Merged cc-5709-airtime-analyzer into saas-file-sanitization

airtime_mvc/application/Bootstrap.php

@@ -18,6 +18,7 @@ require_once 'Preference.php';
 require_once 'Locale.php';
 require_once "DateHelper.php";
 require_once "LocaleHelper.php";
+require_once "FileDataHelper.php";
 require_once "HTTPHelper.php";
 require_once "OsPath.php";
 require_once "Database.php";

airtime_mvc/application/common/FileDataHelper.php

@@ -0,0 +1,20 @@
+<?php
+/**
+ * Created by PhpStorm.
+ * User: sourcefabric
+ * Date: 17/02/15
+ */
+
+class FileDataHelper {
+
+    /**
+     * We want to throw out invalid data and process the upload successfully
+     * at all costs, so check the data and sanitize it if necessary
+     * @param array $data array containing new file metadata
+     */
+    public static function sanitizeData(&$data) {
+        // If the track number isn't numeric, this will return 0
+        $data["track_number"] = intval($data["track_number"]);
+    }
+
+}

airtime_mvc/application/controllers/LibraryController.php

@@ -77,8 +77,6 @@ class LibraryController extends Zend_Controller_Action
 
             $obj_sess = new Zend_Session_Namespace(UI_PLAYLISTCONTROLLER_OBJ_SESSNAME);
             if (isset($obj_sess->id)) {
-                $objInfo = Application_Model_Library::getObjInfo($obj_sess->type);
-
                 $objInfo     = Application_Model_Library::getObjInfo($obj_sess->type);
                 $obj         = new $objInfo['className']($obj_sess->id);
                 $userInfo    = Zend_Auth::getInstance()->getStorage()->read();
@@ -447,6 +445,8 @@ class LibraryController extends Zend_Controller_Action
             }
 
             if ($form->isValid($serialized)) {
+                // Sanitize any incorrect metadata that slipped past validation
+                FileDataHelper::sanitizeData($serialized["track_number"]);
 
                 $formValues = $this->_getParam('data', null);
                 $formdata = array();

airtime_mvc/application/modules/rest/controllers/MediaController.php

@@ -120,7 +120,8 @@ class Rest_MediaController extends Zend_Rest_Controller
             return;
         } else {
             // Sanitize any incorrect metadata that slipped past validation
-            $this->sanitizeData($file, $whiteList);
+            FileDataHelper::sanitizeData($whiteList["track_number"]);
+
             /* If full_path is set, the post request came from ftp.
              * Users are allowed to upload folders via ftp. If this is the case
              * we need to include the folder name with the file name, otherwise
@@ -174,6 +175,9 @@ class Rest_MediaController extends Zend_Rest_Controller
             $file->save();
             return;
         } else if ($file && isset($requestData["resource_id"])) {
+            // Sanitize any incorrect metadata that slipped past validation
+            FileDataHelper::sanitizeData($whiteList["track_number"]);
+
             $file->fromArray($whiteList, BasePeer::TYPE_FIELDNAME);
             
             //store the original filename
@@ -340,18 +344,6 @@ class Rest_MediaController extends Zend_Rest_Controller
         return true;
     }
 
-    /**
-     * We want to throw out invalid data and process the upload successfully
-     * at all costs, so check the whitelisted data and sanitize it if necessary
-     * @param CcFiles   $file       CcFiles object being uploaded
-     * @param array     $whitelist  array of whitelisted (modifiable) file fields
-     */
-    private function sanitizeData($file, &$whitelist) {
-        if (!ctype_digit(strval($whitelist["track_number"]))) {
-            $file->setDbTrackNumber(null);
-        }
-    }
-
     private function processUploadedFile($callbackUrl, $originalFilename, $ownerId)
     {
         $CC_CONFIG = Config::getConfig();