); set_config('system','embed_coop',$embed_coop);
$we = trim_array_elems(explode("\n",$_POST['embed_allow'])); $we = $this->trim_array_elems(explode("\n",$_POST['embed_allow']));
set_config('system','embed_allow',$we); set_config('system','embed_allow',$we);
$be = trim_array_elems(explode("\n",$_POST['embed_deny'])); $be = $this->trim_array_elems(explode("\n",$_POST['embed_deny']));
set_config('system','embed_deny',$be); set_config('system','embed_deny',$be);
goaway(z_root() . '/admin/security'); goaway(z_root() . '/admin/security');
@ -708,9 +708,13 @@ class Admin extends \Zotlabs\Web\Controller {
$embed_coop = intval(get_config('system','embed_coop')); $embed_coop = intval(get_config('system','embed_coop'));
// wait to implement this until we have a co-op in place. if((! $whiteembeds) && (! $blackembeds)) {
// if((! $whiteembeds) && (! $blackembeds) && (! $embed_coop)) $embedhelp1 = t("By default, unfiltered HTML is allowed in embedded media. This is inherently insecure.");
// $whiteembeds_str = "youtube.com\nyoutu.be\ntwitter.com\nvimeo.com\nsoundcloud.com\nwikipedia.com"; }
$embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:");
$embedhelp3 = t("youtube.com<br />youtu.be<br />twitter.com<br />vimeo.com<br />soundcloud.com<br />wikipedia.com<br />");
$embedhelp4 = t("All other embedded content will be filtered, <strong>unless</strong> embedded content from that site is explicitly blocked.");
$t = get_markup_template('admin_security.tpl'); $t = get_markup_template('admin_security.tpl');
return replace_macros($t, array( return replace_macros($t, array(
@ -722,10 +726,15 @@ class Admin extends \Zotlabs\Web\Controller {
'$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''), '$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''),
'$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')), '$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')),
'$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''), '$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''),
'$embed_allow' => array('embed_allow', t('Allow embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')), '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')),
'$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''), '$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''),
// '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')), // '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')),
'$embedhelp1' => $embedhelp1,
'$embedhelp2' => $embedhelp2,
'$embedhelp3' => $embedhelp3,
'$embedhelp4' => $embedhelp4,
'$submit' => t('Submit') '$submit' => t('Submit')
)); ));
} }

2
Zotlabs/Module/Oep.php
View File

@ -220,7 +220,7 @@ class Oep extends \Zotlabs\Web\Controller {
$ret['width'] = intval($width); $ret['width'] = intval($width);
$ret['height'] = intval($height); $ret['height'] = intval($height);
$ret['html'] = get_zcard($c,get_observer_hash(),array('width' => $width, 'height' => $height)); $ret['html'] = get_zcard_embed($c,get_observer_hash(),array('width' => $width, 'height' => $height));
return $ret; return $ret;

62
include/identity.php
View File

@ -1878,3 +1878,65 @@ function get_zcard($channel,$observer_hash = '',$args = array()) {
return $o; return $o;
} }
function get_zcard_embed($channel,$observer_hash = '',$args = array()) {
logger('get_zcard_embed');
$maxwidth = (($args['width']) ? intval($args['width']) : 0);
$maxheight = (($args['height']) ? intval($args['height']) : 0);
if(($maxwidth > 1200) || ($maxwidth < 1))
$maxwidth = 1200;
if($maxwidth <= 425) {
$width = 425;
$size = 'hz_small';
$cover_size = PHOTO_RES_COVER_425;
$pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 80 , 'height' => 80, 'href' => $channel['xchan_photo_m']);
}
elseif($maxwidth <= 900) {
$width = 900;
$size = 'hz_medium';
$cover_size = PHOTO_RES_COVER_850;
$pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 160 , 'height' => 160, 'href' => $channel['xchan_photo_l']);
}
elseif($maxwidth <= 1200) {
$width = 1200;
$size = 'hz_large';
$cover_size = PHOTO_RES_COVER_1200;
$pphoto = array('type' => $channel['xchan_photo_mimetype'], 'width' => 300 , 'height' => 300, 'href' => $channel['xchan_photo_l']);
}
$channel['channel_addr'] = $channel['channel_address'] . '@' . App::get_hostname();
$zcard = array('chan' => $channel);
$r = q("select height, width, resource_id, scale, type from photo where uid = %d and scale = %d and photo_usage = %d",
intval($channel['channel_id']),
intval($cover_size),
intval(PHOTO_COVER)
);
if($r) {
$cover = $r[0];
$cover['href'] = z_root() . '/photo/' . $r[0]['resource_id'] . '-' . $r[0]['scale'];
}
else {
$cover = $pphoto;
}
$o .= replace_macros(get_markup_template('zcard_embed.tpl'),array(
'$maxwidth' => $maxwidth,
'$scale' => $scale,
'$translate' => $translate,
'$size' => $size,
'$cover' => $cover,
'$pphoto' => $pphoto,
'$zcard' => $zcard
));
return $o;
}

