Congegni
/
sintonia
7
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

SAAS-595 - Changed Zend validation and added sanitization in file import process to throw out bad track number metadata

This commit is contained in:
Duncan Sommerville 2015-02-17 11:44:31 -05:00
parent 4b6e5671c3
commit eb40379152
2 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
airtime_mvc/application/forms/EditAudioMD.php
View File

@ -59,7 +59,7 @@ class Application_Form_EditAudioMD extends Zend_Form
$track_number->class = 'input_text'; $track_number->class = 'input_text';
$track_number->setLabel('Track Number:') $track_number->setLabel('Track Number:')
->setFilters(array('StringTrim')) ->setFilters(array('StringTrim'))
->setValidators(array(new Zend_Validate_Digits())); ->setValidators(array(new Zend_Validate_Int()));
$this->addElement($track_number); $this->addElement($track_number);
// Add genre field // Add genre field

17
airtime_mvc/application/modules/rest/controllers/MediaController.php
View File

@ -113,6 +113,8 @@ class Rest_MediaController extends Zend_Rest_Controller
$file->save(); $file->save();
return; return;
} else { } else {
// Sanitize any incorrect metadata that slipped past validation
$this->sanitizeData($file, $whiteList);
/* If full_path is set, the post request came from ftp. /* If full_path is set, the post request came from ftp.
* Users are allowed to upload folders via ftp. If this is the case * Users are allowed to upload folders via ftp. If this is the case
* we need to include the folder name with the file name, otherwise * we need to include the folder name with the file name, otherwise
@ -165,6 +167,9 @@ class Rest_MediaController extends Zend_Rest_Controller
$file->save(); $file->save();
return; return;
} else if ($file) { } else if ($file) {
// Sanitize any incorrect metadata that slipped past validation
$this->sanitizeData($file, $whiteList);
$file->fromArray($whiteList, BasePeer::TYPE_FIELDNAME); $file->fromArray($whiteList, BasePeer::TYPE_FIELDNAME);
//Our RESTful API takes "full_path" as a field, which we then split and translate to match //Our RESTful API takes "full_path" as a field, which we then split and translate to match
@ -297,6 +302,18 @@ class Rest_MediaController extends Zend_Rest_Controller
return true; return true;
} }
/**
* We want to throw out invalid data and process the upload successfully
* at all costs, so check the whitelisted data and sanitize it if necessary
* @param CcFiles $file CcFiles object being uploaded
* @param array $whitelist array of whitelisted (modifiable) file fields
*/
private function sanitizeData($file, &$whitelist) {
if (!ctype_digit(strval($whitelist["track_number"]))) {
$file->setDbTrackNumber(null);
}
}
private function processUploadedFile($callbackUrl, $originalFilename, $ownerId) private function processUploadedFile($callbackUrl, $originalFilename, $ownerId)
{ {
$CC_CONFIG = Config::getConfig(); $CC_CONFIG = Config::getConfig();