Allowed iframe check doesn't handle URLs with a question mark immediately after the domain name

Bug #1286935 reported by Aaron Wells
Affects   Status        Importance   Assigned to   Milestone
Mahara    Fix Released  Medium       Aaron Wells
1.10      Fix Released  Medium       Aaron Wells
1.8       Fix Released  Medium       Unassigned
1.9       Fix Released  Medium       Unassigned
15.04     Fix Released  Medium       Unassigned

Bug Description

See https://mahara.org/interaction/forum/topic.php?id=6124

In the Mahara forums, a user reported this issue with an embed code for hapyak.com. The full embed code:

<iframe src="//hapyak.com?embed=true&amp;edit=false&amp;startInEditMode=false&amp;track=15572&amp;project=3162&amp;key=2a69d0613a6a43b5a613&amp;source=youtube&amp;source_id=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DNWjso1EqSXc&amp;controls=true&amp;nativeControls=false&amp;reset_variables=true&amp;autoplay=false&amp;aspect_ratio=1.3328" class="hapyak-embed" marginwidth="0" marginheight="0" allowfullscreen="" webkitallowfullscreen="" mozallowfullscreen="" frameborder="no" height="699" scrolling="no" width="853"></iframe>

Note that the URL starts with "//hapyak.com?embed=true...". If you change that to "//hapyak.com/?embed=true..." then it works. It looks like the problem is that the regular expression we use to identify iframes with a valid URL doesn't handle the scenario of a URL where there's a query component but no path component. In other words, a "?" immediately after the domain name.

Robert Lyon (robertl-9)
Changed in mahara:
milestone: 1.8.2 → 1.8.3
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/4638

Robert Lyon (robertl-9) wrote :

The problem here is when you first add an allowed iframe source to the system it appends a / to the end of the url - but it doesn't need to.

I've added a patch 4638 to deal with that.

To test:

1) Add hapyak.com to the allowed iframe sources

2) Add an externalmedia block to a page and add the iframe content from above.

Before the patch, the iframe won't load content.

3) Check out the patch, delete the hapyak.com allowed iframe source and re-add it.

Now the page should load the iframe content.

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4638
Committed: http://gitorious.org/mahara/mahara/commit/c5851d8f1debac9a3862cc48c2ccda2b19275f7a
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit c5851d8f1debac9a3862cc48c2ccda2b19275f7a
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>
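The matching rule the commit title describes ("a prefix that ends in / also tries ? and #"), written out as an added example. This is not Mahara's own code (Mahara is PHP; this is a Python sketch of the same allow-list check), and the function names, the constructed allow-list entries and the constructed embed markup are assumptions. It keeps the stored trailing "/" as the host boundary, which is what stops an allowed host from matching a longer hostname that merely begins with the same characters, and shows the pre-fix matcher rejecting the hapyak URL from the bug report while the post-fix matcher accepts it.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list (example data, not Mahara's configuration). The bug thread
# says Mahara appends a trailing "/" to each allowed source when it is added.
ALLOWED_IFRAME_SOURCES = ["hapyak.com/", "www.youtube.com/embed/"]

# Constructed embed code: the hapyak src from the bug report with a shortened query.
EMBED_CODE = ('<iframe src="//hapyak.com?embed=true&amp;track=15572" '
              'class="hapyak-embed" height="699" width="853"></iframe>')


def strip_scheme(src):
    """Return the scheme-less 'host/path?query#fragment' part of an iframe src,
    or None when src is not an absolute http(s) URL or a scheme-relative '//host' URL."""
    try:
        parts = urlsplit(src, scheme="https")   # '//host?x' -> netloc='host', query='x'
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return src.split("//", 1)[1]


def prefix_matches_before(target, prefix):
    """Pre-fix behaviour: the stored prefix (always ending in '/') must match literally,
    so 'hapyak.com?embed=true' never matches the stored 'hapyak.com/'."""
    return target.startswith(prefix)


def prefix_matches_after(target, prefix):
    """Post-fix behaviour as the commit title states it: a prefix ending in '/' also
    matches when that '/' is replaced by '?' or '#', i.e. a query or fragment that
    follows the host directly. The boundary character is still required, so
    'hapyak.com.example.test/...' does not match 'hapyak.com/'."""
    if target.startswith(prefix):
        return True
    if prefix.endswith("/"):
        bare = prefix[:-1]
        return target.startswith(bare + "?") or target.startswith(bare + "#")
    return False


def iframe_src_allowed(src, allowed=ALLOWED_IFRAME_SOURCES, matcher=prefix_matches_after):
    """True when src is an http(s) or scheme-relative URL that matches an allowed prefix."""
    target = strip_scheme(src)
    if target is None:
        return False
    return any(matcher(target, prefix) for prefix in allowed)


class _IframeSrcCollector(HTMLParser):
    """Collects the src attribute of every <iframe> tag; attribute entities are decoded."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def iframe_srcs(embed_html):
    """Extract the src values of all iframes in a piece of embed markup."""
    collector = _IframeSrcCollector()
    collector.feed(embed_html)
    return collector.srcs


def embed_allowed(embed_html, allowed=ALLOWED_IFRAME_SOURCES, matcher=prefix_matches_after):
    """An embed passes only if it contains at least one iframe and every src is allowed."""
    srcs = iframe_srcs(embed_html)
    return bool(srcs) and all(iframe_src_allowed(s, allowed, matcher) for s in srcs)


if __name__ == "__main__":
    for src in ("//hapyak.com?embed=true", "//hapyak.com/?embed=true",
                "https://hapyak.com.example.test/?embed=true", "javascript:alert(1)"):
        print(src, "before:", iframe_src_allowed(src, matcher=prefix_matches_before),
              "after:", iframe_src_allowed(src))
```

The hapyak URL is the only input whose verdict changes between the two matchers; the lookalike hostname, the non-http scheme and a bare relative path are rejected by both, because the stored "/" (or, after the fix, "?" or "#") has to sit directly after the allowed host and the URL has to parse as absolute http(s) in the first place.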

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/4657

Mahara Bot (dev-mahara) wrote :

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/4658

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4657
Committed: http://gitorious.org/mahara/mahara/commit/da9c6043ed6cb4d3de9e9dae8d93b80b266fd004
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit da9c6043ed6cb4d3de9e9dae8d93b80b266fd004
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4658
Committed: http://gitorious.org/mahara/mahara/commit/3b4f216858f8ab5fec76f8553f9f8602778a48c9
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 3b4f216858f8ab5fec76f8553f9f8602778a48c9
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "1.9_STABLE" branch: https://reviews.mahara.org/4659

Mahara Bot (dev-mahara) wrote :

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/4660

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/4659
Committed: http://gitorious.org/mahara/mahara/commit/ff97447cdafdad82030f3291b0f2fbc563a9ef34
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit ff97447cdafdad82030f3291b0f2fbc563a9ef34
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4660
Committed: http://gitorious.org/mahara/mahara/commit/277c4e1736f8b1d91ad6b92bc5c10e7be417952f
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 277c4e1736f8b1d91ad6b92bc5c10e7be417952f
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9)
Changed in mahara:
status: Fix Committed → Fix Released