fanbinit/rhymix
1
0
Fork 0
mirror of https://github.com/Lastorder-DC/rhymix.git synced 2026-01-05 09:41:40 +09:00
Code Issues Projects Releases Packages Wiki Activity

Fix #1712 merge iframe whitelist and object/embed whitelist

Browse source
This commit is contained in:
Kijin Sung 2021-06-19 20:59:36 +09:00
parent 6a4d3d912c
commit c35d17c47e
8 changed files with 217 additions and 244 deletions
Download patch file Download diff file Expand all files Collapse all files

3
common/defaults/config.php
View file

@ -116,8 +116,7 @@ return array(
'og_use_timestamps' => false,
),
'mediafilter' => array(
'iframe' => array(),
'object' => array(),
'whitelist' => array(),
'classes' => array(),
),
'security' => array(

123
common/defaults/whitelist.php
View file

@ -7,78 +7,55 @@
*/
return array(
/**
* Allowed domains in <object> or <embed> tag
*/
'object' => array(
// YouTube
'www.youtube.com/',
'www.youtube-nocookie.com/',
// Daum
'flvs.daum.net/flvPlayer.swf',
'api.v.daum.net/',
'tvpot.daum.net/playlist/playlist.swf',
'videofarm.daum.net/',
// Naver
'serviceapi.nmv.naver.com/',
'scrap.ad.naver.com/',
'event.dn.naver.com/sbsplayer/vmplayer.xap',
'static.campaign.naver.com/',
'musicplayer.naver.com/naverPlayer/posting/',
'player.music.naver.com/naverPlayer/posting/',
// Mgoon
'play.mgoon.com/',
'doc.mgoon.com/player/',
// Pandora TV
'flvr.pandora.tv/flv2pan/',
'imgcdn.pandora.tv/gplayer/pandora_EGplayer.swf',
'imgcdn.pandora.tv/gplayer/flJal.swf',
// Tagstory
'play.tagstory.com/player/',
'www.tagstory.com/player/basic/',
// Cyworld
'dbi.video.cyworld.com/v.sk/',
// Egloos
'v.egloos.com/v.sk/',
// Nate
'v.nate.com/v.sk/',
'w.blogdoc.nate.com/',
'blogdoc.nate.com/flash/blogdoc_widget_reco.swf',
// KBS
'www.kbs.co.kr/zzim/vmplayer/vmplayer.xap',
'vmark.kbs.co.kr/zzim/vmplayer/vmplayer.xap',
// MBC
'onemore.imbc.com/ClientBin/oneplus.xap',
// SBS
'netv.sbs.co.kr/sbox/',
'news.sbs.co.kr/',
'wizard2.sbs.co.kr/',
'sbsplayer.sbs.co.kr/',
),
// YouTube
'www.youtube.com/',
'www.youtube-nocookie.com/',
/**
* Allowed domains in <iframe> tag
*/
'iframe' => array(
// YouTube
'www.youtube.com/',
'www.youtube-nocookie.com/',
// Google Maps
'www.google.com/maps/embed',
'maps.google.com/',
'maps.google.co.kr/',
// Daum TV Pot
'flvs.daum.net/',
'videofarm.daum.net/',
// NAVER TVCAST
'serviceapi.rmcnmv.naver.com/',
// SBS
'sbsplayer.sbs.co.kr/',
// Vimeo
'player.vimeo.com/',
// Afreeca
'afree.ca/',
// Soundcloud
'w.soundcloud.com/',
),
// Vimeo
'player.vimeo.com/',
// Soundcloud
'w.soundcloud.com/',
// Google Maps
'www.google.com/maps/embed',
'maps.google.com/',
'maps.google.co.kr/',
// Daum
'flvs.daum.net/',
'videofarm.daum.net/',
'api.v.daum.net/',
'videofarm.daum.net/',
// Naver
'serviceapi.rmcnmv.naver.com/',
'serviceapi.nmv.naver.com/',
'scrap.ad.naver.com/',
'static.campaign.naver.com/',
'musicplayer.naver.com/naverPlayer/posting/',
'player.music.naver.com/naverPlayer/posting/',
// Pandora TV
'www.pandora.tv/view/',
'flvr.pandora.tv/flv2pan/',
// Cyworld
'dbi.video.cyworld.com/v.sk/',
// Egloos
'v.egloos.com/v.sk/',
// Nate
'v.nate.com/v.sk/',
'w.blogdoc.nate.com/',
// SBS
'netv.sbs.co.kr/sbox/',
'news.sbs.co.kr/',
'wizard2.sbs.co.kr/',
'sbsplayer.sbs.co.kr/',
// Afreeca
'afree.ca/',
);

