Add wildcard support and customization method to media filter

2026-04-10 22:12:16 +09:00 · 2016-03-14 16:02:21 +09:00 · 2016-03-14 16:02:21 +09:00 · 6944b64643
commit 6944b64643
parent 26138c25da
2 changed files with 69 additions and 2 deletions
--- a/common/framework/security/mediafilter.php
+++ b/common/framework/security/mediafilter.php
@ -13,6 +13,62 @@ class MediaFilter
 	protected static $_iframe_whitelist;
 	protected static $_object_whitelist;
 	
+	/**
+	 * Add a prefix to the iframe whitelist.
+	 * 
+	 * @param string $prefix
+	 * @parsm bool $permanently
+	 * @return void
+	 */
+	public static function addIframePrefix($prefix, $permanently = false)
+	{
+		if (!count(self::$_iframe_whitelist))
+		{
+			self::_loadWhitelists();
+		}
+		
+		$prefix = preg_match('@^https?://(.*)$@i', $prefix, $matches) ? $matches[1] : $prefix;
+		if (!in_array($prefix, self::$_iframe_whitelist))
+		{
+			self::$_iframe_whitelist[] = $prefix;
+			natcasesort(self::$_iframe_whitelist);
+			
+			if ($permanently)
+			{
+				\Rhymix\Framework\Config::set('mediafilter.iframe', self::$_iframe_whitelist);
+				\Rhymix\Framework\Config::save();
+			}
+		}
+	}
+	
+	/**
+	 * Add a prefix to the object whitelist.
+	 * 
+	 * @param string $prefix
+	 * @parsm bool $permanently
+	 * @return void
+	 */
+	public static function addObjectPrefix($prefix, $permanently = false)
+	{
+		if (!count(self::$_object_whitelist))
+		{
+			self::_loadWhitelists();
+		}
+		
+		$prefix = preg_match('@^https?://(.*)$@i', $prefix, $matches) ? $matches[1] : $prefix;
+		if (!in_array($prefix, self::$_object_whitelist))
+		{
+			self::$_object_whitelist[] = $prefix;
+			natcasesort(self::$_object_whitelist);
+			
+			if ($permanently)
+			{
+				\Rhymix\Framework\Config::set('mediafilter.object', self::$_object_whitelist);
+				\Rhymix\Framework\Config::save();
+			}
+		}
+	}
+	
 	/**
 	 * Get the iframe whitelist.
 	 * 
@ -41,7 +97,7 @@ class MediaFilter
 		$result = array();
 		foreach(self::$_iframe_whitelist as $domain)
 		{
-			$result[] = preg_quote($domain, '%');
+			$result[] = str_replace('\*\.', '[a-z0-9-]+\.', preg_quote($domain, '%'));
 		}
 		return '%^https?://(' . implode('|', $result) . ')%';
 	}
@ -74,7 +130,7 @@ class MediaFilter
 		$result = array();
 		foreach(self::$_object_whitelist as $domain)
 		{
-			$result[] = preg_quote($domain, '%');
+			$result[] = str_replace('\*\.', '[a-z0-9-]+\.', preg_quote($domain, '%'));
 		}
 		return '%^https?://(' . implode('|', $result) . ')%';
 	}
--- a/tests/unit/framework/security/MediaFilterTest.php
+++ b/tests/unit/framework/security/MediaFilterTest.php
@ -29,6 +29,17 @@ class MediaFilterTest extends \Codeception\TestCase\Test
 		$this->assertFalse(Rhymix\Framework\Security\MediaFilter::matchObjectWhitelist('http://www-youtube.com/v'));
 	}
 	
+	public function testAddPrefix()
+	{
+		$this->assertFalse(Rhymix\Framework\Security\MediaFilter::matchIframeWhitelist('http://some.custom.website.com/video.mp4'));
+		Rhymix\Framework\Security\MediaFilter::addIframePrefix('*.custom.website.com/');
+		$this->assertTrue(Rhymix\Framework\Security\MediaFilter::matchIframeWhitelist('http://some.custom.website.com/video.mp4'));
+		
+		$this->assertFalse(Rhymix\Framework\Security\MediaFilter::matchObjectWhitelist('http://some.custom.website.com/video.mp4'));
+		Rhymix\Framework\Security\MediaFilter::addObjectPrefix('*.custom.website.com/');
+		$this->assertTrue(Rhymix\Framework\Security\MediaFilter::matchObjectWhitelist('http://some.custom.website.com/video.mp4'));
+	}
+	
 	public function testRemoveEmbeddedMedia()
 	{
 		$tests = array(