Merge branch 'remote-media-blacklist-mk2' into 'nightly'

add server blacklist to StoreRemoteMedia plugin

allows server admins to block local storage of remote media from particular servers while still allowing a default policy of acceptance

See merge request !114
This commit is contained in:
mmn 2016-03-03 20:17:23 +00:00
commit a9bdf761e8
2 changed files with 43 additions and 11 deletions

View File

@ -7,9 +7,19 @@ to the bottom of your config.php
Settings Settings
======== ========
domain_blacklist: Array of regular expressions. Always escape your dots and end your strings.
check_blacklist: Whether to check the domain_blacklist.
domain_whitelist: Array of regular expressions. Always escape your dots and end your strings. domain_whitelist: Array of regular expressions. Always escape your dots and end your strings.
check_whitelist: Whether to check the domain_whitelist. check_whitelist: Whether to check the domain_whitelist.
When check_whitelist is set, only images from URLs matching a regex in the
domain_whitelist array are accepted for local storage. When check_blacklist
is set, images from URLs matching any regex in the domain_blacklist are
denied local storage. When both lists are checked, only images from URLs
that match a regex in the domain_whitelist and that match no regexen in the
domain_blacklist are accepted for local storage.
Example Example
======= =======
addPlugin('StoreRemoteMedia', array( addPlugin('StoreRemoteMedia', array(
@ -17,6 +27,6 @@ addPlugin('StoreRemoteMedia', array(
'^i\d*\.ytimg\.com$' => 'YouTube', '^i\d*\.ytimg\.com$' => 'YouTube',
'^i\d*\.vimeocdn\.com$' => 'Vimeo' '^i\d*\.vimeocdn\.com$' => 'Vimeo'
), ),
'check_whitelist' => true 'check_whitelist' => true,
)); ));

View File

@ -15,6 +15,9 @@ class StoreRemoteMediaPlugin extends Plugin
public $append_whitelist = array(); // fill this array as domain_whitelist to add more trusted sources public $append_whitelist = array(); // fill this array as domain_whitelist to add more trusted sources
public $check_whitelist = false; // security/abuse precaution public $check_whitelist = false; // security/abuse precaution
public $domain_blacklist = array();
public $check_blacklist = false;
protected $imgData = array(); protected $imgData = array();
// these should be declared protected everywhere // these should be declared protected everywhere
@ -74,7 +77,10 @@ class StoreRemoteMediaPlugin extends Plugin
return true; return true;
} }
$this->checkWhitelist($file->getUrl()); if (!$this->checkWhiteList($file->getUrl()) ||
!$this->checkBlackList($file->getUrl())) {
return true;
}
// First we download the file to memory and test whether it's actually an image file // First we download the file to memory and test whether it's actually an image file
common_debug(sprintf('Downloading remote file id==%u with URL: %s', $file->getID(), _ve($file->getUrl()))); common_debug(sprintf('Downloading remote file id==%u with URL: %s', $file->getID(), _ve($file->getUrl())));
@ -124,23 +130,39 @@ class StoreRemoteMediaPlugin extends Plugin
} }
/** /**
* @return boolean false on no check made, provider name on success * @return boolean true if given url passes blacklist check
* @throws ServerException if check is made but fails
*/ */
protected function checkWhitelist($url) protected function checkBlackList($url)
{ {
if (!$this->check_whitelist) { if (!$this->check_blacklist) {
return false; // indicates "no check made" return true;
}
$host = parse_url($url, PHP_URL_HOST);
foreach ($this->domain_blacklist as $regex => $provider) {
if (preg_match("/$regex/", $host)) {
return false;
}
} }
return true;
}
/***
* @return boolean true if given url passes whitelist check
*/
protected function checkWhiteList($url)
{
if (!$this->check_whitelist) {
return true;
}
$host = parse_url($url, PHP_URL_HOST); $host = parse_url($url, PHP_URL_HOST);
foreach ($this->domain_whitelist as $regex => $provider) { foreach ($this->domain_whitelist as $regex => $provider) {
if (preg_match("/$regex/", $host)) { if (preg_match("/$regex/", $host)) {
return $provider; // we trust this source, return provider name return true;
} }
} }
throw new ServerException(sprintf(_('Domain not in remote source whitelist: %s'), $host)); return false;
} }
public function onPluginVersion(array &$versions) public function onPluginVersion(array &$versions)