From 0927bb5f2c50a8927d774df94c44a1bc8acac7a9 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Mon, 8 Feb 2021 02:03:48 -0500
Subject: [PATCH 1/2] Harden OEmbed link discovery

- Check OEmbed call return code before storing response
- Stop at first successful OEmbed response
---
 src/Content/OEmbed.php | 26 ++++++++++++--------------
 1 file changed, 12 insertions(+), 14 deletions(-)

diff --git a/src/Content/OEmbed.php b/src/Content/OEmbed.php
index 355dda3fc1..3afa36904a 100644
--- a/src/Content/OEmbed.php
+++ b/src/Content/OEmbed.php
@@ -98,21 +98,19 @@ class OEmbed
 // try oembed autodiscovery
 $html_text = DI::httpRequest()->fetch($embedurl, 15, 'text/*');
 if ($html_text) {
- $dom = @DOMDocument::loadHTML($html_text);
- if ($dom) {
+ $dom = new DOMDocument();
+ if ($dom->loadHTML($html_text)) {
 $xpath = new DOMXPath($dom);
- $entries = $xpath->query("//link[@type='application/json+oembed']");
- foreach ($entries as $e) {
- $href = $e->getAttributeNode('href')->nodeValue;
- $json_string = DI::httpRequest()->fetch($href . '&maxwidth=' . $a->videowidth);
- break;
- }
-
- $entries = $xpath->query("//link[@type='text/json+oembed']");
- foreach ($entries as $e) {
- $href = $e->getAttributeNode('href')->nodeValue;
- $json_string = DI::httpRequest()->fetch($href . '&maxwidth=' . $a->videowidth);
- break;
+ foreach (
+ $xpath->query("//link[@type='application/json+oembed'] | //link[@type='text/json+oembed']")
+ as $link)
+ {
+ $href = $link->getAttributeNode('href')->nodeValue;
+ $result = DI::httpRequest()->fetchFull($href . '&maxwidth=' . $a->videowidth);
+ if ($result->getReturnCode() === 200) {
+ $json_string = $result->getBody();
+ break;
+ }
 }
 }
 }

From 4a57ed1a31eb96d55f70aaa6ed7ed7d8e6acc362 Mon Sep 17 00:00:00 2001
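Review bot: The `href` taken from the discovered `<link>` is remote, attacker-controlled HTML and goes straight into `fetchFull()` on the new side without any check, and `getAttributeNode('href')` returns false when the attribute is absent, so `->nodeValue` then warns and the request is built from an empty value. I would read it as `$href = $link->getAttribute('href');` and skip entries that are empty or not absolute http(s) URLs, e.g. `if (!preg_match('#^https?://#i', $href)) { continue; }`, which also keeps the HTTP client from being pointed at relative paths or other schemes. The `$href . '&maxwidth='` concatenation assumes the endpoint URL already carries a query string; a bare endpoint ends up with `&maxwidth=` and no `?`, so choosing the separator with `strpos($href, '?') === false ? '?' : '&'` would be safer. Dropping the `@` means `$dom->loadHTML()` now emits libxml warnings on malformed remote HTML; call `libxml_use_internal_errors(true)` first or pass `LIBXML_NOERROR | LIBXML_NOWARNING`. The enclosing fetchURL body starts and ends outside this hunk.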
From: Hypolite Petovan
Date: Mon, 8 Feb 2021 02:06:24 -0500
Subject: [PATCH 2/2] Move HTTPS exception for YouTube and Vimeo to OEmbed::fetchUrl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Both Youtube and Vimeo output OEmbed endpoint URL with HTTP but their OEmbed endpoint is only accessible by HTTPS ¯\_(ツ)_/¯
---
 src/Content/OEmbed.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/Content/OEmbed.php b/src/Content/OEmbed.php
index 3afa36904a..1a5d1d9042 100644
--- a/src/Content/OEmbed.php
+++ b/src/Content/OEmbed.php
@@ -106,6 +106,10 @@ class OEmbed
 as $link)
 {
 $href = $link->getAttributeNode('href')->nodeValue;
+ // Both Youtube and Vimeo output OEmbed endpoint URL with HTTP
+ // but their OEmbed endpoint is only accessible by HTTPS ¯\_(ツ)_/¯
+ $href = str_replace(['http://www.youtube.com/', 'http://player.vimeo.com/'],
+ ['https://www.youtube.com/', 'https://player.vimeo.com/'], $href);
 $result = DI::httpRequest()->fetchFull($href . '&maxwidth=' . $a->videowidth);
 if ($result->getReturnCode() === 200) {
 $json_string = $result->getBody();
@@ -335,10 +339,6 @@ class OEmbed
 public static function getHTML($url, $title = null)
 {
- // Always embed the SSL version
- $url = str_replace(["http://www.youtube.com/", "http://player.vimeo.com/"],
- ["https://www.youtube.com/", "https://player.vimeo.com/"], $url);
-
 $o = self::fetchURL($url, !self::isAllowedURL($url));
 if (!is_object($o) || property_exists($o, 'type') && $o->type == 'error') {
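Review bot: The `str_replace()` added after `$href` is unanchored, so it rewrites the two prefixes wherever they appear inside the discovered URL (a query parameter included) rather than only at its start; anchoring it, e.g. `$href = preg_replace('#^http://(www\.youtube\.com|player\.vimeo\.com)/#', 'https://$1/', $href);`, restricts the upgrade to the endpoint host itself. Note that the replacement removed from getHTML() applied to the page URL before it reached fetchURL() and isAllowedURL(), whereas this one only touches the autodiscovered endpoint, so an `http://www.youtube.com/...` page URL now appears to be fetched and allow-listed as given — worth confirming that is intended. More broadly, any endpoint discovered from an HTTPS page that points at plain `http://` delivers the embed over an unauthenticated channel, so a comment such as `// TODO: consider refusing http:// endpoints discovered from https:// pages` would record the residual risk this host-specific fix leaves open. The enclosing foreach and the fetchURL body extend beyond this hunk.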