mahara-contributors team mailing list archive
Message #25694
[Bug 1286935] A change has been merged
Reviewed: https://reviews.mahara.org/4660
Committed: http://gitorious.org/mahara/mahara/commit/277c4e1736f8b1d91ad6b92bc5c10e7be417952f
Submitter: Robert Lyon (robertl@xxxxxxxxxxxxxxx)
Branch: 1.8_STABLE
commit 277c4e1736f8b1d91ad6b92bc5c10e7be417952f
Author: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
Date: Thu Apr 16 11:31:53 2015 +1200
Allow prefixes that end in / to try ? and # as well
Bug 1286935
Seeing as we check the url against FILTER_VALIDATE_URL and that only
site admins can add to the 'allowed iframe sources' that should be
enough without having to add the / to the end of the url.
Change-Id: I82e3623d3df2fa03012278d334994224c51a092e
Signed-off-by: Robert Lyon <robertl@xxxxxxxxxxxxxxx>
https://bugs.launchpad.net/bugs/1286935
Title:
Allowed iframe check doesn't handle URLs with a question mark
immediately after the domain name
Status in Mahara ePortfolio:
Fix Committed
Status in Mahara 1.10 series:
Fix Committed
Status in Mahara 1.8 series:
Fix Committed
Status in Mahara 1.9 series:
Fix Committed
Status in Mahara 15.04 series:
Fix Committed
Bug description:
See https://mahara.org/interaction/forum/topic.php?id=6124
In the Mahara forums, a user reported this issue with an embed code
for hapyak.com. The full embed code:
<iframe
src="//hapyak.com?embed=true&edit=false&startInEditMode=false&track=15572&project=3162&key=2a69d0613a6a43b5a613&source=youtube&source_id=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DNWjso1EqSXc&controls=true&nativeControls=false&reset_variables=true&autoplay=false&aspect_ratio=1.3328"
class="hapyak-embed" marginwidth="0" marginheight="0"
allowfullscreen="" webkitallowfullscreen="" mozallowfullscreen=""
frameborder="no" height="699" scrolling="no" width="853"></iframe>
Note that the URL starts with "//hapyak.com?embed=true...". If you
change that to "//hapyak.com/?embed=true..." then it works. It looks
like the problem is that the regular expression we use to identify
iframes with a valid URL doesn't handle the scenario of a URL where
there's a query component but no path component. In other words, a "?"
immediately after the domain name.
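An added example (not Mahara's code) of the behaviour named in the commit title: an allowed prefix ending in "/" is also tried with "?" and "#", so a source with a query but no path matches while a lookalike host does not. The function name iframe_src_allowed, the scheme-less allowlist format and the sample URLs are assumptions.

```php
<?php
// Added example, not Mahara's code; names, allowlist format and URLs are assumptions.

/**
 * True when $src is a valid URL that starts with an allowed prefix.
 * A prefix ending in "/" is also tried with "?" and "#" in place of the
 * slash, so "host?query" and "host#fragment" match a "host/" entry.
 */
function iframe_src_allowed(string $src, array $allowedprefixes): bool {
    // Protocol-relative sources need a scheme before FILTER_VALIDATE_URL accepts them.
    $absolute = (strpos($src, '//') === 0) ? 'https:' . $src : $src;
    if (filter_var($absolute, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    // Compare without the scheme so one entry covers http, https and "//".
    $rest = preg_replace('#^(https?:)?//#i', '', $src, 1, $count);
    if ($count !== 1) {
        return false;
    }
    foreach ($allowedprefixes as $prefix) {
        $candidates = [$prefix];
        if (substr($prefix, -1) === '/') {
            $stem = substr($prefix, 0, -1);
            $candidates[] = $stem . '?';
            $candidates[] = $stem . '#';
        }
        foreach ($candidates as $candidate) {
            // The trailing delimiter pins the end of the host, so a longer
            // host that merely begins with the allowed name does not match.
            if (strncmp($rest, $candidate, strlen($candidate)) === 0) {
                return true;
            }
        }
    }
    return false;
}

$allowed = ['hapyak.com/'];                     // constructed allowlist entry
$samples = [                                    // constructed sources
    '//hapyak.com/?embed=true',                 // path then query
    '//hapyak.com?embed=true',                  // query, no path (the bug)
    '//hapyak.com#section',                     // fragment, no path
    '//hapyak.com.example.net/?embed=true',     // lookalike host
];
foreach ($samples as $src) {
    $verdict = iframe_src_allowed($src, $allowed) ? 'allowed' : 'blocked';
    printf("%-40s %s\n", $src, $verdict);
}
```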