From b4c9a77e7cece9954f92cdc1a75d5fe60f867b33 Mon Sep 17 00:00:00 2001
From: Albert Santoni
Date: Fri, 12 Jun 2015 13:48:54 -0400
Subject: [PATCH] CC-6055: Improved escaping
---
 airtime_mvc/application/Bootstrap.php | 1 +
 .../application/common/SecurityHelper.php | 16 ++++---
 .../application/common/WidgetHelper.php | 44 ++++++-------------
 .../application/controllers/ApiController.php | 14 +++---
 .../controllers/EmbedController.php | 4 +-
 .../controllers/LibraryController.php | 2 +-
 .../controllers/PlayouthistoryController.php | 6 ++-
 .../controllers/PluploadController.php | 2 +-
 .../application/services/HistoryService.php | 5 ++-
 .../views/scripts/playlist/playlist.phtml | 2 +-
 10 files changed, 46 insertions(+), 50 deletions(-)
diff --git a/airtime_mvc/application/Bootstrap.php b/airtime_mvc/application/Bootstrap.php
index 8ad87e2aa..578181189 100644
--- a/airtime_mvc/application/Bootstrap.php
+++ b/airtime_mvc/application/Bootstrap.php
@@ -24,6 +24,7 @@ require_once "FileIO.php";
 require_once "OsPath.php";
 require_once "Database.php";
 require_once "ProvisioningHelper.php";
+require_once "SecurityHelper.php";
 require_once "GoogleAnalytics.php";
 require_once "Timezone.php";
 require_once "Auth.php";
diff --git a/airtime_mvc/application/common/SecurityHelper.php b/airtime_mvc/application/common/SecurityHelper.php
index af4d712eb..95353407e 100644
--- a/airtime_mvc/application/common/SecurityHelper.php
+++ b/airtime_mvc/application/common/SecurityHelper.php
@@ -1,11 +1,15 @@ $val) {
+ if (is_array($val)) {
+ self::htmlescape_recursive($arr[$key]);
+ } else if (is_string($val)) {
+ $arr[$key] = htmlspecialchars($val, ENT_QUOTES);
+ }
+ }
+ return $arr;
+ }
 }
\ No newline at end of file
diff --git a/airtime_mvc/application/common/WidgetHelper.php b/airtime_mvc/application/common/WidgetHelper.php
index a51d88fa5..efdc1cc4f 100644
--- a/airtime_mvc/application/common/WidgetHelper.php
+++ b/airtime_mvc/application/common/WidgetHelper.php
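Review bot: `htmlspecialchars($val, ENT_QUOTES)` in the new htmlescape_recursive relies on PHP's default charset, which changed from ISO-8859-1 to UTF-8 in 5.4, and without ENT_SUBSTITUTE an invalid UTF-8 value makes htmlspecialchars return an empty string, so a malformed show name would silently vanish from the output instead of being escaped. Pin the charset and substitute bad sequences: `$arr[$key] = htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` (ENT_SUBSTITUTE needs PHP >= 5.4; drop it if older versions must stay supported). Only values are escaped — array keys pass through untouched, so any caller that renders keys still gets raw text. The start of this hunk, including the method signature and the foreach line, is garbled in this view (everything before `$val) {` is missing), so whether `$arr` is taken by reference cannot be confirmed here.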
@@ -46,13 +46,14 @@ class WidgetHelper
 );
 $result[$dow[$i]] = $shows;
-
- // XSS exploit prevention
- self::convertSpecialChars($result, array("name", "url"));
- // convert image paths to point to api endpoints
- self::findAndConvertPaths($result);
 }
+ // XSS exploit prevention
+ SecurityHelper::htmlescape_recursive($result);
+
+ // convert image paths to point to api endpoints
+ self::findAndConvertPaths($result);
+
 return $result;
 }
@@ -124,37 +125,18 @@ class WidgetHelper
 }
 $result[$weekCounter][$dayOfWeekCounter]["shows"] = $shows;
- // XSS exploit prevention
- self::convertSpecialChars($result, array("name", "url"));
- // convert image paths to point to api endpoints
- self::findAndConvertPaths($result);
-
 }
 $weekCounter += 1;
 }
- return $result;
- }
- /**
- * Go through a given array and sanitize any potentially exploitable fields
- * by passing them through htmlspecialchars
- *
- * @param unknown $arr the array to sanitize
- * @param unknown $keys indexes of values to be sanitized
- */
- public static function convertSpecialChars(&$arr, $keys)
- {
- foreach ($arr as &$a) {
- if (is_array($a)) {
- foreach ($keys as &$key) {
- if (array_key_exists($key, $a)) {
- $a[$key] = htmlspecialchars($a[$key]);
- }
- }
- self::convertSpecialChars($a, $keys);
- }
- }
+ // XSS exploit prevention
+ SecurityHelper::htmlescape_recursive($result);
+
+ // convert image paths to point to api endpoints
+ self::findAndConvertPaths($result);
+
+ return $result;
 }
 /**
diff --git a/airtime_mvc/application/controllers/ApiController.php b/airtime_mvc/application/controllers/ApiController.php
index 0821e4b35..baee530b2 100644
--- a/airtime_mvc/application/controllers/ApiController.php
+++ b/airtime_mvc/application/controllers/ApiController.php
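Review bot: Both replacement calls `SecurityHelper::htmlescape_recursive($result);` discard the return value and depend on `$result` being modified in place, while LibraryController and PlayouthistoryController in this same patch assign the return value instead; the helper's signature is not visible here, so if `$arr` is not declared by reference these two widget call sites escape a copy and return unescaped data. Use one convention everywhere, e.g. `$result = SecurityHelper::htmlescape_recursive($result);`, which is correct however the parameter is declared. Note also that the new helper escapes every string, not just `name` and `url` as the removed convertSpecialChars did, and it still runs before `findAndConvertPaths($result)` — so any image-path fields that helper rewrites are now entity-encoded (`&` becomes `&amp;`) before conversion, which deserves a comment if intentional. Both enclosing methods start before their hunks.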
@@ -199,9 +199,7 @@ class ApiController extends Zend_Controller_Action
 } else {
 $result = Application_Model_Schedule::GetPlayOrderRangeOld($limit);
 }
-
- // XSS exploit prevention
- WidgetHelper::convertSpecialChars($result, array("name", "url"));
+
 // apply user-defined timezone, or default to station
 Application_Common_DateHelper::convertTimestampsToTimezone(
 $result['currentShow'],
@@ -218,6 +216,10 @@ class ApiController extends Zend_Controller_Action
 $result["schedulerTime"] = Application_Common_DateHelper::UTCStringToTimezoneString($result["schedulerTime"], $timezone);
 $result["timezone"] = $upcase ? strtoupper($timezone) : $timezone;
 $result["timezoneOffset"] = Application_Common_DateHelper::getTimezoneOffset($timezone);
+
+ // XSS exploit prevention
+ SecurityHelper::htmlescape_recursive($result);
+
 // convert image paths to point to api endpoints
 WidgetHelper::findAndConvertPaths($result);
@@ -288,10 +290,12 @@ class ApiController extends Zend_Controller_Action
 $result = Application_Model_Schedule::GetPlayOrderRange($utcTimeEnd, $showsToRetrieve);
- // XSS exploit prevention
- WidgetHelper::convertSpecialChars($result, array("name", "url"));
 // apply user-defined timezone, or default to station
 $this->applyLiveTimezoneAdjustments($result, $timezone, $upcase);
+
+ // XSS exploit prevention
+ SecurityHelper::htmlescape_recursive($result);
+
 // convert image paths to point to api endpoints
 WidgetHelper::findAndConvertPaths($result);
diff --git a/airtime_mvc/application/controllers/EmbedController.php b/airtime_mvc/application/controllers/EmbedController.php
index c160ad9e2..aac5da520 100644
--- a/airtime_mvc/application/controllers/EmbedController.php
+++ b/airtime_mvc/application/controllers/EmbedController.php
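Review bot: `SecurityHelper::htmlescape_recursive($result);` in the second hunk HTML-encodes every string in a response that, judging by the `api/live-info` URL EmbedController hands to the player, is served as JSON to scripts, so the escaping contract now has to be honoured by every client: a consumer that inserts these values as text (textContent, jQuery .text()) will display `&amp;` and `&#039;` literally, and one that escapes again will double-encode. Escaping belongs at the HTML rendering site; if it must stay in the API, record the contract where the data is produced, e.g. `// NOTE: every string in $result is HTML-escaped (ENT_QUOTES); clients must insert as HTML and never escape again`. Moving the call after `$result["timezone"]` is set from the request-supplied `$timezone` is the right order. The enclosing methods start before their hunks.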
@@ -28,7 +28,7 @@ class EmbedController extends Zend_Controller_Action
 $this->view->jquery = Application_Common_HTTPHelper::getStationUrl() . "js/libs/jquery-1.10.2.js";
 $this->view->muses_swf = Application_Common_HTTPHelper::getStationUrl() . "js/airtime/player/muses.swf";
 $this->view->metadata_api_url = Application_Common_HTTPHelper::getStationUrl() . "api/live-info";
- $this->view->player_title = json_encode($request->getParam('title'));
+ $this->view->player_title = json_encode($this->view->escape($request->getParam('title')));
 $styleParam = $request->getParam('style');
 $player_style = isset($styleParam) ? $styleParam : "basic";
@@ -97,7 +97,7 @@ class EmbedController extends Zend_Controller_Action
 $weeklyScheduleData = WidgetHelper::getWeekInfoV2($this->getRequest()->getParam("timezone"));
 // Return only the current week's schedule data. In the future we may use the next week's data.
- $this->view->weeklyScheduleData = $weeklyScheduleData[0];
+ $this->view->weeklyScheduleData = ($weeklyScheduleData[0]);
 $currentDay = new DateTime("now", new DateTimeZone(Application_Model_Preference::GetTimezone()));
 //day of the month without leading zeros (1 to 31)
diff --git a/airtime_mvc/application/controllers/LibraryController.php b/airtime_mvc/application/controllers/LibraryController.php
index 212d57521..00b8f84fe 100644
--- a/airtime_mvc/application/controllers/LibraryController.php
+++ b/airtime_mvc/application/controllers/LibraryController.php
@@ -413,7 +413,7 @@ class LibraryController extends Zend_Controller_Action
 $this->view->sEcho = $r["sEcho"];
 $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
 $this->view->iTotalRecords = $r["iTotalRecords"];
- $this->view->files = $r["aaData"];
+ $this->view->files = SecurityHelper::htmlescape_recursive($r["aaData"]);
 }
 public function editFileMdAction()
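Review bot: `json_encode($this->view->escape($request->getParam('title')))` mixes two output contexts: the value is JSON-encoded, which suggests it is emitted into a script block, yet it is HTML-escaped first, so a title such as `Rock & Roll` reaches JavaScript as `Rock &amp; Roll` and is shown with the entity wherever the player uses it as plain text. For a value embedded in inline JavaScript the right tool is json_encode's HTML-safe flags, `json_encode($request->getParam('title'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)`, which neutralises `</script>` and quote break-outs without altering the string the script receives; apply `escape()` only at the point where the view writes the title into HTML. Whether the template uses this value in a script or in markup is not visible here, so confirm the context before choosing. The enclosing action starts before the hunk.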
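Review bot: `($weeklyScheduleData[0])` in the second hunk is a no-op change — wrapping the expression in parentheses neither escapes nor copies anything, and it reads as if an escaping call was intended and then removed. Either drop the parentheses (`$this->view->weeklyScheduleData = $weeklyScheduleData[0];`) or add a comment stating that escaping is unnecessary because getWeekInfoV2 already applies htmlescape_recursive, as the WidgetHelper hunk in this patch shows. The enclosing action starts before the hunk.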
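Review bot: `SecurityHelper::htmlescape_recursive($r["aaData"])` in the LibraryController hunk escapes every string column of what looks like a DataTables response (sEcho, iTotalDisplayRecords), not only the columns shown as HTML, so any identifier or path column that client code uses as a URL or lookup key, and any column renderer that escapes a cell itself, now sees entity-encoded text. The contract should be stated at the assignment, `// aaData strings are HTML-escaped server-side; client renderers must insert them as HTML and must not escape again`, and the client column definitions checked against it. The enclosing action starts before the hunk.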
diff --git a/airtime_mvc/application/controllers/PlayouthistoryController.php b/airtime_mvc/application/controllers/PlayouthistoryController.php
index 7b82f7dfd..533f41d76 100644
--- a/airtime_mvc/application/controllers/PlayouthistoryController.php
+++ b/airtime_mvc/application/controllers/PlayouthistoryController.php
@@ -89,6 +89,7 @@ class PlayouthistoryController extends Zend_Controller_Action
 $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
 $this->view->iTotalRecords = $r["iTotalRecords"];
 $this->view->history = $r["history"];
+ $this->view->history = SecurityHelper::htmlescape_recursive($this->view->history);
 }
 catch (Exception $e) {
 Logging::info($e);
@@ -112,7 +113,9 @@ class PlayouthistoryController extends Zend_Controller_Action
 $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"];
 $this->view->iTotalRecords = $r["iTotalRecords"];
 $this->view->history = $r["history"];
- }
+ $this->view->history = SecurityHelper::htmlescape_recursive($this->view->history);
+
+ }
 catch (Exception $e) {
 Logging::info($e);
 Logging::info($e->getMessage());
@@ -130,6 +133,7 @@ class PlayouthistoryController extends Zend_Controller_Action
 $historyService = new Application_Service_HistoryService();
 $shows = $historyService->getShowList($startsDT, $endsDT);
+ $shows = SecurityHelper::htmlescape_recursive($shows);
 $this->_helper->json->sendJson($shows);
 }
diff --git a/airtime_mvc/application/controllers/PluploadController.php b/airtime_mvc/application/controllers/PluploadController.php
index 7c808140c..f6970d6c7 100644
--- a/airtime_mvc/application/controllers/PluploadController.php
+++ b/airtime_mvc/application/controllers/PluploadController.php
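Review bot: In the first hunk `$this->view->history = $r["history"];` is immediately overwritten by the added `$this->view->history = SecurityHelper::htmlescape_recursive($this->view->history);`; the pair collapses to one line, `$this->view->history = SecurityHelper::htmlescape_recursive($r["history"]);`, which is also the form LibraryController uses in this patch. The enclosing action starts before the hunk.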
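Review bot: The second hunk repeats the double assignment of `$this->view->history` and, unlike the first hunk, re-adds the closing brace behind an empty line (`+` blank, `+ }`), so the two try blocks in the same controller now end with different layout for no reason. Write it as `$this->view->history = SecurityHelper::htmlescape_recursive($r["history"]);` followed directly by the original `}`, matching the first hunk. The enclosing action starts before the hunk.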
@@ -112,6 +112,6 @@ class PluploadController extends Zend_Controller_Action
 $this->view->sEcho = intval($request->getParam('sEcho'));
 $this->view->iTotalDisplayRecords = $numTotalDisplayUploads;
 $this->view->iTotalRecords = $numTotalRecentUploads;
- $this->view->files = $uploadsArray;
+ $this->view->files = SecurityHelper::htmlescape_recursive($uploadsArray);
 }
 }
diff --git a/airtime_mvc/application/services/HistoryService.php b/airtime_mvc/application/services/HistoryService.php
index 181e55a67..9f5fb4ceb 100644
--- a/airtime_mvc/application/services/HistoryService.php
+++ b/airtime_mvc/application/services/HistoryService.php
@@ -980,7 +980,7 @@ class Application_Service_HistoryService
 $this->populateTemplateItem($values, $id, $instanceId);
 }
 else {
- $json["form"] = $form;
+ $json["form"] = SecurityHelper::htmlescape_recursive($form);
 }
 return $json;
@@ -1008,7 +1008,8 @@ class Application_Service_HistoryService
 $this->populateTemplateFile($values, $id);
 }
 else {
- $json["error"] = $msgs;
+ $json["error"] = $form->getErrorMessages();
+ $json["error"] = SecurityHelper::htmlescape_recursive($json["error"]);
 }
 return $json;
diff --git a/airtime_mvc/application/views/scripts/playlist/playlist.phtml b/airtime_mvc/application/views/scripts/playlist/playlist.phtml
index 44917fef6..d187dc866 100644
--- a/airtime_mvc/application/views/scripts/playlist/playlist.phtml
+++ b/airtime_mvc/application/views/scripts/playlist/playlist.phtml
@@ -54,7 +54,7 @@ if (isset($this->obj)) {
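Review bot: `SecurityHelper::htmlescape_recursive($form)` in the first HistoryService hunk is handed `$form`, which the next hunk's `$form->getErrorMessages()` shows to be a form object rather than an array; the helper's foreach / `$arr[$key]` logic is written for arrays, so on an object it will either do nothing (iterating a Zend_Form-style object yields element objects, which are neither string nor array) or fail with a type error if the parameter is declared `array` — in neither case is the form escaped. Pass the data the client actually needs, e.g. `$json["form"] = SecurityHelper::htmlescape_recursive($form->getMessages());` if only validation messages are rendered, or leave the assignment as it was and escape in the template; which one is right depends on the consumer, which is not visible here. The enclosing method starts before the hunk.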
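Review bot: The two added lines in the second HistoryService hunk assign `$json["error"]` twice; `$json["error"] = SecurityHelper::htmlescape_recursive($form->getErrorMessages());` is the single-line equivalent. The removed line referenced `$msgs`, which does not appear anywhere in the visible context, so this hunk also appears to fix an undefined-variable bug that the commit message ("Improved escaping") does not mention. The enclosing method starts before the hunk.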
- +