Skip to content

E
edx-platform
Commit 6cb5c390 by polesye Committed by Valera Rozuvan
Options

BLD-408: Don't allow users to enter video url's in http.

parent 80c83f0b
Showing with 112 additions and 93 deletions
CHANGELOG.rst
......@@ -5,6 +5,8 @@ These are notable changes in edx-platform. This is a rolling list of changes,
in roughly chronological order, most recent first. Add your entries at or near
the top. Include a label indicating the component affected.
Blades: Disallow users to enter video url's in http.
Blades: Fix bug when the speed can only be changed when the video is playing.
LMS: Change bulk email implementation to use less memory, and to better handle
......
cms/djangoapps/contentstore/features/transcripts.feature
......@@ -22,8 +22,8 @@ Feature: Video Component Editor
And I edit the component
#User inputs html5 links with equal extension
And I enter a "123.webm" source to field number 1
And I enter a "456.webm" source to field number 2
And I enter a "https://domain.org/123.webm" source to field number 1
And I enter a "https://domain.org/456.webm" source to field number 2
Then I see error message "file_type"
# Currently we are working with 2nd field. It means, that if 2nd field
# contain incorrect value, 1st and 3rd fields should be disabled until
......@@ -35,6 +35,8 @@ Feature: Video Component Editor
#User input URL with incorrect format
And I enter a "htt://link.c" source to field number 1
Then I see error message "url_format"
And I enter a "http://domain.org/123.mp4" source to field number 1
Then I see error message "url_format"
# Currently we are working with 1st field. It means, that if 1st field
# contain incorrect value, 2nd and 3rd fields should be disabled until
# 1st field will be filled by correct correct value
......@@ -120,7 +122,7 @@ Feature: Video Component Editor
Given I have created a Video component
And I edit the component
And I enter a "t_not_exist.mp4" source to field number 1
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 1
Then I see status message "not found"
And I see value "" in the field "HTML5 Transcript"
......@@ -129,7 +131,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "t_not_exist.mp4" source to field number 1
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 1
Then I see status message "found"
And I see value "t_not_exist" in the field "HTML5 Transcript"
......@@ -141,7 +143,7 @@ Feature: Video Component Editor
And I enter a "http://youtu.be/t_not_exist" source to field number 1
Then I see status message "found"
And I enter a "test_video_name.mp4" source to field number 2
And I enter a "https://domain.org/test_video_name.mp4" source to field number 2
Then I see status message "found"
And I see value "t_not_exist" in the field "HTML5 Transcript"
......@@ -156,7 +158,7 @@ Feature: Video Component Editor
And I click transcript button "import"
Then I see status message "found"
And I enter a "t_not_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 2
Then I see status message "found"
And I see value "t__eq_exist" in the field "HTML5 Transcript"
......@@ -170,12 +172,12 @@ Feature: Video Component Editor
And I see button "import"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 2
Then I see status message "not found"
And I see button "import"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.webm" source to field number 3
And I enter a "https://domain.org/t_not_exist.webm" source to field number 3
Then I see status message "not found"
And I see button "import"
And I see button "upload_new_timed_transcripts"
......@@ -188,11 +190,11 @@ Feature: Video Component Editor
Then I see status message "not found"
And I see button "disabled_download_to_edit"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 2
Then I see status message "not found"
And I see button "upload_new_timed_transcripts"
And I see button "disabled_download_to_edit"
And I enter a "t_not_exist.webm" source to field number 3
And I enter a "https://domain.org/t_not_exist.webm" source to field number 3
Then I see status message "not found"
And I see button "disabled_download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -209,12 +211,12 @@ Feature: Video Component Editor
Then I see status message "found"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 2
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.webm" source to field number 3
And I enter a "https://domain.org/t_not_exist.webm" source to field number 3
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -229,12 +231,12 @@ Feature: Video Component Editor
And I see button "disabled_download_to_edit"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 2
Then I see status message "not found"
And I see button "disabled_download_to_edit"
And I see button "upload_new_timed_transcripts"
And I enter a "t_neq_exist.webm" source to field number 3
And I enter a "https://domain.org/t_neq_exist.webm" source to field number 3
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -249,12 +251,12 @@ Feature: Video Component Editor
And I see button "import"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 2
Then I see status message "not found"
And I see button "import"
And I see button "upload_new_timed_transcripts"
And I enter a "t_neq_exist.webm" source to field number 3
And I enter a "https://domain.org/t_neq_exist.webm" source to field number 3
Then I see status message "not found"
And I see button "import"
