Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SAAS-595 - Updated validation and sanitization

This commit is contained in:
Duncan Sommerville 2015-02-17 12:17:49 -05:00
parent eb40379152
commit a07a1edcc0
4 changed files with 57 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
airtime_mvc/application/Bootstrap.php
View File

@ -11,6 +11,7 @@ require_once __DIR__."/configs/constants.php";
require_once 'Preference.php'; require_once 'Preference.php';
require_once 'Locale.php'; require_once 'Locale.php';
require_once "DateHelper.php"; require_once "DateHelper.php";
require_once "FileDataHelper.php";
require_once "HTTPHelper.php"; require_once "HTTPHelper.php";
require_once "OsPath.php"; require_once "OsPath.php";
require_once "Database.php"; require_once "Database.php";

20
airtime_mvc/application/common/FileDataHelper.php Normal file
View File

@ -0,0 +1,20 @@
<?php
/**
* Created by PhpStorm.
* User: sourcefabric
* Date: 17/02/15
*/
class FileDataHelper {
/**
* We want to throw out invalid data and process the upload successfully
* at all costs, so check the data and sanitize it if necessary
* @param array $data array containing new file metadata
*/
public static function sanitizeData(&$data) {
// If the track number isn't numeric, this will return 0
$data["track_number"] = intval($data["track_number"]);
}
}

4
airtime_mvc/application/controllers/LibraryController.php
View File

@ -77,8 +77,6 @@ class LibraryController extends Zend_Controller_Action
$obj_sess = new Zend_Session_Namespace(UI_PLAYLISTCONTROLLER_OBJ_SESSNAME); $obj_sess = new Zend_Session_Namespace(UI_PLAYLISTCONTROLLER_OBJ_SESSNAME);
if (isset($obj_sess->id)) { if (isset($obj_sess->id)) {
$objInfo = Application_Model_Library::getObjInfo($obj_sess->type);
$objInfo = Application_Model_Library::getObjInfo($obj_sess->type); $objInfo = Application_Model_Library::getObjInfo($obj_sess->type);
$obj = new $objInfo['className']($obj_sess->id); $obj = new $objInfo['className']($obj_sess->id);
$userInfo = Zend_Auth::getInstance()->getStorage()->read(); $userInfo = Zend_Auth::getInstance()->getStorage()->read();
@ -446,6 +444,8 @@ class LibraryController extends Zend_Controller_Action
} }
if ($form->isValid($serialized)) { if ($form->isValid($serialized)) {
// Sanitize any incorrect metadata that slipped past validation
FileDataHelper::sanitizeData($serialized["track_number"]);
$formValues = $this->_getParam('data', null); $formValues = $this->_getParam('data', null);
$formdata = array(); $formdata = array();

48
airtime_mvc/application/modules/rest/controllers/MediaController.php
View File

@ -114,7 +114,8 @@ class Rest_MediaController extends Zend_Rest_Controller
return; return;
} else { } else {
// Sanitize any incorrect metadata that slipped past validation // Sanitize any incorrect metadata that slipped past validation
$this->sanitizeData($file, $whiteList); FileDataHelper::sanitizeData($whiteList["track_number"]);
/* If full_path is set, the post request came from ftp. /* If full_path is set, the post request came from ftp.
* Users are allowed to upload folders via ftp. If this is the case * Users are allowed to upload folders via ftp. If this is the case
* we need to include the folder name with the file name, otherwise * we need to include the folder name with the file name, otherwise
@ -166,6 +167,37 @@ class Rest_MediaController extends Zend_Rest_Controller
if (!$this->validateRequestData($file, $whiteList)) { if (!$this->validateRequestData($file, $whiteList)) {
$file->save(); $file->save();
return; return;
} else if ($file && isset($requestData["resource_id"])) {
// Sanitize any incorrect metadata that slipped past validation
FileDataHelper::sanitizeData($whiteList["track_number"]);
$file->fromArray($whiteList, BasePeer::TYPE_FIELDNAME);
//store the original filename
$file->setDbFilepath($requestData["filename"]);
$fileSizeBytes = $requestData["filesize"];
if (!isset($fileSizeBytes) || $fileSizeBytes === false)
{
$file->setDbImportStatus(2)->save();
$this->fileNotFoundResponse();
return;
}
$cloudFile = new CloudFile();
$cloudFile->setStorageBackend($requestData["storage_backend"]);
$cloudFile->setResourceId($requestData["resource_id"]);
$cloudFile->setCcFiles($file);
$cloudFile->save();
Application_Model_Preference::updateDiskUsage($fileSizeBytes);
$now = new DateTime("now", new DateTimeZone("UTC"));
$file->setDbMtime($now);
$file->save();
$this->getResponse()
->setHttpResponseCode(200)
->appendBody(json_encode(CcFiles::sanitizeResponse($file)));
} else if ($file) { } else if ($file) {
// Sanitize any incorrect metadata that slipped past validation // Sanitize any incorrect metadata that slipped past validation
$this->sanitizeData($file, $whiteList); $this->sanitizeData($file, $whiteList);
@ -267,7 +299,7 @@ class Rest_MediaController extends Zend_Rest_Controller
$fileForm = new Application_Form_EditAudioMD(); $fileForm = new Application_Form_EditAudioMD();
$fileForm->startForm($file->getDbId()); $fileForm->startForm($file->getDbId());
$fileForm->populate($whiteList); $fileForm->populate($whiteList);
/* /*
* Here we are truncating metadata of any characters greater than the * Here we are truncating metadata of any characters greater than the
* max string length set in the database. In the rare case a track's * max string length set in the database. In the rare case a track's
@ -302,18 +334,6 @@ class Rest_MediaController extends Zend_Rest_Controller
return true; return true;
} }
/**
* We want to throw out invalid data and process the upload successfully
* at all costs, so check the whitelisted data and sanitize it if necessary
* @param CcFiles $file CcFiles object being uploaded
* @param array $whitelist array of whitelisted (modifiable) file fields
*/
private function sanitizeData($file, &$whitelist) {
if (!ctype_digit(strval($whitelist["track_number"]))) {
$file->setDbTrackNumber(null);
}
}
private function processUploadedFile($callbackUrl, $originalFilename, $ownerId) private function processUploadedFile($callbackUrl, $originalFilename, $ownerId)
{ {
$CC_CONFIG = Config::getConfig(); $CC_CONFIG = Config::getConfig();