Provide a markup protocol whitelist for Phabricator
Summary: See T548 and D996. Makes Phabricator configure the remarkup engine so http:// and https:// get linked. Also make the "named link" syntax respect the whitelist. Test Plan: - Whitelisted URIs (they get linked). - Other URIs (not linked). - Whitelisted, named URIs (linked). - Other, named URIs (treated as phriction links). - Actual phriction links (work correctly). Reviewers: jungejason, nh, tuomaspelkonen, aran, benmathews Reviewed By: jungejason CC: aran, jungejason Differential Revision: 997
This commit is contained in:
parent
78689df4d4
commit
d625f94c55
4 changed files with 27 additions and 1 deletions
|
@ -402,6 +402,14 @@ return array(
|
|||
// You can enable traces for development to make it easier to debug problems.
|
||||
'phabricator.show-stack-traces' => false,
|
||||
|
||||
// When users write comments which have URIs, they'll be automaticaly linked
|
||||
// if the protocol appears in this set. This whitelist is primarily to prevent
|
||||
// security issues like javascript:// URIs.
|
||||
'uri.allowed-protocols' => array(
|
||||
'http' => true,
|
||||
'https' => true,
|
||||
),
|
||||
|
||||
// Tokenizers are UI controls which let the user select other users, email
|
||||
// addresses, project names, etc., by typing the first few letters and having
|
||||
// the control autocomplete from a list. They can load their data in two ways:
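Review bot: The new `uri.allowed-protocols` comment does not say how the value is consumed, and it has a typo (`automaticaly`). From the other hunks in this commit the map is keyed by the bare scheme name with `true` as the value, and it is consulted both for auto-linking plain URIs and for the named `[[ uri | name ]]` syntax, so the comment should say so: `// Keys are bare scheme names (no "://"); the set is consulted both when auto-linking URIs in text and when resolving [[ uri | name ]] links.` That keeps an administrator from adding entries like `'http://' => true` that would never match. The enclosing config array starts and ends outside this hunk.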
|
||||
|
|
|
@ -76,6 +76,8 @@ class PhabricatorMarkupEngine {
|
|||
'custom-inline' => array(),
|
||||
'custom-block' => array(),
|
||||
'macros' => true,
|
||||
'uri.allowed-protocols' => PhabricatorEnv::getEnvConfig(
|
||||
'uri.allowed-protocols'),
|
||||
);
|
||||
}
|
||||
|
||||
|
@ -87,6 +89,9 @@ class PhabricatorMarkupEngine {
|
|||
|
||||
$engine->setConfig('preserve-linebreaks', true);
|
||||
$engine->setConfig('pygments.enabled', $options['pygments']);
|
||||
$engine->setConfig(
|
||||
'uri.allowed-protocols',
|
||||
$options['uri.allowed-protocols']);
|
||||
|
||||
$rules = array();
|
||||
$rules[] = new PhutilRemarkupRuleEscapeRemarkup();
|
||||
|
@ -98,6 +103,7 @@ class PhabricatorMarkupEngine {
|
|||
$rules[] = new PhabricatorRemarkupRuleYoutube();
|
||||
}
|
||||
|
||||
$rules[] = new PhabricatorRemarkupRulePhriction();
|
||||
$rules[] = new PhutilRemarkupRuleHyperlink();
|
||||
|
||||
$rules[] = new PhabricatorRemarkupRuleDifferentialHandle();
|
||||
|
@ -115,7 +121,6 @@ class PhabricatorMarkupEngine {
|
|||
}
|
||||
|
||||
$rules[] = new PhabricatorRemarkupRuleMention();
|
||||
$rules[] = new PhabricatorRemarkupRulePhriction();
|
||||
|
||||
$custom_rule_classes = $options['custom-inline'];
|
||||
if ($custom_rule_classes) {
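Review bot: The Phriction rule is now registered directly ahead of `PhutilRemarkupRuleHyperlink` (the added `$rules[]` line in the third hunk, with the old registration dropped in the fourth), but nothing records why the order matters; presumably the `[[ uri | name ]]` form must be consumed before the bare-hyperlink rule sees the URI inside it, and a later reordering would silently change which rule wins. A one-line comment above the new registration would pin that: `// Must run before the hyperlink rule so [[ uri | name ]] is handled as a unit.` Separately, in the first hunk `PhabricatorEnv::getEnvConfig('uri.allowed-protocols')` is forwarded as-is, so an installation whose config predates this key hands the engine whatever getEnvConfig returns for a missing key rather than an empty array; it is worth stating the intended fallback there (an empty array, matching the `array()` default the Phriction rule uses) rather than relying on each rule to cope with a non-array. Both enclosing methods start and end outside these hunks.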
|
||||
|
|
|
@ -37,6 +37,18 @@ class PhabricatorRemarkupRulePhriction
|
|||
// If whatever is being linked to begins with "/" or has "://", treat it
|
||||
// as a URI instead of a wiki page.
|
||||
$is_uri = preg_match('@(^/)|(://)@', $slug);
|
||||
|
||||
if ($is_uri) {
|
||||
$protocols = $this->getEngine()->getConfig(
|
||||
'uri.allowed-protocols',
|
||||
array());
|
||||
$protocol = id(new PhutilURI($slug))->getProtocol();
|
||||
if (!idx($protocols, $protocol)) {
|
||||
// Don't treat this as a URI if it's not an allowed protocol.
|
||||
$is_uri = false;
|
||||
}
|
||||
}
|
||||
|
||||
if ($is_uri) {
|
||||
$uri = $slug;
|
||||
// Leave the name unchanged, i.e. link the whole URI if there's no
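Review bot: The whitelist check also runs for slugs that matched the `^/` branch of the regex, and a scheme-less local path has no protocol to look up, so `idx($protocols, $protocol)` is false and `[[ /some/local/path ]]` now falls through to wiki-page handling, which the summary does not mention as intended (unless `PhutilURI::getProtocol()` returns something non-empty for such inputs, which the hunk does not show). If local absolute paths are meant to stay linkable, restrict the scheme check to the `://` case: `if ($is_uri && substr($slug, 0, 1) !== '/') {`. The lookup is also case-sensitive against the lowercase keys in the config, so if getProtocol() preserves the author's case a slug like `HTTPS://…` is rejected; normalising with `$protocol = strtolower(...)` before the `idx()` call would make the whitelist match the documented scheme names regardless of case, while still failing closed for anything not listed. The enclosing method starts and ends outside this hunk.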
|
||||
|
|
|
@ -10,6 +10,7 @@ phutil_require_module('phabricator', 'applications/phriction/storage/document');
|
|||
|
||||
phutil_require_module('phutil', 'markup');
|
||||
phutil_require_module('phutil', 'markup/engine/remarkup/markuprule/base');
|
||||
phutil_require_module('phutil', 'parser/uri');
|
||||
phutil_require_module('phutil', 'utils');
|
||||
|
||||
|
||||
|
|