paulmataruso/zulip
1
0
Fork 0
mirror of https://github.com/zulip/zulip.git synced 2025-11-03 21:43:21 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3922fb3a92cd6ee21ae2637bd3a6533a3a9d7339
zulip/zerver/lib/url_preview/oembed.py
Tim Abbott 4901dc3795 url_preview: Fix parsing of open graph tags. 
Our open graph parser logic sloppily mixed data obtained by parsing
open graph properties with trusted data set by our oembed parser.

We fix this by consistenly using our explicit whitelist of generic
properties (image, title, and description) in both places where we
interact with open graph properties.  The fixes are redundant with
each other, but doing both helps in making the intent of the code
clearer.

This issue fixed here was originally reported as an XSS vulnerability
in the upcoming Inline URL Previews feature found by Graham Bleaney
and Ibrahim Mohamed using Pysa.  The recent Oembed changes close that
vulnerability, but this change is still worth doing to make the
implementation do what it looks like it does.
2019-12-12 15:24:38 -08:00

48 lines
1.5 KiB
Python
Raw Blame History

from typing import Optional, Dict, Any
from pyoembed import oEmbed, PyOembedException
def get_oembed_data(url: str,
maxwidth: Optional[int]=640,
maxheight: Optional[int]=480) -> Optional[Dict[str, Any]]:
try:
data = oEmbed(url, maxwidth=maxwidth, maxheight=maxheight)
except PyOembedException:
return None
oembed_resource_type = data.get('type', '')
image = data.get('url', data.get('image'))
thumbnail = data.get('thumbnail_url')
html = data.pop('html', '')
if oembed_resource_type == 'photo' and image:
return dict(
oembed=True,
image=image,
type=oembed_resource_type,
title=data.get('title'),
description=data.get('description'),
)
if oembed_resource_type == 'video' and html and thumbnail:
return dict(
oembed=True,
image=thumbnail,
type=oembed_resource_type,
html=strip_cdata(html),
title=data.get('title'),
description=data.get('description'),
)
# Otherwise, start with just the embed type.
return dict(
type=oembed_resource_type,
title=data.get('title'),
description=data.get('description'),
)
def strip_cdata(html: str) -> str:
# Work around a bug in SoundCloud's XML generation:
# <html>&lt;![CDATA[&lt;iframe ...&gt;&lt;/iframe&gt;]]&gt;</html>
if html.startswith('<![CDATA[') and html.endswith(']]>'):
html = html[9:-3]
return html
Reference in New Issue View Git Blame Copy Permalink