Security fix: faked urls

Backend detection hasn't been resistant against faked urls like: http://youtube.com.myurl.com/watch?v=abcde http://vimeo.com.myurl.com/watch?v=abcde It is fixed and added few tests to cover it.
2026-04-26 07:34:43 +00:00 · 2013-08-12 12:11:42 +02:00 · 2013-08-12 12:11:42 +02:00 · d0d357b767
commit d0d357b767
parent 231e3780ad
2 changed files with 20 additions and 4 deletions
--- a/embed_video/base.py
+++ b/embed_video/base.py
@ -4,13 +4,13 @@ import requests
 import json

 DETECT_YOUTUBE = re.compile(
-    r'^(http(s)?://(www\.)?)?youtu(\.?)be(\.com)?.*', re.I
+    r'^(http(s)?://(www\.)?)?youtu(\.?)be(\.com)?/.*', re.I
 )
 DETECT_VIMEO = re.compile(
-    r'^(http(s)?://(www\.)?)?vimeo\.com.*', re.I
+    r'^(http(s)?://(www\.)?)?vimeo\.com/.*', re.I
 )
 DETECT_SOUNDCLOUD = re.compile(
-    r'^(http(s)?://(www\.)?)?soundcloud\.com.*', re.I
+    r'^(http(s)?://(www\.)?)?soundcloud\.com/.*', re.I
 )


--- a/embed_video/tests/tests_backend.py
+++ b/embed_video/tests/tests_backend.py
@ -5,10 +5,17 @@ from django.template.base import Template
 from django.template.context import RequestContext

 from ..base import detect_backend, YoutubeBackend, VimeoBackend, \
-        SoundCloundBackend
+        SoundCloundBackend, UnknownBackendException


 class EmbedVideoTestCase(TestCase):
+    unknown_backend_urls = (
+        'http://myurl.com/?video=http://www.youtube.com/watch?v=jsrRJyHBvzw',
+        'http://myurl.com/?video=www.youtube.com/watch?v=jsrRJyHBvzw',
+        'http://youtube.com.myurl.com/watch?v=jsrRJyHBvzw',
+        'http://vimeo.com.myurl.com/66577491',
+    )
+
    youtube_urls = (
        ('http://www.youtube.com/watch?v=jsrRJyHBvzw', 'jsrRJyHBvzw'),
        ('http://youtube.com/watch?v=jsrRJyHBvzw', 'jsrRJyHBvzw'),
@ -92,6 +99,15 @@ class EmbedVideoTestCase(TestCase):

        self.assertEqual(template.render(self._grc()).strip(), rendered)

+    def test_detect_bad_urls(self):
+        for url in self.unknown_backend_urls:
+            try:
+                backend = detect_backend(url)
+                self.assertEqual(backend, False)
+            except UnknownBackendException:
+                assert True
+
+
    def test_detect_youtube(self):
        for url in self.youtube_urls:
            backend = detect_backend(url[0])