mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2025-01-12 07:49:42 -05:00
Merge pull request #1438 from PrivateBin/array-key-type-error
Numeric array key type errors
This commit is contained in:
commit
631b65c1ea
@ -7,6 +7,7 @@
|
|||||||
* CHANGED: Simpler PostgreSQL table lookup query (#1361)
|
* CHANGED: Simpler PostgreSQL table lookup query (#1361)
|
||||||
* CHANGED: SRI hashes are now configurable, no longer hardcoded in templates (#1365)
|
* CHANGED: SRI hashes are now configurable, no longer hardcoded in templates (#1365)
|
||||||
* CHANGED: Upgrading libraries to: DOMpurify 3.1.7
|
* CHANGED: Upgrading libraries to: DOMpurify 3.1.7
|
||||||
|
* FIXED: Numeric array keys being cast to integer causing failures under strict type checking (#1435)
|
||||||
|
|
||||||
## 1.7.4 (2024-07-09)
|
## 1.7.4 (2024-07-09)
|
||||||
* CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293)
|
* CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293)
|
||||||
|
@ -506,8 +506,8 @@ class Database extends AbstractData
|
|||||||
private function _exec($sql, array $params)
|
private function _exec($sql, array $params)
|
||||||
{
|
{
|
||||||
$statement = $this->_db->prepare($sql);
|
$statement = $this->_db->prepare($sql);
|
||||||
foreach ($params as $key => &$parameter) {
|
$position = 1;
|
||||||
$position = $key + 1;
|
foreach ($params as &$parameter) {
|
||||||
if (is_int($parameter)) {
|
if (is_int($parameter)) {
|
||||||
$statement->bindParam($position, $parameter, PDO::PARAM_INT);
|
$statement->bindParam($position, $parameter, PDO::PARAM_INT);
|
||||||
} elseif (is_string($parameter) && strlen($parameter) >= 4000) {
|
} elseif (is_string($parameter) && strlen($parameter) >= 4000) {
|
||||||
@ -515,6 +515,7 @@ class Database extends AbstractData
|
|||||||
} else {
|
} else {
|
||||||
$statement->bindParam($position, $parameter);
|
$statement->bindParam($position, $parameter);
|
||||||
}
|
}
|
||||||
|
++$position;
|
||||||
}
|
}
|
||||||
$result = $statement->execute();
|
$result = $statement->execute();
|
||||||
$statement->closeCursor();
|
$statement->closeCursor();
|
||||||
|
@ -83,6 +83,7 @@ class Request
|
|||||||
{
|
{
|
||||||
foreach ($_GET as $key => $value) {
|
foreach ($_GET as $key => $value) {
|
||||||
// only return if value is empty and key is 16 hex chars
|
// only return if value is empty and key is 16 hex chars
|
||||||
|
$key = (string) $key;
|
||||||
if (($value === '') && strlen($key) === 16 && ctype_xdigit($key)) {
|
if (($value === '') && strlen($key) === 16 && ctype_xdigit($key)) {
|
||||||
return $key;
|
return $key;
|
||||||
}
|
}
|
||||||
|
@ -116,7 +116,7 @@ class Helper
|
|||||||
*
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public static function getPasteId()
|
public static function getPasteId(): string
|
||||||
{
|
{
|
||||||
return self::$pasteid;
|
return self::$pasteid;
|
||||||
}
|
}
|
||||||
@ -128,7 +128,7 @@ class Helper
|
|||||||
* @param array $meta
|
* @param array $meta
|
||||||
* @return array
|
* @return array
|
||||||
*/
|
*/
|
||||||
public static function getPaste($version = 2, array $meta = array())
|
public static function getPaste($version = 2, array $meta = array()): array
|
||||||
{
|
{
|
||||||
$example = self::getPasteWithAttachment($version, $meta);
|
$example = self::getPasteWithAttachment($version, $meta);
|
||||||
// v1 has the attachment stored in a separate property
|
// v1 has the attachment stored in a separate property
|
||||||
@ -145,7 +145,7 @@ class Helper
|
|||||||
* @param array $meta
|
* @param array $meta
|
||||||
* @return array
|
* @return array
|
||||||
*/
|
*/
|
||||||
public static function getPasteWithAttachment($version = 2, array $meta = array())
|
public static function getPasteWithAttachment($version = 2, array $meta = array()): array
