tokens for multipart data upload.

2014-10-02 02:04:03 +00:00 · 2014-10-02 02:04:03 +00:00 · feff7f4343
parent 5c69eda010
commit feff7f4343
3 changed files with 27 additions and 5 deletions
--- a/airtime_mvc/application/controllers/PluploadController.php
+++ b/airtime_mvc/application/controllers/PluploadController.php
@ -24,15 +24,33 @@ class PluploadController extends Zend_Controller_Action
        $this->view->headScript()->appendFile($baseUrl.'js/plupload/i18n/'.$locale.'.js?'.$CC_CONFIG['airtime_version'],'text/javascript');

        $this->view->headLink()->appendStylesheet($baseUrl.'css/plupload.queue.css?'.$CC_CONFIG['airtime_version']);
+
+        $csrf_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $csrf_namespace->setExpirationSeconds(900);
+        $csrf_namespace->authtoken = sha1(uniqid(rand(),1));
+
+        $csrf_element = new Zend_Form_Element_Hidden('csrf');
+        $csrf_element->setValue($csrf_namespace->authtoken)->setRequired('true')->removeDecorator('HtmlTag')->removeDecorator('Label');
+        $csrf_form = new Zend_Form();
+        $csrf_form->addElement($csrf_element);
+        $this->view->form = $csrf_form;
    }

    public function uploadAction()
    {
-        $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
-        $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
-        $tempFileName = basename($tempFilePath);
+        $current_namespace = new Zend_Session_Namespace('csrf_namespace');
+        $observed_csrf_token = $this->_getParam('csrf_token');
+        $expected_csrf_token = $current_namespace->authtoken;

-        $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+        if($observed_csrf_token == $expected_csrf_token){
+            $upload_dir = ini_get("upload_tmp_dir") . DIRECTORY_SEPARATOR . "plupload";
+            $tempFilePath = Application_Model_StoredFile::uploadFile($upload_dir);
+            $tempFileName = basename($tempFilePath);
+         
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "tempfilepath" => $tempFileName));
+        }else{
+            $this->_helper->json->sendJson(array("jsonrpc" => "2.0", "valid" => false, "error" => "CSRF token did not match."));
+        }
    }

    public function copyfileAction()
--- a/airtime_mvc/application/views/scripts/plupload/index.phtml
+++ b/airtime_mvc/application/views/scripts/plupload/index.phtml
@ -4,6 +4,7 @@
 }
 </style> 
 <form id="plupload_form">
+        <?php echo $this->form->getElement('csrf') ?>
 	<div id="plupload_files"></div>	
 </form>
 <div id="plupload_error">
--- a/airtime_mvc/public/js/airtime/library/plupload.js
+++ b/airtime_mvc/public/js/airtime/library/plupload.js
@ -11,7 +11,10 @@ $(document).ready(function() {
 		multiple_queues : 'true',
 		filters : [
 			{title: "Audio Files", extensions: "ogg,mp3,oga,flac,wav,m4a,mp4,opus"}
-		]
+		],
+                multipart_params : {
+                    "csrf_token" : $("#csrf").attr('value'),
+                }
 	});

 	uploader = $("#plupload_files").pluploadQueue();