Automattic / jetpack

Security, performance, marketing, and design tools — Jetpack is made by WordPress experts to make WP sites safer and faster, and help you grow your traffic.
https://jetpack.com/

Photon: validate URLs passed to jetpack_photon_url() when used by third-parties #35674

Open asafm7 opened 7 months ago

asafm7 commented 7 months ago

Impacted plugin

Jetpack

Quick summary

The jetpack_photon_url filter photon-izes invalid URLs, for example with SVG extension.

This leads to broken images.

Also, there isn't an API function to validate image URLs.

While checking for supported extensions manually is possible, the list might change.

Steps to reproduce

Pass a URL with an unsupported extension (for example svg, or avif) to the filter.

A clear and concise description of what you expected to happen.

The jetpack_photon_url should return the original URL if the extension isn't supported.

What actually happened

No response

Impact

Some (< 50%)

Available workarounds?

No response

Platform (Simple and/or Atomic)

No response

Logs or notes

No response

jeherve commented 7 months ago

Could you give us an example of an image URL that gets served by Photon but shouldn't, when you insert it in your post content?

Also, there isn't an API function to validate image URLs.

How would you like to be using such an API? Do not hesitate to give us more details about that, maybe in a new issue with your use-case? We do have this method for example, but it's currently not accessible outside of the class context because there hasn't been a need for it until now. https://github.com/Automattic/jetpack/blob/bbcb370e56600ecaf31fdc96de8aecd677148dcf/projects/packages/image-cdn/src/class-image-cdn.php#L1072-L1079

asafm7 commented 7 months ago

Thanks @jeherve.

Could you give us an example of an image URL that gets served by Photon but shouldn't, when you insert it in your post content?

Not organically. I assume all organic URLs are passed through the validate_image_url function.

My issue is with a couple of custom coding scenarios. I, for example, try to photon-ize images outside of the image library.

How would you like to be using such an API? Do not hesitate to give us more details about that, maybe in a new issue with your use-case?

Photon-ising a URL is the only use case I can think of currently.

If the jetpack_photon_url filter is modified to validate the URL, a dedicated validation function might not be required. On the other hand, if for some reason jetpack_photon_url can't validate URLs, a dedicated function might be useful before passing a URL to the filter.

Please let me know if more information is required.
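The guard the thread asks for, written here as an added example rather than Jetpack's own code: a third-party caller checks the URL before handing it to the jetpack_photon_url filter, so unsupported extensions come back unchanged instead of as a broken CDN URL. The extension allow-list (MY_PHOTON_EXTENSIONS) and the function names prefixed my_ are assumptions maintained by the caller, which is exactly the drift the issue warns about; wp_parse_url and the filter's ( $url, $args, $scheme ) arguments are WordPress and Jetpack APIs.

```php
<?php
// Added example (not Jetpack's own code). Assumed allow-list of extensions Photon
// can serve; it is maintained by hand and may drift from what Photon supports.
const MY_PHOTON_EXTENSIONS = array( 'gif', 'jpg', 'jpeg', 'png', 'webp' );

/**
 * True when $url is an absolute http(s) URL whose path ends in an allowed
 * extension. Query strings and fragments are ignored, so "logo.svg?v=2" is
 * still rejected and "photo.PNG" is still accepted.
 */
function my_is_photon_candidate( $url ) {
	$parts = wp_parse_url( $url );
	if ( ! is_array( $parts ) || empty( $parts['host'] ) || empty( $parts['path'] ) ) {
		return false; // relative or unparsable URL: Photon needs a full origin.
	}
	$scheme = strtolower( isset( $parts['scheme'] ) ? $parts['scheme'] : '' );
	if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
		return false; // data:, file: and similar schemes are never CDN candidates.
	}
	$ext = strtolower( pathinfo( $parts['path'], PATHINFO_EXTENSION ) );
	return in_array( $ext, MY_PHOTON_EXTENSIONS, true );
}

/**
 * Photon-ize $url only when it passes the guard; otherwise return it as-is.
 * $args are forwarded to the filter unchanged (for example array( 'w' => 600 )).
 */
function my_maybe_photon_url( $url, $args = array() ) {
	if ( ! my_is_photon_candidate( $url ) ) {
		return $url;
	}
	return apply_filters( 'jetpack_photon_url', $url, $args, null );
}

// Constructed usage: the SVG is returned untouched, the PNG goes through Photon.
$svg = my_maybe_photon_url( 'https://example.com/brand/logo.svg' );
$png = my_maybe_photon_url( 'https://example.com/hero.png', array( 'w' => 600 ) );
```

If Jetpack later changes jetpack_photon_url to validate internally, the guard becomes redundant but harmless, since an unsupported URL is returned unchanged either way.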