Merge branch 'cc-5709-airtime-analyzer-refactor' into saas-media-refactor

Conflicts: airtime_mvc/application/controllers/plugins/Acl_plugin.php
2015-02-24 11:18:49 -05:00 · 2015-02-24 11:18:49 -05:00 · c0db309e32
parent 51aa846a4c 7600b8ae82
commit c0db309e32
5 changed files with 35 additions and 11 deletions
--- a/airtime_mvc/application/Bootstrap.php
+++ b/airtime_mvc/application/Bootstrap.php
@ -82,13 +82,28 @@ class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
        }
        $view->headScript()->appendScript("var userType = '$userType';");
    }
+
+    /**
+     * Create a global namespace to hold a session token for CSRF prevention
+     */
+    protected function _initCsrfNamespace() {
+        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+        // Check if the token exists
+        if (!$csrf_namespace->authtoken) {
+            // If we don't have a token, regenerate it and set a 2 hour timeout
+            // Should we log the user out here if the token is expired?
+            $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+            $csrf_namespace->setExpirationSeconds(2*60*60);
+        }
+    }
    
    /**
     * Ideally, globals should be written to a single js file once 
     * from a php init function. This will save us from having to 
     * reinitialize them every request
     */
-    private function _initTranslationGlobals($view) {
+    protected function _initTranslationGlobals() {
+        $view = $this->getResource('view');
        $view->headScript()->appendScript("var PRODUCT_NAME = '" . PRODUCT_NAME . "';");
        $view->headScript()->appendScript("var USER_MANUAL_URL = '" . USER_MANUAL_URL . "';");
        $view->headScript()->appendScript("var COMPANY_NAME = '" . COMPANY_NAME . "';");
--- a/airtime_mvc/application/common/FileDataHelper.php
+++ b/airtime_mvc/application/common/FileDataHelper.php
@ -19,9 +19,9 @@ class FileDataHelper {
        }
        if (array_key_exists("bpm", $data)) {
            //Some BPM tags are silly and include the word "BPM". Let's strip that...
-            $data["year"] = str_ireplace("BPM", "", $data["year"]);
+            $data["bpm"] = str_ireplace("BPM", "", $data["bpm"]);
            // This will convert floats to ints too.
-            $data["year"] = intval($data["year"]);
+            $data["bpm"] = intval($data["bpm"]);
        }
    }

--- a/airtime_mvc/application/controllers/LoginController.php
+++ b/airtime_mvc/application/controllers/LoginController.php
@ -119,6 +119,9 @@ class LoginController extends Zend_Controller_Action
    {
        $auth = Zend_Auth::getInstance();
        $auth->clearIdentity();
+        // Unset all session variables relating to CSRF prevention on logout
+        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $csrf_namespace->unsetAll();
        $this->_redirect('showbuilder/index');
    }

--- a/airtime_mvc/application/controllers/PluploadController.php
+++ b/airtime_mvc/application/controllers/PluploadController.php
@ -31,9 +31,10 @@ class PluploadController extends Zend_Controller_Action
            $this->view->quotaLimitReached = true;
        }

+        //Because uploads are done via AJAX (and we're not using Zend form for those), we manually add the CSRF
+        //token in here.
        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
-        $csrf_namespace->setExpirationSeconds(5*60*60);
-        $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+        //The CSRF token is generated in Bootstrap.php

        $csrf_element = new Zend_Form_Element_Hidden('csrf');
        $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
--- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php
+++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
@ -152,17 +152,22 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
                }
            }
        } else { //We have a session/identity.
-
            // If we have an identity and we're making a RESTful request,
            // we need to check the CSRF token
-            if ($request->_action != "get" && $request->getModuleName() == "rest") {
-                $tokenValid = $this->verifyCSRFToken($request->getParam("csrf_token"));
+            if ($_SERVER['REQUEST_METHOD'] != "GET" && $request->getModuleName() == "rest") {
+                $token = $request->getParam("csrf_token");
+                $tokenValid = $this->verifyCSRFToken($token);

                if (!$tokenValid) {
+                    $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+                    $csrf_namespace->authtoken = sha1(openssl_random_pseudo_bytes(128));
+
+                    Logging::warn("Invalid CSRF token: $token");
                    $this->getResponse()
                         ->setHttpResponseCode(401)
-                         ->appendBody("ERROR: CSRF token mismatch.");
-                    return;
+                         ->appendBody("ERROR: CSRF token mismatch.")
+                         ->sendResponse();
+                    die();
                }
            }
            
@ -207,7 +212,7 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
        $observed_csrf_token = $token;
        $expected_csrf_token = $current_namespace->authtoken;
-        
+
        return ($observed_csrf_token == $expected_csrf_token);
    }