
Security fix in Zend_Service_WindowsAzure.

git-svn-id: http://framework.zend.com/svn/framework/standard/trunk@20065 44c647ce-9c0f-0410-b52a-842ac1e357ba
maartenba 16 yıl önce
ebeveyn
işleme
72c1f0160f

+ 48 - 1
library/Zend/Service/WindowsAzure/Storage.php

@@ -17,7 +17,7 @@
  * @subpackage Storage
  * @copyright  Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
  * @license    http://framework.zend.com/license/new-bsd     New BSD License
- * @version    $Id: Storage.php 35999 2009-12-21 07:56:42Z unknown $
+ * @version    $Id: Storage.php 36457 2010-01-04 07:36:33Z unknown $
  */
 
 /**
@@ -425,6 +425,53 @@ class Zend_Service_WindowsAzure_Storage
 	}
 	
 	/**
+	 * Generate metadata headers
+	 * 
+	 * @param array $metadata
+	 * @return HTTP headers containing metadata
+	 */
+	protected function _generateMetadataHeaders($metadata = array())
+	{
+		// Validate
+		if (!is_array($metadata)) {
+			return array();
+		}
+		
+		// Return headers
+		$headers = array();
+		foreach ($metadata as $key => $value) {
+			if (strpos($value, "\r") !== false || strpos($value, "\n") !== false) {
+				throw new Zend_Service_WindowsAzure_Exception('Metadata cannot contain newline characters.');
+			}
+		    $headers["x-ms-meta-" . strtolower($key)] = $value;
+		}
+		return $headers;
+	}
+	
+	/**
+	 * Parse metadata errors
+	 * 
+	 * @param array $headers HTTP headers containing metadata
+	 * @return array
+	 */
+	protected function _parseMetadataHeaders($headers = array())
+	{
+		// Validate
+		if (!is_array($headers)) {
+			return array();
+		}
+		
+		// Return metadata
+		$metadata = array();
+		foreach ($headers as $key => $value) {
+		    if (substr(strtolower($key), 0, 10) == "x-ms-meta-") {
+		        $metadata[str_replace("x-ms-meta-", '', strtolower($key))] = $value;
+		    }
+		}
+		return $metadata;
+	}
+	
+	/**
 	 * Generate ISO 8601 compliant date string in UTC time zone
 	 * 
 	 * @param int $timestamp
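Review bot: `_generateMetadataHeaders` screens only `$value` for CR/LF, while `$key` is interpolated into the header name on the following line unchecked, so a metadata key containing a line break would still be emitted as a raw header; extend the guard to cover both, e.g. `if (preg_match('/[\r\n]/', $key . $value)) {` with the existing throw kept. `strpos()` also expects a string, so a non-string metadata value (array, null) would most likely produce a warning rather than be rejected — casting with `(string)` or rejecting non-scalars explicitly would make the check total. Two docblock nits: `@return HTTP headers containing metadata` is not a type and should read `@return array HTTP headers containing metadata`, and the second docblock's summary `Parse metadata errors` should read `Parse metadata headers`.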

+ 9 - 31
library/Zend/Service/WindowsAzure/Storage/Blob.php

@@ -17,7 +17,7 @@
  * @subpackage Storage
  * @copyright  Copyright (c) 2005-2009 Zend Technologies USA Inc. (http://www.zend.com)
  * @license    http://todo     name_todo
- * @version    $Id: Blob.php 35999 2009-12-21 07:56:42Z unknown $
+ * @version    $Id: Blob.php 36457 2010-01-04 07:36:33Z unknown $
  */
 
 /**
@@ -212,9 +212,7 @@ class Zend_Service_WindowsAzure_Storage_Blob extends Zend_Service_WindowsAzure_S
 			
 		// Create metadata headers
 		$headers = array();
-		foreach ($metadata as $key => $value) {
-		    $headers["x-ms-meta-" . strtolower($key)] = $value;
-		}
+		$headers = array_merge($headers, $this->_generateMetadataHeaders($metadata));
 		
 		// Perform request
 		$response = $this->_performRequest($containerName, '?restype=container', Zend_Http_Client::PUT, $headers, false, null, Zend_Service_WindowsAzure_Storage::RESOURCE_CONTAINER, Zend_Service_WindowsAzure_Credentials_CredentialsAbstract::PERMISSION_WRITE);			
@@ -354,12 +352,7 @@ class Zend_Service_WindowsAzure_Storage_Blob extends Zend_Service_WindowsAzure_S
 		$response = $this->_performRequest($containerName, '?restype=container', Zend_Http_Client::GET, array(), false, null, Zend_Service_WindowsAzure_Storage::RESOURCE_CONTAINER, Zend_Service_WindowsAzure_Credentials_CredentialsAbstract::PERMISSION_READ);	
 		if ($response->isSuccessful()) {
 		    // Parse metadata
-		    $metadata = array();
-		    foreach ($response->getHeaders() as $key => $value) {
-		        if (substr(strtolower($key), 0, 10) == "x-ms-meta-") {
-		            $metadata[str_replace("x-ms-meta-", '', strtolower($key))] = $value;
-		        }
-		    }
+		    $metadata = $this->_parseMetadataHeaders($response->getHeaders());
 
 		    // Return container
 		    return new Zend_Service_WindowsAzure_Storage_BlobContainer(
@@ -419,9 +412,7 @@ class Zend_Service_WindowsAzure_Storage_Blob extends Zend_Service_WindowsAzure_S
 		    
 		// Create metadata headers
 		$headers = array();
-		foreach ($metadata as $key => $value) {
-		    $headers["x-ms-meta-" . strtolower($key)] = $value;
-		}
+		$headers = array_merge($headers, $this->_generateMetadataHeaders($metadata)); 
 		
 		// Additional headers?
 		foreach ($additionalHeaders as $key => $value) {
@@ -559,9 +550,7 @@ class Zend_Service_WindowsAzure_Storage_Blob extends Zend_Service_WindowsAzure_S
 
 		// Create metadata headers
 		$headers = array();
-		foreach ($metadata as $key => $value) {
-		    $headers["x-ms-meta-" . strtolower($key)] = $value;
-		}
+		$headers = array_merge($headers, $this->_generateMetadataHeaders($metadata)); 
 		
 		// Additional headers?
 		foreach ($additionalHeaders as $key => $value) {
@@ -753,9 +742,7 @@ class Zend_Service_WindowsAzure_Storage_Blob extends Zend_Service_WindowsAzure_S
 		
 	    // Create metadata headers
 		$headers = array();
-		foreach ($metadata as $key => $value) {
-		    $headers["x-ms-meta-" . strtolower($key)] = $value;
-		}
+		$headers = array_merge($headers, $this->_generateMetadataHeaders($metadata)); 
 		
 		// Additional headers?
 		foreach ($additionalHeaders as $key => $value) {
@@ -880,9 +867,7 @@ class Zend_Service_WindowsAzure_Storage_Blob extends Zend_Service_WindowsAzure_S
 
 		// Create metadata headers
 		$headers = array();
-		foreach ($metadata as $key => $value) {
-		    $headers["x-ms-meta-" . strtolower($key)] = $value;
-		}
+		$headers = array_merge($headers, $this->_generateMetadataHeaders($metadata)); 
 		
 		// Additional headers?
 		foreach ($additionalHeaders as $key => $value) {
@@ -996,12 +981,7 @@ class Zend_Service_WindowsAzure_Storage_Blob extends Zend_Service_WindowsAzure_S
 		$response = $this->_performRequest($resourceName, '', Zend_Http_Client::HEAD, $headers, false, null, Zend_Service_WindowsAzure_Storage::RESOURCE_BLOB, Zend_Service_WindowsAzure_Credentials_CredentialsAbstract::PERMISSION_READ);
 		if ($response->isSuccessful()) {
 		    // Parse metadata
-		    $metadata = array();
-		    foreach ($response->getHeaders() as $key => $value) {
-		        if (substr(strtolower($key), 0, 10) == "x-ms-meta-") {
-		            $metadata[str_replace("x-ms-meta-", '', strtolower($key))] = $value;
-		        }
-		    }
+		    $metadata = $this->_parseMetadataHeaders($response->getHeaders());
 
 		    // Return blob
 			return new Zend_Service_WindowsAzure_Storage_BlobInstance(
@@ -1079,9 +1059,7 @@ class Zend_Service_WindowsAzure_Storage_Blob extends Zend_Service_WindowsAzure_S
 		    
 		// Create metadata headers
 		$headers = array();
-		foreach ($metadata as $key => $value) {
-		    $headers["x-ms-meta-" . strtolower($key)] = $value;
-		}
+		$headers = array_merge($headers, $this->_generateMetadataHeaders($metadata)); 
 		
 		// Additional headers?
 		foreach ($additionalHeaders as $key => $value) {
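Review bot: Every replaced site in this file, and the two in Queue.php, now reads `$headers = array(); $headers = array_merge($headers, $this->_generateMetadataHeaders($metadata));`, where merging into a just-emptied array is a no-op; `$headers = $this->_generateMetadataHeaders($metadata);` says the same thing, and several of the new lines also carry trailing whitespace. The helper silently returns an empty array for a non-array `$metadata` where the old `foreach` would have raised a warning, so a caller passing a malformed value now sends a request with no metadata instead of getting a diagnostic — worth either a stricter check in the helper or a short comment at the call sites such as `// non-array metadata is dropped by _generateMetadataHeaders`. In the hunk at 419/412 the `foreach ($additionalHeaders ...)` loop that follows appears to append caller-supplied headers without the newline validation just added for metadata; its body is outside the hunk, so this is inferred and worth confirming.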

+ 3 - 12
library/Zend/Service/WindowsAzure/Storage/Queue.php

@@ -142,9 +142,7 @@ class Zend_Service_WindowsAzure_Storage_Queue extends Zend_Service_WindowsAzure_
 			
 		// Create metadata headers
 		$headers = array();
-		foreach ($metadata as $key => $value) {
-		    $headers["x-ms-meta-" . strtolower($key)] = $value;
-		}
+		$headers = array_merge($headers, $this->_generateMetadataHeaders($metadata)); 
 		
 		// Perform request
 		$response = $this->_performRequest($queueName, '', Zend_Http_Client::PUT, $headers);			
@@ -178,12 +176,7 @@ class Zend_Service_WindowsAzure_Storage_Queue extends Zend_Service_WindowsAzure_
 		$response = $this->_performRequest($queueName, '?comp=metadata', Zend_Http_Client::GET);	
 		if ($response->isSuccessful()) {
 		    // Parse metadata
-		    $metadata = array();
-		    foreach ($response->getHeaders() as $key => $value) {
-		        if (substr(strtolower($key), 0, 10) == "x-ms-meta-") {
-		            $metadata[str_replace("x-ms-meta-", '', strtolower($key))] = $value;
-		        }
-		    }
+		    $metadata = $this->_parseMetadataHeaders($response->getHeaders());
 
 		    // Return queue
 		    $queue = new Zend_Service_WindowsAzure_Storage_QueueInstance(
@@ -239,9 +232,7 @@ class Zend_Service_WindowsAzure_Storage_Queue extends Zend_Service_WindowsAzure_
 		    
 		// Create metadata headers
 		$headers = array();
-		foreach ($metadata as $key => $value) {
-		    $headers["x-ms-meta-" . strtolower($key)] = $value;
-		}
+		$headers = array_merge($headers, $this->_generateMetadataHeaders($metadata)); 
 		
 		// Perform request
 		$response = $this->_performRequest($queueName, '?comp=metadata', Zend_Http_Client::PUT, $headers);

+ 2 - 2
library/Zend/Service/WindowsAzure/Storage/Table.php

@@ -230,7 +230,7 @@ class Zend_Service_WindowsAzure_Storage_Table
 		
         $requestBody = $this->_fillTemplate($requestBody, array(
             'BaseUrl' => $this->getBaseUrl(),
-            'TableName' => $tableName,
+            'TableName' => htmlspecialchars($tableName),
         	'Updated' => $this->isoDate(),
             'AccountName' => $this->_accountName
         ));
@@ -803,7 +803,7 @@ class Zend_Service_WindowsAzure_Storage_Table
 		        if (strtolower($azureValue->Type) == 'edm.boolean') {
 		            $value[] = ($azureValue->Value == true ? '1' : '0');
 		        } else {
-		            $value[] = $azureValue->Value;
+		            $value[] = htmlspecialchars($azureValue->Value);
 		        }
 		    }
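Review bot: `htmlspecialchars($tableName)` and `htmlspecialchars($azureValue->Value)` are called with defaults, which leave single quotes unescaped and, on PHP before 5.4, assume ISO-8859-1; since these values are inserted into an XML request body via `_fillTemplate`, prefer the explicit form `htmlspecialchars($tableName, ENT_QUOTES, 'UTF-8')` and likewise for `$azureValue->Value`, so attribute-context insertion and multibyte values are handled consistently. Which template slot `TableName` lands in (element text or attribute) is not visible here, so the quoting need is inferred. Both enclosing functions start and end outside the hunks.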