And I see button "upload_new_timed_transcripts"
......@@ -269,12 +271,12 @@ Feature: Video Component Editor
And I see button "import"
And I see button "upload_new_timed_transcripts"
And I enter a "t_neq_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_neq_exist.mp4" source to field number 2
Then I see status message "not found"
And I see button "import"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.webm" source to field number 3
And I enter a "https://domain.org/t_not_exist.webm" source to field number 3
Then I see status message "not found"
And I see button "import"
And I see button "upload_new_timed_transcripts"
......@@ -291,12 +293,12 @@ Feature: Video Component Editor
Then I see status message "found"
And I see button "upload_new_timed_transcripts"
And I enter a "t_neq_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_neq_exist.mp4" source to field number 2
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.webm" source to field number 3
And I enter a "https://domain.org/t_not_exist.webm" source to field number 3
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -313,12 +315,12 @@ Feature: Video Component Editor
Then I see status message "found"
And I see button "upload_new_timed_transcripts"
And I enter a "t_not_exist.mp4" source to field number 2
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 2
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
And I enter a "t_neq_exist.webm" source to field number 3
And I enter a "https://domain.org/t_neq_exist.webm" source to field number 3
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -328,7 +330,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t__eq_exist"
And I edit the component
And I enter a "t__eq_exist.mp4" source to field number 1
And I enter a "https://domain.org/t__eq_exist.mp4" source to field number 1
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -343,7 +345,7 @@ Feature: Video Component Editor
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
And I enter a "test_transcripts.webm" source to field number 3
And I enter a "https://domain.org/test_transcripts.webm" source to field number 3
Then I see status message "found"
#20
......@@ -351,7 +353,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "test_transcripts.mp4" source to field number 1
And I enter a "https://domain.org/test_transcripts.mp4" source to field number 1
Then I see status message "not found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -359,7 +361,7 @@ Feature: Video Component Editor
Then I see status message "uploaded_successfully"
And I see value "test_transcripts" in the field "HTML5 Transcript"
And I enter a "t_not_exist.webm" source to field number 2
And I enter a "https://domain.org/t_not_exist.webm" source to field number 2
Then I see status message "replace"
And I see choose button "test_transcripts.mp4" number 1
......@@ -372,7 +374,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "t_not_exist.mp4" source to field number 1
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 1
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -381,13 +383,13 @@ Feature: Video Component Editor
And I save changes
And I edit the component
And I enter a "video_name_2.mp4" source to field number 1
And I enter a "https://domain.org/video_name_2.mp4" source to field number 1
Then I see status message "use existing"
And I see button "use_existing"
And I click transcript button "use_existing"
And I see value "video_name_2" in the field "HTML5 Transcript"
And I enter a "video_name_3.mp4" source to field number 1
And I enter a "https://domain.org/video_name_3.mp4" source to field number 1
Then I see status message "use existing"
And I see button "use_existing"
And I click transcript button "use_existing"
......@@ -398,7 +400,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "t_not_exist.mp4" source to field number 1
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 1
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -407,17 +409,17 @@ Feature: Video Component Editor
And I save changes
And I edit the component
And I enter a "video_name_2.mp4" source to field number 1
And I enter a "https://domain.org/video_name_2.mp4" source to field number 1
Then I see status message "use existing"
And I see button "use_existing"
And I click transcript button "use_existing"
And I see value "video_name_2" in the field "HTML5 Transcript"
And I enter a "video_name_3.mp4" source to field number 1
And I enter a "https://domain.org/video_name_3.mp4" source to field number 1
Then I see status message "use existing"
And I see button "use_existing"
And I enter a "video_name_4.mp4" source to field number 1
And I enter a "https://domain.org/video_name_4.mp4" source to field number 1
Then I see status message "use existing"
And I see button "use_existing"
And I click transcript button "use_existing"
......@@ -428,7 +430,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "t_not_exist.mp4" source to field number 1
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 1
Then I see status message "found"
And I see button "download_to_edit"
And I see button "upload_new_timed_transcripts"
......@@ -436,11 +438,11 @@ Feature: Video Component Editor
And I save changes
And I edit the component
And I enter a "video_name_2.mp4" source to field number 1
And I enter a "https://domain.org/video_name_2.mp4" source to field number 1
Then I see status message "use existing"