4
common/framework/filters/htmlfilter.php
View file

@ -161,7 +161,7 @@ class HTMLFilter
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeIframe', true);
$config->set('HTML.SafeObject', true);
$config->set('URI.SafeIframeRegexp', MediaFilter::getIframeWhitelistRegex());
$config->set('URI.SafeIframeRegexp', MediaFilter::getWhitelistRegex());
// Set the serializer path.
$config->set('Cache.SerializerPath', \RX_BASEDIR . 'files/cache/htmlpurifier');
@ -457,7 +457,7 @@ class HTMLFilter
}, $content);
// Remove object and embed URLs that are not allowed.
$whitelist = MediaFilter::getObjectWhitelistRegex();
$whitelist = MediaFilter::getWhitelistRegex();
$content = preg_replace_callback('!<(object|embed|param|audio|video|source|track)([^>]+)>!i', function($matches) use($whitelist) {
return preg_replace_callback('!([a-zA-Z0-9_-]+)="([^"]+)"!', function($attr) use($whitelist) {
if (in_array($attr[1], array('data', 'src', 'href', 'url', 'movie', 'source')))

235
common/framework/filters/mediafilter.php
View file

@ -12,8 +12,7 @@ class MediaFilter
/**
* Whitelists are cached here.
*/
protected static $_iframe_whitelist;
protected static $_object_whitelist;
protected static $_whitelist = [];
/**
* Add a prefix to the iframe whitelist.
@ -22,22 +21,24 @@ class MediaFilter
* @parsm bool $permanently
* @return void
*/
public static function addIframePrefix($prefix, $permanently = false)
public static function addPrefix($prefix, $permanently = false)
{
if (!self::$_iframe_whitelist)
if (!self::$_whitelist)
{
self::_loadWhitelists();
}
$prefix = self::formatPrefix($prefix);
if (!in_array($prefix, self::$_iframe_whitelist))
if (!in_array($prefix, self::$_whitelist))
{
self::$_iframe_whitelist[] = $prefix;
natcasesort(self::$_iframe_whitelist);
self::$_whitelist[] = $prefix;
natcasesort(self::$_whitelist);
if ($permanently)
{
Config::set('mediafilter.iframe', self::$_iframe_whitelist);
Config::set('mediafilter.whitelist', self::$_whitelist);
Config::set('mediafilter.iframe', []);
Config::set('mediafilter.object', []);
Config::save();
}
}
@ -46,29 +47,21 @@ class MediaFilter
/**
* Add a prefix to the object whitelist.
*
* @param string $prefix
* @parsm bool $permanently
* @return void
* @deprecated
*/
public static function addObjectPrefix($prefix, $permanently = false)
public static function addIframePrefix($prefix, $permanently = false)
{
self::addPrefix($prefix, $permanently);
}
/**
* Add a prefix to the object whitelist.
*
* @deprecated
*/
public static function addObjectPrefix()
{
if (!self::$_object_whitelist)
{
self::_loadWhitelists();
}
$prefix = self::formatPrefix($prefix);
if (!in_array($prefix, self::$_object_whitelist))
{
self::$_object_whitelist[] = $prefix;
natcasesort(self::$_object_whitelist);
if ($permanently)
{
Config::set('mediafilter.object', self::$_object_whitelist);
Config::save();
}
}
}
/**
@ -90,15 +83,15 @@ class MediaFilter
/**
* Get the iframe whitelist.
*
* @return string
* @return array
*/
public static function getIframeWhitelist()
public static function getWhitelist()
{
if (!self::$_iframe_whitelist)
if (!self::$_whitelist)
{
self::_loadWhitelists();
}
return self::$_iframe_whitelist;
return self::$_whitelist;
}
/**
@ -106,47 +99,14 @@ class MediaFilter
*
* @return string
*/
public static function getIframeWhitelistRegex()
public static function getWhitelistRegex()
{
if (!self::$_iframe_whitelist)
if (!self::$_whitelist)
{
self::_loadWhitelists();
}
$result = array();
foreach(self::$_iframe_whitelist as $domain)
{
$result[] = str_replace('\*\.', '[a-z0-9-]+\.', preg_quote($domain, '%'));
}
return '%^(?:https?:)?//(' . implode('|', $result) . ')%';
}
/**
* Get the object whitelist.
*
* @return string
*/
public static function getObjectWhitelist()
{
if (!self::$_object_whitelist)
{
self::_loadWhitelists();
}
return self::$_object_whitelist;
}
/**
* Get the object whitelist as a regular expression.
*
* @return string
*/
public static function getObjectWhitelistRegex()
{
if (!self::$_object_whitelist)
{
self::_loadWhitelists();
}
$result = array();
foreach(self::$_object_whitelist as $domain)
foreach(self::$_whitelist as $domain)
{
$result[] = str_replace('\*\.', '[a-z0-9-]+\.', preg_quote($domain, '%'));
}
@ -159,20 +119,9 @@ class MediaFilter
