Merged cc-5709-airtime-analyzer into saas-file-sanitization

2015-02-17 11:51:00 -05:00 · 2015-02-17 11:51:00 -05:00 · 04e138b124
parent a1436bfebb eb40379152
commit 04e138b124
2 changed files with 19 additions and 1 deletions
--- a/airtime_mvc/application/forms/EditAudioMD.php
+++ b/airtime_mvc/application/forms/EditAudioMD.php
@ -59,7 +59,7 @@ class Application_Form_EditAudioMD extends Zend_Form
        $track_number->class = 'input_text';
        $track_number->setLabel('Track Number:')
            ->setFilters(array('StringTrim'))
-            ->setValidators(array(new Zend_Validate_Digits()));
+            ->setValidators(array(new Zend_Validate_Int()));
        $this->addElement($track_number);

        // Add genre field
--- a/airtime_mvc/application/modules/rest/controllers/MediaController.php
+++ b/airtime_mvc/application/modules/rest/controllers/MediaController.php
@ -119,6 +119,8 @@ class Rest_MediaController extends Zend_Rest_Controller
            $file->save();
            return;
        } else {
+            // Sanitize any incorrect metadata that slipped past validation
+            $this->sanitizeData($file, $whiteList);
            /* If full_path is set, the post request came from ftp.
             * Users are allowed to upload folders via ftp. If this is the case
             * we need to include the folder name with the file name, otherwise
@ -200,8 +202,12 @@ class Rest_MediaController extends Zend_Rest_Controller
                ->setHttpResponseCode(200)
                ->appendBody(json_encode(CcFiles::sanitizeResponse($file)));
        } else if ($file) {
+            // Sanitize any incorrect metadata that slipped past validation
+            $this->sanitizeData($file, $whiteList);
+
            //local file storage
            $file->setDbDirectory(self::MUSIC_DIRS_STOR_PK);
+
            $file->fromArray($whiteList, BasePeer::TYPE_FIELDNAME);
            //Our RESTful API takes "full_path" as a field, which we then split and translate to match
            //our internal schema. Internally, file path is stored relative to a directory, with the directory
@ -334,6 +340,18 @@ class Rest_MediaController extends Zend_Rest_Controller
        return true;
    }

+    /**
+     * We want to throw out invalid data and process the upload successfully
+     * at all costs, so check the whitelisted data and sanitize it if necessary
+     * @param CcFiles   $file       CcFiles object being uploaded
+     * @param array     $whitelist  array of whitelisted (modifiable) file fields
+     */
+    private function sanitizeData($file, &$whitelist) {
+        if (!ctype_digit(strval($whitelist["track_number"]))) {
+            $file->setDbTrackNumber(null);
+        }
+    }
+
    private function processUploadedFile($callbackUrl, $originalFilename, $ownerId)
    {
        $CC_CONFIG = Config::getConfig();