From 7ba42d372bb347a2720128ae8e1ffbd574c04340 Mon Sep 17 00:00:00 2001
From: Moritz Strohm
Date: Wed, 4 Oct 2023 09:44:53 +0000
Subject: added checks for valid URL schemes in the preview URL of OER materials, fixes #3253

Closes #3253

Merge request studip/studip!2209
---
 app/controllers/oer/mymaterial.php | 7 ++++++-
 app/views/oer/embed/url.php | 3 ++-
 app/views/oer/market/details.php | 2 +-
 app/views/oer/mymaterial/edit.php | 4 ++--
 lib/models/OERMaterial.php | 26 ++++++++++++++++++++++----
 5 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/app/controllers/oer/mymaterial.php b/app/controllers/oer/mymaterial.php
index f8e461b..309682b 100755
--- a/app/controllers/oer/mymaterial.php
+++ b/app/controllers/oer/mymaterial.php
@@ -38,7 +38,12 @@ class Oer_MymaterialController extends AuthenticatedController
 } elseif (Request::isPost()) {
 CSRFProtection::verifyUnsafeRequest();
 $was_new = $material->isNew();
- $material->setData(Request::getArray('data'));
+ $data = Request::getArray('data');
+ $material->setData($data);
+ if ($data['player_url'] && !$material->hasValidPreviewUrl()) {
+ PageLayout::postWarning(_('Die angegebene URL muss mit http(s) beginnen.'));
+ $material->player_url = '';
+ }
 $material['host_id'] = null;
 $material['license_identifier'] = Request::get('license', 'CC-BY-SA-4.0');
 if ($_FILES['file']['tmp_name']) {
diff --git a/app/views/oer/embed/url.php b/app/views/oer/embed/url.php
index 2c9af80..1b40d24 100644
--- a/app/views/oer/embed/url.php
+++ b/app/views/oer/embed/url.php
@@ -5,7 +5,8 @@ if ($material['player_url']) { } $htmlid = "oercampus_".$material->id."_".uniqid(); ?> - render_partial("oer/embed/_link") ?>
diff --git a/app/views/oer/market/details.php b/app/views/oer/market/details.php
index 112c86f..4dd64ee 100755
--- a/app/views/oer/market/details.php
+++ b/app/views/oer/market/details.php
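Review bot: `$data['player_url']` on the new `if` line is read without checking that the key exists, so a POST whose `data` array omits `player_url` triggers an undefined-array-key warning before the scheme check runs; `if (($data['player_url'] ?? '') !== '' && !$material->hasValidPreviewUrl()) {` avoids that and also stops a literal `'0'` from being treated as "no URL" and stored unchecked. Since `setData($data)` has already copied the unvalidated URL into the model two lines earlier, the reset to `''` is presumably what keeps a bad scheme from being persisted — a one-line comment such as `// reject disallowed URL scheme: drop the URL rather than store it` would make that intent explicit. The enclosing action method starts before and ends after this hunk.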
@@ -2,7 +2,7 @@ host->url."download/".$material['foreign_material_id'] : $controller->link_for("oer/endpoints/download/".$material->getId()) ?> - +hasValidPreviewUrl()) : ?> id) ?>
diff --git a/app/views/oer/mymaterial/edit.php b/app/views/oer/mymaterial/edit.php
index 16401c9..ea748fc 100755
--- a/app/views/oer/mymaterial/edit.php
+++ b/app/views/oer/mymaterial/edit.php
@@ -120,8 +120,8 @@ isNew()) : ?>
diff --git a/lib/models/OERMaterial.php b/lib/models/OERMaterial.php
index 2c25bc1..0214d2c 100755
--- a/lib/models/OERMaterial.php
+++ b/lib/models/OERMaterial.php
@@ -148,19 +148,19 @@ class OERMaterial extends SimpleORMap
 ? $material->host->url."download/".$material['foreign_material_id'] : URLHelper::getURL("dispatch.php/oer/endpoints/download/".$material->getId());
- if ($material['player_url'] || $material->isPDF()) {
- if ($material['player_url']) {
+ if ($material->hasValidPreviewUrl() || $material->isPDF()) {
+ if ($material->hasValidPreviewUrl()) {
 OERDownloadcounter::addCounter($material->id);
 $url = $material['player_url'];
 }
 $htmlid = "oercampus_".$material->id."_".uniqid();
- $output = "";
+ $output = "";
 return $output;
 }
 $tf = new Flexi_TemplateFactory($GLOBALS['STUDIP_BASE_PATH']."/app/views");
- if ($material['player_url'] || $material->isPDF()) {
+ if ($material->hasValidPreviewUrl() || $material->isPDF()) {
 $template = $tf->open("oer/embed/url");
 } elseif ($material->isVideo()) {
 $template = $tf->open("oer/embed/video");
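Review bot: The markup assigned on the `+ $output = ...` line was lost in this rendering, so I cannot confirm that `$url` — which is the user-supplied `player_url` whenever `hasValidPreviewUrl()` holds — is escaped before it is placed in the embed markup; the new scheme check only restricts the protocol and says nothing about characters such as `"` or `>`, so the attribute value should still pass through an HTML-attribute escaper (e.g. `htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`) and that should be verifiable on this line. Separately, `hasValidPreviewUrl()` is evaluated three times in this hunk, re-running `parse_url` each time; hoisting it once, `$has_preview = $material->hasValidPreviewUrl();`, keeps the three conditions in sync. The enclosing method starts before this hunk and continues after it.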
@@ -279,6 +279,24 @@ class OERMaterial extends SimpleORMap
 return (bool) $this['structure'];
 }
+ /**
+ * Checks the URL scheme of the preview URL (player_url).
+ * HTTP, HTTPS, Gopher and Gemini are supported schemes.
+ *
+ * @return bool True, if the URL scheme matches the allowced ones,
+ * false otherwise.
+ */
+ public function hasValidPreviewUrl() : bool
+ {
+ if ($this->player_url) {
+ $scheme = parse_url($this->player_url, PHP_URL_SCHEME);
+ if (in_array($scheme, ['http', 'https'])) {
+ return true;
+ }
+ }
+ return false;
+ }
+
 public function isImage()
 {
 return stripos($this['content_type'], "image") === 0;
-- cgit v1.0
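Review bot: The docblock on `hasValidPreviewUrl()` says HTTP, HTTPS, Gopher and Gemini are supported, but the `in_array` call a few lines below accepts only `http` and `https`, so the comment documents a wider allow-list than the code enforces — one of the two should change, and `allowced` is a typo. The comparison is also case-sensitive and non-strict: URL schemes are case-insensitive, so a `HTTP://...` preview URL is rejected today, and `in_array` without `true` compares loosely against whatever `parse_url` returns (`null`, or `false` on a malformed URL). I would replace the body with `$scheme = parse_url((string) $this->player_url, PHP_URL_SCHEME);` followed by `return is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);`, and reword the return line to `@return bool True if player_url is set and its scheme is http or https, false otherwise.` The method is contained entirely within this hunk.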