diff --git a/plugins/StoreRemoteMedia/README b/plugins/StoreRemoteMedia/README index a6bd91f605..2de4ce4541 100644 --- a/plugins/StoreRemoteMedia/README +++ b/plugins/StoreRemoteMedia/README @@ -7,9 +7,19 @@ to the bottom of your config.php Settings ======== +domain_blacklist: Array of regular expressions. Always escape your dots and end your strings. +check_blacklist: Whether to check the domain_blacklist. + domain_whitelist: Array of regular expressions. Always escape your dots and end your strings. check_whitelist: Whether to check the domain_whitelist. +When check_whitelist is set, only images from URLs matching a regex in the +domain_whitelist array are accepted for local storage. When check_blacklist +is set, images from URLs matching any regex in the domain_blacklist are +denied local storage. When both lists are checked, only images from URLs +that match a regex in the domain_whitelist and that match no regexen in the +domain_blacklist are accepted for local storage. + Example ======= addPlugin('StoreRemoteMedia', array( @@ -17,6 +27,6 @@ addPlugin('StoreRemoteMedia', array( '^i\d*\.ytimg\.com$' => 'YouTube', '^i\d*\.vimeocdn\.com$' => 'Vimeo' ), - 'check_whitelist' => true + 'check_whitelist' => true, )); diff --git a/plugins/StoreRemoteMedia/StoreRemoteMediaPlugin.php b/plugins/StoreRemoteMedia/StoreRemoteMediaPlugin.php index a08ae92572..f38ca4713e 100644 --- a/plugins/StoreRemoteMedia/StoreRemoteMediaPlugin.php +++ b/plugins/StoreRemoteMedia/StoreRemoteMediaPlugin.php @@ -15,6 +15,9 @@ class StoreRemoteMediaPlugin extends Plugin public $append_whitelist = array(); // fill this array as domain_whitelist to add more trusted sources public $check_whitelist = false; // security/abuse precaution + public $domain_blacklist = array(); + public $check_blacklist = false; + protected $imgData = array(); // these should be declared protected everywhere @@ -74,7 +77,10 @@ class StoreRemoteMediaPlugin extends Plugin return true; } - $this->checkWhitelist($file->getUrl()); + if (!$this->checkWhiteList($file->getUrl()) || + !$this->checkBlackList($file->getUrl())) { + return true; + } // First we download the file to memory and test whether it's actually an image file common_debug(sprintf('Downloading remote file id==%u with URL: %s', $file->getID(), _ve($file->getUrl()))); @@ -124,23 +130,39 @@ class StoreRemoteMediaPlugin extends Plugin } /** - * @return boolean false on no check made, provider name on success - * @throws ServerException if check is made but fails + * @return boolean true if given url passes blacklist check */ - protected function checkWhitelist($url) + protected function checkBlackList($url) { - if (!$this->check_whitelist) { - return false; // indicates "no check made" + if (!$this->check_blacklist) { + return true; } - $host = parse_url($url, PHP_URL_HOST); - foreach ($this->domain_whitelist as $regex => $provider) { + foreach ($this->domain_blacklist as $regex => $provider) { if (preg_match("/$regex/", $host)) { - return $provider; // we trust this source, return provider name + return false; } } - throw new ServerException(sprintf(_('Domain not in remote source whitelist: %s'), $host)); + return true; + } + + /*** + * @return boolean true if given url passes whitelist check + */ + protected function checkWhiteList($url) + { + if (!$this->check_whitelist) { + return true; + } + $host = parse_url($url, PHP_URL_HOST); + foreach ($this->domain_whitelist as $regex => $provider) { + if (preg_match("/$regex/", $host)) { + return true; + } + } + + return false; } public function onPluginVersion(array &$versions)