Congegni
/
libretime
mirror of https://github.com/libretime/libretime.git
7
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'cc-5709-airtime-analyzer-refactor' into saas-media-refactor 

Conflicts:
	airtime_mvc/application/controllers/plugins/Acl_plugin.php
This commit is contained in:
Albert Santoni 2015-02-24 11:18:49 -05:00
parent 51aa846a4c 7600b8ae82
commit c0db309e32
5 changed files with 35 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
airtime_mvc/application/Bootstrap.php
View File

@ -82,13 +82,28 @@ class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
} }
$view->headScript()->appendScript("var userType = '$userType';"); $view->headScript()->appendScript("var userType = '$userType';");
} }
/**
* Create a global namespace to hold a session token for CSRF prevention
*/
protected function _initCsrfNamespace() {
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
// Check if the token exists
if (!$csrf_namespace->authtoken) {
// If we don't have a token, regenerate it and set a 2 hour timeout
// Should we log the user out here if the token is expired?
$csrf_namespace->authtoken = sha1(uniqid(rand(),1));
$csrf_namespace->setExpirationSeconds(2*60*60);
}
}
/** /**
* Ideally, globals should be written to a single js file once * Ideally, globals should be written to a single js file once
* from a php init function. This will save us from having to * from a php init function. This will save us from having to
* reinitialize them every request * reinitialize them every request
*/ */
private function _initTranslationGlobals($view) { protected function _initTranslationGlobals() {
$view = $this->getResource('view');
$view->headScript()->appendScript("var PRODUCT_NAME = '" . PRODUCT_NAME . "';"); $view->headScript()->appendScript("var PRODUCT_NAME = '" . PRODUCT_NAME . "';");
$view->headScript()->appendScript("var USER_MANUAL_URL = '" . USER_MANUAL_URL . "';"); $view->headScript()->appendScript("var USER_MANUAL_URL = '" . USER_MANUAL_URL . "';");
$view->headScript()->appendScript("var COMPANY_NAME = '" . COMPANY_NAME . "';"); $view->headScript()->appendScript("var COMPANY_NAME = '" . COMPANY_NAME . "';");

4
airtime_mvc/application/common/FileDataHelper.php
View File

@ -19,9 +19,9 @@ class FileDataHelper {
} }
if (array_key_exists("bpm", $data)) { if (array_key_exists("bpm", $data)) {
//Some BPM tags are silly and include the word "BPM". Let's strip that... //Some BPM tags are silly and include the word "BPM". Let's strip that...
$data["year"] = str_ireplace("BPM", "", $data["year"]); $data["bpm"] = str_ireplace("BPM", "", $data["bpm"]);
// This will convert floats to ints too. // This will convert floats to ints too.
$data["year"] = intval($data["year"]); $data["bpm"] = intval($data["bpm"]);
} }
} }

3
airtime_mvc/application/controllers/LoginController.php
View File

@ -119,6 +119,9 @@ class LoginController extends Zend_Controller_Action
{ {
$auth = Zend_Auth::getInstance(); $auth = Zend_Auth::getInstance();
$auth->clearIdentity(); $auth->clearIdentity();
// Unset all session variables relating to CSRF prevention on logout
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_namespace->unsetAll();
$this->_redirect('showbuilder/index'); $this->_redirect('showbuilder/index');
} }

5
airtime_mvc/application/controllers/PluploadController.php
View File

@ -31,9 +31,10 @@ class PluploadController extends Zend_Controller_Action
$this->view->quotaLimitReached = true; $this->view->quotaLimitReached = true;
} }
//Because uploads are done via AJAX (and we're not using Zend form for those), we manually add the CSRF
//token in here.
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace'); $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_namespace->setExpirationSeconds(5*60*60); //The CSRF token is generated in Bootstrap.php
$csrf_namespace->authtoken = sha1(uniqid(rand(),1));
$csrf_element = new Zend_Form_Element_Hidden('csrf'); $csrf_element = new Zend_Form_Element_Hidden('csrf');
$csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label'); $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');

17
airtime_mvc/application/controllers/plugins/Acl_plugin.php
View File

@ -152,17 +152,22 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
} }
} }
} else { //We have a session/identity. } else { //We have a session/identity.
// If we have an identity and we're making a RESTful request, // If we have an identity and we're making a RESTful request,
// we need to check the CSRF token // we need to check the CSRF token
if ($request->_action != "get" && $request->getModuleName() == "rest") { if ($_SERVER['REQUEST_METHOD'] != "GET" && $request->getModuleName() == "rest") {
$tokenValid = $this->verifyCSRFToken($request->getParam("csrf_token")); $token = $request->getParam("csrf_token");
$tokenValid = $this->verifyCSRFToken($token);
if (!$tokenValid) { if (!$tokenValid) {
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_namespace->authtoken = sha1(openssl_random_pseudo_bytes(128));
Logging::warn("Invalid CSRF token: $token");
$this->getResponse() $this->getResponse()
->setHttpResponseCode(401) ->setHttpResponseCode(401)
->appendBody("ERROR: CSRF token mismatch."); ->appendBody("ERROR: CSRF token mismatch.")
return; ->sendResponse();
die();
} }
} }
@ -207,7 +212,7 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
$current_namespace = new Zend_Session_Namespace('csrf_namespace'); $current_namespace = new Zend_Session_Namespace('csrf_namespace');
$observed_csrf_token = $token; $observed_csrf_token = $token;
$expected_csrf_token = $current_namespace->authtoken; $expected_csrf_token = $current_namespace->authtoken;
return ($observed_csrf_token == $expected_csrf_token); return ($observed_csrf_token == $expected_csrf_token);
} }