From 8c7ae6c890a2bf6b96e7011816963fe10cb38259 Mon Sep 17 00:00:00 2001
From: Albert Santoni <albert.santoni@sourcefabric.org>
Date: Fri, 20 Mar 2015 17:23:53 -0400
Subject: [PATCH] Added safety checks to Amazon_S3StorageBackend
---
.../cloud_storage/Amazon_S3StorageBackend.php | 26 +++++++++++++++----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/airtime_mvc/application/cloud_storage/Amazon_S3StorageBackend.php b/airtime_mvc/application/cloud_storage/Amazon_S3StorageBackend.php
index e2b6a1ba6..6a05bd9a5 100644
--- a/airtime_mvc/application/cloud_storage/Amazon_S3StorageBackend.php
+++ b/airtime_mvc/application/cloud_storage/Amazon_S3StorageBackend.php
@@ -53,14 +53,30 @@ class Amazon_S3StorageBackend extends StorageBackend
// Records in the database will remain in case we have to restore the files.
public function deleteAllCloudFileObjects()
{
- $this->s3Client->deleteMatchingObjects(
- $bucket = $this->getBucket(),
- $prefix = $this->getFilePrefix());
+ $bucket = $this->getBucket();
+ $prefix = $this->getFilePrefix();
+
+ //Add a trailing slash in for safety
+ //(so that deleting /13/413 doesn't delete /13/41313 !)
+ $prefix = $prefix . "/";
+
+ //Do a bunch of safety checks to ensure we don't delete more than we intended.
+ //An valid prefix is like "12/4312" for instance 4312.
+ $slashPos = strpos($prefix, "/");
+ if (($slashPos === FALSE) || //Slash must exist
+ ($slashPos != 2) || //Slash must be the third character
+ (strlen($prefix) > $slashPos) || //String must have something after the first slash
+ (substr_count($prefix, "/") != 2)) //String must have two slashes
+ {
+ throw new Exception("Invalid file prefix in " . __FUNCTION__);
}
-
+ $this->s3Client->deleteMatchingObjects($bucket, $prefix);
+ }
+
public function getFilePrefix()
{
$hostingId = Billing::getClientInstanceId();
- return substr($hostingId, -2)."/".$hostingId;
+ $filePrefix = substr($hostingId, -2)."/".$hostingId;
+ return $filePrefix;
}
}