Merge branch 'cc-5709-airtime-analyzer-refactor' into saas-media-refactor

Conflicts:
	airtime_mvc/application/controllers/plugins/Acl_plugin.php

airtime_mvc/application/controllers/LoginController.php

@@ -119,6 +119,9 @@ class LoginController extends Zend_Controller_Action
     {
         $auth = Zend_Auth::getInstance();
         $auth->clearIdentity();
+        // Unset all session variables relating to CSRF prevention on logout
+        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $csrf_namespace->unsetAll();
         $this->_redirect('showbuilder/index');
     }
 

airtime_mvc/application/controllers/PluploadController.php

@@ -31,9 +31,10 @@ class PluploadController extends Zend_Controller_Action
             $this->view->quotaLimitReached = true;
         }
 
+        //Because uploads are done via AJAX (and we're not using Zend form for those), we manually add the CSRF
+        //token in here.
         $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
-        $csrf_namespace->setExpirationSeconds(5*60*60);
-        $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+        //The CSRF token is generated in Bootstrap.php
 
         $csrf_element = new Zend_Form_Element_Hidden('csrf');
         $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');

airtime_mvc/application/controllers/plugins/Acl_plugin.php

@@ -152,17 +152,22 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
                 }
             }
         } else { //We have a session/identity.
-
             // If we have an identity and we're making a RESTful request,
             // we need to check the CSRF token
-            if ($request->_action != "get" && $request->getModuleName() == "rest") {
-                $tokenValid = $this->verifyCSRFToken($request->getParam("csrf_token"));
+            if ($_SERVER['REQUEST_METHOD'] != "GET" && $request->getModuleName() == "rest") {
+                $token = $request->getParam("csrf_token");
+                $tokenValid = $this->verifyCSRFToken($token);
 
                 if (!$tokenValid) {
+                    $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+                    $csrf_namespace->authtoken = sha1(openssl_random_pseudo_bytes(128));
+
+                    Logging::warn("Invalid CSRF token: $token");
                     $this->getResponse()
                          ->setHttpResponseCode(401)
-                         ->appendBody("ERROR: CSRF token mismatch.");
-                    return;
+                         ->appendBody("ERROR: CSRF token mismatch.")
+                         ->sendResponse();
+                    die();
                 }
             }
             
@@ -207,7 +212,7 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
         $current_namespace = new Zend_Session_Namespace('csrf_namespace');
         $observed_csrf_token = $token;
         $expected_csrf_token = $current_namespace->authtoken;
-        
+
         return ($observed_csrf_token == $expected_csrf_token);
     }