cc-4105: Made reloadMetadataGroupAction safer by validating input

This commit is contained in:
Rudi Grinberg 2012-07-17 13:52:24 -04:00
parent e0ba52644f
commit e7daa67628
2 changed files with 12 additions and 8 deletions


@ -538,30 +538,34 @@ class ApiController extends Zend_Controller_Action
// The key does not have any meaning as of yet but it could potentially correspond // The key does not have any meaning as of yet but it could potentially correspond
// to some unique id. // to some unique id.
$responses = array(); $responses = array();
$params = $request->getParams();
die( json_encode($params) );
foreach ($request->getParams() as $k => $raw_json) { foreach ($request->getParams() as $k => $raw_json) {
if( !preg_match('/^md\d+$/', $k) ) { continue; }
$info_json = json_decode($raw_json, $assoc=true); $info_json = json_decode($raw_json, $assoc=true);
if( !array_key_exists('mode', $info_json) ) { if( !array_key_exists('mode', $info_json) ) {
Logging::log("Received bad request, no 'mode' parameter. Bad request is:"); Logging::log("Received bad request, no 'mode' parameter. Bad request is:");
Logging::log( $info_json ); Logging::log( $info_json );
array_push( $responses, array('error' => "Bad request. no 'mode' parameter passed.") );
continue; continue;
} }
Logging::log("we got here mang");
die( json_encode('damn straight') );
$mode = $info_json['mode']; $mode = $info_json['mode'];
unset( $info_json['mode'] ); unset( $info_json['mode'] );
// TODO : remove the $dry_run parameter after finished testing // TODO : remove the $dry_run parameter after finished testing
$response = $this->dispatchMetadataAction($info_json, $info_json['mode'], $dry_run=true); $response = $this->dispatchMetadataAction($info_json, $info_json['mode'], $dry_run=true);
array_push($responses, $response); array_push($responses, $response);
// Like wise, remove the following line when done
// On recorded show requests we do some extra work here. Not sure what it actually is and it // On recorded show requests we do some extra work here. Not sure what it actually is and it
// was usually called from the python api // was usually called from the python api. Now we just call it straight from the controller to
if( $info_json['is_record'] ) { // save the http roundtrip
// TODO : must check for error in $response before proceeding... if( $info_json['is_record'] and !array_key_exists('error', $response) ) {
$this->uploadRecordedActionParam($info_json['showinstanceid'],$info_json['fileid']); $this->uploadRecordedActionParam($info_json['showinstanceid'],$info_json['fileid']);
} }
// TODO : Remove this line when done debugging // TODO : Remove this line when done debugging
Logging::log( $info_json ); Logging::log( $info_json );
} }
die(json_encode( array('successes' => 19, 'fails' => 123) )); die( json_encode($responses) );
} }
public function reloadMetadataAction() public function reloadMetadataAction()
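Review bot: The new key filter `preg_match('/^md\d+$/', $k)` validates only the parameter name; the decoded value is never checked to be an array, so a non-JSON or scalar `mdN` value reaches `array_key_exists('mode', $info_json)` with a null or scalar second argument (a warning on PHP 5, a TypeError on PHP 8) instead of producing the 'error' entry the commit adds to `$responses`. Guard the decode result first: `if( !is_array($info_json) || !array_key_exists('mode', $info_json) ) {`. The same gap applies to the fields consumed after the mode check — `is_record`, `showinstanceid` and `fileid` are read straight from the client payload and handed to `uploadRecordedActionParam` with no presence or type check, so the "validating input" in the title currently covers only the key name. In the unchanged lines, `$mode` is assigned and then the call still passes `$info_json['mode']`, which was just `unset`, so dispatchMetadataAction appears to receive null for its mode argument (with `$dry_run=true` still hard-coded); the signature and opening of reloadMetadataGroupAction are above the hunk.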


@ -397,8 +397,8 @@ class AirtimeApiClient():
action['is_record'] = True action['is_record'] = True
else: action['is_record'] = False else: action['is_record'] = False
valid_actions.append(action) valid_actions.append(action)
# Note that we must prefix every key with: mdX where x is a number
md_list = dict((i, json.dumps(convert_dict_value_to_utf8(md))) for i,md in enumerate(valid_actions)) md_list = dict((("md%d" % i), json.dumps(convert_dict_value_to_utf8(md))) for i,md in enumerate(valid_actions))
data = urllib.urlencode(md_list) data = urllib.urlencode(md_list)
req = urllib2.Request(url, data) req = urllib2.Request(url, data)
response = self.get_response_from_server(req) response = self.get_response_from_server(req)