The function embedfilter_approve's default behavior is to return TRUE. Because the regex only scans for HREF and SRC elements to match against the whitelist, it is possible for an OBJECT or EMBED tag with a DATA element to pass through without the domain being checked, and subsequently render on page load. This allows users to embed content from third-party sites that are not on the whitelist, i.e. <OBJECT DATA="http://evilsite.com/evil.swf" scriptaccess="ALL">

To fix:

1. Return FALSE unless we've run the whitelist check. We can do this by changing line 259* from :

return TRUE;

to

return (!empty($matches[3])) ? TRUE : FALSE;

2. Add 'data' to the list of tags that the regex scans for on lines 250* and 276*.

* actual line numbers may be inaccurate as I've made a number of changes to the core file in order to debug it.
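As an added illustration (not the embedfilter module's own code), the following PHP is a simplified reconstruction of the approve check described above: the default-allow, href/src-only version beside one that applies both fixes (scan data too, and deny when nothing was matched). The function names, the regex and the whitelist contents are assumptions made for this example.

```php
<?php
// Added example, not code from the embedfilter module. The regex, function
// names and whitelist below are assumptions; the module's real code differs.

$whitelist = array('youtube.com', 'www.youtube.com');

// Default-allow variant: only href/src are inspected. A tag whose URL sits in
// data= never reaches the domain check and falls through to TRUE.
function embedfilter_approve_weak($tag, array $whitelist) {
  if (preg_match('/\b(href|src)\s*=\s*["\']?([^"\' >]+)/i', $tag, $matches)) {
    $host = parse_url($matches[2], PHP_URL_HOST);
    return $host !== NULL && in_array(strtolower($host), $whitelist, TRUE);
  }
  return TRUE;  // nothing matched, so the tag is approved unchecked (the bug)
}

// Hardened variant following both steps in the issue: data= is scanned as
// well, and a tag with no URL-bearing attribute at all is denied.
function embedfilter_approve_fixed($tag, array $whitelist) {
  if (preg_match('/\b(href|src|data)\s*=\s*["\']?([^"\' >]+)/i', $tag, $matches)) {
    $host = parse_url($matches[2], PHP_URL_HOST);
    return $host !== NULL && in_array(strtolower($host), $whitelist, TRUE);
  }
  return FALSE;  // no matched attribute: deny rather than approve by default
}

// Constructed sample tags: the bypass from the issue and a whitelisted embed.
$object = '<OBJECT DATA="http://evilsite.com/evil.swf" scriptaccess="ALL">';
$embed  = '<embed src="http://www.youtube.com/v/abc123">';

var_dump(embedfilter_approve_weak($object, $whitelist));   // approved: bypass
var_dump(embedfilter_approve_fixed($object, $whitelist));  // denied
var_dump(embedfilter_approve_fixed($embed, $whitelist));   // approved
```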

Comments

ragaskar:

My "fix" breaks YouTube support because YouTube does NOT embed a data tag in its object tag. What I've done with my version of embed filter is to make sure I'm matching data, value, src and href elements for the param, object, embed and script tags.

It's not ideal, seeing as how it could be compromised if there's a tag I'm missing, but it works for now. If it's helpful, later on when I get some downtime, I'll add a full patch that will bring the distro version of the embed filter up to the version we are using on our prod server.

KarenS:

Status: Active » Fixed

I tried #2 above and found no problems with YouTube when data is not defined, so I committed that fix to the D6 port. I am not making any changes to D5 though.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.