diff --git a/airtime_mvc/application/controllers/PluploadController.php b/airtime_mvc/application/controllers/PluploadController.php
index 9698b163a..4fdaa131b 100644
--- a/airtime_mvc/application/controllers/PluploadController.php
+++ b/airtime_mvc/application/controllers/PluploadController.php
@@ -24,15 +24,33 @@ class PluploadController extends Zend_Controller_Action
 $this->view->headScript()->appendFile($baseUrl.'js/plupload/i18n/'.$locale.'.js?'.$CC_CONFIG['airtime_version'],'text/javascript');
 $this->view->headLink()->appendStylesheet($baseUrl.'css/plupload.queue.css?'.$CC_CONFIG['airtime_version']);
+
+ $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+ $csrf_namespace->setExpirationSeconds(5*60*60);
+ $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+
+ $csrf_element = new Zend_Form_Element_Hidden('csrf');
+ $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
+ $csrf_form = new Zend_Form();
+ $csrf_form->addElement($csrf_element);
+ $this->view->form = $csrf_form;
 }
 public function uploadAction()
 {
- $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
- $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
- $tempFileName = basename($tempFilePath);
+ $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+ $observed_csrf_token = $this->_getParam('csrf_token');
+ $expected_csrf_token = $current_namespace->authtoken;
- $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+ if($observed_csrf_token == $expected_csrf_token){
+ $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
+ $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
+ $tempFileName = basename($tempFilePath);
+
+ $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+ }else{
+ $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+ }
 }
 public function copyfileAction()
diff --git a/airtime_mvc/application/controllers/PreferenceController.php b/airtime_mvc/application/controllers/PreferenceController.php
index 183cada01..84718c66d 100644
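Review bot: The token check `if($observed_csrf_token == $expected_csrf_token){` in uploadAction accepts a request that carries no token at all whenever the session holds none — `$current_namespace->authtoken` is null once the namespace has expired (`setExpirationSeconds(5*60*60)` in the method above) or was never initialised, and `null == null` is true; guard against that and compare in constant time with `if (is_string($expected_csrf_token) && is_string($observed_csrf_token) && hash_equals($expected_csrf_token, $observed_csrf_token)) {`. The token value itself, `sha1(uniqid(rand(),1))`, is seeded from a non-cryptographic generator; where the runtime permits, derive it from a CSPRNG instead, e.g. `bin2hex(random_bytes(20))` (PHP 7+) or `openssl_random_pseudo_bytes()`. The hidden element is named `csrf` while the action reads `$this->_getParam('csrf_token')`; unless the client-side upload configuration maps one name to the other, every upload takes the rejection branch, so this is worth confirming against the plupload setup. The method that issues the token starts outside the hunk; if it is `init()` rather than the index action, it would also run on the upload request and overwrite the value being compared.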
--- a/airtime_mvc/application/controllers/PreferenceController.php
+++ b/airtime_mvc/application/controllers/PreferenceController.php
@@ -201,6 +201,10 @@ class PreferenceController extends Zend_Controller_Action
 $num_of_stream = intval(Application_Model_Preference::GetNumOfStreams());
 $form = new Application_Form_StreamSetting();
+ $form->addElement('hash', 'csrf', array(
+ 'salt' => 'unique'
+ ));
+
 $form->setSetting($setting);
 $form->startFrom();
diff --git a/airtime_mvc/application/forms/AddUser.php b/airtime_mvc/application/forms/AddUser.php
index 1d3835ae7..24d311bde 100644
--- a/airtime_mvc/application/forms/AddUser.php
+++ b/airtime_mvc/application/forms/AddUser.php
@@ -21,6 +21,10 @@ class Application_Form_AddUser extends Zend_Form
 $hidden->setDecorators(array('ViewHelper'));
 $this->addElement($hidden);
+ $this->addElement('hash', 'csrf', array(
+ 'salt' => 'unique'
+ ));
+
 $login = new Zend_Form_Element_Text('login');
 $login->setLabel(_('Username:'));
 $login->setAttrib('class', 'input_text');
diff --git a/airtime_mvc/application/forms/Preferences.php b/airtime_mvc/application/forms/Preferences.php
index e9e2edc9e..977cae355 100644
--- a/airtime_mvc/application/forms/Preferences.php
+++ b/airtime_mvc/application/forms/Preferences.php
@@ -15,6 +15,14 @@ class Application_Form_Preferences extends Zend_Form
 ));
 $general_pref = new Application_Form_GeneralPreferences();
+
+ $this->addElement('hash', 'csrf', array(
+ 'salt' => 'unique',
+ 'decorators' => array(
+ 'ViewHelper'
+ )
+ ));
+
 $this->addSubForm($general_pref, 'preferences_general');
 $email_pref = new Application_Form_EmailServerPreferences();
diff --git a/airtime_mvc/application/views/scripts/form/preferences.phtml b/airtime_mvc/application/views/scripts/form/preferences.phtml
index b9f2c34c0..afc324126 100644
--- a/airtime_mvc/application/views/scripts/form/preferences.phtml
+++ b/airtime_mvc/application/views/scripts/form/preferences.phtml
@@ -1,5 +1,5 @@
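Review bot: The `Zend_Form_Element_Hash` added here, in AddUser.php and in Preferences.php all use the same `'salt' => 'unique'` with the same element name `csrf`; as far as I recall, ZF1 derives the element's session namespace from the class, salt and name, so these three forms would share a single token and rendering one of them replaces the token another open form expects. Give each form its own salt, e.g. `'salt' => 'stream_setting_csrf'` here. The element's default validity window is, as I recall, 300 seconds with a single hop, so a settings page left open longer than that fails on submit with a token mismatch; if that is too short for these forms, set `'timeout' => <seconds>` in the same options array. The element only protects the action when the controller calls `$form->isValid()` on the POST data before applying it; that code is outside the hunk, so please confirm each receiving action validates the form rather than reading request params directly. Adding the element in the controller after `new Application_Form_StreamSetting()` also differs from the other two files, which add it inside the form class — doing it in Application_Form_StreamSetting's own init would keep the protection attached to the form wherever it is instantiated.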
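Review bot: The `'decorators' => array('ViewHelper')` passed to the hash element in Application_Form_Preferences replaces the element's default decorators, which as I recall include `Errors`; if the token fails validation, the message the element records then has nowhere to render unless the template prints it explicitly. Either keep both, `'decorators' => array('ViewHelper', 'Errors')`, or confirm that the preferences.phtml change in this commit (its hunk is cut off here) surfaces the `csrf` element's messages itself — otherwise a rejected submit looks to the user like a silent no-op.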