Add check for allowed URL in OEmbed

- Add mixed-content mitigating
This commit is contained in:
Hypolite Petovan 2018-01-04 12:01:46 -05:00
parent 50e04d87c2
commit d416243964

View file

@ -8,9 +8,9 @@ namespace Friendica\Content;
use Friendica\Core\Cache;
use Friendica\Core\System;
use Friendica\ParseUrl;
use Friendica\Core\Config;
use Friendica\Database\DBM;
use Friendica\ParseUrl;
use dba;
use DOMDocument;
use DOMXPath;
@ -193,7 +193,7 @@ class OEmbed
break;
case "rich":
// not so safe..
if (!Config::get("system", "no_oembed_rich_content")) {
if (self::isAllowedURL($embedurl)) {
$ret .= proxy_parse_html($jhtml);
}
break;
@ -315,7 +315,10 @@ class OEmbed
}
$width = '100%';
$s = System::baseUrl() . '/oembed/' . base64url_encode($src);
// Only proxy OEmbed URLs to avoid mixed-content errors
if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL && parse_url($src, PHP_URL_SCHEME) !== 'https') {
$src = System::baseUrl() . '/oembed/' . base64url_encode($src);
}
return '<iframe onload="resizeIframe(this);" class="embed_rich" height="' . $height . '" width="' . $width . '" src="' . $s . '" allowfullscreen scrolling="no" frameborder="no">' . t('Embedded content') . '</iframe>';
}
@ -352,4 +355,25 @@ class OEmbed
}
return $innerHTML;
}
/**
* Determines if rich content OEmbed is allowed for the provided URL
*
* @brief Determines if rich content OEmbed is allowed for the provided URL
* @param string $url
* @return boolean
*/
private static function isAllowedURL($url)
{
if (!Config::get('system', 'no_oembed_rich_content')) {
return true;
}
$domain = parse_url($url, PHP_URL_HOST);
$str_allowed = Config::get('system', 'allowed_oembed', '');
$allowed = explode(',', $str_allowed);
return allowed_domain($domain, $allowed, true);
}
}