diff --git a/include/api.tickets.php b/include/api.tickets.php
index 7346f2b2943bbc5c0451d62fcc7952677034b6d5..502541fe679795ef7d1309be5873b8e97a57010a 100644
--- a/include/api.tickets.php
+++ b/include/api.tickets.php
@@ -24,6 +24,34 @@ class TicketApiController extends ApiController {
         return $supported;
     }
+    /*
+     Validate data - overwrites parent's validator for additional validations.
+    */
+    function validate(&$data, $format) {
+        global $ost;
+
+        //Call parent to Validate the structure
+        if(!parent::validate($data, $format))
+            $this->exerr(400, 'Unexpected or invalid data received');
+
+        //Validate attachments: Do error checking... soft fail - set the error and pass on the request.
+        if($data['attachments'] && is_array($data['attachments'])) {
+            foreach($data['attachments'] as &$attachment) {
+                if(!$ost->isFileTypeAllowed($attachment))
+                    $data['error'] = 'Invalid file type (ext) for '.Format::htmlchars($attachment['name']);
+                elseif ($attachment['encoding'] && !strcasecmp($attachment['encoding'], 'base64')) {
+                    if(!($attachment['data'] = base64_decode($attachment['data'], true)))
+                        $attachment['error'] = sprintf('%s: Poorly encoded base64 data', Format::htmlchars($attachment['name']));
+                }
+            }
+        }
+        unset($attachment);
+
+        return true;
+
+    }
+
+
     function create($format) {
         if(!($key=$this->requireApiKey()) || !$key->canCreateTickets())
@@ -70,11 +98,6 @@ class TicketApiController extends ApiController {
             return $this->exerr(500, "Unable to create new ticket: unknown error");
         }
-
-        # Save attachment(s)
-        if($data['attachments'])
-            $ticket->importAttachments($data['attachments'], $ticket->getLastMsgId(), 'M');
-
         return $ticket;
     }
diff --git a/include/class.api.php b/include/class.api.php
index dd0706ceaa374b5ee35c065ce9066590c53e4e05..6403222cc783428b144c7c751f0b11102b5aaf0b 100644
--- a/include/class.api.php
+++ b/include/class.api.php
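Review bot: The parent-validation failure on the `if(!parent::validate($data, $format))` line is not returned, so unless `exerr()` terminates the request the override falls through to `return true` with structurally invalid data; write `return $this->exerr(400, 'Unexpected or invalid data received');`, matching the `return $this->exerr(...)` this same commit adds to `validateRequestStructure` in class.api.php. In the base64 branch, `if(!($attachment['data'] = base64_decode($attachment['data'], true)))` reports a legitimately decoded `"0"` or empty payload as a decode failure and, on a real failure, leaves `$attachment['data']` set to `false`; decode into a temporary, compare with `=== false`, and assign only on success. The two failure paths also record errors in different places — `$data['error']` for a rejected file type, where a later attachment silently overwrites an earlier message, and `$attachment['error']` for bad encoding — so a consumer has to check both; one per-attachment error field would be easier to act on. `$attachment['encoding']` is read without an `isset()` guard, so attachments that omit the key raise a notice before the `strcasecmp` runs.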
@@ -192,6 +192,7 @@ class ApiController {
      * work will be done for XML requests
      */
     function getRequest($format) {
+        global $ost;
         $input = (substr(php_sapi_name(), 0, 3) == 'cli')?'php://stdin':'php://input';
@@ -219,7 +220,8 @@ class ApiController {
         if (!($data = $parser->parse($stream)))
             $this->exerr(400, $parser->lastError());
-        $this->validate($data, $this->getRequestStructure($format));
+        //Validate structure of the request.
+        $this->validate($data, $format);
         return $data;
     }
@@ -239,19 +241,33 @@ class ApiController {
      * expected. It is assumed that the functions actually implementing the
      * API will further validate the contents of the request
      */
-    function validate($data, $structure, $prefix="") {
+    function validateRequestStructure($data, $structure, $prefix="") {
+
         foreach ($data as $key=>$info) {
             if (is_array($structure) and is_array($info)) {
                 $search = (isset($structure[$key]) && !is_numeric($key)) ? $key : "*";
                 if (isset($structure[$search])) {
-                    $this->validate($info, $structure[$search], "$prefix$key/");
+                    $this->validateRequestStructure($info, $structure[$search], "$prefix$key/");
                     continue;
                 }
             } elseif (in_array($key, $structure)) {
                 continue;
             }
-            $this->exerr(400, "$prefix$key: Unexpected data received");
+            return $this->exerr(400, "$prefix$key: Unexpected data received");
         }
+
+        return true;
+    }
+
+    /**
+     * Validate request.
+     *
+     */
+    function validate(&$data, $format) {
+        return $this->validateRequestStructure(
+            $data,
+            $this->getRequestStructure($format)
+        );
     }
 /**
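Review bot: The new `return $this->exerr(400, "$prefix$key: Unexpected data received");` makes a top-level structure failure visible to callers, but the result of the added recursive `$this->validateRequestStructure($info, $structure[$search], "$prefix$key/")` call is discarded before `continue`, so a failure inside a nested element still reaches `return true` unless `exerr()` terminates the request; propagate it with `if (!$this->validateRequestStructure($info, $structure[$search], "$prefix$key/")) return false;`. The surviving whitelist check `in_array($key, $structure)` uses loose comparison, and on PHP versions before 8.0 an integer key such as `0` compares equal to any non-numeric string in `$structure`, so an unexpected numeric key passes the validator; pass `true` as the third argument. The docblock on the new `validate()` says only "Validate request."; it should state that `$data` is taken by reference so overriding validators can normalise it in place, and what the method returns (`true`, or the value of `exerr()` on the first unexpected key). `exerr()` itself is outside this diff, so whether it returns at all is inferred from the callers' `if(!...)` checks, not from visible code.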