* @param string $url
* @return bool
*/
public static function matchIframeWhitelist($url)
public static function matchWhitelist($url)
{
return preg_match(self::getIframeWhitelistRegex(), $url) ? true : false;
}
/**
* Check if a URL matches the iframe whitelist.
*
* @param string $url
* @return bool
*/
public static function matchObjectWhitelist($url)
{
return preg_match(self::getObjectWhitelistRegex(), $url) ? true : false;
return preg_match(self::getWhitelistRegex(), $url) ? true : false;
}
/**
@ -199,56 +148,132 @@ class MediaFilter
protected static function _loadWhitelists($custom_whitelist = array())
{
$default_whitelist = (include \RX_BASEDIR . 'common/defaults/whitelist.php');
self::$_object_whitelist = array();
self::$_iframe_whitelist = array();
self::$_whitelist = [];
if(count($custom_whitelist))
if($custom_whitelist)
{
if(!is_array($custom_whitelist) || !isset($custom_whitelist['iframe']) || !isset($custom_whitelist['object']))
{
$whitelist = array(
'iframe' => isset($whitelist->iframe) ? $whitelist->iframe : array(),
'object' => isset($whitelist->object) ? $whitelist->object : array(),
$custom_whitelist = array(
'iframe' => isset($custom_whitelist->iframe) ? $custom_whitelist->iframe : array(),
'object' => isset($custom_whitelist->object) ? $custom_whitelist->object : array(),
);
}
foreach ($custom_whitelist['iframe'] as $prefix)
{
self::$_iframe_whitelist[] = self::formatPrefix($prefix);
self::$_whitelist[] = self::formatPrefix($prefix);
}
foreach ($custom_whitelist['object'] as $prefix)
{
self::$_object_whitelist[] = self::formatPrefix($prefix);
self::$_whitelist[] = self::formatPrefix($prefix);
}
}
else
{
foreach ($default_whitelist['iframe'] as $prefix)
foreach ($default_whitelist as $prefix)
{
self::$_iframe_whitelist[] = $prefix;
self::$_whitelist[] = $prefix;
}
foreach ($default_whitelist['object'] as $prefix)
if ($whitelist = config('mediafilter.whitelist'))
{
self::$_object_whitelist[] = $prefix;
}
if ($iframe_whitelist = config('mediafilter.iframe') ?: config('embedfilter.iframe'))
{
foreach ($iframe_whitelist as $prefix)
foreach ($whitelist as $prefix)
{
self::$_iframe_whitelist[] = self::formatPrefix($prefix);
self::$_whitelist[] = self::formatPrefix($prefix);
}
}
if ($object_whitelist = config('mediafilter.object') ?: config('embedfilter.object'))
else
{
foreach ($object_whitelist as $prefix)
if ($whitelist = config('mediafilter.iframe') ?: config('embedfilter.iframe'))
{
self::$_object_whitelist[] = self::formatPrefix($prefix);
foreach ($whitelist as $prefix)
{
self::$_whitelist[] = self::formatPrefix($prefix);
}
}
if ($whitelist = config('mediafilter.object') ?: config('embedfilter.object'))
{
foreach ($whitelist as $prefix)
{
self::$_whitelist[] = self::formatPrefix($prefix);
}
}
}
}
self::$_object_whitelist = array_unique(self::$_object_whitelist);
self::$_iframe_whitelist = array_unique(self::$_iframe_whitelist);
natcasesort(self::$_object_whitelist);
natcasesort(self::$_iframe_whitelist);
self::$_whitelist = array_unique(self::$_whitelist);
natcasesort(self::$_whitelist);
}
/**
* ========================== DEPRECATED METHODS ==========================
* ============== KEPT FOR COMPATIBILITY WITH OLDER VERSIONS ==============
*/
/**
* Get the iframe whitelist.
*
* @deprecated
* @return array
*/
public static function getIframeWhitelist()
{
return self::getWhitelist();
}
/**
* Get the iframe whitelist as a regular expression.
*
* @deprecated
* @return string
*/
public static function getIframeWhitelistRegex()
{
return self::getWhitelistRegex();
}
/**
* Check if a URL matches the iframe whitelist.
*
* @deprecated
* @param string $url
* @return bool
*/
public static function matchIframeWhitelist($url)
{
return self::matchWhitelist($url);
}
/**
* Get the object whitelist.
*
* @deprecated
* @return array
*/
public static function getObjectWhitelist()
{
return self::getWhitelist();
}
/**
* Get the object whitelist as a regular expression.
*
* @deprecated
* @return string
*/
public static function getObjectWhitelistRegex()
{
return self::getWhitelistRegex();
}
/**
* Check if a URL matches the iframe whitelist.
*
* @deprecated
* @param string $url
* @return bool
*/
public static function matchObjectWhitelist($url)
{
return self::matchWhitelist($url);
}
}

