Fixed CSRF token checking in MediaController (broken by last 2 commits)

* Also fixed getOwnerId(), no longer calls a non-existent function
This commit is contained in:
Albert Santoni 2015-01-22 12:20:13 -05:00
parent 476128ce87
commit d5ee710f89
2 changed files with 11 additions and 6 deletions


@ -146,7 +146,14 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
// If we have an identity and we're making a RESTful request, // If we have an identity and we're making a RESTful request,
// we need to check the CSRF token // we need to check the CSRF token
if ($request->_action != "get" && $request->getModuleName() == "rest") { if ($request->_action != "get" && $request->getModuleName() == "rest") {
$this->verifyCSRFToken($request->getParam("csrf_token")); $tokenValid = $this->verifyCSRFToken($request->getParam("csrf_token"));
if (!$tokenValid) {
$this->getResponse()
->setHttpResponseCode(401)
->appendBody("ERROR: CSRF token mismatch.");
return;
}
} }
$userInfo = Zend_Auth::getInstance()->getStorage()->read(); $userInfo = Zend_Auth::getInstance()->getStorage()->read();
@ -189,10 +196,8 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
$current_namespace = new Zend_Session_Namespace('csrf_namespace'); $current_namespace = new Zend_Session_Namespace('csrf_namespace');
$observed_csrf_token = $token; $observed_csrf_token = $token;
$expected_csrf_token = $current_namespace->authtoken; $expected_csrf_token = $current_namespace->authtoken;
Logging::error("Observed: " . $observed_csrf_token);
$this->getResponse() Logging::error("Expected: " . $expected_csrf_token);
->setHttpResponseCode(401)
->appendBody("ERROR: CSRF token mismatch.");
return ($observed_csrf_token == $expected_csrf_token); return ($observed_csrf_token == $expected_csrf_token);
} }
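Review bot: The final comparison in verifyCSRFToken, `return ($observed_csrf_token == $expected_csrf_token);`, still passes a request that sends no token whenever the session namespace has no `authtoken` yet: `getParam("csrf_token")` and the unset namespace property are both null, `null == null` is true, and the caller's new 401 branch is never reached. Reject the missing case explicitly and compare in constant time: `if (!is_string($observed_csrf_token) || !is_string($expected_csrf_token)) { return false; }` followed by `return hash_equals($expected_csrf_token, $observed_csrf_token);` (PHP 5.6+; a manual constant-time loop otherwise). If the two `Logging::error` calls are on the new side, they also write the valid session token to the error log on every non-GET REST request, so consider logging only the mismatch outcome. The plugin hook holding the new 401 branch and verifyCSRFToken's signature both start outside this section; if that hook is preDispatch, note that returning after setting the response does not by itself stop the action from being dispatched, and the request would additionally need to be rerouted (e.g. to the error action).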


@ -338,7 +338,7 @@ class Rest_MediaController extends Zend_Rest_Controller
private function getOwnerId() private function getOwnerId()
{ {
try { try {
if ($this->verifySession()) { if (Zend_Auth::getInstance()->hasIdentity()) {
$service_user = new Application_Service_UserService(); $service_user = new Application_Service_UserService();
return $service_user->getCurrentUser()->getDbId(); return $service_user->getCurrentUser()->getDbId();
} else { } else {
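Review bot: `$service_user->getCurrentUser()->getDbId()` on the line after the new `hasIdentity()` check dereferences the service result without a null check; if getCurrentUser() can return null for an identity whose user row no longer exists, that is a fatal "call to a member function on null" rather than the exception the surrounding `try` is presumably written to catch. Split it and treat the missing user like the unauthenticated path: `$user = $service_user->getCurrentUser();` then `if ($user === null) { /* same handling as the else branch */ }` before `return $user->getDbId();`. getOwnerId's else branch and catch block run past the end of this section, so I cannot confirm what the unauthenticated path returns.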