Allowed iframe check doesn't handle URLs with a question mark immediately after the domain name

Bug #1286935 reported by Aaron Wells on 2014-03-02
Affects       Importance  Assigned to  Milestone
Mahara        Medium      Aaron Wells  1.10
Mahara 1.8    Medium      Aaron Wells
Mahara 1.9    Medium      Unassigned
Mahara 15.04  Medium      Unassigned

Bug Description

See https://mahara.org/interaction/forum/topic.php?id=6124

In the Mahara forums, a user reported this issue with an embed code for hapyak.com. The full embed code:

<iframe src="//hapyak.com?embed=true&amp;edit=false&amp;startInEditMode=false&amp;track=15572&amp;project=3162&amp;key=2a69d0613a6a43b5a613&amp;source=youtube&amp;source_id=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DNWjso1EqSXc&amp;controls=true&amp;nativeControls=false&amp;reset_variables=true&amp;autoplay=false&amp;aspect_ratio=1.3328" class="hapyak-embed" marginwidth="0" marginheight="0" allowfullscreen="" webkitallowfullscreen="" mozallowfullscreen="" frameborder="no" height="699" scrolling="no" width="853"></iframe>

Note that the URL starts with "//hapyak.com?embed=true...". If you change that to "//hapyak.com/?embed=true..." then it works. It looks like the problem is that the regular expression we use to identify iframes with a valid URL doesn't handle the scenario of a URL where there's a query component but no path component. In other words, a "?" immediately after the domain name.

Robert Lyon (robertl-9) on 2014-04-03
Changed in mahara:
milestone: 1.8.2 → 1.8.3
Robert Lyon (robertl-9) wrote:

The problem here is when you first add an allowed iframe source to the system it appends a / to the end of the url - but it doesn't need to.

I've added a patch 4638 to deal with that.

To test:

1) Add hapyak.com to the allowed iframe sources

2) Add an externalmedia block to a page and add the iframe content from above.

Before patch the iframe won't load content

3) Check out patch and delete the hapyak.com allowed iframe sources and re-add it

Now the page should load the iframe content.

Reviewed: https://reviews.mahara.org/4638
Committed: http://gitorious.org/mahara/mahara/commit/c5851d8f1debac9a3862cc48c2ccda2b19275f7a
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit c5851d8f1debac9a3862cc48c2ccda2b19275f7a
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

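A Python model of the allowed-source check described in the bug report and in the commit message above, added here as an example (it is not Mahara's own PHP code, whose regex is not shown on this page): `fixed=False` requires the literal "/" that Mahara appended to every admin-entered prefix, `fixed=True` lets a prefix ending in "/" also match "?" or "#" in that position, and in both modes the delimiter stops a prefix like "hapyak.com" from matching a longer host name. The names ALLOWED_PREFIXES, iframe_src_allowed, check_embed and HAPYAK_EMBED are assumptions; the allowlist and the shortened embed snippet are constructed.

```python
import re
from html.parser import HTMLParser

# Constructed allowlist: what a Mahara site admin would type into
# "allowed iframe sources". The pre-fix code appended "/" to each entry.
ALLOWED_PREFIXES = ["hapyak.com/", "www.youtube.com/embed/"]


def _prefix_regex(prefixes, fixed):
    """Build the anchored regex that decides whether an iframe src is allowed."""
    alts = []
    for p in prefixes:
        if fixed and p.endswith("/"):
            # After the fix: a prefix that ends in "/" may also be followed by
            # "?" or "#", so "//hapyak.com?embed=true" matches "hapyak.com/".
            alts.append(re.escape(p[:-1]) + r"(?:/|\?|#)")
        else:
            # Before the fix: the trailing "/" had to appear literally.
            alts.append(re.escape(p))
    # Accept http://, https:// and protocol-relative "//" schemes only.
    return re.compile(r"^(?:https?:)?//(?:" + "|".join(alts) + ")")


def iframe_src_allowed(src, prefixes=ALLOWED_PREFIXES, fixed=True):
    return _prefix_regex(prefixes, fixed).match(src) is not None


class _SrcExtractor(HTMLParser):
    """Collect the src attribute of every <iframe> in a fragment of HTML."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def check_embed(html, prefixes=ALLOWED_PREFIXES, fixed=True):
    """Return (allowed, rejected) iframe src lists for an embed snippet."""
    parser = _SrcExtractor()
    parser.feed(html)
    allowed = [s for s in parser.srcs if iframe_src_allowed(s, prefixes, fixed)]
    rejected = [s for s in parser.srcs if s not in allowed]
    return allowed, rejected


# Constructed, shortened version of the embed code from the bug report.
HAPYAK_EMBED = ('<iframe src="//hapyak.com?embed=true&amp;edit=false&amp;track=15572" '
                'class="hapyak-embed" height="699" width="853"></iframe>')
```

With `fixed=False` the snippet's src lands in the rejected list, exactly the symptom reported; with `fixed=True` it is allowed, while a host such as "hapyak.com.example.org" is still rejected because "." is not one of the accepted delimiters.
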
Mahara Bot (dev-mahara) wrote:

Patch for "1.10_STABLE" branch: https://reviews.mahara.org/4658

Reviewed: https://reviews.mahara.org/4657
Committed: http://gitorious.org/mahara/mahara/commit/da9c6043ed6cb4d3de9e9dae8d93b80b266fd004
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit da9c6043ed6cb4d3de9e9dae8d93b80b266fd004
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote:

Reviewed: https://reviews.mahara.org/4658
Committed: http://gitorious.org/mahara/mahara/commit/3b4f216858f8ab5fec76f8553f9f8602778a48c9
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit 3b4f216858f8ab5fec76f8553f9f8602778a48c9
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote:

Patch for "1.8_STABLE" branch: https://reviews.mahara.org/4660

Reviewed: https://reviews.mahara.org/4659
Committed: http://gitorious.org/mahara/mahara/commit/ff97447cdafdad82030f3291b0f2fbc563a9ef34
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit ff97447cdafdad82030f3291b0f2fbc563a9ef34
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

Mahara Bot (dev-mahara) wrote:

Reviewed: https://reviews.mahara.org/4660
Committed: http://gitorious.org/mahara/mahara/commit/277c4e1736f8b1d91ad6b92bc5c10e7be417952f
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 277c4e1736f8b1d91ad6b92bc5c10e7be417952f
Author: Robert Lyon <email address hidden>
Date: Thu Apr 16 11:31:53 2015 +1200

Allow prefixes that end in / to try ? and # as well

Bug 1286935

Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.

Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <email address hidden>

Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released