27
modules/admin/admin.admin.controller.php
View file

@ -702,27 +702,18 @@ class adminAdminController extends admin
{
$vars = Context::getRequestVars();
// iframe filter
$iframe_whitelist = $vars->mediafilter_iframe;
$iframe_whitelist = array_filter(array_map('trim', preg_split('/[\r\n]/', $iframe_whitelist)), function($item) {
// Media Filter iframe/embed whitelist
$whitelist = $vars->mediafilter_whitelist;
$whitelist = array_filter(array_map('trim', preg_split('/[\r\n]/', $whitelist)), function($item) {
return $item !== '';
});
$iframe_whitelist = array_unique(array_map(function($item) {
$whitelist = array_unique(array_map(function($item) {
return Rhymix\Framework\Filters\MediaFilter::formatPrefix($item);
}, $iframe_whitelist));
natcasesort($iframe_whitelist);
Rhymix\Framework\Config::set('mediafilter.iframe', array_values($iframe_whitelist));
// object filter
$object_whitelist = $vars->mediafilter_object;
$object_whitelist = array_filter(array_map('trim', preg_split('/[\r\n]/', $object_whitelist)), function($item) {
return $item !== '';
});
$object_whitelist = array_unique(array_map(function($item) {
return Rhymix\Framework\Filters\MediaFilter::formatPrefix($item);
}, $object_whitelist));
natcasesort($object_whitelist);
Rhymix\Framework\Config::set('mediafilter.object', array_values($object_whitelist));
}, $whitelist));
natcasesort($whitelist);
Rhymix\Framework\Config::set('mediafilter.whitelist', array_values($whitelist));
Rhymix\Framework\Config::set('mediafilter.iframe', []);
Rhymix\Framework\Config::set('mediafilter.object', []);
// HTML classes
$classes = $vars->mediafilter_classes;

3
modules/admin/admin.admin.view.php
View file

@ -488,8 +488,7 @@ class adminAdminView extends admin
function dispAdminConfigSecurity()
{
// Load embed filter.
context::set('mediafilter_iframe', implode(PHP_EOL, Rhymix\Framework\Filters\MediaFilter::getIframeWhitelist()));
context::set('mediafilter_object', implode(PHP_EOL, Rhymix\Framework\Filters\MediaFilter::getObjectWhitelist()));
context::set('mediafilter_whitelist', implode(PHP_EOL, Rhymix\Framework\Filters\MediaFilter::getWhitelist()));
context::set('mediafilter_classes', implode(PHP_EOL, Rhymix\Framework\Config::get('mediafilter.classes') ?: array()));
// Load robot user agents.

10
modules/admin/tpl/config_security.html
View file

@ -11,15 +11,9 @@
<input type="hidden" name="act" value="procAdminUpdateSecurity" />
<input type="hidden" name="xe_validator_id" value="modules/admin/tpl/config_security/1" />
<div class="x_control-group">
<label class="x_control-label" for="mediafilter_iframe">iframe</label>
<label class="x_control-label" for="mediafilter_whitelist">iframe/embed</label>
<div class="x_controls" style="margin-right:14px">
<textarea name="mediafilter_iframe" id="mediafilter_iframe" rows="8" style="width:100%;">{$mediafilter_iframe}</textarea>
</div>
</div>
<div class="x_control-group">
<label class="x_control-label" for="mediafilter_object">object/embed</label>
<div class="x_controls" style="margin-right:14px">
<textarea name="mediafilter_object" id="mediafilter_object" rows="8" style="width:100%;">{$mediafilter_object}</textarea>
<textarea name="mediafilter_whitelist" id="mediafilter_whitelist" rows="8" style="width:100%;">{$mediafilter_whitelist}</textarea>
</div>
</div>
<div class="x_control-group">

