Merge branch '2.3.x' into 2.3.x-saas

2013-02-20 14:41:55 -05:00 · 2013-02-20 14:41:55 -05:00 · 8bec9dea55
commit 8bec9dea55
parent 103ad6fe6d 8f53871ddc
62 changed files with 8265 additions and 13435 deletions
--- a/airtime_mvc/application/controllers/ApiController.php
+++ b/airtime_mvc/application/controllers/ApiController.php
@ -42,8 +42,9 @@ class ApiController extends Zend_Controller_Action
                ->addActionContext('reload-metadata-group'         , 'json')
                ->addActionContext('notify-webstream-data'         , 'json')
                ->addActionContext('get-stream-parameters'         , 'json')
-                ->addActionContext('push-stream-stats'         , 'json')
-                ->addActionContext('update-stream-setting-table'         , 'json')
+                ->addActionContext('push-stream-stats'             , 'json')
+                ->addActionContext('update-stream-setting-table'   , 'json')
+                ->addActionContext('update-replay-gain-value'      , 'json')
                ->initContext();
    }

@ -261,7 +262,14 @@ class ApiController extends Zend_Controller_Action
                                "currentShow"=>Application_Model_Show::getCurrentShow($utcTimeNow),
                                "nextShow"=>Application_Model_Show::getNextShows($utcTimeNow, $limit, $utcTimeEnd)
                            );
-
+                // XSS exploit prevention
+                foreach ($result["currentShow"] as &$current) {
+                    $current["name"] = htmlspecialchars($current["name"]);
+                }
+                foreach ($result["nextShow"] as &$next) {
+                    $next["name"] = htmlspecialchars($next["name"]);
+                }
+                
                Application_Model_Show::convertToLocalTimeZone($result["currentShow"],
                        array("starts", "ends", "start_timestamp", "end_timestamp"));
                Application_Model_Show::convertToLocalTimeZone($result["nextShow"],
@ -269,6 +277,17 @@ class ApiController extends Zend_Controller_Action
            } else {
                $result = Application_Model_Schedule::GetPlayOrderRange();

+                // XSS exploit prevention
+                $result["previous"]["name"] = htmlspecialchars($result["previous"]["name"]);
+                $result["current"]["name"] = htmlspecialchars($result["current"]["name"]);
+                $result["next"]["name"] = htmlspecialchars($result["next"]["name"]);
+                foreach ($result["currentShow"] as &$current) {
+                    $current["name"] = htmlspecialchars($current["name"]);
+                }
+                foreach ($result["nextShow"] as &$next) {
+                    $next["name"] = htmlspecialchars($next["name"]);
+                }
+
                //Convert from UTC to localtime for Web Browser.
                Application_Model_Show::ConvertToLocalTimeZone($result["currentShow"],
                        array("starts", "ends", "start_timestamp", "end_timestamp"));
@ -315,7 +334,15 @@ class ApiController extends Zend_Controller_Action

                $result[$dow[$i]] = $shows;
            }
-            
+
+            // XSS exploit prevention
+            foreach ($dow as $d) {
+                foreach ($result[$d] as &$show) {
+                    $show["name"] = htmlspecialchars($show["name"]);
+                    $show["url"] = htmlspecialchars($show["url"]);
+                }
+            }
+
            //used by caller to determine if the airtime they are running or widgets in use is out of date.
            $result['AIRTIME_API_VERSION'] = AIRTIME_API_VERSION;
            header("Content-type: text/javascript");
@ -941,10 +968,6 @@ class ApiController extends Zend_Controller_Action

    public function updateReplayGainValueAction()
    {
-        // disable layout
-        $this->view->layout()->disableLayout();
-        $this->_helper->viewRenderer->setNoRender(true);
-
        $request = $this->getRequest();
        $data = json_decode($request->getParam('data'));

@ -955,6 +978,8 @@ class ApiController extends Zend_Controller_Action
            $file->setDbReplayGain($gain);
            $file->save();
        }
+
+        $this->view->msg = "OK";
    }
    
    public function updateCueValuesBySilanAction()
--- a/airtime_mvc/application/controllers/AudiopreviewController.php
+++ b/airtime_mvc/application/controllers/AudiopreviewController.php
@ -62,8 +62,8 @@ class AudiopreviewController extends Zend_Controller_Action
        $this->view->audioFileID     = $audioFileID;
        // We need to decode artist and title because it gets
        // encoded twice in js
-        $this->view->audioFileArtist = urldecode($audioFileArtist);
-        $this->view->audioFileTitle  = urldecode($audioFileTitle);
+        $this->view->audioFileArtist = htmlspecialchars(urldecode($audioFileArtist));
+        $this->view->audioFileTitle  = htmlspecialchars(urldecode($audioFileTitle));
        $this->view->type            = $type;

        $this->_helper->viewRenderer->setRender('audio-preview');
--- a/airtime_mvc/application/controllers/ScheduleController.php
+++ b/airtime_mvc/application/controllers/ScheduleController.php
@ -573,7 +573,10 @@ class ScheduleController extends Zend_Controller_Action
            return;
        }

-        if ($isDJ) {
+        // in case a user was once a dj and had been assigned to a show
+        // but was then changed to an admin user we need to allow
+        // the user to edit the show as an admin (CC-4925)
+        if ($isDJ && !$isAdminOrPM) {
            $this->view->action = "dj-edit-show";
        }