Merge pull request #1512 from edx/anton/video-disallow-to-use-http-protocol

Video Player: Disallow users to enter video url's in http.

CHANGELOG.rst

@@ -5,6 +5,8 @@ These are notable changes in edx-platform.  This is a rolling list of changes,
 in roughly chronological order, most recent first.  Add your entries at or near
 the top.  Include a label indicating the component affected.
 
+Blades: Disallow users to enter video url's in http.
+
 Blades: Fix bug when the speed can only be changed when the video is playing.
 
 LMS: Change bulk email implementation to use less memory, and to better handle

cms/djangoapps/contentstore/views/item.py

@@ -2,8 +2,9 @@
 
 import logging
 from uuid import uuid4
+from requests.packages.urllib3.util import parse_url
 
-from django.core.exceptions import PermissionDenied
+from django.core.exceptions import PermissionDenied, ValidationError
 from django.contrib.auth.decorators import login_required
 
 from xmodule.modulestore import Location
@@ -107,6 +108,17 @@ def save_item(request):
                 except ValueError:
                     return JsonResponse({"error": "Invalid data"}, 400)
                 field.write_to(existing_item, value)
+
+
+            if existing_item.category == 'video':
+
+                allowedSchemes = ['https']
+                # The entire site is served from https, so browsers with good
+                # security will reject non-https URLs anyway.
+                # Also, following video module specific code is here, because front-end
+                # metadata fields doesn't support validation.
+                if metadata_key == 'html5_sources' and not all([parse_url(u).scheme in allowedSchemes for u in value]):
+                    raise ValidationError(u'HTML5 video sources support following protocols: {0}.'.format(' '.join(allowedSchemes)))
         # Save the data that we've just changed to the underlying
         # MongoKeyValueStore before we update the mongo datastore.
         existing_item.save()

cms/static/js/views/transcripts/utils.js

@@ -145,7 +145,8 @@ define(["jquery", "underscore", "jquery.ajaxQueue"], function($, _) {
                 }
 
                 var link = document.createElement('a'),
-                    match;
+                    allowedProtocols = ['https'],
+                    match, protocol;
 
                 link.href = url;
                 match = link.pathname
@@ -153,7 +154,8 @@ define(["jquery", "underscore", "jquery.ajaxQueue"], function($, _) {
                             .pop()
                             .match(/(.+)\.(mp4|webm)$/);
 
-                if (match) {
+                protocol = link.protocol.slice(0, -1);
+                if (match && $.inArray(protocol, allowedProtocols) !== -1) {
                     cache[url] = {
                         video: match[1],
                         type: match[2]

cms/static/js_spec/transcripts/editor_spec.js

@@ -18,8 +18,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
                 type: MetadataModel.VIDEO_LIST_TYPE,
                 value: [
                     'http://youtu.be/12345678901',
-                    'video.mp4',
-                    'video.webm'
+                    'https://domain.com/video.mp4',
+                    'https://domain.com/video.webm'
                 ]
             },
             DisplayNameEntry = {
@@ -116,7 +116,10 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
                     help: 'A list of html5 sources.',
                     options: [],
                     type: MetadataModel.LIST_TYPE,
-                    value: ['default.mp4', 'default.webm']
+                    value: [
+                        'https://domain.com/default.mp4',
+                        'https://domain.com/default.webm'
+                    ]
                 },
 
                 youtubeEntry = {
@@ -169,18 +172,15 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
                     }, "Defaults never loaded", 1000);
 
                     runs(function() {
-
-                        var displayNameValue = collection[0].getValue();
-                        var videoUrlValue = collection[1].getValue();
-
+                        var displayNameValue = collection[0].getValue(),
+                            videoUrlValue = collection[1].getValue();
                         expect(displayNameValue).toBe('default');
                         expect(videoUrlValue).toEqual([
                             'http://youtu.be/OEoXaMPEzfM',
-                            'default.mp4',
-                            'default.webm'
+                            'https://domain.com/default.mp4',
+                            'https://domain.com/default.webm'
                         ]);
                 });
-                });
 
                 it('If metadataCollection is not defined', function () {
                     transcripts.syncBasicTab(null);
@@ -190,8 +190,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
 
                     expect(videoUrlValue).toEqual([
                         'http://youtu.be/12345678901',
-                        'video.mp4',
-                        'video.webm'
+                        'https://domain.com/video.mp4',
+                        'https://domain.com/video.webm'
                     ]);
                 });
 