56
tests/unit/framework/filters/MediaFilterTest.php
View file

@ -4,48 +4,36 @@ class MediaFilterTest extends \Codeception\TestCase\Test
{
public function testWhitelists()
{
// iframe whitelist as array.
// whitelist as array.
$this->assertTrue(in_array('www.youtube.com/', Rhymix\Framework\Filters\MediaFilter::getWhitelist()));
$this->assertFalse(in_array('random-website.com/', Rhymix\Framework\Filters\MediaFilter::getWhitelist()));
// whitelist as regex.
$this->assertTrue(strpos(Rhymix\Framework\Filters\MediaFilter::getWhitelistRegex(), '|www\.youtube\.com/') !== false);
$this->assertFalse(strpos(Rhymix\Framework\Filters\MediaFilter::getWhitelistRegex(), 'www.youtube.com/') !== false);
// Match individual URL against whitelist.
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchWhitelist('https://www.youtube.com/v'));
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchWhitelist('http://www-youtube.com/v'));
// Match protocol-relative URLs.
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchWhitelist('//www.youtube.com/v'));
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchWhitelist('//www-youtube.com/v'));
// Check deprecated methods for compatibility.
$this->assertTrue(in_array('www.youtube.com/', Rhymix\Framework\Filters\MediaFilter::getIframeWhitelist()));
$this->assertFalse(in_array('random-website.com/', Rhymix\Framework\Filters\MediaFilter::getIframeWhitelist()));
// iframe whitelist as regex.
$this->assertTrue(strpos(Rhymix\Framework\Filters\MediaFilter::getIframeWhitelistRegex(), '|www\.youtube\.com/') !== false);
$this->assertFalse(strpos(Rhymix\Framework\Filters\MediaFilter::getIframeWhitelistRegex(), 'www.youtube.com/') !== false);
// Match individual URL against iframe whitelist.
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchIframeWhitelist('https://www.youtube.com/v'));
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchIframeWhitelist('http://www-youtube.com/v'));
// Match protocol-relative URLs.
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchIframeWhitelist('//www.youtube.com/v'));
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchIframeWhitelist('//www-youtube.com/v'));
// object whitelist as array.
$this->assertTrue(in_array('www.youtube.com/', Rhymix\Framework\Filters\MediaFilter::getObjectWhitelist()));
$this->assertFalse(in_array('random-website.com/', Rhymix\Framework\Filters\MediaFilter::getObjectWhitelist()));
// object whitelist as regex.
$this->assertTrue(strpos(Rhymix\Framework\Filters\MediaFilter::getObjectWhitelistRegex(), '|www\.youtube\.com/') !== false);
$this->assertFalse(strpos(Rhymix\Framework\Filters\MediaFilter::getObjectWhitelistRegex(), 'www.youtube.com/') !== false);
// Match individual URL against object whitelist.
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchObjectWhitelist('https://www.youtube.com/v'));
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchIframeWhitelist('https://www.youtube.com/v'));
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchObjectWhitelist('http://www-youtube.com/v'));
// Match protocol-relative URLs.
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchObjectWhitelist('//www.youtube.com/v'));
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchIframeWhitelist('//www.youtube.com/v'));
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchObjectWhitelist('//www-youtube.com/v'));
}
public function testAddPrefix()
{
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchIframeWhitelist('http://some.custom.website.com/video.mp4'));
Rhymix\Framework\Filters\MediaFilter::addIframePrefix('*.custom.website.com/');
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchIframeWhitelist('http://some.custom.website.com/video.mp4'));
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchObjectWhitelist('http://some.custom.website.com/video.mp4'));
Rhymix\Framework\Filters\MediaFilter::addObjectPrefix('*.custom.website.com/');
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchObjectWhitelist('http://some.custom.website.com/video.mp4'));
$this->assertFalse(Rhymix\Framework\Filters\MediaFilter::matchWhitelist('http://some.custom.website.com/video.mp4'));
Rhymix\Framework\Filters\MediaFilter::addPrefix('*.custom.website.com/');
$this->assertTrue(Rhymix\Framework\Filters\MediaFilter::matchWhitelist('http://some.custom.website.com/video.mp4'));
}
public function testRemoveEmbeddedMedia()