Arbitrary OBJECTs can be embedded if DATA tag is used.
| Project: | Embed filter |
| Version: | 5.x-1.0 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | active |
The function `embedfilter_approve`'s default behavior is to return TRUE. Because the regex only scans for HREF and SRC elements to match against the whitelist, it is possible for an OBJECT or EMBED tag with a DATA element to pass through without the domain being checked, and subsequently render on page load. This allows users to embed content from third-party sites that are not on the whitelist, i.e. `<OBJECT DATA="http://evilsite.com/evil.swf" scriptaccess="ALL">`.
To fix:
1. Return FALSE unless we've run the whitelist check. We can do this by changing line 259* from:
   `return TRUE;`
   to
   `return (!empty($matches[3])) ? TRUE : FALSE;`
2. Add 'data' to the list of tags that the regex scans for on lines 250* and 276*.
* actual line numbers may be inaccurate as I've made a number of changes to the core file in order to debug it.

#1
My "fix" breaks YouTube support because YouTube does NOT embed a data tag in its object tag. What I've done with my version of embed filter is to make sure I'm matching data, value, src and href elements for the param, object, embed and script tags.
It's not ideal, seeing as how it could be compromised if there's a tag I'm missing, but it works for now. If it's helpful, later on when I get some downtime, I'll add a full patch that will bring the distro version of the embed filter up to the version we are using on our prod server.
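The bypass described in the report and the wider attribute set mentioned in #1, side by side as an added example (not the Embed filter module's own code): the weak approve routine scans only HREF/SRC and defaults to TRUE, while the fixed one also scans DATA/VALUE on object, embed, param and script tags and defaults to FALSE unless a URL was actually checked. All function names are assumed, and the whitelist and markup are constructed.

```php
<?php
// Added example, not the Embed filter module's own code; every function name below is
// assumed (the module itself only has embedfilter_approve, quoted in the report).
// Every URL-bearing attribute ($attrs) found in every opening tag named in $tags.
function embedfilter_extract_urls($html, array $tags, array $attrs) {
  $urls = array();
  $tag_re  = implode('|', array_map('preg_quote', $tags));
  $attr_re = implode('|', array_map('preg_quote', $attrs));
  // Case-insensitive on purpose: the bypass in the report is written as OBJECT/DATA.
  preg_match_all('/<(?:' . $tag_re . ')\b[^>]*>/i', $html, $tag_matches);
  foreach ($tag_matches[0] as $tag) {
    preg_match_all('/\b(?:' . $attr_re . ')\s*=\s*["\']?([^"\'\s>]+)/i', $tag, $attr_matches);
    $urls = array_merge($urls, $attr_matches[1]);
  }
  return $urls;
}
// TRUE only if every URL resolves to a whitelisted host. Plain PARAM values such as value="always"
// carry no URL and are skipped; anything with a scheme or path (even //host/...) must parse to a whitelisted host.
function embedfilter_hosts_allowed(array $urls, array $whitelist) {
  foreach ($urls as $url) {
    if (strpbrk($url, '/:') === FALSE) {
      continue;
    }
    $host = parse_url($url, PHP_URL_HOST);
    if (empty($host) || !in_array(strtolower($host), $whitelist, TRUE)) {
      return FALSE;
    }
  }
  return TRUE;
}
// Reported behaviour: only HREF/SRC are examined and markup yielding no match is approved (return TRUE).
function embedfilter_approve_weak($html, array $whitelist) {
  $urls = embedfilter_extract_urls($html, array('object', 'embed', 'param', 'script'), array('href', 'src'));
  return empty($urls) ? TRUE : embedfilter_hosts_allowed($urls, $whitelist);
}
// Both fixes: DATA and VALUE are scanned too, and the default is FALSE unless a URL was actually checked.
function embedfilter_approve_fixed($html, array $whitelist) {
  $urls = embedfilter_extract_urls($html, array('object', 'embed', 'param', 'script'), array('href', 'src', 'data', 'value'));
  return empty($urls) ? FALSE : embedfilter_hosts_allowed($urls, $whitelist);
}
// Constructed inputs: the bypass from the report, and a YouTube-style object whose URL sits
// in a PARAM VALUE rather than a DATA attribute (the case noted in #1).
$whitelist = array('www.youtube.com', 'youtube.com');
$bypass    = '<OBJECT DATA="http://evilsite.com/evil.swf" scriptaccess="ALL"></OBJECT>';
$youtube   = '<object><param name="movie" value="http://www.youtube.com/v/example">'
           . '<embed src="http://www.youtube.com/v/example"></embed></object>';
var_dump(embedfilter_approve_weak($bypass, $whitelist));   // the original check lets the bypass through
var_dump(embedfilter_approve_fixed($bypass, $whitelist));  // rejected: evilsite.com is not on the whitelist
var_dump(embedfilter_approve_fixed($youtube, $whitelist)); // still approved: the YouTube host is whitelisted
```

The tag and attribute regexes share the original's limitation that an attribute value containing `>` ends the tag early, so the host check should be treated as one layer, not a full HTML parser.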