And I see button "use_existing"
And I enter a "video_name_3.webm" source to field number 2
And I enter a "https://domain.org/video_name_3.webm" source to field number 2
Then I see status message "use existing"
And I see button "use_existing"
And I click transcript button "use_existing"
......@@ -451,7 +453,7 @@ Feature: Video Component Editor
Given I have created a Video component
And I edit the component
And I enter a "video_name_1.mp4" source to field number 1
And I enter a "https://domain.org/video_name_1.mp4" source to field number 1
And I see status message "not found"
And I upload the transcripts file "test_transcripts.srt"
Then I see status message "uploaded_successfully"
......@@ -471,7 +473,7 @@ Feature: Video Component Editor
Given I have created a Video component
And I edit the component
And I enter a "video_name_1.mp4" source to field number 1
And I enter a "https://domain.org/video_name_1.mp4" source to field number 1
Then I see status message "not found"
#26
......@@ -479,10 +481,10 @@ Feature: Video Component Editor
Given I have created a Video component
And I edit the component
And I enter a "video_name_1.mp4" source to field number 1
And I enter a "https://domain.org/video_name_1.mp4" source to field number 1
And I see status message "not found"
And I enter a "video_name_2.webm" source to field number 2
And I enter a "https://domain.org/video_name_2.webm" source to field number 2
And I see status message "not found"
And I upload the transcripts file "test_transcripts.srt"
Then I see status message "uploaded_successfully"
......@@ -518,7 +520,7 @@ Feature: Video Component Editor
Then I see status message "not found"
And I see button "upload_new_timed_transcripts"
And I enter a "video_name_1.mp4" source to field number 2
And I enter a "https://domain.org/video_name_1.mp4" source to field number 2
Then I see status message "not found"
And I see button "upload_new_timed_transcripts"
......@@ -538,7 +540,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "video_name_1.mp4" source to field number 1
And I enter a "https://domain.org/video_name_1.mp4" source to field number 1
Then I see status message "not found"
And I open tab "Advanced"
......@@ -556,7 +558,7 @@ Feature: Video Component Editor
Given I have created a Video component
And I edit the component
And I enter a "video_name_1.mp4" source to field number 1
And I enter a "https://domain.org/video_name_1.mp4" source to field number 1
Then I see status message "not found"
And I upload the transcripts file "chinese_transcripts.srt"
......@@ -570,7 +572,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "video_name_1.mp4" source to field number 1
And I enter a "https://domain.org/video_name_1.mp4" source to field number 1
Then I see status message "not found"
And I open tab "Advanced"
......@@ -590,7 +592,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "t_not_exist.mp4" source to field number 1
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 1
Then I see status message "found"
And I open tab "Advanced"
......@@ -610,7 +612,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "t_not_exist.mp4" source to field number 1
And I enter a "https://domain.org/t_not_exist.mp4" source to field number 1
Then I see status message "found"
And I save changes
......@@ -633,7 +635,7 @@ Feature: Video Component Editor
Given I have created a Video component with subtitles "t_not_exist"
And I edit the component
And I enter a "video_name_1.mp4" source to field number 1
And I enter a "https://domain.org/video_name_1.mp4" source to field number 1
Then I see status message "not found"
And I upload the transcripts file "chinese_transcripts.srt"
......
cms/djangoapps/contentstore/views/item.py
......@@ -2,8 +2,9 @@
import logging
from uuid import uuid4
from requests.packages.urllib3.util import parse_url
from django.core.exceptions import PermissionDenied
from django.core.exceptions import PermissionDenied, ValidationError
from django.contrib.auth.decorators import login_required
from xmodule.modulestore import Location
......@@ -107,6 +108,17 @@ def save_item(request):
except ValueError:
return JsonResponse({"error": "Invalid data"}, 400)
field.write_to(existing_item, value)
if existing_item.category == 'video':
allowedSchemes = ['https']
# The entire site is served from https, so browsers with good
# security will reject non-https URLs anyway.
# Also, following video module specific code is here, because front-end
# metadata fields doesn't support validation.
if metadata_key == 'html5_sources' and not all([parse_url(u).scheme in allowedSchemes for u in value]):
raise ValidationError(u'HTML5 video sources support following protocols: {0}.'.format(' '.join(allowedSchemes)))
# Save the data that we've just changed to the underlying
# MongoKeyValueStore before we update the mongo datastore.
existing_item.save()
......
cms/static/js/views/transcripts/utils.js
......@@ -145,7 +145,8 @@ define(["jquery", "underscore", "jquery.ajaxQueue"], function($, _) {
}
var link = document.createElement('a'),
match;
allowedProtocols = ['https'],
match, protocol;
link.href = url;
match = link.pathname
......@@ -153,7 +154,8 @@ define(["jquery", "underscore", "jquery.ajaxQueue"], function($, _) {
.pop()
.match(/(.+)\.(mp4|webm)$/);
if (match) {
protocol = link.protocol.slice(0, -1);
if (match && $.inArray(protocol, allowedProtocols) !== -1) {
cache[url] = {
video: match[1],
type: match[2]
......