|
||||||
{
|
{
|
||||||
$example = $version === 1 ? self::$pasteV1 : self::$pasteV2;
|
$example = $version === 1 ? self::$pasteV1 : self::$pasteV2;
|
||||||
$example['meta']['salt'] = ServerSalt::generate();
|
$example['meta']['salt'] = ServerSalt::generate();
|
||||||
@ -160,7 +160,7 @@ class Helper
|
|||||||
* @param array $meta
|
* @param array $meta
|
||||||
* @return array
|
* @return array
|
||||||
*/
|
*/
|
||||||
public static function getPastePost($version = 2, array $meta = array())
|
public static function getPastePost($version = 2, array $meta = array()): array
|
||||||
{
|
{
|
||||||
$example = self::getPaste($version, $meta);
|
$example = self::getPaste($version, $meta);
|
||||||
if ($version == 2) {
|
if ($version == 2) {
|
||||||
@ -176,9 +176,9 @@ class Helper
|
|||||||
*
|
*
|
||||||
* @param int $version
|
* @param int $version
|
||||||
* @param array $meta
|
* @param array $meta
|
||||||
* @return array
|
* @return string
|
||||||
*/
|
*/
|
||||||
public static function getPasteJson($version = 2, array $meta = array())
|
public static function getPasteJson($version = 2, array $meta = array()): string
|
||||||
{
|
{
|
||||||
return json_encode(self::getPastePost($version, $meta));
|
return json_encode(self::getPastePost($version, $meta));
|
||||||
}
|
}
|
||||||
@ -188,7 +188,7 @@ class Helper
|
|||||||
*
|
*
|
||||||
* @return string
|
* @return string
|
||||||
*/
|
*/
|
||||||
public static function getCommentId()
|
public static function getCommentId(): string
|
||||||
{
|
{
|
||||||
return self::$commentid;
|
return self::$commentid;
|
||||||
}
|
}
|
||||||
@ -200,7 +200,7 @@ class Helper
|
|||||||
* @param array $meta
|
* @param array $meta
|
||||||
* @return array
|
* @return array
|
||||||
*/
|
*/
|
||||||
public static function getComment($version = 2, array $meta = array())
|
public static function getComment($version = 2, array $meta = array()): array
|
||||||
{
|
{
|
||||||
$example = $version === 1 ? self::$commentV1 : self::$pasteV2;
|
$example = $version === 1 ? self::$commentV1 : self::$pasteV2;
|
||||||
if ($version === 2) {
|
if ($version === 2) {
|
||||||
@ -220,7 +220,7 @@ class Helper
|
|||||||
* @param int $version
|
* @param int $version
|
||||||
* @return array
|
* @return array
|
||||||
*/
|
*/
|
||||||
public static function getCommentPost()
|
public static function getCommentPost(): array
|
||||||
{
|
{
|
||||||
$example = self::getComment();
|
$example = self::getComment();
|
||||||
unset($example['meta']);
|
unset($example['meta']);
|
||||||
@ -231,20 +231,32 @@ class Helper
|
|||||||
* get example comment, as received via POST by user
|
* get example comment, as received via POST by user
|
||||||
*
|
*
|
||||||
* @param int $version
|
* @param int $version
|
||||||
* @return array
|
* @return string
|
||||||
*/
|
*/
|
||||||
public static function getCommentJson()
|
public static function getCommentJson(): string
|
||||||
{
|
{
|
||||||
return json_encode(self::getCommentPost());
|
return json_encode(self::getCommentPost());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns 16 random hexadecimal characters.
|
||||||
|
*
|
||||||
|
* @return string
|
||||||
|
*/
|
||||||
|
public static function getRandomId(): string
|
||||||
|
{
|
||||||
|
// 8 binary bytes are 16 characters long in hex
|
||||||
|
return bin2hex(random_bytes(8));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* delete directory and all its contents recursively
|
* delete directory and all its contents recursively
|
||||||
*
|
*
|
||||||
* @param string $path
|
* @param string $path
|
||||||
* @throws Exception
|
* @throws Exception
|
||||||
|
* @return void
|
||||||
*/
|
*/
|
||||||
public static function rmDir($path)
|
public static function rmDir($path): void
|
||||||
{
|
{
|
||||||
