From: Hypolite Petovan
Date: Thu, 4 Jan 2018 17:01:46 +0000 (-0500)
Subject: Add check for allowed URL in OEmbed
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=d416243964032d914174e4ae5e1c491b2efaafc7;p=friendica.git
Add check for allowed URL in OEmbed
- Add mixed-content mitigating
---
diff --git a/src/Content/OEmbed.php b/src/Content/OEmbed.php
index 70be8fd738..30493e1b8b 100644
--- a/src/Content/OEmbed.php
+++ b/src/Content/OEmbed.php
@@ -8,9 +8,9 @@ namespace Friendica\Content;
 use Friendica\Core\Cache;
 use Friendica\Core\System;
-use Friendica\ParseUrl;
 use Friendica\Core\Config;
 use Friendica\Database\DBM;
+use Friendica\ParseUrl;
 use dba;
 use DOMDocument;
 use DOMXPath;
@@ -193,8 +193,8 @@ class OEmbed
 break;
 case "rich":
 // not so safe..
- if (!Config::get("system", "no_oembed_rich_content")) {
- $ret.= proxy_parse_html($jhtml);
+ if (self::isAllowedURL($embedurl)) {
+ $ret .= proxy_parse_html($jhtml);
 }
 break;
 }
@@ -315,7 +315,10 @@ class OEmbed
 }
 $width = '100%';
- $s = System::baseUrl() . '/oembed/' . base64url_encode($src);
+ // Only proxy OEmbed URLs to avoid mixed-content errors
+ if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL && parse_url($src, PHP_URL_SCHEME) !== 'https') {
+ $src = System::baseUrl() . '/oembed/' . base64url_encode($src);
+ }
 return '';
 }
@@ -352,4 +355,25 @@ class OEmbed
 }
 return $innerHTML;
 }
+
+ /**
+ * Determines if rich content OEmbed is allowed for the provided URL
+ *
+ * @brief Determines if rich content OEmbed is allowed for the provided URL
+ * @param string $url
+ * @return boolean
+ */
+ private static function isAllowedURL($url)
+ {
+ if (!Config::get('system', 'no_oembed_rich_content')) {
+ return true;
+ }
+
+ $domain = parse_url($url, PHP_URL_HOST);
+
+ $str_allowed = Config::get('system', 'allowed_oembed', '');
+ $allowed = explode(',', $str_allowed);
+
+ return allowed_domain($domain, $allowed, true);
+ }
 }
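Review bot: The context comment `// not so safe..` directly above the rewritten `if` in the "rich" case no longer says what the guard now does, and `isAllowedURL` (added further down in this commit) only looks at the host part of `$embedurl`, not at the `$jhtml` that is actually appended. I would replace the comment with `// Rich OEmbed is third-party HTML; only append it when the embed URL's host passes the allowed_oembed list (see isAllowedURL)`. Where `$embedurl` and `$jhtml` come from is not visible in this hunk; if `$jhtml` is produced by a provider endpoint discovered from the page at `$embedurl` rather than served from that host itself, the host check constrains less than the comment might suggest, so that relationship is worth confirming and stating. The enclosing switch and the method around it extend beyond this hunk.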
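Review bot: The new `if` line keys the proxy decision on the literal scheme string, so a source written as `HTTPS://…` or one that `parse_url()` cannot parse is still proxied, while a lower-case `https` source, and every source whenever `ssl_policy` is not `SSL_POLICY_FULL`, is presumably placed in the iframe as-is by the `return` line (which is truncated on this page) instead of going through `/oembed/` as all sources did before. That direct-embed path is a behaviour change the commit message does not mention; if it is intended, the added comment should say so, e.g. `// Under a full-SSL policy proxy non-https sources through /oembed/ to avoid mixed content; everything else is embedded directly`. The loose `==` against `SSL_POLICY_FULL` also deserves a cast if the config value can come back as a string: `if ((int) Config::get('system', 'ssl_policy') === SSL_POLICY_FULL && strtolower((string) parse_url($src, PHP_URL_SCHEME)) !== 'https') {`. The method continues outside the hunk.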
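Review bot: `isAllowedURL` hands whatever `parse_url($url, PHP_URL_HOST)` returns straight to `allowed_domain()`, including `null` for a URL without a host and `false` for an unparsable one, and an unset or empty `allowed_oembed` value becomes `['']` after `explode()`, so for those inputs the outcome depends entirely on how `allowed_domain()` (not on this page) treats an empty host or an empty pattern. Failing closed inside this function is cheap: return `false` when no host is present and drop empty or whitespace-only list entries before matching, as below. The docblock repeats the summary under `@brief` and uses `@return boolean`; `@return bool` plus one line stating that the check only applies when `system.no_oembed_rich_content` is set and that the list is the comma-separated `system.allowed_oembed` value would document the contract better.
```php
// … unchanged: early return when no_oembed_rich_content is not set …
$domain = parse_url($url, PHP_URL_HOST);
if (empty($domain)) {
    // No usable host: fail closed instead of leaving it to allowed_domain()
    return false;
}

$str_allowed = Config::get('system', 'allowed_oembed', '');
// Drop empty and whitespace-only entries so an unset list matches nothing
$allowed = array_values(array_filter(array_map('trim', explode(',', $str_allowed))));

return allowed_domain($domain, $allowed, true);
```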