From a88c0233d62351de64fa0b0d73b376d9eb996a61 Mon Sep 17 00:00:00 2001
From: Robert Elder <robert@robertelder.org>
Date: Mon, 27 Oct 2014 15:07:12 +0000
Subject: [PATCH 1/2] Don't throw exceptions for localhost in CORSHelper.

---
 airtime_mvc/application/common/CORSHelper.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/airtime_mvc/application/common/CORSHelper.php b/airtime_mvc/application/common/CORSHelper.php
index cf3f6d5ac..6febb0f1b 100644
--- a/airtime_mvc/application/common/CORSHelper.php
+++ b/airtime_mvc/application/common/CORSHelper.php
@@ -10,7 +10,7 @@ class CORSHelper
         //Chrome sends the Origin header for all requests, so we whitelist the webserver's hostname as well.
         $response = $response->setHeader('Access-Control-Allow-Origin', '*');
         $origin = $request->getHeader('Origin');
-        if (($origin != "") &&
+        if ((!(preg_match("/https?:\/\/localhost/", $origin) === 1)) && ($origin != "") &&
         (!in_array($origin,
                 array("http://www.airtime.pro",
                         "https://www.airtime.pro",

From fd39db2e241a903b9557c979b37c5c7fd54036b1 Mon Sep 17 00:00:00 2001
From: Albert Santoni <albert.santoni@sourcefabric.org>
Date: Wed, 29 Oct 2014 17:55:42 -0400
Subject: [PATCH 2/2] Merge pull request #75 - Saas relder csrf delete file

---
 .../rest/controllers/MediaController.php      | 25 ++++++++++++++++---
 .../public/js/airtime/library/plupload.js     |  2 +-
 2 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/airtime_mvc/application/modules/rest/controllers/MediaController.php b/airtime_mvc/application/modules/rest/controllers/MediaController.php
index f03b3b7b2..dbbc346ba 100644
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@@ -300,12 +300,18 @@ class Rest_MediaController extends Zend_Rest_Controller
         } 
         return $id;
     }
-    
+
     private function verifyAuth($checkApiKey, $checkSession)
     {
-        //Session takes precedence over API key for now:
-        if ($checkSession && $this->verifySession()) 
-        {
+        //  Session takes precedence over API key for now:
+        if ($checkSession && $this->verifySession()) {
+            //  CSRF token validation only applies to session based authorization.
+            if(!$this->verifyCSRFToken($this->_getParam('csrf_token'))){
+                $resp = $this->getResponse();
+                $resp->setHttpResponseCode(401);
+                $resp->appendBody("ERROR: Token Missmatch."); 
+                return false;
+            }
             return true;
         }
         
@@ -321,6 +327,17 @@ class Rest_MediaController extends Zend_Rest_Controller
         return false;
     }
     
+    private function verifyCSRFToken($token){
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $token;
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        if($observed_csrf_token == $expected_csrf_token){
+            return true;
+        }else{
+            return false;
+        }
+    }
 
     private function verifyAPIKey()
     {
diff --git a/airtime_mvc/public/js/airtime/library/plupload.js b/airtime_mvc/public/js/airtime/library/plupload.js
index a361fe442..f96ee3157 100644
--- a/airtime_mvc/public/js/airtime/library/plupload.js
+++ b/airtime_mvc/public/js/airtime/library/plupload.js
@@ -89,7 +89,7 @@ $(document).ready(function() {
     	
     	$.ajax({
     		  type: 'DELETE',
-    		  url: '/rest/media/' + file.id,
+    		  url: 'rest/media/' + file.id + "?csrf_token=" + $("#csrf").attr('value'),
     		  success: function(resp) {
     			  self.recentUploadsTable.fnDraw();
     		  },