@@ -202,8 +202,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
 
                     model.setValue([
                         '12345678',
-                        'default.mp4',
-                        'default.webm'
+                        'https://domain.com/default.mp4',
+                        'https://domain.com/default.webm'
                     ]);
 
                     transcripts.syncBasicTab(metadataCollection, metadataView);
@@ -213,8 +213,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
 
                     expect(videoUrlValue).toEqual([
                         '',
-                        'default.mp4',
-                        'default.webm'
+                        'https://domain.com/default.mp4',
+                        'https://domain.com/default.webm'
                     ]);
                 });
             });
@@ -232,16 +232,16 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
 
                     runs(function() {
 
-                        var displayNameValue = collection[0].getValue();
-                        var subValue = collection[1].getValue();
-                        var html5SourcesValue = collection[2].getValue();
-                        var youtubeValue = collection[3].getValue();
+                        var displayNameValue = collection[0].getValue(),
+                            subValue = collection[1].getValue(),
+                            html5SourcesValue = collection[2].getValue(),
+                            youtubeValue = collection[3].getValue();
 
                         expect(displayNameValue).toBe('display value');
                         expect(subValue).toBe('default');
                         expect(html5SourcesValue).toEqual([
-                            'video.mp4',
-                            'video.webm'
+                            'https://domain.com/video.mp4',
+                            'https://domain.com/video.webm'
                         ]);
                         expect(youtubeValue).toBe('12345678901');
                     });
@@ -259,8 +259,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
                     expect(displayNameValue).toBe('default');
                     expect(subValue).toBe('default');
                     expect(html5SourcesValue).toEqual([
-                        'default.mp4',
-                        'default.webm'
+                        'https://domain.com/default.mp4',
+                        'https://domain.com/default.webm'
                     ]);
                     expect(youtubeValue).toBe('OEoXaMPEzfM');
                 });
@@ -269,8 +269,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
                     var model = transcripts.collection.models[1];
 
                     model.setValue([
-                        'video.mp4',
-                        'video.webm'
+                        'https://domain.com/video.mp4',
+                        'https://domain.com/video.webm'
                     ]);
 
                     transcripts.syncAdvancedTab(metadataCollection);
@@ -280,8 +280,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
                         youtubeValue = collection[3].getValue();
 
                     expect(html5SourcesValue).toEqual([
-                        'video.mp4',
-                        'video.webm'
+                        'https://domain.com/video.mp4',
+                        'https://domain.com/video.webm'
                     ]);
                     expect(youtubeValue).toBe('');
                 });

cms/static/js_spec/transcripts/utils_spec.js

@@ -27,14 +27,10 @@ function ($, _, Utils, _str) {
             html5LinksList = (function (videoName) {
                 var videoTypes = ['mp4', 'webm'],
                     links = [
-                        'http://somelink.com/%s.%s?param=1&param=2#hash',
-                        'http://somelink.com/%s.%s#hash',
-                        'http://somelink.com/%s.%s?param=1&param=2',
-                        'http://somelink.com/%s.%s',
-                        'ftp://somelink.com/%s.%s',
-                        'https://somelink.com/%s.%s',
-                        'somelink.com/%s.%s',
-                         '%s.%s'
+                        'https://somelink.com/%s.%s?param=1&param=2#hash',
+                        'https://somelink.com/%s.%s#hash',
+                        'https://somelink.com/%s.%s?param=1&param=2',
+                        'https://somelink.com/%s.%s'
                     ],
                     data = {};
 
@@ -190,7 +186,12 @@ function ($, _, Utils, _str) {
                     'http://google.com/somevideo_mp4',
                     'http://google.com/somevideo:mp4',
                     'http://google.com/somevideo',
-                    'http://google.com/somevideo.webm_'
+                    'http://google.com/somevideo.webm_',
+                    'http://somelink.com/video_name.mp4?param=1&param=2#hash',
+                    'http://somelink.com/video_name.webm',
+                    'ftp://somelink.com/video_name.mp4',
+                    'somelink.com/video_name.webm',
+                    'video_name.mp4'
                 ];
 
                 $.each(html5WrongUrls, function (index, link) {

cms/static/js_spec/transcripts/videolist_spec.js

@@ -41,9 +41,9 @@ function ($, _, Utils, VideoList, MessageManager, MetadataView, MetadataModel, A
                 options: [],
                 type: MetadataModel.VIDEO_LIST_TYPE,
                 value: [
-                    'http://youtu.be/12345678901',
-                    'video.mp4',
-                    'video.webm'
+                    'https://youtu.be/12345678901',
+                    'https://domain.com/video.mp4',
+                    'https://domain.com/video.webm'
                 ]
             },
             response = JSON.stringify({
@@ -408,8 +408,8 @@ function ($, _, Utils, VideoList, MessageManager, MetadataView, MetadataModel, A
 
             view.setValueInEditor([
                 'http://youtu.be/12345678901',
-                'video.mp4',
-                'video'
+                'https://domain.com/video.mp4',
+                'https://domain.com/video'
             ]);
             expect(view).assertIsCorrectVideoList(value);
         });