From d416243964032d914174e4ae5e1c491b2efaafc7 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Thu, 4 Jan 2018 12:01:46 -0500 Subject: [PATCH] Add check for allowed URL in OEmbed - Add mixed-content mitigating --- src/Content/OEmbed.php | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/src/Content/OEmbed.php b/src/Content/OEmbed.php index 70be8fd738..30493e1b8b 100644 --- a/src/Content/OEmbed.php +++ b/src/Content/OEmbed.php @@ -8,9 +8,9 @@ namespace Friendica\Content; use Friendica\Core\Cache; use Friendica\Core\System; -use Friendica\ParseUrl; use Friendica\Core\Config; use Friendica\Database\DBM; +use Friendica\ParseUrl; use dba; use DOMDocument; use DOMXPath; @@ -193,8 +193,8 @@ class OEmbed break; case "rich": // not so safe.. - if (!Config::get("system", "no_oembed_rich_content")) { - $ret.= proxy_parse_html($jhtml); + if (self::isAllowedURL($embedurl)) { + $ret .= proxy_parse_html($jhtml); } break; } @@ -315,7 +315,10 @@ class OEmbed } $width = '100%'; - $s = System::baseUrl() . '/oembed/' . base64url_encode($src); + // Only proxy OEmbed URLs to avoid mixed-content errors + if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL && parse_url($src, PHP_URL_SCHEME) !== 'https') { + $src = System::baseUrl() . '/oembed/' . base64url_encode($src); + } return ''; } @@ -352,4 +355,25 @@ class OEmbed } return $innerHTML; } + + /** + * Determines if rich content OEmbed is allowed for the provided URL + * + * @brief Determines if rich content OEmbed is allowed for the provided URL + * @param string $url + * @return boolean + */ + private static function isAllowedURL($url) + { + if (!Config::get('system', 'no_oembed_rich_content')) { + return true; + } + + $domain = parse_url($url, PHP_URL_HOST); + + $str_allowed = Config::get('system', 'allowed_oembed', ''); + $allowed = explode(',', $str_allowed); + + return allowed_domain($domain, $allowed, true); + } } -- 2.39.5
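Review bot: The `// not so safe..` comment left above the new `self::isAllowedURL($embedurl)` guard no longer explains what makes emitting `$jhtml` acceptable; replace it with `// Raw provider HTML: only emitted when rich-content filtering is off or isAllowedURL() accepts the embed host`. The guard keys on the host of `$embedurl`, which is assigned outside this hunk; if that is the URL the poster supplied rather than the origin that served `$jhtml`, the allow-list trusts the poster's URL instead of the HTML's origin, which is worth confirming against the caller. The enclosing switch and method start before this hunk.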
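Review bot: The scheme test `parse_url($src, PHP_URL_SCHEME) !== 'https'` is case-sensitive and the `==` against `SSL_POLICY_FULL` is a loose comparison, so an `HTTPS://` embed is proxied needlessly; prefer `if ((int) Config::get('system', 'ssl_policy') === SSL_POLICY_FULL && strtolower((string) parse_url($src, PHP_URL_SCHEME)) !== 'https') {`. Behaviourally, embeds that the removed line always routed through `/oembed/` are now loaded directly unless the site enforces https and the URL is plain http; if that route did more than bridge the scheme (sandboxing, header control), that is dropped here and the commit message should say so. The comment reads better as `// Route plain-http embeds through /oembed/ only when the site enforces https, so the iframe is not blocked as mixed content`. The enclosing method starts before this hunk.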
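Review bot: `isAllowedURL()` passes the result of `parse_url($url, PHP_URL_HOST)` straight to `allowed_domain()`, but that returns `null` for a URL with no host and `false` for a malformed one, so unless `allowed_domain()` rejects an empty host (not visible here) a schemeless or garbage URL can slip past the allow-list; the method should fail closed. `explode(',', ...)` also keeps whitespace around entries and yields `['']` for an empty setting, so entries like `youtube.com, vimeo.com` may not match as the admin expects; trimming and dropping empty entries avoids that. The docblock should also state that an unset `no_oembed_rich_content` means every host is allowed, since that is the first return.
```php
$domain = parse_url($url, PHP_URL_HOST);
if (empty($domain)) {
	// Fail closed: a URL without a parsable host cannot be matched against the allow-list
	return false;
}

// Admin-supplied, comma-separated host list; ignore surrounding whitespace and empty entries
$allowed = array_filter(array_map('trim', explode(',', Config::get('system', 'allowed_oembed', ''))));

return allowed_domain($domain, $allowed, true);
```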