From a88c0233d62351de64fa0b0d73b376d9eb996a61 Mon Sep 17 00:00:00 2001
From: Robert Elder
Date: Mon, 27 Oct 2014 15:07:12 +0000
Subject: [PATCH 1/2] Don't throw exceptions for localhost in CORSHelper.
---
 airtime_mvc/application/common/CORSHelper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/airtime_mvc/application/common/CORSHelper.php b/airtime_mvc/application/common/CORSHelper.php
index cf3f6d5ac..6febb0f1b 100644
--- a/airtime_mvc/application/common/CORSHelper.php
+++ b/airtime_mvc/application/common/CORSHelper.php
@@ -10,7 +10,7 @@ class CORSHelper
 //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
 $response = $response->setHeader('Access-Control-Allow-Origin', '*');
 $origin = $request->getHeader('Origin');
- if (($origin != "") &&
+ if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
 (!in_array($origin, array("http://www.airtime.pro",
 "https://www.airtime.pro",
From fd39db2e241a903b9557c979b37c5c7fd54036b1 Mon Sep 17 00:00:00 2001
From: Albert Santoni
Date: Wed, 29 Oct 2014 17:55:42 -0400
Subject: [PATCH 2/2] Merge pull request #75 - Saas relder csrf delete file
---
 .../rest/controllers/MediaController.php | 25 ++++++++++++++++---
 .../public/js/airtime/library/plupload.js | 2 +-
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/airtime_mvc/application/modules/rest/controllers/MediaController.php b/airtime_mvc/application/modules/rest/controllers/MediaController.php
index f03b3b7b2..dbbc346ba 100644
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
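Review bot: The added `preg_match("/https?:\/\/localhost/", $origin)` is anchored at neither end, so it exempts from the whitelist check any Origin whose host merely begins with `localhost` (a constructed origin such as `http://localhost.example` would match), not only the local development server. Anchor the pattern and allow an optional port: `if ((preg_match('/^https?:\/\/localhost(:\d+)?$/', $origin) !== 1) && ($origin != "") &&`. Writing the test as `!== 1` instead of `!(... === 1)` also reads as the single condition it is. The enclosing method begins before and continues past the hunk.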
@@ -300,12 +300,18 @@ class Rest_MediaController extends Zend_Rest_Controller
 }
 return $id;
 }
-
+
 private function verifyAuth($checkApiKey, $checkSession)
 {
- //Session takes precedence over API key for now:
- if ($checkSession && $this->verifySession())
- {
+ // Session takes precedence over API key for now:
+ if ($checkSession && $this->verifySession()) {
+ // CSRF token validation only applies to session based authorization.
+ if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
+ $resp = $this->getResponse();
+ $resp->setHttpResponseCode(401);
+ $resp->appendBody("ERROR: Token Missmatch.");
+ return false;
+ }
 return true;
 }
@@ -321,6 +327,17 @@ class Rest_MediaController extends Zend_Rest_Controller
 return false;
 }
+ private function verifyCSRFToken($token){
+ $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+ $observed_csrf_token = $token;
+ $expected_csrf_token = $current_namespace->authtoken;
+
+ if($observed_csrf_token == $expected_csrf_token){
+ return true;
+ }else{
+ return false;
+ }
+ }
 private function verifyAPIKey()
 {
diff --git a/airtime_mvc/public/js/airtime/library/plupload.js b/airtime_mvc/public/js/airtime/library/plupload.js
index a361fe442..f96ee3157 100644
--- a/airtime_mvc/public/js/airtime/library/plupload.js
+++ b/airtime_mvc/public/js/airtime/library/plupload.js
@@ -89,7 +89,7 @@ $(document).ready(function() {
 $.ajax({
 type: 'DELETE',
- url: '/rest/media/' + file.id,
+ url: 'rest/media/' + file.id + "?csrf_token=" + $("#csrf").attr('value'),
 success: function(resp) {
 self.recentUploadsTable.fnDraw();
 },
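Review bot: The rejection branch added under `if(!$this->verifyCSRFToken($this->_getParam('csrf_token')))` answers with 401, but `verifySession()` has already succeeded at that point, so the caller is authenticated and only lacks a valid token; 403 is the conventional status for that, and the body text has a typo. Suggest `$resp->setHttpResponseCode(403);` and `$resp->appendBody("ERROR: Token Mismatch.");`. In Zend Framework 1 `_getParam` falls back to query-string and POST parameters, which is what the client relies on, so a comment on that line such as `// csrf_token is expected as a request parameter (query string for DELETE).` would keep the two sides in step. The remainder of verifyAuth continues past the hunk.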
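Review bot: `if($observed_csrf_token == $expected_csrf_token)` is a loose comparison with no guard for an absent value: when the session namespace holds no `authtoken` and the request omits `csrf_token`, both sides are `null` and the check passes, and `==` between two strings applies numeric coercion. Compare strictly and only when both values are present: `$expected_csrf_token = $current_namespace->authtoken;`, `if (!is_string($token) || !is_string($expected_csrf_token)) { return false; }`, `return hash_equals($expected_csrf_token, $token);` (`hash_equals` needs PHP 5.6; on an older target `===` still gives the presence and strictness fix). The `$observed_csrf_token = $token;` alias adds nothing and can be dropped. A one-line docblock stating that the token is checked against the `authtoken` value in the `csrf_namespace` session namespace would tell callers where the expected value comes from.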
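Review bot: The new `url: 'rest/media/' + file.id + ...` drops the leading slash the removed line had, so the DELETE is resolved relative to the current page path instead of the site root; unless that was deliberate, a page served under a sub-path will send the request to the wrong URL, and the commit message gives no hint it was intended. Restore it: `url: '/rest/media/' + file.id + "?csrf_token=" + $("#csrf").attr('value'),`. Passing the token in the query string also places it in access and proxy logs; since the server reads it as a request parameter this is workable for now, but a comment such as `// csrf_token must be a request parameter; the REST controller reads it with _getParam().` records why it is not sent as a header. The surrounding `$.ajax` call continues past the hunk.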