added checks for valid URL schemes in the preview URL of OER materials, fixes #3253

Closes #3253 Merge request studip/studip!2209

added checks for valid URL schemes in the preview URL of OER materials, fixes #3253
aae07fa4 · Moritz Strohm · Jan-Hendrik Willms · ade925d5 · aae07fa4 · aae07fa4
Commit aae07fa4 authored 1 year ago by Moritz Strohm Committed by Jan-Hendrik Willms 1 year ago
--- a/app/controllers/oer/mymaterial.php
+++ b/app/controllers/oer/mymaterial.php
@@ -36,7 +36,12 @@ class Oer_MymaterialController extends AuthenticatedController
        } elseif (Request::isPost()) {
            $was_new = $material->isNew();
            $was_on_twillo = (bool) $material['published_id_on_twillo'];
-            $material->setData(Request::getArray('data'));
+            $data = Request::getArray('data');
+            $material->setData($data);
+            if ($data['player_url'] && !$material->hasValidPreviewUrl()) {
+                PageLayout::postWarning(_('Die angegebene URL muss mit http(s) beginnen.'));
+                $material->player_url = '';
+            }
            $material['host_id'] = null;
            $material['license_identifier'] = Request::get('license', 'CC-BY-SA-4.0');
            if (!empty($_FILES['file']['tmp_name'])) {

--- a/app/views/oer/embed/url.php
+++ b/app/views/oer/embed/url.php
@@ -5,7 +5,8 @@ if ($material['player_url']) {
 }
 $htmlid = "oercampus_".$material->id."_".uniqid();
 ?>
-<iframe id='<?= $htmlid ?>'
+<iframe sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts"
+        id='<?= $htmlid ?>'
        src="<?= htmlReady($url) ?>"
        style="width: 100%; height: 70vh; border: none;"></iframe>
 <?= $this->render_partial("oer/embed/_link") ?>
--- a/app/views/oer/market/details.php
+++ b/app/views/oer/market/details.php
@@ -2,7 +2,7 @@

 <? $url = $material->getDownloadUrl() ?>

-<? if ($material['player_url']) : ?>
+<? if ($material->hasValidPreviewUrl()) : ?>
    <iframe src="<?= htmlReady($material['player_url']) ?>"
            class="lernmarktplatz_player"></iframe>
    <? OERDownloadcounter::addCounter($material->id) ?>

--- a/app/views/oer/mymaterial/edit.php
+++ b/app/views/oer/mymaterial/edit.php
@@ -120,7 +120,7 @@

            <label>
                <?= _('Vorschau-URL (optional)') ?>
-                <input type="text" name="data[player_url]"
+                <input type="url" name="data[player_url]" pattern="^https?://.*"
                       value="<?= htmlReady($material['player_url'] ?: $template['player_url'] ?? '') ?>">
            </label>


--- a/lib/models/OERMaterial.php
+++ b/lib/models/OERMaterial.php
@@ -187,19 +187,19 @@ class OERMaterial extends SimpleORMap

        $url = $material->getDownloadUrl();

-        if ($material['player_url'] || $material->isPDF()) {
-            if ($material['player_url']) {
+        if ($material->hasValidPreviewUrl() || $material->isPDF()) {
+            if ($material->hasValidPreviewUrl()) {
                OERDownloadcounter::addCounter($material->id);
                $url = $material['player_url'];
            }
            $htmlid = "oercampus_".$material->id."_".uniqid();
-            $output = "<iframe id='".$htmlid."' src=\"". htmlReady($url). "\" style=\"width: 100%; height: 70vh; border: none;\"></iframe>";
+            $output = "<iframe sandbox=\"allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts\" id='".$htmlid."' src=\"". htmlReady($url). "\" style=\"width: 100%; height: 70vh; border: none;\"></iframe>";

            return $output;
        }

        $tf = new Flexi_TemplateFactory($GLOBALS['STUDIP_BASE_PATH']."/app/views");
-        if ($material['player_url'] || $material->isPDF()) {
+        if ($material->hasValidPreviewUrl() || $material->isPDF()) {
            $template = $tf->open("oer/embed/url");
        } elseif ($material->isVideo()) {
            $template = $tf->open("oer/embed/video");
@@ -363,6 +363,24 @@ class OERMaterial extends SimpleORMap
        return (bool) $this['structure'];
    }

+    /**
+     * Checks the URL scheme of the preview URL (player_url).
+     * HTTP, HTTPS, Gopher and Gemini are supported schemes.
+     *
+     * @return bool True, if the URL scheme matches the allowced ones,
+     *     false otherwise.
+     */
+    public function hasValidPreviewUrl() : bool
+    {
+        if ($this->player_url) {
+            $scheme = parse_url($this->player_url, PHP_URL_SCHEME);
+            if (in_array($scheme, ['http', 'https'])) {
+                return true;
+            }
+        }
+        return false;
+    }
+
    public function isImage()
    {
        return stripos($this['content_type'], "image") === 0;