From dbed91546955cf641d888c9882c5fc8232939dd4 Mon Sep 17 00:00:00 2001
From: Robert Elder
Date: Wed, 1 Oct 2014 19:36:17 +0000
Subject: [PATCH 1/5] Tokens for preferences form.

---
 airtime_mvc/application/forms/Preferences.php        | 8 ++++++++
 .../application/views/scripts/form/preferences.phtml | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/airtime_mvc/application/forms/Preferences.php b/airtime_mvc/application/forms/Preferences.php
index e9e2edc9e..977cae355 100644
--- a/airtime_mvc/application/forms/Preferences.php
+++ b/airtime_mvc/application/forms/Preferences.php
@@ -15,6 +15,14 @@ class Application_Form_Preferences extends Zend_Form
         ));
 
         $general_pref = new Application_Form_GeneralPreferences();
+
+        $this->addElement('hash', 'csrf', array(
+            'salt' => 'unique',
+            'decorators' => array(
+                'ViewHelper'
+            )
+        ));
+
         $this->addSubForm($general_pref, 'preferences_general');
 
         $email_pref = new Application_Form_EmailServerPreferences();
diff --git a/airtime_mvc/application/views/scripts/form/preferences.phtml b/airtime_mvc/application/views/scripts/form/preferences.phtml
index b9f2c34c0..afc324126 100644
--- a/airtime_mvc/application/views/scripts/form/preferences.phtml
+++ b/airtime_mvc/application/views/scripts/form/preferences.phtml
@@ -1,5 +1,5 @@
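Review bot: The hash element added here only rejects a bad token when the submitting action runs `$form->isValid($this->getRequest()->getPost())` on this same form instance; that handler is not in this patch, so it should be confirmed that the preferences POST path validates the form rather than reading values straight from the request. The same element name `csrf` and salt `unique` are reused for AddUser (patch 2) and the stream-setting form (patch 3); Zend_Form_Element_Hash derives its session key from the salt and the element name, so these forms appear to share one token slot, and rendering one of them can invalidate a token still pending in another open tab — a distinct salt per form, e.g. `'salt' => 'preferences'`, keeps them independent. The method this sits in starts before the hunk.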
- + element->getElement('csrf') ?> element->getSubform('preferences_general') ?>

From 29b05343bdfa30da442bafb06ad2787e0ec3538a Mon Sep 17 00:00:00 2001
From: Robert Elder
Date: Wed, 1 Oct 2014 19:36:36 +0000
Subject: [PATCH 2/5] Tokens for add User.

---
 airtime_mvc/application/forms/AddUser.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/airtime_mvc/application/forms/AddUser.php b/airtime_mvc/application/forms/AddUser.php
index 1d3835ae7..24d311bde 100644
--- a/airtime_mvc/application/forms/AddUser.php
+++ b/airtime_mvc/application/forms/AddUser.php
@@ -21,6 +21,10 @@ class Application_Form_AddUser extends Zend_Form
         $hidden->setDecorators(array('ViewHelper'));
         $this->addElement($hidden);
 
+        $this->addElement('hash', 'csrf', array(
+            'salt' => 'unique'
+        ));
+
         $login = new Zend_Form_Element_Text('login');
         $login->setLabel(_('Username:'));
         $login->setAttrib('class', 'input_text');

From 5c69eda010241e075c26c02c7064164a388d575d Mon Sep 17 00:00:00 2001
From: Robert Elder
Date: Wed, 1 Oct 2014 20:55:07 +0000
Subject: [PATCH 3/5] Tokens for Stream Settings page.

---
 airtime_mvc/application/controllers/PreferenceController.php  | 4 ++++
 .../application/views/scripts/preference/stream-setting.phtml | 1 +
 2 files changed, 5 insertions(+)

diff --git a/airtime_mvc/application/controllers/PreferenceController.php b/airtime_mvc/application/controllers/PreferenceController.php
index 183cada01..84718c66d 100644
--- a/airtime_mvc/application/controllers/PreferenceController.php
+++ b/airtime_mvc/application/controllers/PreferenceController.php
@@ -201,6 +201,10 @@ class PreferenceController extends Zend_Controller_Action
         $num_of_stream = intval(Application_Model_Preference::GetNumOfStreams());
         $form = new Application_Form_StreamSetting();
 
+        $form->addElement('hash', 'csrf', array(
+            'salt' => 'unique'
+        ));
+
         $form->setSetting($setting);
         $form->startFrom();
 
diff --git a/airtime_mvc/application/views/scripts/preference/stream-setting.phtml b/airtime_mvc/application/views/scripts/preference/stream-setting.phtml
index 058ec4ac9..29fbc6756 100644
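Review bot: In the PreferenceController hunk the hash element is attached to the form inside the controller action instead of in `Application_Form_StreamSetting::init()` as patches 1 and 2 do for their forms, so any other code path that constructs `Application_Form_StreamSetting` and calls `isValid()` on it will not carry the element and will accept a POST without a token; moving the `addElement('hash', 'csrf', array('salt' => 'unique'))` call into the form class keeps the check in one place. Whether this action's POST branch validates the form at all is outside the hunk and should be confirmed. The action this sits in starts before the hunk.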
--- a/airtime_mvc/application/views/scripts/preference/stream-setting.phtml +++ b/airtime_mvc/application/views/scripts/preference/stream-setting.phtml @@ -4,6 +4,7 @@ enable_stream_conf == "true"){?> + form->getElement('csrf') ?>
statusMsg;?>

From feff7f4343541c958bc09c17ff67da75bb3f690e Mon Sep 17 00:00:00 2001
From: Robert Elder
Date: Thu, 2 Oct 2014 02:04:03 +0000
Subject: [PATCH 4/5] tokens for multipart data upload.

---
 .../controllers/PluploadController.php    | 26 ++++++++++++++++---
 .../views/scripts/plupload/index.phtml    |  1 +
 .../public/js/airtime/library/plupload.js |  5 +++-
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/airtime_mvc/application/controllers/PluploadController.php b/airtime_mvc/application/controllers/PluploadController.php
index 9698b163a..42e64c8d6 100644
--- a/airtime_mvc/application/controllers/PluploadController.php
+++ b/airtime_mvc/application/controllers/PluploadController.php
@@ -24,15 +24,33 @@ class PluploadController extends Zend_Controller_Action
         $this->view->headScript()->appendFile($baseUrl.'js/plupload/i18n/'.$locale.'.js?'.$CC_CONFIG['airtime_version'],'text/javascript');
 
         $this->view->headLink()->appendStylesheet($baseUrl.'css/plupload.queue.css?'.$CC_CONFIG['airtime_version']);
+
+        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $csrf_namespace->setExpirationSeconds(900);
+        $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+
+        $csrf_element = new Zend_Form_Element_Hidden('csrf');
+        $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
+        $csrf_form = new Zend_Form();
+        $csrf_form->addElement($csrf_element);
+        $this->view->form = $csrf_form;
     }
 
     public function uploadAction()
     {
-        $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
-        $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
-        $tempFileName = basename($tempFilePath);
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $this->_getParam('csrf_token');
+        $expected_csrf_token = $current_namespace->authtoken;
 
-        $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+        if($observed_csrf_token == $expected_csrf_token){
+            $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
+            $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
+            $tempFileName = basename($tempFilePath);
+
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+        }else{
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+        }
     }
 
     public function copyfileAction()
diff --git a/airtime_mvc/application/views/scripts/plupload/index.phtml b/airtime_mvc/application/views/scripts/plupload/index.phtml
index cf236b8d6..47187c63e 100644
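Review bot: The check `if($observed_csrf_token == $expected_csrf_token)` in uploadAction passes for a request that carries no `csrf_token` whenever the session holds no `authtoken` (both sides are null and `null == null` is true), for instance after the namespace has expired or in a session that never rendered indexAction, and the loose `==` also applies PHP's numeric-string coercion; it should read `if (!empty($expected_csrf_token) && is_string($observed_csrf_token) && hash_equals($expected_csrf_token, $observed_csrf_token)) {` (a strict `===` behind the same non-empty check on PHP older than 5.6). The token itself is `sha1(uniqid(rand(),1))`, which is not a cryptographic source; derive it from `random_bytes()` (PHP 7) or `openssl_random_pseudo_bytes()` instead. `setRequired('true')` passes a string where a bool is expected, so `setRequired(true)` says what is meant. The failure branch replies with HTTP 200 and a JSON error, so the client can only tell it from success by inspecting the body; `$this->getResponse()->setHttpResponseCode(403)` before `sendJson` makes the rejection visible to the uploader.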
--- a/airtime_mvc/application/views/scripts/plupload/index.phtml +++ b/airtime_mvc/application/views/scripts/plupload/index.phtml @@ -4,6 +4,7 @@ } + form->getElement('csrf') ?>
diff --git a/airtime_mvc/public/js/airtime/library/plupload.js b/airtime_mvc/public/js/airtime/library/plupload.js
index 2d76b3383..2e7f0b56f 100644
--- a/airtime_mvc/public/js/airtime/library/plupload.js
+++ b/airtime_mvc/public/js/airtime/library/plupload.js
@@ -11,7 +11,10 @@ $(document).ready(function() {
         multiple_queues : 'true',
         filters : [
             {title: "Audio Files", extensions: "ogg,mp3,oga,flac,wav,m4a,mp4,opus"}
-        ]
+        ],
+        multipart_params : {
+            "csrf_token" : $("#csrf").attr('value'),
+        }
     });
 
     uploader = $("#plupload_files").pluploadQueue();

From 185d84dc0173f3fae5725fbaceb526dadf55c0a4 Mon Sep 17 00:00:00 2001
From: Robert Elder
Date: Fri, 3 Oct 2014 02:18:04 +0000
Subject: [PATCH 5/5] Increase the time token is valid for in case of long uploads.

---
 airtime_mvc/application/controllers/PluploadController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/airtime_mvc/application/controllers/PluploadController.php b/airtime_mvc/application/controllers/PluploadController.php
index 42e64c8d6..4fdaa131b 100644
--- a/airtime_mvc/application/controllers/PluploadController.php
+++ b/airtime_mvc/application/controllers/PluploadController.php
@@ -26,7 +26,7 @@ class PluploadController extends Zend_Controller_Action
         $this->view->headLink()->appendStylesheet($baseUrl.'css/plupload.queue.css?'.$CC_CONFIG['airtime_version']);
 
         $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
-        $csrf_namespace->setExpirationSeconds(900);
+        $csrf_namespace->setExpirationSeconds(5*60*60);
         $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
 
         $csrf_element = new Zend_Form_Element_Hidden('csrf');
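Review bot: The trailing comma after the `"csrf_token"` entry in `multipart_params` is a syntax error for ES3 engines such as IE 8 and earlier, which a 2014 codebase may still have to support; drop it: `"csrf_token" : $("#csrf").attr('value')`. Reading the value with `.attr('value')` at ready time works because the hidden input is rendered with a fixed value, but `$("#csrf").val()` is the idiomatic jQuery form and is what a later reader will expect. The `$(document).ready` callback this sits in starts before the hunk.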
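Review bot: `setExpirationSeconds(5*60*60)` in the PluploadController hunk is a bare magic number whose motivation lives only in the commit message; name it on the class, e.g. `const CSRF_TOKEN_TTL_SECONDS = 18000; // 5 h: large uploads can outlive the earlier 900-second window`, and pass `self::CSRF_TOKEN_TTL_SECONDS`. The longer expiry also does not help an upload started from an older copy of the page, because `$csrf_namespace->authtoken` is overwritten every time indexAction renders, so opening the upload page in a second tab still invalidates the first tab's in-flight requests; the expiry only bounds how long the most recently issued token stays valid. The action this sits in starts before the hunk.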