cms/static/js_spec/transcripts/editor_spec.js
......@@ -18,8 +18,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
type: MetadataModel.VIDEO_LIST_TYPE,
value: [
'http://youtu.be/12345678901',
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]
},
DisplayNameEntry = {
......@@ -116,7 +116,10 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
help: 'A list of html5 sources.',
options: [],
type: MetadataModel.LIST_TYPE,
value: ['default.mp4', 'default.webm']
value: [
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]
},
youtubeEntry = {
......@@ -169,17 +172,14 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
}, "Defaults never loaded", 1000);
runs(function() {
var displayNameValue = collection[0].getValue();
var videoUrlValue = collection[1].getValue();
var displayNameValue = collection[0].getValue(),
videoUrlValue = collection[1].getValue();
expect(displayNameValue).toBe('default');
expect(videoUrlValue).toEqual([
'http://youtu.be/OEoXaMPEzfM',
'default.mp4',
'default.webm'
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]);
});
});
it('If metadataCollection is not defined', function () {
......@@ -190,8 +190,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
expect(videoUrlValue).toEqual([
'http://youtu.be/12345678901',
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]);
});
......@@ -202,8 +202,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
model.setValue([
'12345678',
'default.mp4',
'default.webm'
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]);
transcripts.syncBasicTab(metadataCollection, metadataView);
......@@ -213,8 +213,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
expect(videoUrlValue).toEqual([
'',
'default.mp4',
'default.webm'
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]);
});
});
......@@ -232,16 +232,16 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
runs(function() {
var displayNameValue = collection[0].getValue();
var subValue = collection[1].getValue();
var html5SourcesValue = collection[2].getValue();
var youtubeValue = collection[3].getValue();
var displayNameValue = collection[0].getValue(),
subValue = collection[1].getValue(),
html5SourcesValue = collection[2].getValue(),
youtubeValue = collection[3].getValue();
expect(displayNameValue).toBe('display value');
expect(subValue).toBe('default');
expect(html5SourcesValue).toEqual([
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]);
expect(youtubeValue).toBe('12345678901');
});
......@@ -259,8 +259,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
expect(displayNameValue).toBe('default');
expect(subValue).toBe('default');
expect(html5SourcesValue).toEqual([
'default.mp4',
'default.webm'
'https://domain.com/default.mp4',
'https://domain.com/default.webm'
]);
expect(youtubeValue).toBe('OEoXaMPEzfM');
});
......@@ -269,8 +269,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
var model = transcripts.collection.models[1];
model.setValue([
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]);
transcripts.syncAdvancedTab(metadataCollection);
......@@ -280,8 +280,8 @@ function ($, Backbone, _, Utils, Editor, MetadataView, MetadataModel, MetadataCo
youtubeValue = collection[3].getValue();
expect(html5SourcesValue).toEqual([
'video.mp4',
'video.webm'
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]);
expect(youtubeValue).toBe('');
});
......
cms/static/js_spec/transcripts/utils_spec.js
......@@ -24,17 +24,13 @@ function ($, _, Utils, _str) {
} (videoId)),
html5FileName = 'file_name',
html5LinksList = (function (videoName) {
html5LinksList = (function (videoName) {
var videoTypes = ['mp4', 'webm'],
links = [
'http://somelink.com/%s.%s?param=1&param=2#hash',
'http://somelink.com/%s.%s#hash',
'http://somelink.com/%s.%s?param=1&param=2',
'http://somelink.com/%s.%s',
'ftp://somelink.com/%s.%s',
'https://somelink.com/%s.%s',
'somelink.com/%s.%s',
'%s.%s'
'https://somelink.com/%s.%s?param=1&param=2#hash',
'https://somelink.com/%s.%s#hash',
'https://somelink.com/%s.%s?param=1&param=2',
'https://somelink.com/%s.%s'
],
data = {};
......@@ -190,7 +186,12 @@ function ($, _, Utils, _str) {
'http://google.com/somevideo_mp4',
'http://google.com/somevideo:mp4',
'http://google.com/somevideo',
'http://google.com/somevideo.webm_'
'http://google.com/somevideo.webm_',
'http://somelink.com/video_name.mp4?param=1&param=2#hash',
'http://somelink.com/video_name.webm',
'ftp://somelink.com/video_name.mp4',
'somelink.com/video_name.webm',
'video_name.mp4'
];
$.each(html5WrongUrls, function (index, link) {
......
cms/static/js_spec/transcripts/videolist_spec.js
......@@ -41,9 +41,9 @@ function ($, _, Utils, VideoList, MessageManager, MetadataView, MetadataModel, A
options: [],
type: MetadataModel.VIDEO_LIST_TYPE,
value: [
'http://youtu.be/12345678901',
'video.mp4',
'video.webm'
'https://youtu.be/12345678901',
'https://domain.com/video.mp4',
'https://domain.com/video.webm'
]
},
response = JSON.stringify({
......@@ -408,8 +408,8 @@ function ($, _, Utils, VideoList, MessageManager, MetadataView, MetadataModel, A
view.setValueInEditor([
'http://youtu.be/12345678901',
'video.mp4',
'video'
'https://domain.com/video.mp4',
'https://domain.com/video'
]);
expect(view).assertIsCorrectVideoList(value);
});
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment