Infra-Mirrors/PrivateBin
1
0
Fork 0
mirror of https://github.com/PrivateBin/PrivateBin.git synced 2024-10-01 01:26:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

ensure ALL read errors are only exposed in the JSON API to avoid information leakage (i.e. beviour for deleted vs expired pastes), updated test cases & removed duplicate test

Browse Source
This commit is contained in:
El RIDO 2018-05-27 14:36:30 +02:00
parent e511613bbc
commit 05c1776ada
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
2 changed files with 22 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
lib/PrivateBin.php
View File

@ -356,38 +356,31 @@ class PrivateBin
}
/**
* Read an existing paste or comment
* Read an existing paste or comment, only allowed via a JSON API call
*
* @access private
* @param string $dataid
*/
private function _read($dataid)
{
if (!$this->_request->isJsonApiCall()) {
return;
}
try {
$paste = $this->_model->getPaste($dataid);
if ($paste->exists()) {
// reading paste is only possible via JSON call
if ($this->_request->isJsonApiCall()) {
$data = $paste->get();
$this->_doesExpire = property_exists($data, 'meta') && property_exists($data->meta, 'expire_date');
if (property_exists($data->meta, 'salt')) {
unset($data->meta->salt);
}
$this->_data = json_encode($data);
$data = $paste->get();
$this->_doesExpire = property_exists($data, 'meta') && property_exists($data->meta, 'expire_date');
if (property_exists($data->meta, 'salt')) {
unset($data->meta->salt);
}
$this->_return_message(0, $dataid, (array) $data);
} else {
$this->_error = self::GENERIC_ERROR;
$this->_return_message(1, self::GENERIC_ERROR);
}
} catch (Exception $e) {
$this->_error = $e->getMessage();
}
if ($this->_request->isJsonApiCall()) {
if (strlen($this->_error)) {
$this->_return_message(1, $this->_error);
} else {
$this->_return_message(0, $dataid, json_decode($this->_data, true));
}
$this->_return_message(1, $e->getMessage());
}
}

37
tst/PrivateBinTest.php
View File

@ -679,16 +679,15 @@ class PrivateBinTest extends PHPUnit_Framework_TestCase
*/
public function testReadInvalidId()
{
$_SERVER['QUERY_STRING'] = 'foo';
$_SERVER['QUERY_STRING'] = 'foo';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new PrivateBin;
$content = ob_get_contents();
ob_end_clean();
$this->assertRegExp(
'#<div[^>]*id="errormessage"[^>]*>.*Invalid paste ID\.#s',
$content,
'outputs error correctly'
);
$response = json_decode($content, true);
$this->assertEquals(1, $response['status'], 'outputs error status');
$this->assertEquals('Invalid paste ID.', $response['message'], 'outputs error message');
}
/**
@ -696,16 +695,15 @@ class PrivateBinTest extends PHPUnit_Framework_TestCase
*/
public function testReadNonexisting()
{
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new PrivateBin;
$content = ob_get_contents();
ob_end_clean();
$this->assertRegExp(
'#<div[^>]*id="errormessage"[^>]*>.*Paste does not exist, has expired or has been deleted\.#s',
$content,
'outputs error correctly'
);
$response = json_decode($content, true);
$this->assertEquals(1, $response['status'], 'outputs error status');
$this->assertEquals('Paste does not exist, has expired or has been deleted.', $response['message'], 'outputs error message');
}
/**
@ -779,21 +777,6 @@ class PrivateBinTest extends PHPUnit_Framework_TestCase
$this->assertEquals(0, $response['comment_offset'], 'outputs comment_offset correctly');
}
/**
* @runInSeparateProcess
*/
public function testReadInvalidJson()
{
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new PrivateBin;
$content = ob_get_contents();
ob_end_clean();
$response = json_decode($content, true);
$this->assertEquals(1, $response['status'], 'outputs error status');
}
/**
* @runInSeparateProcess
*/