Media Fails to Enforce oEmbed Allowed Providers Setting

Open on Drupal.org →

Created on 1 October 2023, over 1 year ago

Background information

security.drupal.org private issue: https://security.drupal.org/node/174515
(included for reference. Please do not report access denied as an error.)
Originally reported by @Chris Burge →

Problem/Motivation

In Media, there is an ‘Allowed providers’ setting for Remote video where a site builder can determine which oEmbed providers are allowed. Because of the nature of oEmbed, this is security setting. There are two instances where this security setting is not enforced:

When a user is referencing existing media, the allowed providers setting is not checked.
When rendering existing media, the allowed providers settings is not checked.
As a result, oEmbed media that is not allowed 1) can still be added to content and 2) is still rendered.

The expected behavior is as follows:

When a user is referencing existing media, the allowed providers setting is checked. Only allowed oEmbed media can be referenced.
When rendering existing media, the allowed providers setting is checked. Only allowed oEmbed media is rendered.
Think about how allowed elements are handled with text formats. If an element exists but isn't allowed, then it isn't rendered. If an element is not allowed, a user cannot add the element with CKEditor either. The same analogous behavior should be applied for oEmbed providers, too.

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Contributors

- Chris Burge
- marcoscano
- larowlan
- effulgentsia
- catch

🐛 Bug report

Status

Active

Version

10.1 ✨

Component

Last updated about 2 hours ago

Maintained by
🇳🇱Netherlands @seanB
🇩🇪Germany @chr.fritsch
🇺🇸United States @phenaproxima
🇪🇸Spain @marcoscano

Created by

🇳🇱Netherlands dokumori Utrecht

Live updates comments and jobs are added and updated live.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Comments & Activities

Issue created by @dokumori
Comment over 1 year ago →
🇳🇱Netherlands dokumori Utrecht
Comment by catch:

This is more of a data integrity issue than a security issue - the allowed providers list is for new content, not existing content.
Comment 3 days ago →
🇺🇸United States Chris Burge
Duplicate? 🐛 Media library allows adding videos from providers other than Youtube/Vimeo using Media embed Needs work
Comment 2 days ago →
🇳🇱Netherlands dokumori Utrecht
@chris burge Thanks, it does seem like a duplicate.
Comment 2 days ago →
🇫🇷France prudloff Lille
I'm not sure this is a duplicate of 🐛 Media library allows adding videos from providers other than Youtube/Vimeo using Media embed Needs work .

If I understand correctly, this is about restricting allowed providers on existing media.
Whereas 🐛 Media library allows adding videos from providers other than Youtube/Vimeo using Media embed Needs work is about core failing to restrict providers on new media created in the media library.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024