if (is_dir($path)) {
|
if (is_dir($path)) {
|
||||||
$path .= DIRECTORY_SEPARATOR;
|
$path .= DIRECTORY_SEPARATOR;
|
||||||
@ -272,7 +284,7 @@ class Helper
|
|||||||
*
|
*
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public static function confBackup()
|
public static function confBackup(): void
|
||||||
{
|
{
|
||||||
if (!is_file(CONF . '.bak') && is_file(CONF)) {
|
if (!is_file(CONF . '.bak') && is_file(CONF)) {
|
||||||
rename(CONF, CONF . '.bak');
|
rename(CONF, CONF . '.bak');
|
||||||
@ -287,7 +299,7 @@ class Helper
|
|||||||
*
|
*
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public static function confRestore()
|
public static function confRestore(): void
|
||||||
{
|
{
|
||||||
if (is_file(CONF . '.bak')) {
|
if (is_file(CONF . '.bak')) {
|
||||||
rename(CONF . '.bak', CONF);
|
rename(CONF . '.bak', CONF);
|
||||||
@ -303,7 +315,7 @@ class Helper
|
|||||||
* @param string $pathToFile
|
* @param string $pathToFile
|
||||||
* @param array $values
|
* @param array $values
|
||||||
*/
|
*/
|
||||||
public static function createIniFile($pathToFile, array $values)
|
public static function createIniFile($pathToFile, array $values): void
|
||||||
{
|
{
|
||||||
if (count($values)) {
|
if (count($values)) {
|
||||||
@unlink($pathToFile);
|
@unlink($pathToFile);
|
||||||
@ -346,7 +358,7 @@ class Helper
|
|||||||
* @param bool $return
|
* @param bool $return
|
||||||
* @return void|string
|
* @return void|string
|
||||||
*/
|
*/
|
||||||
public static function varExportMin($var, $return = false)
|
public static function varExportMin($var, $return = false): string
|
||||||
{
|
{
|
||||||
if (is_array($var)) {
|
if (is_array($var)) {
|
||||||
$toImplode = array();
|
$toImplode = array();
|
||||||
@ -369,7 +381,7 @@ class Helper
|
|||||||
*
|
*
|
||||||
* @return void
|
* @return void
|
||||||
*/
|
*/
|
||||||
public static function updateSubresourceIntegrity()
|
public static function updateSubresourceIntegrity(): void
|
||||||
{
|
{
|
||||||
foreach (new GlobIterator(PATH . 'js' . DIRECTORY_SEPARATOR . '*.js') as $file) {
|
foreach (new GlobIterator(PATH . 'js' . DIRECTORY_SEPARATOR . '*.js') as $file) {
|
||||||
if ($file->getBasename() == 'common.js') {
|
if ($file->getBasename() == 'common.js') {
|
||||||
|
@ -141,9 +141,7 @@ class FilesystemTest extends TestCase
|
|||||||
$commentid = Helper::getCommentId();
|
$commentid = Helper::getCommentId();
|
||||||
$ids = array();
|
$ids = array();
|
||||||
for ($i = 0, $max = 10; $i < $max; ++$i) {
|
for ($i = 0, $max = 10; $i < $max; ++$i) {
|
||||||
// PHPs mt_rand only supports 32 bit or up 0x7fffffff on 64 bit systems to be precise :-/
|
$dataid = Helper::getRandomId();
|
||||||
$dataid = str_pad(dechex(mt_rand(0, mt_getrandmax())), 8, '0', STR_PAD_LEFT) .
|
|
||||||
str_pad(dechex(mt_rand(0, mt_getrandmax())), 8, '0', STR_PAD_LEFT);
|
|
||||||
$storagedir = $this->_path . DIRECTORY_SEPARATOR . substr($dataid, 0, 2) .
|
$storagedir = $this->_path . DIRECTORY_SEPARATOR . substr($dataid, 0, 2) .
|
||||||
DIRECTORY_SEPARATOR . substr($dataid, 2, 2) . DIRECTORY_SEPARATOR;
|
DIRECTORY_SEPARATOR . substr($dataid, 2, 2) . DIRECTORY_SEPARATOR;
|
||||||
$ids[$dataid] = $storagedir;
|
$ids[$dataid] = $storagedir;
|
||||||
|
@ -12,18 +12,6 @@ class RequestTest extends TestCase
|
|||||||
$_POST = array();
|
$_POST = array();
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Returns 16 random hexadecimal characters.
|
|
||||||
*
|
|
||||||
* @access public
|
|
||||||
* @return string
|
|
||||||
*/
|
|
||||||
public function getRandomId()
|
|
||||||
{
|
|
||||||
// 8 binary bytes are 16 characters long in hex
|
|
||||||
return bin2hex(random_bytes(8));
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns random query safe characters.
|
* Returns random query safe characters.