217
include/oembed.php
View File

@ -3,61 +3,10 @@ function oembed_replacecb($matches){
$embedurl=$matches[1]; $embedurl=$matches[1];
$action = oembed_action($embedurl);
// site white/black list if($action === 'block') {
if(($x = get_config('system','embed_deny'))) {
$l = explode("\n",$x);
if($l) {
foreach($l as $ll) {
if(trim($ll) && strpos($embedurl,trim($ll)) !== false)
return '<a href="' . $embedurl . '">' . $embedurl . '</a>'; return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
} }
}
}
if(($x = get_config('system','embed_allow'))) {
$found = false;
$l = explode("\n",$x);
if($l) {
foreach($l as $ll) {
if(trim($ll) && strpos($embedurl,trim($ll)) !== false) {
$found = true;
break;
}
}
}
if(! $found) {
return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
}
}
// implements a personal embed white/black list for logged in members
if(local_channel()) {
if(($x = get_pconfig(local_channel(),'system','embed_deny'))) {
$l = explode("\n",$x);
if($l) {
foreach($l as $ll) {
if(trim($ll) && strpos($embedurl,trim($ll)) !== false)
return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
}
}
}
if(($x = get_pconfig(local_channel(),'system','embed_allow'))) {
$found = false;
$l = explode("\n",$x);
if($l) {
foreach($l as $ll) {
if(trim($ll) && strpos($embedurl,trim($ll)) !== false) {
$found = true;
break;
}
}
}
if(! $found) {
return '<a href="' . $embedurl . '">' . $embedurl . '</a>';
}
}
}
$j = oembed_fetch_url($embedurl); $j = oembed_fetch_url($embedurl);
$s = oembed_format_object($j); $s = oembed_format_object($j);
@ -65,6 +14,107 @@ function oembed_replacecb($matches){
} }
function oembed_action($embedurl) {
$host = '';
$action = 'allow';
// The default action is 'allow'. This is insecure. We might want to
// change this to 'filter' except it will be a support burden because
// then youtube videos won't work out of the box and will need to be
// explicitly enabled.
$embedurl = str_replace('&amp;','&', $embedurl);
logger('oembed_action: ' . $embedurl);
$p = parse_url($embedurl);
if($p)
$host = $p['host'];
// These media files should now be caught in bbcode.php
// left here as a fallback in case this is called from another source
$noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
$ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
// site white/black list
if(($x = get_config('system','embed_deny'))) {
if(($x) && (! is_array($x)))
$x = explode("\n",$x);
if($x) {
foreach($x as $ll) {
$t = trim($ll);
// don't allow somebody to provide a url like https://foobar.com/something/youtube
// to bypass a block or allow of youtube
if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
$action = 'block';
break;
}
}
}
}
$found = false;
if(($x = get_config('system','embed_allow'))) {
if(($x) && (! is_array($x)))
$x = explode("\n",$x);
if($x) {
foreach($x as $ll) {
$t = trim($ll);
// don't allow somebody to provide a url like https://foobar.com/something/youtube
// to bypass a block or allow of youtube
if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
$found = true;
$action = 'allow';
break;
}
}
}
if((! $found) && ($action !== 'block')) {
$action = 'filter';
}
}
// allow individual members to block something that wasn't blocked already.
// They cannot over-ride the site to allow or change the filtering on an
// embed that is not allowed by the site.
if(local_channel()) {
if(($x = get_pconfig(local_channel(),'system','embed_deny'))) {
if(($x) && (! is_array($x)))
$x = explode("\n",$x);
if($x) {
foreach($x as $ll) {
