Merge branch '2.5.x' into cc-5709-airtime-analyzer

Conflicts:
	airtime_mvc/application/controllers/PluploadController.php
	airtime_mvc/application/views/scripts/plupload/index.phtml

airtime_mvc/application/controllers/LocaleController.php

@@ -12,12 +12,11 @@ class LocaleController extends Zend_Controller_Action
         $this->_helper->viewRenderer->setNoRender(true);
         header("Content-type: text/javascript");
 
-        $baseUrl = Application_Common_OsPath::getBaseDir();
         $locale = Application_Model_Preference::GetLocale();
         echo "var datatables_dict =" .
             file_get_contents(Application_Common_OsPath::join(
-                dirname(__file__),
-                "../../public/js/datatables/i18n/",
+                $_SERVER["DOCUMENT_ROOT"],
+                "js/datatables/i18n/",
                 $locale.".txt")
             );
     }

airtime_mvc/application/controllers/LoginController.php

@@ -56,6 +56,8 @@ class LoginController extends Zend_Controller_Action
                     
                     $result = $auth->authenticate($authAdapter);
                     if ($result->isValid()) {
+                        //  Regenerate session id on login to prevent session fixation.
+                        Zend_Session::regenerateId();
                         //all info about this user from the login table omit only the password
                         $userInfo = $authAdapter->getResultRowObject(null, 'password');
 

airtime_mvc/application/controllers/PluploadController.php

@@ -30,6 +30,33 @@ class PluploadController extends Zend_Controller_Action
         if (Application_Model_Systemstatus::isDiskOverQuota()) {
             $this->view->quotaLimitReached = true;
         }
+
+        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $csrf_namespace->setExpirationSeconds(5*60*60);
+        $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+
+        $csrf_element = new Zend_Form_Element_Hidden('csrf');
+        $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
+        $csrf_form = new Zend_Form();
+        $csrf_form->addElement($csrf_element);
+        $this->view->form = $csrf_form;
+    }
+
+    public function uploadAction()
+    {
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $this->_getParam('csrf_token');
+        $expected_csrf_token = $current_namespace->authtoken;
+
+        if($observed_csrf_token == $expected_csrf_token){
+            $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
+            $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
+            $tempFileName = basename($tempFilePath);
+         
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+        }else{
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+        }
     }
 
     public function recentUploadsAction()

airtime_mvc/application/controllers/PreferenceController.php

@@ -201,6 +201,10 @@ class PreferenceController extends Zend_Controller_Action
         $num_of_stream = intval(Application_Model_Preference::GetNumOfStreams());
         $form = new Application_Form_StreamSetting();
 
+        $form->addElement('hash', 'csrf', array(
+           'salt' => 'unique'
+        ));
+
         $form->setSetting($setting);
         $form->startFrom();