summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBrion Vibber <brion@pobox.com>2010-11-16 15:36:53 -0800
committerBrion Vibber <brion@pobox.com>2010-11-16 15:36:53 -0800
commitd1fb52264bc41a54061614772580377f200e90ee (patch)
tree9ee7c3e8771ee4e9fb67b595ec9ec8be80d4e08e
parent9cdb9cc18d7aea9eaf13443413ba051e78e1f89e (diff)
Use session token protection on oEmbed proxy action for LinkPreview... and commit the file *sigh*
-rw-r--r--plugins/LinkPreview/linkpreview.js3
-rw-r--r--plugins/LinkPreview/oembedproxyaction.php84
2 files changed, 86 insertions, 1 deletions
diff --git a/plugins/LinkPreview/linkpreview.js b/plugins/LinkPreview/linkpreview.js
index 641adb729..0c0eb734e 100644
--- a/plugins/LinkPreview/linkpreview.js
+++ b/plugins/LinkPreview/linkpreview.js
@@ -54,7 +54,8 @@
url: url,
format: 'json',
maxwidth: oEmbed.width,
- maxheight: oEmbed.height
+ maxheight: oEmbed.height,
+ token: $('#token').val()
};
$.get(oEmbed.api, params, function(data, xhr) {
callback(data);
diff --git a/plugins/LinkPreview/oembedproxyaction.php b/plugins/LinkPreview/oembedproxyaction.php
new file mode 100644
index 000000000..470f78073
--- /dev/null
+++ b/plugins/LinkPreview/oembedproxyaction.php
@@ -0,0 +1,84 @@
+<?php
+/**
+ * StatusNet, the distributed open-source microblogging tool
+ *
+ * StatusNet-only extensions to the Twitter-like API
+ *
+ * PHP version 5
+ *
+ * LICENCE: This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * @package StatusNet
+ * @author Brion Vibber <brion@status.net>
+ * @copyright 2010 StatusNet, Inc.
+ * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
+ * @link http://status.net/
+ */
+
+if (!defined('STATUSNET') && !defined('LACONICA')) {
+ exit(1);
+}
+
+/**
+ * Oembed proxy implementation
+ *
+ * This class provides an interface for our JS-side code to pull info on
+ * links from other sites, using either native oEmbed, our own custom
+ * handlers, or the oohEmbed.com offsite proxy service as configured.
+ *
+ * @category oEmbed
+ * @package StatusNet
+ * @author Brion Vibber <brion@status.net>
+ * @copyright 2010 StatusNet, Inc.
+ * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
+ * @link http://status.net/
+ */
+
+class OembedproxyAction extends OembedAction
+{
+
+ function handle($args)
+ {
+ // We're not a general oEmbed proxy service; limit to valid sessions.
+ $token = $this->trimmed('token');
+ if (!$token || $token != common_session_token()) {
+ $this->clientError(_('There was a problem with your session token. '.
+ 'Try again, please.'));
+ }
+
+ $format = $this->arg('format');
+ if ($format && $format != 'json') {
+ throw new ClientException('Invalid format; only JSON supported.');
+ }
+
+ $url = $this->arg('url');
+ if (!common_valid_http_url($url)) {
+ throw new ClientException('Invalid URL.');
+ }
+
+ $params = array();
+ if ($this->arg('maxwidth')) {
+ $params['maxwidth'] = $this->arg('maxwidth');
+ }
+ if ($this->arg('maxheight')) {
+ $params['maxheight'] = $this->arg('maxheight');
+ }
+
+ $data = oEmbedHelper::getObject($url, $params);
+
+ $this->init_document('json');
+ print json_encode($data);
+ }
+
+}