$t = trim($ll);
// don't allow somebody to provide a url like https://foobar.com/something/youtube
// to bypass a block or allow of youtube
if($t && (strpos($embedurl,$t) !== false || strpos($t,$host) !== false)) {
$action = 'block';
break;
}
}
}
}
}
logger('action: ' . $action . ' url: ' . $embedurl, LOGGER_DEBUG,LOG_DEBUG);
return $action;
}
// if the url is embeddable with oembed, return the bbcode link. // if the url is embeddable with oembed, return the bbcode link.
function oembed_process($url) { function oembed_process($url) {
@ -79,42 +129,48 @@ function oembed_process($url) {
function oembed_fetch_url($embedurl){ function oembed_fetch_url($embedurl){
$a = get_app();
$embedurl = str_replace('&amp;','&', $embedurl);
// logger('fetch: ' . $embedurl);
$txt = Cache::get(App::$videowidth . $embedurl);
if(strstr($txt,'youtu') && strstr(z_root(),'https:')) {
$txt = str_replace('http:','https:',$txt);
}
// These media files should now be caught in bbcode.php // These media files should now be caught in bbcode.php
// left here as a fallback in case this is called from another source // left here as a fallback in case this is called from another source
$noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus"); $noexts = array("mp3","mp4","ogg","ogv","oga","ogm","webm","opus");
$ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION); $ext = pathinfo(strtolower($embedurl),PATHINFO_EXTENSION);
$action = oembed_action($embedurl);
if(is_null($txt)){ $embedurl = str_replace('&amp;','&', $embedurl);
$txt = "";
if (in_array($ext, $noexts)) { $txt = null;
require_once('include/hubloc.php');
$zrl = is_matrix_url($embedurl); if($action !== 'block') {
if($zrl) $txt = Cache::get(App::$videowidth . $embedurl);
$embedurl = zid($embedurl);
if(strstr($txt,'youtu') && strstr(z_root(),'https:')) {
$txt = str_replace('http:','https:',$txt);
} }
else { }
if(is_null($txt)) {
$txt = "";
$furl = $embedurl;
$zrl = false;
if(local_channel()) {
require_once('include/hubloc.php');
$zrl = is_matrix_url($furl);
if($zrl)
$furl = zid($furl);
}
if (! in_array($ext, $noexts) && $action !== 'block') {
// try oembed autodiscovery // try oembed autodiscovery
$redirects = 0; $redirects = 0;
$result = z_fetch_url($embedurl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true )); $result = z_fetch_url($furl, false, $redirects, array('timeout' => 15, 'accept_content' => "text/*", 'novalidate' => true ));
if($result['success']) if($result['success'])
$html_text = $result['body']; $html_text = $result['body'];
if($html_text){ if($html_text) {
$dom = @DOMDocument::loadHTML($html_text); $dom = @DOMDocument::loadHTML($html_text);
if ($dom){ if ($dom){
$xpath = new DOMXPath($dom); $xpath = new DOMXPath($dom);
@ -149,6 +205,7 @@ function oembed_fetch_url($embedurl){
} }
$txt=trim($txt); $txt=trim($txt);
if ($txt[0]!="{") $txt='{"type":"error"}'; if ($txt[0]!="{") $txt='{"type":"error"}';
//save in cache //save in cache
@ -160,6 +217,16 @@ function oembed_fetch_url($embedurl){
$j = json_decode($txt); $j = json_decode($txt);
if($j->html && $action === 'filter') {
$orig = $j->html;
$allow_position = (($zrl) ? true : false);
$j->html = purify_html($j->html,$allow_position);
if($j->html != $orig) {
logger('oembed html was purified. original: ' . $orig . ' purified: ' . $j->html, LOGGER_DEBUG, LOG_INFO);
}
}
$j->embedurl = $embedurl; $j->embedurl = $embedurl;
// logger('fetch return: ' . print_r($j,true)); // logger('fetch return: ' . print_r($j,true));

