From 3494663c15c520670a512e23e1a5a0100e6301c4 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Thu, 4 Jan 2018 11:57:41 -0500 Subject: [PATCH 1/6] Add allowed_domain generic function
---
 include/network.php | 37 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)
diff --git a/include/network.php b/include/network.php
index 16c8185e1a..2f8b24b8b6 100644
--- a/include/network.php
+++ b/include/network.php
@@ -613,24 +613,37 @@ function allowed_email($email)
 return false;
 }
- $str_allowed = Config::get('system', 'allowed_email');
- if (! $str_allowed) {
- return true;
- }
-
- $found = false;
-
- $fnmatch = function_exists('fnmatch');
+ $str_allowed = Config::get('system', 'allowed_email', '');
 $allowed = explode(',', $str_allowed);
- if (count($allowed)) {
- foreach ($allowed as $a) {
- $pat = strtolower(trim($a));
- if (($fnmatch && fnmatch($pat, $domain)) || ($pat == $domain)) {
+ return allowed_domain($domain, $allowed);
+}
+
+/**
+ * Checks for the existence of a domain in a domain list
+ *
+ * If strict is not set, an empty domain list counts as found
+ *
+ * @brief Checks for the existence of a domain in a domain list
+ * @param string $domain
+ * @param array $domain_list
+ * @param bool $strict
+ * @return boolean
+ */
+function allowed_domain($domain, array $domain_list, $strict = false)
+{
+ $found = false;
+
+ if (count($domain_list)) {
+ foreach ($domain_list as $item) {
+ $pat = strtolower(trim($item));
+ if (fnmatch($pat, $domain) || ($pat == $domain)) {
 $found = true;
 break;
 }
 }
+ } elseif(!$strict) {
+ $found = true;
 }
 return $found;
 }
From 50e04d87c285e476573d89fa58565bfa778722a1 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Thu, 4 Jan 2018 11:58:32 -0500 Subject: [PATCH 2/6] Add no_oembed_rich_content and allowed_oembed admin settings
---
 mod/admin.php | 6 ++++++
 view/templates/admin/site.tpl | 2 ++
 2 files changed, 8 insertions(+)
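Review bot: `explode(',', '')` returns `['']`, so with `allowed_email` unset the rewritten tail of `allowed_email()` hands `allowed_domain()` a one-element list holding the empty string: `count($domain_list)` is 1, the `elseif(!$strict)` branch never runs, `''` matches no real domain, and registration is refused where the removed `if (! $str_allowed) { return true; }` used to allow everyone. Restore that early return before the `explode` — `if ($str_allowed === '') { return true; }` — or have `allowed_domain()` drop blank entries before counting, e.g. `$domain_list = array_filter(array_map('trim', $domain_list), 'strlen');`, which also neutralises a trailing comma in the admin value. While there, `$pat == $domain` is a loose comparison and `===` is the safer form, and the dropped `function_exists('fnmatch')` guard deserves a mention in the commit message. `allowed_email()` begins outside the hunk.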
diff --git a/mod/admin.php b/mod/admin.php
index 9408aa31c6..0fab9647cb 100644
--- a/mod/admin.php
+++ b/mod/admin.php
@@ -907,6 +907,8 @@ function admin_page_site_post(App $a)
 $allowed_sites = ((x($_POST,'allowed_sites')) ? notags(trim($_POST['allowed_sites'])) : '');
 $allowed_email = ((x($_POST,'allowed_email')) ? notags(trim($_POST['allowed_email'])) : '');
+ $no_oembed_rich_content = x($_POST,'no_oembed_rich_content');
+ $allowed_oembed = ((x($_POST,'allowed_embed')) ? notags(trim($_POST['allowed_embed'])) : '');
 $block_public = ((x($_POST,'block_public')) ? True : False);
 $force_publish = ((x($_POST,'publish_all')) ? True : False);
 $global_directory = ((x($_POST,'directory')) ? notags(trim($_POST['directory'])) : '');
@@ -1063,6 +1065,8 @@ function admin_page_site_post(App $a)
 Config::set('config', 'register_text', $register_text);
 Config::set('system', 'allowed_sites', $allowed_sites);
 Config::set('system', 'allowed_email', $allowed_email);
+ Config::set('system', 'no_oembed_rich_content', $no_oembed_rich_content);
+ Config::set('system', 'allowed_oembed', $allowed_oembed);
 Config::set('system', 'block_public', $block_public);
 Config::set('system', 'publish_all', $force_publish);
 Config::set('system', 'newuser_private', $newuser_private);
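Review bot: The new `$allowed_oembed` line reads `$_POST['allowed_embed']`, but the field added to the site form is keyed `allowed_oembed` (the `array('allowed_oembed', ...)` entry in the `admin_page_site` hunk), so unless the template renames it the posted value never matches and the setting is written back as `''` on every save; it should be `$allowed_oembed = ((x($_POST,'allowed_oembed')) ? notags(trim($_POST['allowed_oembed'])) : '');`. Because `isAllowedURL()` evaluates this list strictly, the mismatch silently leaves the allow list empty and blocks all rich embeds instead of the intended subset. The `$no_oembed_rich_content` line also departs from the neighbouring checkbox handling (`((x($_POST,'block_public')) ? True : False)`) by storing whatever `x()` returns; `$no_oembed_rich_content = ((x($_POST,'no_oembed_rich_content')) ? True : False);` keeps the stored values uniform. `admin_page_site_post()` continues outside the hunk.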
@@ -1300,6 +1304,8 @@ function admin_page_site(App $a)
 '$abandon_days' => array('abandon_days', t('Accounts abandoned after x days'), Config::get('system','account_abandon_days'), t('Will not waste system resources polling external sites for abandonded accounts. Enter 0 for no time limit.')),
 '$allowed_sites' => array('allowed_sites', t("Allowed friend domains"), Config::get('system','allowed_sites'), t("Comma separated list of domains which are allowed to establish friendships with this site. Wildcards are accepted. Empty to allow any domains")),
 '$allowed_email' => array('allowed_email', t("Allowed email domains"), Config::get('system','allowed_email'), t("Comma separated list of domains which are allowed in email addresses for registrations to this site. Wildcards are accepted. Empty to allow any domains")),
+ '$no_oembed_rich_content' => array('no_oembed_rich_content', t("No OEmbed rich content"), Config::get('system','no_oembed_rich_content'), t("Don't show the rich content (e.g. embedded PDF), except from the domains listed below.")),
+ '$allowed_oembed' => array('allowed_oembed', t("Allowed OEmbed domains"), Config::get('system','allowed_oembed'), t("Comma separated list of domains which oembed content is allowed to be displayed. Wildcards are accepted.")),
 '$block_public' => array('block_public', t("Block public"), Config::get('system','block_public'), t("Check to block public access to all otherwise public personal pages on this site unless you are currently logged in.")),
 '$force_publish' => array('publish_all', t("Force publish"), Config::get('system','publish_all'), t("Check to force all profiles on this site to be listed in the site directory.")),
 '$global_directory' => array('directory', t("Global directory URL"), Config::get('system','directory'), t("URL to the global directory. If this is not set, the global directory is completely unavailable to the application.")),
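Review bot: The help text for `allowed_oembed` should state what an empty list means: `isAllowedURL()` calls `allowed_domain($domain, $allowed, true)`, so once `no_oembed_rich_content` is checked an empty value blocks rich content from every domain, while the two fields directly above end with "Empty to allow any domains". Suggest extending the `t()` string to `Comma separated list of domains which oembed content is allowed to be displayed. Wildcards are accepted. Empty to block rich content from all domains.` so the neighbouring fields are not read as sharing one default. `admin_page_site()` continues outside the hunk.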
diff --git a/view/templates/admin/site.tpl b/view/templates/admin/site.tpl
index 9f7b3601e5..160804f624 100644
--- a/view/templates/admin/site.tpl
+++ b/view/templates/admin/site.tpl
@@ -78,6 +78,8 @@

{{$corporate}}

{{include file="field_input.tpl" field=$allowed_sites}}
 {{include file="field_input.tpl" field=$allowed_email}}
+ {{include file="field_checkbox.tpl" field=$no_oembed_rich_content}}
+ {{include file="field_input.tpl" field=$allowed_oembed}}
 {{include file="field_checkbox.tpl" field=$block_public}}
 {{include file="field_checkbox.tpl" field=$force_publish}}
 {{include file="field_select.tpl" field=$community_page_style}}
From d416243964032d914174e4ae5e1c491b2efaafc7 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Thu, 4 Jan 2018 12:01:46 -0500 Subject: [PATCH 3/6] Add check for allowed URL in OEmbed - Add mixed-content mitigating
---
 src/Content/OEmbed.php | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/src/Content/OEmbed.php b/src/Content/OEmbed.php
index 70be8fd738..30493e1b8b 100644
--- a/src/Content/OEmbed.php
+++ b/src/Content/OEmbed.php
@@ -8,9 +8,9 @@ namespace Friendica\Content;
 use Friendica\Core\Cache;
 use Friendica\Core\System;
-use Friendica\ParseUrl;
 use Friendica\Core\Config;
 use Friendica\Database\DBM;
+use Friendica\ParseUrl;
 use dba;
 use DOMDocument;
 use DOMXPath;
@@ -193,8 +193,8 @@ class OEmbed
 break;
 case "rich":
 // not so safe..
- if (!Config::get("system", "no_oembed_rich_content")) {
- $ret.= proxy_parse_html($jhtml);
+ if (self::isAllowedURL($embedurl)) {
+ $ret .= proxy_parse_html($jhtml);
 }
 break;
 }
@@ -315,7 +315,10 @@ class OEmbed
 }
 $width = '100%';
- $s = System::baseUrl() . '/oembed/' . base64url_encode($src);
+ // Only proxy OEmbed URLs to avoid mixed-content errors
+ if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL && parse_url($src, PHP_URL_SCHEME) !== 'https') {
+ $src = System::baseUrl() . '/oembed/' . base64url_encode($src);
+ }
 return '';
 }
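Review bot: After this hunk an embed whose scheme is already `https`, and every embed on a site whose `ssl_policy` is not `SSL_POLICY_FULL`, is framed straight from the third-party `$src`, whereas the removed line routed every embed through the local `/oembed/` endpoint; the `isAllowedURL()` check added in the `case "rich":` hunk above is not on this path, and I cannot see from here what the endpoint did with the encoded URL, so if it fetched and rendered the provider's HTML rather than framing `$src` as-is, this changes what is shown as well as which origin it comes from — worth confirming before merge. `parse_url($src, PHP_URL_SCHEME)` is case-preserving and returns `null` or `false` for unparsable input, so `HTTPS://…` or a malformed `$src` still gets proxied, which fails safe; the comment would be more precise as `// Proxy only non-HTTPS OEmbed URLs on full-SSL sites to avoid mixed-content errors`. The `return` line that renders the frame is garbled in this view, so I cannot tell whether it now references `$src` instead of the removed `$s`. The enclosing method starts outside the hunk.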
@@ -352,4 +355,25 @@ class OEmbed
 }
 return $innerHTML;
 }
+
+ /**
+ * Determines if rich content OEmbed is allowed for the provided URL
+ *
+ * @brief Determines if rich content OEmbed is allowed for the provided URL
+ * @param string $url
+ * @return boolean
+ */
+ private static function isAllowedURL($url)
+ {
+ if (!Config::get('system', 'no_oembed_rich_content')) {
+ return true;
+ }
+
+ $domain = parse_url($url, PHP_URL_HOST);
+
+ $str_allowed = Config::get('system', 'allowed_oembed', '');
+ $allowed = explode(',', $str_allowed);
+
+ return allowed_domain($domain, $allowed, true);
+ }
 }
From 1f805da94fce43067cfd97997706d39e965ab035 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Thu, 4 Jan 2018 12:03:15 -0500 Subject: [PATCH 4/6] Move ParseUrl to Util namespace
---
 include/items.php | 2 +-
 include/plaintext.php | 2 +-
 mod/parse_url.php | 2 +-
 src/Content/OEmbed.php | 2 +-
 src/{ => Util}/ParseUrl.php | 4 ++--
 5 files changed, 6 insertions(+), 6 deletions(-)
 rename src/{ => Util}/ParseUrl.php (99%)
diff --git a/include/items.php b/include/items.php
index 8f15f94799..4bb00cdddd 100644
--- a/include/items.php
+++ b/include/items.php
@@ -3,7 +3,6 @@
 * @file include/items.php
 */
 use Friendica\App;
-use Friendica\ParseUrl;
 use Friendica\Content\Feature;
 use Friendica\Core\Config;
 use Friendica\Core\PConfig;
@@ -18,6 +17,7 @@ use Friendica\Object\Image;
 use Friendica\Protocol\DFRN;
 use Friendica\Protocol\OStatus;
 use Friendica\Protocol\Feed;
+use Friendica\Util\ParseUrl;
 require_once 'include/bbcode.php';
 require_once 'include/tags.php';
diff --git a/include/plaintext.php b/include/plaintext.php
index 39dcc9ecdb..5931cba573 100644
--- a/include/plaintext.php
+++ b/include/plaintext.php
@@ -3,9 +3,9 @@
 * @file include/plaintext.php
 */
 use Friendica\App;
-use Friendica\ParseUrl;
 use Friendica\Core\PConfig;
 use Friendica\Object\Image;
+use Friendica\Util\ParseUrl;
 require_once "include/bbcode.php";
 require_once "include/html2plain.php";
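Review bot: `parse_url($url, PHP_URL_HOST)` returns `null` for a URL without a host and `false` for one it cannot parse, and `isAllowedURL()` forwards that value to `allowed_domain()`, where an empty `allowed_oembed` (or a trailing comma) yields a `''` pattern that satisfies the loose `$pat == $domain` comparison — `'' == null` is true — so a host-less URL is accepted in exactly the configuration meant to be strictest. Add `if (!$domain) { return false; }` right after the `parse_url` call, and lowercase the host (`$domain = strtolower($domain);`), because `allowed_domain()` lowercases the patterns but `fnmatch()` is case-sensitive, so `Example.com` in a URL would not match an `example.com` entry. The docblock could record the fail-closed contract with `@return boolean false when the URL has no parsable host`.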
diff --git a/mod/parse_url.php b/mod/parse_url.php
index 4fe9256349..4fabba6c7e 100644
--- a/mod/parse_url.php
+++ b/mod/parse_url.php
@@ -11,7 +11,7 @@
 */
 use Friendica\App;
-use Friendica\ParseUrl;
+use Friendica\Util\ParseUrl;
 require_once("include/items.php");
diff --git a/src/Content/OEmbed.php b/src/Content/OEmbed.php
index 30493e1b8b..51c987755e 100644
--- a/src/Content/OEmbed.php
+++ b/src/Content/OEmbed.php
@@ -10,7 +10,7 @@ use Friendica\Core\Cache;
 use Friendica\Core\System;
 use Friendica\Core\Config;
 use Friendica\Database\DBM;
-use Friendica\ParseUrl;
+use Friendica\Util\ParseUrl;
 use dba;
 use DOMDocument;
 use DOMXPath;
diff --git a/src/ParseUrl.php b/src/Util/ParseUrl.php
similarity index 99%
rename from src/ParseUrl.php
rename to src/Util/ParseUrl.php
index 0c67589ddf..7154e0f4af 100644
--- a/src/ParseUrl.php
+++ b/src/Util/ParseUrl.php
@@ -1,9 +1,9 @@ Date: Thu, 4 Jan 2018 12:05:46 -0500 Subject: [PATCH 5/6] Updated Composer class maps
---
 vendor/composer/autoload_classmap.php | 4 +---
 vendor/composer/autoload_static.php | 4 +---
 2 files changed, 2 insertions(+), 6 deletions(-)
diff --git a/vendor/composer/autoload_classmap.php b/vendor/composer/autoload_classmap.php
index 9160418948..6aa0273ecf 100644
--- a/vendor/composer/autoload_classmap.php
+++ b/vendor/composer/autoload_classmap.php
@@ -31,8 +31,6 @@ return array(
 'Friendica\\Model\\Profile' => $baseDir . '/src/Model/Profile.php',
 'Friendica\\Model\\User' => $baseDir . '/src/Model/User.php',
 'Friendica\\Module\\Feed' => $baseDir . '/src/Module/Feed.php',
- 'Friendica\\Module\\Login' => $baseDir . '/src/Module/Login.php',
- 'Friendica\\Module\\Logout' => $baseDir . '/src/Module/Logout.php',
 'Friendica\\Module\\Oembed' => $baseDir . '/src/Module/Oembed.php',
 'Friendica\\Network\\FKOAuth1' => $baseDir . '/src/Network/FKOAuth1.php',
 'Friendica\\Network\\FKOAuthDataStore' => $baseDir . '/src/Network/FKOAuthDataStore.php',
@@ -61,7 +59,6 @@ return array(
 'Friendica\\Object\\Image' => $baseDir . '/src/Object/Image.php',
 'Friendica\\Object\\Post' => $baseDir . '/src/Object/Post.php',
 'Friendica\\Object\\Thread' => $baseDir . '/src/Object/Thread.php',
- 'Friendica\\ParseUrl' => $baseDir . '/src/ParseUrl.php',
 'Friendica\\Protocol\\DFRN' => $baseDir . '/src/Protocol/DFRN.php',
 'Friendica\\Protocol\\Diaspora' => $baseDir . '/src/Protocol/Diaspora.php',
 'Friendica\\Protocol\\Email' => $baseDir . '/src/Protocol/Email.php',
@@ -75,6 +72,7 @@ return array(
 'Friendica\\Util\\ExAuth' => $baseDir . '/src/Util/ExAuth.php',
 'Friendica\\Util\\Lock' => $baseDir . '/src/Util/Lock.php',
 'Friendica\\Util\\Map' => $baseDir . '/src/Util/Map.php',
+ 'Friendica\\Util\\ParseUrl' => $baseDir . '/src/Util/ParseUrl.php',
 'Friendica\\Util\\PidFile' => $baseDir . '/src/Util/Pidfile.php',
 'Friendica\\Util\\XML' => $baseDir . '/src/Util/XML.php',
 'Friendica\\Worker\\CheckVersion' => $baseDir . '/src/Worker/CheckVersion.php',
diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php
index 45ba7e769a..d09872de5c 100644
--- a/vendor/composer/autoload_static.php
+++ b/vendor/composer/autoload_static.php
@@ -84,8 +84,6 @@ class ComposerStaticInitFriendica
 'Friendica\\Model\\Profile' => __DIR__ . '/../..' . '/src/Model/Profile.php',
 'Friendica\\Model\\User' => __DIR__ . '/../..' . '/src/Model/User.php',
 'Friendica\\Module\\Feed' => __DIR__ . '/../..' . '/src/Module/Feed.php',
- 'Friendica\\Module\\Login' => __DIR__ . '/../..' . '/src/Module/Login.php',
- 'Friendica\\Module\\Logout' => __DIR__ . '/../..' . '/src/Module/Logout.php',
 'Friendica\\Module\\Oembed' => __DIR__ . '/../..' . '/src/Module/Oembed.php',
 'Friendica\\Network\\FKOAuth1' => __DIR__ . '/../..' . '/src/Network/FKOAuth1.php',
 'Friendica\\Network\\FKOAuthDataStore' => __DIR__ . '/../..' . '/src/Network/FKOAuthDataStore.php',
@@ -114,7 +112,6 @@ class ComposerStaticInitFriendica
 'Friendica\\Object\\Image' => __DIR__ . '/../..' . '/src/Object/Image.php',
 'Friendica\\Object\\Post' => __DIR__ . '/../..' . '/src/Object/Post.php',
 'Friendica\\Object\\Thread' => __DIR__ . '/../..' . '/src/Object/Thread.php',
- 'Friendica\\ParseUrl' => __DIR__ . '/../..' . '/src/ParseUrl.php',
 'Friendica\\Protocol\\DFRN' => __DIR__ . '/../..' . '/src/Protocol/DFRN.php',
 'Friendica\\Protocol\\Diaspora' => __DIR__ . '/../..' . '/src/Protocol/Diaspora.php',
 'Friendica\\Protocol\\Email' => __DIR__ . '/../..' . '/src/Protocol/Email.php',
@@ -128,6 +125,7 @@ class ComposerStaticInitFriendica
 'Friendica\\Util\\ExAuth' => __DIR__ . '/../..' . '/src/Util/ExAuth.php',
 'Friendica\\Util\\Lock' => __DIR__ . '/../..' . '/src/Util/Lock.php',
 'Friendica\\Util\\Map' => __DIR__ . '/../..' . '/src/Util/Map.php',
+ 'Friendica\\Util\\ParseUrl' => __DIR__ . '/../..' . '/src/Util/ParseUrl.php',
 'Friendica\\Util\\PidFile' => __DIR__ . '/../..' . '/src/Util/Pidfile.php',
 'Friendica\\Util\\XML' => __DIR__ . '/../..' . '/src/Util/XML.php',
 'Friendica\\Worker\\CheckVersion' => __DIR__ . '/../..' . '/src/Worker/CheckVersion.php',
From 0dd664f54b473971d3ed7f86cb2999d0ae4da350 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Thu, 4 Jan 2018 13:27:59 -0500 Subject: [PATCH 6/6] Review change - Remove htconfig doc for admin panel setting
---
 doc/htconfig.md | 1 -
 1 file changed, 1 deletion(-)
diff --git a/doc/htconfig.md b/doc/htconfig.md
index 34045e5c12..c2c2f536bc 100644
--- a/doc/htconfig.md
+++ b/doc/htconfig.md
@@ -65,7 +65,6 @@ Example: To set the directory value please add this line to your .htconfig.php:
 * **memcache_port** - Portnumber of the memcache daemon. Default is 11211.
 * **no_count** (Boolean) - Don't do count calculations (currently only when showing albums)
 * **no_oembed** (Boolean) - Don't use OEmbed to fetch more information about a link.
-* **no_oembed_rich_content** (Boolean) - Don't show the rich content (e.g. embedded PDF).
 * **no_smilies** (Boolean) - Don't show smilies.
 * **no_view_full_size** (Boolean) - Don't add the link "View full size" under a resized image.
 * **optimize_items** (Boolean) - Triggers an SQL command to optimize the item table before expiring items.