Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #70 from RobertElder/more-tokens 

More tokens
This commit is contained in:
dpsommer 2014-10-07 10:10:14 -04:00
parent 159ab47857 185d84dc01
commit 9a21b99fdf
8 changed files with 45 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
airtime_mvc/application/controllers/PluploadController.php
View File

@ -24,15 +24,33 @@ class PluploadController extends Zend_Controller_Action
$this->view->headScript()->appendFile($baseUrl.'js/plupload/i18n/'.$locale.'.js?'.$CC_CONFIG['airtime_version'],'text/javascript'); $this->view->headScript()->appendFile($baseUrl.'js/plupload/i18n/'.$locale.'.js?'.$CC_CONFIG['airtime_version'],'text/javascript');
$this->view->headLink()->appendStylesheet($baseUrl.'css/plupload.queue.css?'.$CC_CONFIG['airtime_version']); $this->view->headLink()->appendStylesheet($baseUrl.'css/plupload.queue.css?'.$CC_CONFIG['airtime_version']);
$csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
$csrf_namespace->setExpirationSeconds(5*60*60);
$csrf_namespace->authtoken = sha1(uniqid(rand(),1));
$csrf_element = new Zend_Form_Element_Hidden('csrf');
$csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
$csrf_form = new Zend_Form();
$csrf_form->addElement($csrf_element);
$this->view->form = $csrf_form;
} }
public function uploadAction() public function uploadAction()
{ {
$current_namespace = new Zend_Session_Namespace('csrf_namespace');
$observed_csrf_token = $this->_getParam('csrf_token');
$expected_csrf_token = $current_namespace->authtoken;
if($observed_csrf_token == $expected_csrf_token){
$upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload"; $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
$tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir); $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
$tempFileName = basename($tempFilePath); $tempFileName = basename($tempFilePath);
$this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName)); $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
}else{
$this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
}
} }
public function copyfileAction() public function copyfileAction()

4
airtime_mvc/application/controllers/PreferenceController.php
View File

@ -201,6 +201,10 @@ class PreferenceController extends Zend_Controller_Action
$num_of_stream = intval(Application_Model_Preference::GetNumOfStreams()); $num_of_stream = intval(Application_Model_Preference::GetNumOfStreams());
$form = new Application_Form_StreamSetting(); $form = new Application_Form_StreamSetting();
$form->addElement('hash', 'csrf', array(
'salt' => 'unique'
));
$form->setSetting($setting); $form->setSetting($setting);
$form->startFrom(); $form->startFrom();

4
airtime_mvc/application/forms/AddUser.php
View File

@ -21,6 +21,10 @@ class Application_Form_AddUser extends Zend_Form
$hidden->setDecorators(array('ViewHelper')); $hidden->setDecorators(array('ViewHelper'));
$this->addElement($hidden); $this->addElement($hidden);
$this->addElement('hash', 'csrf', array(
'salt' => 'unique'
));
$login = new Zend_Form_Element_Text('login'); $login = new Zend_Form_Element_Text('login');
$login->setLabel(_('Username:')); $login->setLabel(_('Username:'));
$login->setAttrib('class', 'input_text'); $login->setAttrib('class', 'input_text');

8
airtime_mvc/application/forms/Preferences.php
View File

@ -15,6 +15,14 @@ class Application_Form_Preferences extends Zend_Form
)); ));
$general_pref = new Application_Form_GeneralPreferences(); $general_pref = new Application_Form_GeneralPreferences();
$this->addElement('hash', 'csrf', array(
'salt' => 'unique',
'decorators' => array(
'ViewHelper'
)
));
$this->addSubForm($general_pref, 'preferences_general'); $this->addSubForm($general_pref, 'preferences_general');
$email_pref = new Application_Form_EmailServerPreferences(); $email_pref = new Application_Form_EmailServerPreferences();

2
airtime_mvc/application/views/scripts/form/preferences.phtml
View File

@ -1,5 +1,5 @@
<form method="<?php echo $this->element->getMethod() ?>" enctype="multipart/form-data"> <form method="<?php echo $this->element->getMethod() ?>" enctype="multipart/form-data">
<?php echo $this->element->getElement('csrf') ?>
<?php echo $this->element->getSubform('preferences_general') ?> <?php echo $this->element->getSubform('preferences_general') ?>
<h3 class="collapsible-header" id="email-server-heading"><span class="arrow-icon"></span><?php echo _("Email / Mail Server Settings"); ?></h3> <h3 class="collapsible-header" id="email-server-heading"><span class="arrow-icon"></span><?php echo _("Email / Mail Server Settings"); ?></h3>

1
airtime_mvc/application/views/scripts/plupload/index.phtml
View File

@ -4,6 +4,7 @@
} }
</style> </style>
<form id="plupload_form"> <form id="plupload_form">
<?php echo $this->form->getElement('csrf') ?>
<div id="plupload_files"></div> <div id="plupload_files"></div>
</form> </form>
<div id="plupload_error"> <div id="plupload_error">

1
airtime_mvc/application/views/scripts/preference/stream-setting.phtml
View File

@ -4,6 +4,7 @@
<?php if($this->enable_stream_conf == "true"){?> <?php if($this->enable_stream_conf == "true"){?>
<form method="post" id="stream_form" enctype="application/x-www-form-urlencoded"> <form method="post" id="stream_form" enctype="application/x-www-form-urlencoded">
<button name="stream_save" id="stream_save" type="button" class="btn btn-small right-floated"><?php echo _("Save") ?></button> <button name="stream_save" id="stream_save" type="button" class="btn btn-small right-floated"><?php echo _("Save") ?></button>
<?php echo $this->form->getElement('csrf') ?>
<div style="clear:both"></div> <div style="clear:both"></div>
<?php }?> <?php }?>
<?php echo $this->statusMsg;?> <?php echo $this->statusMsg;?>

5
airtime_mvc/public/js/airtime/library/plupload.js
View File

@ -11,7 +11,10 @@ $(document).ready(function() {
multiple_queues : 'true', multiple_queues : 'true',
filters : [ filters : [
{title: "Audio Files", extensions: "ogg,mp3,oga,flac,wav,m4a,mp4,opus"} {title: "Audio Files", extensions: "ogg,mp3,oga,flac,wav,m4a,mp4,opus"}
] ],
multipart_params : {
"csrf_token" : $("#csrf").attr('value'),
}
}); });
uploader = $("#plupload_files").pluploadQueue(); uploader = $("#plupload_files").pluploadQueue();