
Security fix: faked urls

Backend detection hasn't been resistant against faked urls like:

http://youtube.com.myurl.com/watch?v=abcde
http://vimeo.com.myurl.com/watch?v=abcde

This is now fixed, and a few tests have been added to cover it.
yetty committed Aug 12, 2013
1 parent 231e378 commit d0d357b767e324a7cc21b5035357fdfbc7c8ce8e
Showing with 20 additions and 4 deletions.
  1. +3 −3 embed_video/base.py
  2. +17 −1 embed_video/tests/tests_backend.py
@@ -4,13 +4,13 @@
import json

DETECT_YOUTUBE = re.compile(
r'^(http(s)?://(www\.)?)?youtu(\.?)be(\.com)?.*', re.I
r'^(http(s)?://(www\.)?)?youtu(\.?)be(\.com)?/.*', re.I
)
DETECT_VIMEO = re.compile(
r'^(http(s)?://(www\.)?)?vimeo\.com.*', re.I
r'^(http(s)?://(www\.)?)?vimeo\.com/.*', re.I
)
DETECT_SOUNDCLOUD = re.compile(
r'^(http(s)?://(www\.)?)?soundcloud\.com.*', re.I
r'^(http(s)?://(www\.)?)?soundcloud\.com/.*', re.I
)
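Review bot: The new `DETECT_YOUTUBE` pattern still accepts hosts that are not YouTube, because `youtu(\.?)be(\.com)?/` leaves both the dot and the `.com` suffix optional, so `youtu.be.com/…` and a bare `youtube/…` match alongside the two intended hosts. Spelling the hosts out closes that, provided nothing reads the capture groups by number: `r'^(http(s)?://(www\.)?)?(youtube\.com|youtu\.be)/.*', re.I`. More generally, all three patterns decide the host by matching the raw string. Parsing the URL and comparing its hostname against an exact allowlist would be sturdier than anchoring on the trailing `/`, though that change belongs in `detect_backend`, which is outside this hunk.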


@@ -5,10 +5,17 @@
from django.template.context import RequestContext

from ..base import detect_backend, YoutubeBackend, VimeoBackend, \
SoundCloundBackend
SoundCloundBackend, UnknownBackendException


class EmbedVideoTestCase(TestCase):
unknown_backend_urls = (
'http://myurl.com/?video=http://www.youtube.com/watch?v=jsrRJyHBvzw',
'http://myurl.com/?video=www.youtube.com/watch?v=jsrRJyHBvzw',
'http://youtube.com.myurl.com/watch?v=jsrRJyHBvzw',
'http://vimeo.com.myurl.com/66577491',
)

youtube_urls = (
('http://www.youtube.com/watch?v=jsrRJyHBvzw', 'jsrRJyHBvzw'),
('http://youtube.com/watch?v=jsrRJyHBvzw', 'jsrRJyHBvzw'),
@@ -92,6 +99,15 @@ def test_tag_vimeo(self):

self.assertEqual(template.render(self._grc()).strip(), rendered)

def test_detect_bad_urls(self):
for url in self.unknown_backend_urls:
try:
backend = detect_backend(url)
self.assertEqual(backend, False)
except UnknownBackendException:
assert True


def test_detect_youtube(self):
for url in self.youtube_urls:
backend = detect_backend(url[0])
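Review bot: `unknown_backend_urls` has spoofed-host cases for YouTube and Vimeo but none for SoundCloud, although this commit changes `DETECT_SOUNDCLOUD` in the same way; a constructed entry such as `'http://soundcloud.com.myurl.com/artist/track'` would cover the third pattern. `test_detect_bad_urls` also passes on either outcome, a `False` return or an `UnknownBackendException`, and its `assert True` checks nothing. If raising is the intended contract (not visible on this page), `self.assertRaises(UnknownBackendException, detect_backend, url)` inside the loop states it directly.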
