Skip to content

E
edx-platform
Commit 6cb5c390 by polesye Committed by Valera Rozuvan
Options

BLD-408: Don't allow users to enter video url's in http.

parent 80c83f0b
Showing with 63 additions and 46 deletions
CHANGELOG.rst
......@@ -5,6 +5,8 @@ These are notable changes in edx-platform. This is a rolling list of changes,
in roughly chronological order, most recent first. Add your entries at or near
the top. Include a label indicating the component affected.
Blades: Disallow users to enter video url's in http.
Blades: Fix bug when the speed can only be changed when the video is playing.
LMS: Change bulk email implementation to use less memory, and to better handle
......
cms/djangoapps/contentstore/views/item.py
......@@ -2,8 +2,9 @@
import logging
from uuid import uuid4
from requests.packages.urllib3.util import parse_url
from django.core.exceptions import PermissionDenied
from django.core.exceptions import PermissionDenied, ValidationError
from django.contrib.auth.decorators import login_required
from xmodule.modulestore import Location
......@@ -107,6 +108,17 @@ def save_item(request):
except ValueError:
return JsonResponse({"error": "Invalid data"}, 400)
field.write_to(existing_item, value)
if existing_item.category == 'video':
allowedSchemes = ['https']
# The entire site is served from https, so browsers with good
# security will reject non-https URLs anyway.
# Also, following video module specific code is here, because front-end
# metadata fields doesn't support validation.
if metadata_key == 'html5_sources' and not all([parse_url(u).scheme in allowedSchemes for u in value]):
raise ValidationError(u'HTML5 video sources support following protocols: {0}.'.format(' '.join(allowedSchemes)))
# Save the data that we've just changed to the underlying
# MongoKeyValueStore before we update the mongo datastore.
existing_item.save()
......
cms/static/js/views/transcripts/utils.js
......@@ -145,7 +145,8 @@ define(["jquery", "underscore", "jquery.ajaxQueue"], function($, _) {
}
var link = document.createElement('a'),
match;
allowedProtocols = ['https'],
match, protocol;
link.href = url;
match = link.pathname
......@@ -153,7 +154,8 @@ define(["jquery", "underscore", "jquery.ajaxQueue"], function($, _) {
.pop()
.match(/(.+)\.(mp4|webm)$/);
if (match) {
protocol = link.protocol.slice(0, -1);
if (match && $.inArray(protocol, allowedProtocols) !== -1) {
cache[url] = {
video: match[1],
type: match[2]
......
cms/static/js_spec/transcripts/editor_spec.js
......@@ -18,8 +18,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
type: MetadataModel.VIDEO_LIST_TYPE,
value: [
'http://youtu.be/12345678901',
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]
},
DisplayNameEntry = {
......@@ -116,7 +116,10 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
help: 'A list of html5 sources.',
options: [],
type: MetadataModel.LIST_TYPE,
value: ['default.mp4', 'default.webm']
value: [
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]
},
youtubeEntry = {
......@@ -169,17 +172,14 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
}, "Defaults never loaded", 1000);
runs(function() {
var displayNameValue = collection[0].getValue();
var videoUrlValue = collection[1].getValue();
var displayNameValue = collection[0].getValue(),
videoUrlValue = collection[1].getValue();
expect(displayNameValue).toBe('default');
expect(videoUrlValue).toEqual([
'http://youtu.be/OEoXaMPEzfM',
'default.mp4',
'default.webm'
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]);
});
});
it('If metadataCollection is not defined', function () {
......@@ -190,8 +190,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
expect(videoUrlValue).toEqual([
'http://youtu.be/12345678901',
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]);
});
......@@ -202,8 +202,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
model.setValue([
'12345678',
'default.mp4',
'default.webm'
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]);
transcripts.syncBasicTab(metadataCollection, metadataView);
......@@ -213,8 +213,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
expect(videoUrlValue).toEqual([
'',
'default.mp4',
'default.webm'
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]);
});
});
......@@ -232,16 +232,16 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
runs(function() {
var displayNameValue = collection[0].getValue();
var subValue = collection[1].getValue();
var html5SourcesValue = collection[2].getValue();
var youtubeValue = collection[3].getValue();
var displayNameValue = collection[0].getValue(),
subValue = collection[1].getValue(),
html5SourcesValue = collection[2].getValue(),
youtubeValue = collection[3].getValue();
expect(displayNameValue).toBe('display value');
expect(subValue).toBe('default');
expect(html5SourcesValue).toEqual([
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]);
expect(youtubeValue).toBe('12345678901');
});
......@@ -259,8 +259,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
expect(displayNameValue).toBe('default');
expect(subValue).toBe('default');
expect(html5SourcesValue).toEqual([
'default.mp4',
'default.webm'
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]);
expect(youtubeValue).toBe('OEoXaMPEzfM');
});
......@@ -269,8 +269,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
var model = transcripts.collection.models[1];
model.setValue([
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]);
transcripts.syncAdvancedTab(metadataCollection);
......@@ -280,8 +280,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
youtubeValue = collection[3].getValue();
expect(html5SourcesValue).toEqual([
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]);
expect(youtubeValue).toBe('');
});
......
cms/static/js_spec/transcripts/utils_spec.js
......@@ -24,17 +24,13 @@ function ($, _, Utils, _str) {
} (videoId)),
html5FileName = 'file_name',
html5LinksList = (function (videoName) {
html5LinksList = (function (videoName) {
var videoTypes = ['mp4', 'webm'],
links = [
'http://somelink.com/%s.%s?param=1&param=2#hash',
'http://somelink.com/%s.%s#hash',
'http://somelink.com/%s.%s?param=1&param=2',
'http://somelink.com/%s.%s',
'ftp://somelink.com/%s.%s',
'https://somelink.com/%s.%s',
'somelink.com/%s.%s',
'%s.%s'
'https://somelink.com/%s.%s?param=1&param=2#hash',
'https://somelink.com/%s.%s#hash',
'https://somelink.com/%s.%s?param=1&param=2',
'https://somelink.com/%s.%s'
],
data = {};
......@@ -190,7 +186,12 @@ function ($, _, Utils, _str) {
'http://google.com/somevideo_mp4',
'http://google.com/somevideo:mp4',
'http://google.com/somevideo',
'http://google.com/somevideo.webm_'
'http://google.com/somevideo.webm_',
'http://somelink.com/video_name.mp4?param=1&param=2#hash',
'http://somelink.com/video_name.webm',
'ftp://somelink.com/video_name.mp4',
'somelink.com/video_name.webm',
'video_name.mp4'
];
$.each(html5WrongUrls, function (index, link) {
......
cms/static/js_spec/transcripts/videolist_spec.js
......@@ -41,9 +41,9 @@ function ($, _, Utils, VideoList, MessageManager, MetadataView, MetadataModel, A
options: [],
type: MetadataModel.VIDEO_LIST_TYPE,
value: [
'http://youtu.be/12345678901',
'video.mp4',
'video.webm'
'https://youtu.be/12345678901',
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]
},
response = JSON.stringify({
......@@ -408,8 +408,8 @@ function ($, _, Utils, VideoList, MessageManager, MetadataView, MetadataModel, A
view.setValueInEditor([
'http://youtu.be/12345678901',
'video.mp4',
'video'
'https://domain.com/video.mp4',
'https://domain.com/video'
]);
expect(view).assertIsCorrectVideoList(value);
});
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment