From b4c9a77e7cece9954f92cdc1a75d5fe60f867b33 Mon Sep 17 00:00:00 2001 From: Albert Santoni Date: Fri, 12 Jun 2015 13:48:54 -0400 Subject: [PATCH 1/7] CC-6055: Improved escaping --- airtime_mvc/application/Bootstrap.php | 1 + .../application/common/SecurityHelper.php | 16 ++++--- .../application/common/WidgetHelper.php | 44 ++++++------------- .../application/controllers/ApiController.php | 14 +++--- .../controllers/EmbedController.php | 4 +- .../controllers/LibraryController.php | 2 +- .../controllers/PlayouthistoryController.php | 6 ++- .../controllers/PluploadController.php | 2 +- .../application/services/HistoryService.php | 5 ++- .../views/scripts/playlist/playlist.phtml | 2 +- 10 files changed, 46 insertions(+), 50 deletions(-) diff --git a/airtime_mvc/application/Bootstrap.php b/airtime_mvc/application/Bootstrap.php index 8ad87e2aa..578181189 100644 --- a/airtime_mvc/application/Bootstrap.php +++ b/airtime_mvc/application/Bootstrap.php @@ -24,6 +24,7 @@ require_once "FileIO.php"; require_once "OsPath.php"; require_once "Database.php"; require_once "ProvisioningHelper.php"; +require_once "SecurityHelper.php"; require_once "GoogleAnalytics.php"; require_once "Timezone.php"; require_once "Auth.php"; diff --git a/airtime_mvc/application/common/SecurityHelper.php b/airtime_mvc/application/common/SecurityHelper.php index af4d712eb..95353407e 100644 --- a/airtime_mvc/application/common/SecurityHelper.php +++ b/airtime_mvc/application/common/SecurityHelper.php @@ -1,11 +1,15 @@ $val) { + if (is_array($val)) { + self::htmlescape_recursive($arr[$key]); + } else if (is_string($val)) { + $arr[$key] = htmlspecialchars($val, ENT_QUOTES); + } + } + return $arr; + } } \ No newline at end of file diff --git a/airtime_mvc/application/common/WidgetHelper.php b/airtime_mvc/application/common/WidgetHelper.php index a51d88fa5..efdc1cc4f 100644 --- a/airtime_mvc/application/common/WidgetHelper.php +++ b/airtime_mvc/application/common/WidgetHelper.php 
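Review bot: `htmlspecialchars($val, ENT_QUOTES)` in htmlescape_recursive relies on the default charset and omits ENT_SUBSTITUTE, so on PHP 5.4+ a value containing an invalid UTF-8 byte sequence comes back as an empty string and the field is silently blanked rather than escaped; pin both with `$arr[$key] = htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. double_encode is left at its default, so any value that passes through this helper twice, or is escaped again by a view helper, becomes `&amp;amp;`; a header comment should state that it must be applied exactly once, at the output boundary, and that non-string, non-array values (objects included) pass through untouched. The function's signature is cut off in this view, so whether `$arr` is taken by reference, as the call sites that discard the return value assume, cannot be confirmed here.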
@@ -46,13 +46,14 @@ class WidgetHelper ); $result[$dow[$i]] = $shows; - - // XSS exploit prevention - self::convertSpecialChars($result, array("name", "url")); - // convert image paths to point to api endpoints - self::findAndConvertPaths($result); } + // XSS exploit prevention + SecurityHelper::htmlescape_recursive($result); + + // convert image paths to point to api endpoints + self::findAndConvertPaths($result); + return $result; } @@ -124,37 +125,18 @@ class WidgetHelper } $result[$weekCounter][$dayOfWeekCounter]["shows"] = $shows; - // XSS exploit prevention - self::convertSpecialChars($result, array("name", "url")); - // convert image paths to point to api endpoints - self::findAndConvertPaths($result); - } $weekCounter += 1; } - return $result; - } - /** - * Go through a given array and sanitize any potentially exploitable fields - * by passing them through htmlspecialchars - * - * @param unknown $arr the array to sanitize - * @param unknown $keys indexes of values to be sanitized - */ - public static function convertSpecialChars(&$arr, $keys) - { - foreach ($arr as &$a) { - if (is_array($a)) { - foreach ($keys as &$key) { - if (array_key_exists($key, $a)) { - $a[$key] = htmlspecialchars($a[$key]); - } - } - self::convertSpecialChars($a, $keys); - } - } + // XSS exploit prevention + SecurityHelper::htmlescape_recursive($result); + + // convert image paths to point to api endpoints + self::findAndConvertPaths($result); + + return $result; } /** diff --git a/airtime_mvc/application/controllers/ApiController.php b/airtime_mvc/application/controllers/ApiController.php index 0821e4b35..baee530b2 100644 --- a/airtime_mvc/application/controllers/ApiController.php +++ b/airtime_mvc/application/controllers/ApiController.php 
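Review bot: The escaper now runs on the whole of `$result` rather than on `name`/`url`, and it still runs before findAndConvertPaths in both getWeekInfo and getWeekInfoV2; if findAndConvertPaths builds image URLs from those already-escaped strings (its body is outside the hunk), any `&` in a path is emitted as `&amp;` inside the URL. Either call the escaper after the path conversion, or record the dependency at the call site with `// escape before path conversion: findAndConvertPaths must not emit raw input`, whichever matches what findAndConvertPaths does. Hoisting the calls out of the per-day loop does remove the repeated re-encoding of earlier days that the old in-loop convertSpecialChars caused, which is worth a line in the commit message. Both functions begin outside the hunks.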
@@ -199,9 +199,7 @@ class ApiController extends Zend_Controller_Action } else { $result = Application_Model_Schedule::GetPlayOrderRangeOld($limit); } - - // XSS exploit prevention - WidgetHelper::convertSpecialChars($result, array("name", "url")); + // apply user-defined timezone, or default to station Application_Common_DateHelper::convertTimestampsToTimezone( $result['currentShow'], @@ -218,6 +216,10 @@ class ApiController extends Zend_Controller_Action $result["schedulerTime"] = Application_Common_DateHelper::UTCStringToTimezoneString($result["schedulerTime"], $timezone); $result["timezone"] = $upcase ? strtoupper($timezone) : $timezone; $result["timezoneOffset"] = Application_Common_DateHelper::getTimezoneOffset($timezone); + + // XSS exploit prevention + SecurityHelper::htmlescape_recursive($result); + // convert image paths to point to api endpoints WidgetHelper::findAndConvertPaths($result); @@ -288,10 +290,12 @@ class ApiController extends Zend_Controller_Action $result = Application_Model_Schedule::GetPlayOrderRange($utcTimeEnd, $showsToRetrieve); - // XSS exploit prevention - WidgetHelper::convertSpecialChars($result, array("name", "url")); // apply user-defined timezone, or default to station $this->applyLiveTimezoneAdjustments($result, $timezone, $upcase); + + // XSS exploit prevention + SecurityHelper::htmlescape_recursive($result); + // convert image paths to point to api endpoints WidgetHelper::findAndConvertPaths($result); diff --git a/airtime_mvc/application/controllers/EmbedController.php b/airtime_mvc/application/controllers/EmbedController.php index c160ad9e2..aac5da520 100644 --- a/airtime_mvc/application/controllers/EmbedController.php +++ b/airtime_mvc/application/controllers/EmbedController.php 
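Review bot: Both live-info hunks HTML-escape `$result` before the action returns it, and since EmbedController points its `metadata_api_url` at `api/live-info` this is presumably serialised as JSON, which makes the escaping a context mismatch for an API: any consumer that sets the strings with textContent, builds a feed, or is a native app will display literal `&amp;`/`&#039;`, and the `timezone`/`schedulerTime` strings added just above are escaped too. Only the widget JS knows it injects HTML, so the defensible split is to keep the API raw and escape at the injection point, or at least serialise with `JSON_HEX_TAG | JSON_HEX_AMP` for script-context safety. If the server-side escaping is kept as defence in depth, document the contract on the action: `// All string fields are HTML-escaped (htmlspecialchars ENT_QUOTES); clients must not escape them again`. The enclosing actions start before both hunks.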
@@ -28,7 +28,7 @@ class EmbedController extends Zend_Controller_Action $this->view->jquery = Application_Common_HTTPHelper::getStationUrl() . "js/libs/jquery-1.10.2.js"; $this->view->muses_swf = Application_Common_HTTPHelper::getStationUrl() . "js/airtime/player/muses.swf"; $this->view->metadata_api_url = Application_Common_HTTPHelper::getStationUrl() . "api/live-info"; - $this->view->player_title = json_encode($request->getParam('title')); + $this->view->player_title = json_encode($this->view->escape($request->getParam('title'))); $styleParam = $request->getParam('style'); $player_style = isset($styleParam) ? $styleParam : "basic"; @@ -97,7 +97,7 @@ class EmbedController extends Zend_Controller_Action $weeklyScheduleData = WidgetHelper::getWeekInfoV2($this->getRequest()->getParam("timezone")); // Return only the current week's schedule data. In the future we may use the next week's data. - $this->view->weeklyScheduleData = $weeklyScheduleData[0]; + $this->view->weeklyScheduleData = ($weeklyScheduleData[0]); $currentDay = new DateTime("now", new DateTimeZone(Application_Model_Preference::GetTimezone())); //day of the month without leading zeros (1 to 31) diff --git a/airtime_mvc/application/controllers/LibraryController.php b/airtime_mvc/application/controllers/LibraryController.php index 212d57521..00b8f84fe 100644 --- a/airtime_mvc/application/controllers/LibraryController.php +++ b/airtime_mvc/application/controllers/LibraryController.php @@ -413,7 +413,7 @@ class LibraryController extends Zend_Controller_Action $this->view->sEcho = $r["sEcho"]; $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"]; $this->view->iTotalRecords = $r["iTotalRecords"]; - $this->view->files = $r["aaData"]; + $this->view->files = SecurityHelper::htmlescape_recursive($r["aaData"]); } public function editFileMdAction() 
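Review bot: `json_encode($this->view->escape($request->getParam('title')))` layers HTML entity encoding under JSON encoding, so `player_title` reaches the inline script as entities (`&amp;`, `&#039;`) and will render literally unless the consuming JS injects it as HTML; that consumer is outside this hunk. If the goal is to stop a `</script>` breakout inside the script block, encode for that context instead, `$this->view->player_title = json_encode($request->getParam('title'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);`, and leave HTML escaping to the place where the title is rendered as markup. Note that json_encode returns false on invalid UTF-8, which would print nothing into the script and break its syntax, so the result needs a `=== false` check (or ENT_SUBSTITUTE if the escape is kept). The parenthesised assignment in the second hunk, `($weeklyScheduleData[0])`, is a no-op that reads like a leftover from a removed wrapper call and should be reverted.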
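Review bot: `$r["aaData"]` is the DataTables row set, and the `sEcho`/`iTotalDisplayRecords` assignments around it show it is returned as a JSON data source, so every string in every row is now entity-encoded server-side. That is right for cells DataTables renders as HTML, but any field the client uses as a value rather than markup (ids, paths, anything echoed back in a later request or compared against a stored value) now carries `&amp;`/`&#039;` the server does not expect; hedged, because the column definitions are not visible here. Worth a comment at the assignment making the contract explicit, `// aaData is rendered as HTML by DataTables; any key the client uses as a raw value must not be in it`, and excluding such keys if they exist.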
diff --git a/airtime_mvc/application/controllers/PlayouthistoryController.php b/airtime_mvc/application/controllers/PlayouthistoryController.php index 7b82f7dfd..533f41d76 100644 --- a/airtime_mvc/application/controllers/PlayouthistoryController.php +++ b/airtime_mvc/application/controllers/PlayouthistoryController.php @@ -89,6 +89,7 @@ class PlayouthistoryController extends Zend_Controller_Action $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"]; $this->view->iTotalRecords = $r["iTotalRecords"]; $this->view->history = $r["history"]; + $this->view->history = SecurityHelper::htmlescape_recursive($this->view->history); } catch (Exception $e) { Logging::info($e); @@ -112,7 +113,9 @@ class PlayouthistoryController extends Zend_Controller_Action $this->view->iTotalDisplayRecords = $r["iTotalDisplayRecords"]; $this->view->iTotalRecords = $r["iTotalRecords"]; $this->view->history = $r["history"]; - } + $this->view->history = SecurityHelper::htmlescape_recursive($this->view->history); + + } catch (Exception $e) { Logging::info($e); Logging::info($e->getMessage()); @@ -130,6 +133,7 @@ class PlayouthistoryController extends Zend_Controller_Action $historyService = new Application_Service_HistoryService(); $shows = $historyService->getShowList($startsDT, $endsDT); + $shows = SecurityHelper::htmlescape_recursive($shows); $this->_helper->json->sendJson($shows); } diff --git a/airtime_mvc/application/controllers/PluploadController.php b/airtime_mvc/application/controllers/PluploadController.php index 7c808140c..f6970d6c7 100644 --- a/airtime_mvc/application/controllers/PluploadController.php +++ b/airtime_mvc/application/controllers/PluploadController.php 
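Review bot: In the first two hunks `$this->view->history` is assigned from `$r["history"]` and then immediately reassigned with the escaped copy; the intermediate assignment adds nothing and reads as though the raw value were meant to survive, so collapse it to `$this->view->history = SecurityHelper::htmlescape_recursive($r["history"]);`. The third hunk escapes `$shows` right before `sendJson`, which is the same HTML-in-JSON contract as the other endpoints in this series, so any client of this route that treats the values as text rather than markup will show entities; the action docblocks should say the fields are pre-escaped. Both try blocks begin outside the hunks.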
@@ -112,6 +112,6 @@ class PluploadController extends Zend_Controller_Action $this->view->sEcho = intval($request->getParam('sEcho')); $this->view->iTotalDisplayRecords = $numTotalDisplayUploads; $this->view->iTotalRecords = $numTotalRecentUploads; - $this->view->files = $uploadsArray; + $this->view->files = SecurityHelper::htmlescape_recursive($uploadsArray); } } diff --git a/airtime_mvc/application/services/HistoryService.php b/airtime_mvc/application/services/HistoryService.php index 181e55a67..9f5fb4ceb 100644 --- a/airtime_mvc/application/services/HistoryService.php +++ b/airtime_mvc/application/services/HistoryService.php @@ -980,7 +980,7 @@ class Application_Service_HistoryService $this->populateTemplateItem($values, $id, $instanceId); } else { - $json["form"] = $form; + $json["form"] = SecurityHelper::htmlescape_recursive($form); } return $json; @@ -1008,7 +1008,8 @@ class Application_Service_HistoryService $this->populateTemplateFile($values, $id); } else { - $json["error"] = $msgs; + $json["error"] = $form->getErrorMessages(); + $json["error"] = SecurityHelper::htmlescape_recursive($json["error"]); } return $json; diff --git a/airtime_mvc/application/views/scripts/playlist/playlist.phtml b/airtime_mvc/application/views/scripts/playlist/playlist.phtml index 44917fef6..d187dc866 100644 --- a/airtime_mvc/application/views/scripts/playlist/playlist.phtml +++ b/airtime_mvc/application/views/scripts/playlist/playlist.phtml @@ -54,7 +54,7 @@ if (isset($this->obj)) {
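Review bot: `SecurityHelper::htmlescape_recursive($form)` in the first HistoryService hunk is handed what the neighbouring code treats as a form object (`$form->getErrorMessages()` is called on the same name in the next hunk), but the helper only descends arrays and rewrites strings; iterating an object yields properties or, for an Iterator, element objects, none of which are strings, so the call is a no-op and `$json["form"]` still receives the unescaped object. If the form is meant to go out escaped, convert it to the array it is serialised as and escape that, or escape where it is rendered; until then a note at the call, `// NOTE: helper escapes arrays only — objects pass through untouched`, keeps the next reader from assuming it is covered. Whether `$form` here is the same form class as in the following hunk cannot be confirmed from this view.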
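Review bot: The second HistoryService hunk replaces `$msgs` with `$form->getErrorMessages()`, which is a behavioural change beyond the escaping this commit is about and should be called out in the message; whether `$msgs` was populated earlier in the method is not visible here. If `$form` is a Zend_Form, getErrorMessages() returns only the custom form-level messages registered with addErrorMessage(), while per-element validation failures come from getMessages(); if the JSON is meant to surface validation errors, `$json["error"] = SecurityHelper::htmlescape_recursive($form->getMessages());` is likely the intended call. Confirm against the form class, which is outside this view.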
- +
From a338616acaabb0075ffbbdb21ff2bc98be6626da Mon Sep 17 00:00:00 2001 From: drigato Date: Tue, 16 Jun 2015 15:38:21 -0400 Subject: [PATCH 2/7] Add max-width to logo on radio page --- airtime_mvc/public/css/radio-page/radio-page.css | 1 + 1 file changed, 1 insertion(+) diff --git a/airtime_mvc/public/css/radio-page/radio-page.css b/airtime_mvc/public/css/radio-page/radio-page.css index a9ffd149e..3b8256a76 100644 --- a/airtime_mvc/public/css/radio-page/radio-page.css +++ b/airtime_mvc/public/css/radio-page/radio-page.css @@ -26,6 +26,7 @@ body { .logo img { margin: 40px 0px 0px 60px; + max-width: 180px; } .login-btn { From 0b6fb9882a3fe89305e9203752c28e602bdc24f4 Mon Sep 17 00:00:00 2001 From: Albert Santoni Date: Tue, 16 Jun 2015 16:04:20 -0400 Subject: [PATCH 3/7] Fix provisioning --- airtime_mvc/application/common/ProvisioningHelper.php | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/airtime_mvc/application/common/ProvisioningHelper.php b/airtime_mvc/application/common/ProvisioningHelper.php index 605617105..cdd9818c0 100644 --- a/airtime_mvc/application/common/ProvisioningHelper.php +++ b/airtime_mvc/application/common/ProvisioningHelper.php @@ -112,8 +112,12 @@ class ProvisioningHelper $this->dbowner = $_POST['dbowner']; $this->instanceId = $_POST['instanceid']; - $this->stationName = $_POST['station_name']; - $this->description = $_POST['description']; + if (isset($_POST['station_name'])) { + $this->stationName = $_POST['station_name']; + } + if (isset($_POST['description'])) { + $this->description = $_POST['description']; + } } /** From 627343a6266d1d00b536143ad8dcbeac42d2891c Mon Sep 17 00:00:00 2001 From: Albert Santoni Date: Tue, 16 Jun 2015 18:18:34 -0400 Subject: [PATCH 4/7] Fixed the status page --- airtime_mvc/application/views/scripts/systemstatus/index.phtml | 2 ++ 1 file changed, 2 insertions(+) 
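Review bot: The new isset() guards in ProvisioningHelper only silence undefined-index notices; `$_POST['station_name']` is still stored without a type check, so a request sending `station_name[]=x` assigns an array to a property the rest of the helper presumably treats as a string (its uses are outside the hunk). Guard on type as well as presence, `if (isset($_POST['station_name']) && is_string($_POST['station_name']))`, and do the same for `description`; `dbowner` and `instanceid` two lines up in the context are read with no guard at all, so the hunk leaves the method inconsistent with itself. Whether the provisioning endpoint is authenticated before this code runs is not visible here.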
diff --git a/airtime_mvc/application/views/scripts/systemstatus/index.phtml b/airtime_mvc/application/views/scripts/systemstatus/index.phtml index ec68dfd5e..f6e1007d5 100644 --- a/airtime_mvc/application/views/scripts/systemstatus/index.phtml +++ b/airtime_mvc/application/views/scripts/systemstatus/index.phtml @@ -3,6 +3,7 @@ From 080c2c43b5fab8f688038bd3f3f1f02ff7cd4be4 Mon Sep 17 00:00:00 2001 From: Duncan Sommerville Date: Wed, 17 Jun 2015 17:39:37 -0400 Subject: [PATCH 5/7] Add soundcloud callback file for saas routing --- airtime_mvc/public/soundcloud_callback.php | 28 ++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 airtime_mvc/public/soundcloud_callback.php diff --git a/airtime_mvc/public/soundcloud_callback.php b/airtime_mvc/public/soundcloud_callback.php new file mode 100644 index 000000000..e3bdb47dc --- /dev/null +++ b/airtime_mvc/public/soundcloud_callback.php @@ -0,0 +1,28 @@ +val pairs + * into an array, then redirect + */ + public function reroute() { + $params = array(); + parse_str($_SERVER['QUERY_STRING'], $params); + $this->_redirect($params); + } + + /** + * Redirect to the URL passed in the 'state' parameter + * when we're redirected here from SoundCloud + * + * @param $params array array of URL query parameters + */ + private function _redirect($params) { + $url = urldecode($params['state']); + header("Location: $url?" . $_SERVER['QUERY_STRING']); + } + +} + +(new Router())->reroute(); From 88bd3c9bc24c42cd2abfc1906f73ab0da99a7168 Mon Sep 17 00:00:00 2001 From: Duncan Sommerville Date: Wed, 17 Jun 2015 13:44:14 -0400 Subject: [PATCH 6/7] SAAS-872 - Load disk information statically --- .../controllers/SystemstatusController.php | 5 ++-- .../views/scripts/systemstatus/index.phtml | 30 +++++++++++++++++-- 2 files changed, 30 insertions(+), 5 deletions(-) 
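Review bot: `_redirect()` in soundcloud_callback.php sends the browser to whatever URL arrives in `state` and appends the entire incoming query string, so this is an open redirect that also forwards the SoundCloud authorization `code` to any host an attacker puts in `state`; `state` is meant to be the OAuth CSRF nonce, and using it as a bare return URL drops that protection as well. The `urldecode()` is also redundant because parse_str() has already decoded the values, so `%2525`-style input decodes differently from what the sender meant, and `header()` is not followed by `exit`, so anything after it still runs. Restrict the target to an https host this deployment owns (or carry the URL inside a signed state and verify the signature) and reject everything else, as below; the allowed suffix is a placeholder that must come from configuration.
```php
private function _redirect($params) {
    // parse_str() has already URL-decoded the values; do not decode again.
    $url = (isset($params['state']) && is_string($params['state'])) ? $params['state'] : '';
    $parts = parse_url($url);
    // Only bounce back to a station host this deployment owns, over https;
    // anything else is an open redirect that also leaks the OAuth code.
    $allowedSuffix = '.example.invalid'; // TODO: load from deployment config
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || $parts['scheme'] !== 'https'
        || substr($parts['host'], -strlen($allowedSuffix)) !== $allowedSuffix
        || isset($parts['query']) || isset($parts['fragment'])) {
        header('HTTP/1.1 400 Bad Request');
        exit;
    }
    header("Location: $url?" . $_SERVER['QUERY_STRING']);
    exit;
}
```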
diff --git a/airtime_mvc/application/controllers/SystemstatusController.php b/airtime_mvc/application/controllers/SystemstatusController.php index 6098f71b7..2f651db52 100644 --- a/airtime_mvc/application/controllers/SystemstatusController.php +++ b/airtime_mvc/application/controllers/SystemstatusController.php @@ -4,11 +4,12 @@ class SystemstatusController extends Zend_Controller_Action { public function init() { + /* Disable this on Airtime pro since we're not using Media Monitor/Monit + $CC_CONFIG = Config::getConfig(); - $baseUrl = Application_Common_OsPath::getBaseDir(); - $this->view->headScript()->appendFile($baseUrl.'js/airtime/status/status.js?'.$CC_CONFIG['airtime_version'],'text/javascript'); + */ } public function indexAction() diff --git a/airtime_mvc/application/views/scripts/systemstatus/index.phtml b/airtime_mvc/application/views/scripts/systemstatus/index.phtml index f6e1007d5..a8687eb24 100644 --- a/airtime_mvc/application/views/scripts/systemstatus/index.phtml +++ b/airtime_mvc/application/views/scripts/systemstatus/index.phtml @@ -8,18 +8,24 @@ $externalServices = checkExternalServices(); $zend = $phpDependencies["zend"]; $postgres = $phpDependencies["postgres"]; - + $database = $externalServices["database"]; $rabbitmq = $externalServices["rabbitmq"]; - + $pypo = $externalServices["pypo"]; $liquidsoap = $externalServices["liquidsoap"]; $mediamonitor = $externalServices["media-monitor"]; - + $r1 = array_reduce($phpDependencies, "booleanReduce", true); $r2 = array_reduce($externalServices, "booleanReduce", true); $result = $r1 && $r2; */ + + // Disk information. We only use the [0]th index + // because we don't have Watched/Media Folders + $disk = $this->status->partitions[0]; + $used = $disk->totalSpace-$disk->totalFreeSpace; + $total = $disk->totalSpace; ?>
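Review bot: init() in SystemstatusController now wraps the old `$CC_CONFIG`/headScript lines in a `/* … */` block instead of deleting them, leaving dead code that version control already preserves, and the comment's opening line sits above `$CC_CONFIG = Config::getConfig();` so the block reads as if that assignment were still live. Drop the three commented lines and keep the intent as a single comment, `// status.js (Media Monitor/Monit polling) is intentionally not loaded on Airtime Pro`, so the empty method explains itself.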
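Review bot: `$this->status->partitions[0]` in the index.phtml hunk is dereferenced with no check that `partitions` exists or has an element; when it does not, `$disk` is null, `totalSpace`/`totalFreeSpace` read as null with notices, and `$total` becomes 0, which any later `$used / $total` in the template will trip over (a warning on PHP 5, DivisionByZeroError on PHP 8). The later width calculation appears further down in this file but is garbled in this view, so that part is inferred. Guard the lookup and make the zero case explicit, as below, and keep the `$total > 0` test wherever the percentage is computed.
```php
// Disk information. We only use the [0]th index
// because we don't have Watched/Media Folders
$disk  = isset($this->status->partitions[0]) ? $this->status->partitions[0] : null;
$total = ($disk !== null && $disk->totalSpace > 0) ? $disk->totalSpace : 0;
$used  = $total > 0 ? $total - $disk->totalFreeSpace : 0;
```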
@@ -178,5 +184,23 @@ + + + + +
+
    +
+
+ + +
+
;"> +
+
+
+
From 298ee30e9dbbbe5fcdd8a0e36f2f44bec95caf45 Mon Sep 17 00:00:00 2001 From: Duncan Sommerville Date: Wed, 17 Jun 2015 14:52:04 -0400 Subject: [PATCH 7/7] Move misplaced tag --- .../views/scripts/systemstatus/index.phtml | 44 +++++++++---------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/airtime_mvc/application/views/scripts/systemstatus/index.phtml b/airtime_mvc/application/views/scripts/systemstatus/index.phtml index a8687eb24..d06cd4c1d 100644 --- a/airtime_mvc/application/views/scripts/systemstatus/index.phtml +++ b/airtime_mvc/application/views/scripts/systemstatus/index.phtml @@ -180,27 +180,27 @@ ?> - */?> - - - - - -
    -
- - - - - -
-
;"> -
-
-
- - + */?> + + + + + +
    +
+ + + + + +
+
;"> +
+
+
+ +