31
include/text.php
View File

@ -122,7 +122,7 @@ function z_input_filter($channel_id,$s,$type = 'text/bbcode') {
function purify_html($s) { function purify_html($s, $allow_position) {
require_once('library/HTMLPurifier.auto.php'); require_once('library/HTMLPurifier.auto.php');
require_once('include/html2bbcode.php'); require_once('include/html2bbcode.php');
@ -202,6 +202,35 @@ function purify_html($s) {
$def->addElement('header', 'Block', 'Flow', 'Common'); $def->addElement('header', 'Block', 'Flow', 'Common');
$def->addElement('footer', 'Block', 'Flow', 'Common'); $def->addElement('footer', 'Block', 'Flow', 'Common');
if($allow_position) {
$cssDefinition = $config->getCSSDefinition();
$cssDefinition->info['position'] = new HTMLPurifier_AttrDef_Enum(array('absolute', 'fixed', 'relative', 'static', 'inherit'), false);
$cssDefinition->info['left'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage()
));
$cssDefinition->info['right'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage()
));
$cssDefinition->info['top'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage()
));
$cssDefinition->info['bottom'] = new HTMLPurifier_AttrDef_CSS_Composite(array(
new HTMLPurifier_AttrDef_CSS_Length(),
new HTMLPurifier_AttrDef_CSS_Percentage()
));
}
$purifier = new HTMLPurifier($config); $purifier = new HTMLPurifier($config);
return $purifier->purify($s); return $purifier->purify($s);

2
version.inc
View File

@ -1 +1 @@
2016-04-29.1381H 2016-05-01.1383H

12
view/tpl/admin_security.tpl
View File

@ -15,6 +15,18 @@
{{include file="field_textarea.tpl" field=$whitelisted_channels}} {{include file="field_textarea.tpl" field=$whitelisted_channels}}
{{include file="field_textarea.tpl" field=$blacklisted_channels}} {{include file="field_textarea.tpl" field=$blacklisted_channels}}
{{if $embedhelp1}}
<div class="section-content-info-wrapper">{{$embedhelp1}}</div>
{{/if}}
<div style="margin-left: 15px; margin-bottom: 10px;">
<div class="descriptive-text">{{$embedhelp2}}</div>
<div style="margin-left: 15px;">
<div class="descriptive-text">{{$embedhelp3}}</div>
</div>
<div class="descriptive-text">{{$embedhelp4}}</div>
</div>
{{include file="field_textarea.tpl" field=$embed_allow}} {{include file="field_textarea.tpl" field=$embed_allow}}
{{include file="field_textarea.tpl" field=$embed_deny}} {{include file="field_textarea.tpl" field=$embed_deny}}

8
view/tpl/zcard_embed.tpl Normal file
View File

@ -0,0 +1,8 @@
<div class="hz_card {{$size}}">
<div class="hz_cover_photo" style="max-width: 100;"><img src="{{$cover.href}}" alt="{{$zcard.chan.xchan_name}}" />
<div style="position: relative;top: -40px;left: 120px;color: #fff;font-size: 18px;text-rendering: optimizelegibility;text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);" >{{$zcard.chan.xchan_name}}</div>
<div style="position: relative;top: -40px;left: 120px;color: #fff;font-size: 10px;text-rendering: optimizelegibility;text-shadow: 0 0 3px rgba(0, 0, 0, 0.8);" >{{$zcard.chan.channel_addr}}</div>
</div>
<div style="position:relative;top: -75px;left: 20px;background-color: white;border: 1px solid #ddd;padding: 3px;width: 80px;height: 80px;"><img src="{{$pphoto.href}}" alt="{{$zcard.chan.xchan_name}}" /></div>
</div>