From eb403791528d026f6aca0097d337ec1e628eb237 Mon Sep 17 00:00:00 2001
From: Duncan Sommerville <duncan.sommerville@gmail.com>
Date: Tue, 17 Feb 2015 11:44:31 -0500
Subject: [PATCH] SAAS-595 - Changed Zend validation and added sanitization in
 file import process to throw out bad track number metadata

---
 airtime_mvc/application/forms/EditAudioMD.php   |  2 +-
 .../rest/controllers/MediaController.php        | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/airtime_mvc/application/forms/EditAudioMD.php b/airtime_mvc/application/forms/EditAudioMD.php
index 69ddbccde..9fc41e314 100644
--- a/airtime_mvc/application/forms/EditAudioMD.php
+++ b/airtime_mvc/application/forms/EditAudioMD.php
@@ -59,7 +59,7 @@ class Application_Form_EditAudioMD extends Zend_Form
         $track_number->class = 'input_text';
         $track_number->setLabel('Track Number:')
             ->setFilters(array('StringTrim'))
-            ->setValidators(array(new Zend_Validate_Digits()));
+            ->setValidators(array(new Zend_Validate_Int()));
         $this->addElement($track_number);
 
         // Add genre field
diff --git a/airtime_mvc/application/modules/rest/controllers/MediaController.php b/airtime_mvc/application/modules/rest/controllers/MediaController.php
index 7a7810711..1b9712bd2 100644
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@@ -113,6 +113,8 @@ class Rest_MediaController extends Zend_Rest_Controller
             $file->save();
             return;
         } else {
+            // Sanitize any incorrect metadata that slipped past validation
+            $this->sanitizeData($file, $whiteList);
             /* If full_path is set, the post request came from ftp.
              * Users are allowed to upload folders via ftp. If this is the case
              * we need to include the folder name with the file name, otherwise
@@ -165,6 +167,9 @@ class Rest_MediaController extends Zend_Rest_Controller
             $file->save();
             return;
         } else if ($file) {
+            // Sanitize any incorrect metadata that slipped past validation
+            $this->sanitizeData($file, $whiteList);
+
             $file->fromArray($whiteList, BasePeer::TYPE_FIELDNAME);
 
             //Our RESTful API takes "full_path" as a field, which we then split and translate to match
@@ -297,6 +302,18 @@ class Rest_MediaController extends Zend_Rest_Controller
         return true;
     }
 
+    /**
+     * We want to throw out invalid data and process the upload successfully
+     * at all costs, so check the whitelisted data and sanitize it if necessary
+     * @param CcFiles   $file       CcFiles object being uploaded
+     * @param array     $whitelist  array of whitelisted (modifiable) file fields
+     */
+    private function sanitizeData($file, &$whitelist) {
+        if (!ctype_digit(strval($whitelist["track_number"]))) {
+            $file->setDbTrackNumber(null);
+        }
+    }
+
     private function processUploadedFile($callbackUrl, $originalFilename, $ownerId)
     {
         $CC_CONFIG = Config::getConfig();