|
||||||
*
|
*
|
||||||
@ -54,7 +42,25 @@ class RequestTest extends TestCase
|
|||||||
public function testRead()
|
public function testRead()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
|
$_SERVER['QUERY_STRING'] = $id;
|
||||||
|
$_GET[$id] = '';
|
||||||
|
$request = new Request;
|
||||||
|
$this->assertFalse($request->isJsonApiCall(), 'is HTML call');
|
||||||
|
$this->assertEquals($id, $request->getParam('pasteid'));
|
||||||
|
$this->assertEquals('read', $request->getOperation());
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* paste IDs are 8 bytes hex encoded strings, if unlucky, this turns into
|
||||||
|
* a numeric string that PHP will cast to an int, for example in array keys
|
||||||
|
* @see https://www.php.net/manual/en/language.types.array.php
|
||||||
|
*/
|
||||||
|
public function testReadNumeric()
|
||||||
|
{
|
||||||
|
$this->reset();
|
||||||
|
$id = '1234567812345678';
|
||||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
$_SERVER['QUERY_STRING'] = $id;
|
$_SERVER['QUERY_STRING'] = $id;
|
||||||
$_GET[$id] = '';
|
$_GET[$id] = '';
|
||||||
@ -67,7 +73,7 @@ class RequestTest extends TestCase
|
|||||||
public function testDelete()
|
public function testDelete()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
$_GET['pasteid'] = $id;
|
$_GET['pasteid'] = $id;
|
||||||
$_GET['deletetoken'] = 'bar';
|
$_GET['deletetoken'] = 'bar';
|
||||||
@ -110,7 +116,7 @@ class RequestTest extends TestCase
|
|||||||
public function testApiRead()
|
public function testApiRead()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
$_SERVER['HTTP_ACCEPT'] = 'application/json, text/javascript, */*; q=0.01';
|
$_SERVER['HTTP_ACCEPT'] = 'application/json, text/javascript, */*; q=0.01';
|
||||||
$_SERVER['QUERY_STRING'] = $id;
|
$_SERVER['QUERY_STRING'] = $id;
|
||||||
@ -124,7 +130,7 @@ class RequestTest extends TestCase
|
|||||||
public function testApiDelete()
|
public function testApiDelete()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
$_SERVER['REQUEST_METHOD'] = 'POST';
|
$_SERVER['REQUEST_METHOD'] = 'POST';
|
||||||
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
|
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
|
||||||
$_SERVER['QUERY_STRING'] = $id;
|
$_SERVER['QUERY_STRING'] = $id;
|
||||||
@ -155,7 +161,7 @@ class RequestTest extends TestCase
|
|||||||
public function testReadWithNegotiation()
|
public function testReadWithNegotiation()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
$_SERVER['HTTP_ACCEPT'] = 'text/html,text/html; charset=UTF-8,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
|
$_SERVER['HTTP_ACCEPT'] = 'text/html,text/html; charset=UTF-8,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
|
||||||
$_SERVER['QUERY_STRING'] = $id;
|
$_SERVER['QUERY_STRING'] = $id;
|
||||||
@ -169,7 +175,7 @@ class RequestTest extends TestCase
|
|||||||
public function testReadWithXhtmlNegotiation()
|
public function testReadWithXhtmlNegotiation()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
$_SERVER['HTTP_ACCEPT'] = 'application/xhtml+xml,text/html,text/html; charset=UTF-8, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
|
$_SERVER['HTTP_ACCEPT'] = 'application/xhtml+xml,text/html,text/html; charset=UTF-8, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
|
||||||
$_SERVER['QUERY_STRING'] = $id;
|
$_SERVER['QUERY_STRING'] = $id;
|
||||||
@ -183,7 +189,7 @@ class RequestTest extends TestCase
|
|||||||
public function testApiReadWithNegotiation()
|
public function testApiReadWithNegotiation()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
$_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, application/json, text/html,text/html; charset=UTF-8,application/xhtml+xml, */*;q=0.8';
|
$_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, application/json, text/html,text/html; charset=UTF-8,application/xhtml+xml, */*;q=0.8';
|
||||||
$_SERVER['QUERY_STRING'] = $id;
|
$_SERVER['QUERY_STRING'] = $id;
|
||||||
@ -197,7 +203,7 @@ class RequestTest extends TestCase
|
|||||||
public function testReadWithFailedNegotiation()
|
public function testReadWithFailedNegotiation()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
$_SERVER['REQUEST_METHOD'] = 'GET';
|
$_SERVER['REQUEST_METHOD'] = 'GET';
|
||||||
$_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, */*;q=0.8';
|
$_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, */*;q=0.8';
|
||||||
$_SERVER['QUERY_STRING'] = $id;
|
$_SERVER['QUERY_STRING'] = $id;
|
||||||
@ -211,7 +217,7 @@ class RequestTest extends TestCase
|
|||||||
public function testPasteIdExtraction()
|
public function testPasteIdExtraction()
|
||||||
{
|
{
|
||||||
$this->reset();
|
$this->reset();
|
||||||
$id = $this->getRandomId();
|
$id = Helper::getRandomId();
|
||||||
$queryParams = array($id);
|
$queryParams = array($id);
|
||||||
$queryParamCount = random_int(1, 5);
|
$queryParamCount = random_int(1, 5);
|
||||||
for ($i = 0; $i < $queryParamCount; ++$i) {
|
for ($i = 0; $i < $queryParamCount; ++$i) {
|
||||||
|
Loading…
Reference in New Issue
Block a user