forked from GNUsocial/gnu-social
Merge branch 'remote-media-blacklist-mk2' into 'nightly'
add server blacklist to StoreRemoteMedia plugin allows server admins to block local storage of remote media from particular servers while still allowing a default policy of acceptance See merge request !114
This commit is contained in:
commit
a9bdf761e8
@ -7,9 +7,19 @@ to the bottom of your config.php
|
|||||||
|
|
||||||
Settings
|
Settings
|
||||||
========
|
========
|
||||||
|
domain_blacklist: Array of regular expressions. Always escape your dots and end your strings.
|
||||||
|
check_blacklist: Whether to check the domain_blacklist.
|
||||||
|
|
||||||
domain_whitelist: Array of regular expressions. Always escape your dots and end your strings.
|
domain_whitelist: Array of regular expressions. Always escape your dots and end your strings.
|
||||||
check_whitelist: Whether to check the domain_whitelist.
|
check_whitelist: Whether to check the domain_whitelist.
|
||||||
|
|
||||||
|
When check_whitelist is set, only images from URLs matching a regex in the
|
||||||
|
domain_whitelist array are accepted for local storage. When check_blacklist
|
||||||
|
is set, images from URLs matching any regex in the domain_blacklist are
|
||||||
|
denied local storage. When both lists are checked, only images from URLs
|
||||||
|
that match a regex in the domain_whitelist and that match no regexen in the
|
||||||
|
domain_blacklist are accepted for local storage.
|
||||||
|
|
||||||
Example
|
Example
|
||||||
=======
|
=======
|
||||||
addPlugin('StoreRemoteMedia', array(
|
addPlugin('StoreRemoteMedia', array(
|
||||||
@ -17,6 +27,6 @@ addPlugin('StoreRemoteMedia', array(
|
|||||||
'^i\d*\.ytimg\.com$' => 'YouTube',
|
'^i\d*\.ytimg\.com$' => 'YouTube',
|
||||||
'^i\d*\.vimeocdn\.com$' => 'Vimeo'
|
'^i\d*\.vimeocdn\.com$' => 'Vimeo'
|
||||||
),
|
),
|
||||||
'check_whitelist' => true
|
'check_whitelist' => true,
|
||||||
));
|
));
|
||||||
|
|
||||||
|
@ -15,6 +15,9 @@ class StoreRemoteMediaPlugin extends Plugin
|
|||||||
public $append_whitelist = array(); // fill this array as domain_whitelist to add more trusted sources
|
public $append_whitelist = array(); // fill this array as domain_whitelist to add more trusted sources
|
||||||
public $check_whitelist = false; // security/abuse precaution
|
public $check_whitelist = false; // security/abuse precaution
|
||||||
|
|
||||||
|
public $domain_blacklist = array();
|
||||||
|
public $check_blacklist = false;
|
||||||
|
|
||||||
protected $imgData = array();
|
protected $imgData = array();
|
||||||
|
|
||||||
// these should be declared protected everywhere
|
// these should be declared protected everywhere
|
||||||
@ -74,7 +77,10 @@ class StoreRemoteMediaPlugin extends Plugin
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
$this->checkWhitelist($file->getUrl());
|
if (!$this->checkWhiteList($file->getUrl()) ||
|
||||||
|
!$this->checkBlackList($file->getUrl())) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
// First we download the file to memory and test whether it's actually an image file
|
// First we download the file to memory and test whether it's actually an image file
|
||||||
common_debug(sprintf('Downloading remote file id==%u with URL: %s', $file->getID(), _ve($file->getUrl())));
|
common_debug(sprintf('Downloading remote file id==%u with URL: %s', $file->getID(), _ve($file->getUrl())));
|
||||||
@ -124,23 +130,39 @@ class StoreRemoteMediaPlugin extends Plugin
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return boolean false on no check made, provider name on success
|
* @return boolean true if given url passes blacklist check
|
||||||
* @throws ServerException if check is made but fails
|
|
||||||
*/
|
*/
|
||||||
protected function checkWhitelist($url)
|
protected function checkBlackList($url)
|
||||||
{
|
{
|
||||||
if (!$this->check_whitelist) {
|
if (!$this->check_blacklist) {
|
||||||
return false; // indicates "no check made"
|
return true;
|
||||||
|
}
|
||||||
|
$host = parse_url($url, PHP_URL_HOST);
|
||||||
|
foreach ($this->domain_blacklist as $regex => $provider) {
|
||||||
|
if (preg_match("/$regex/", $host)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/***
|
||||||
|
* @return boolean true if given url passes whitelist check
|
||||||
|
*/
|
||||||
|
protected function checkWhiteList($url)
|
||||||
|
{
|
||||||
|
if (!$this->check_whitelist) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
$host = parse_url($url, PHP_URL_HOST);
|
$host = parse_url($url, PHP_URL_HOST);
|
||||||
foreach ($this->domain_whitelist as $regex => $provider) {
|
foreach ($this->domain_whitelist as $regex => $provider) {
|
||||||
if (preg_match("/$regex/", $host)) {
|
if (preg_match("/$regex/", $host)) {
|
||||||
return $provider; // we trust this source, return provider name
|
return true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
throw new ServerException(sprintf(_('Domain not in remote source whitelist: %s'), $host));
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function onPluginVersion(array &$versions)
|
public function onPluginVersion(array &$versions)
|
||||||
|
Loading…
Reference in New Issue
Block a user