From eb429159919870eb4c25864ea3eb06e778b699e0 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Thu, 13 Jun 2024 20:22:40 +0200
Subject: [PATCH 1/6] bootstrap5 textarea height relative to viewport height, fixes #1349

---
 CHANGELOG.md | 1 +
 css/bootstrap5/privatebin.css | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0797555..e7e953fb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## 1.7.4 (not yet released)
 * CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293)
 * CHANGED: Enable strict type checking in PHP (#1350)
+* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
 * FIXED: Reset password input field on creation of new paste (#1194)
 * FIXED: Allow database schema upgrade to skip versions (#1343)
diff --git a/css/bootstrap5/privatebin.css b/css/bootstrap5/privatebin.css
index 426e66d7..b14768a1 100644
--- a/css/bootstrap5/privatebin.css
+++ b/css/bootstrap5/privatebin.css
@@ -36,6 +36,10 @@
 margin-bottom: 10px;
 }
+#message {
+ height: 70vh;
+}
+
 #message, .replymessage {
 font-family: monospace;
 resize: vertical;
From 2c711e9d3ca21230fc68f5b4dba2a7a0592b963b Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 29 Jun 2024 20:26:09 +0200
Subject: [PATCH 2/6] prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs

---
 CHANGELOG.md | 1 +
 lib/YourlsProxy.php | 2 +-
 tst/YourlsProxyTest.php | 7 +++++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34d9485a..7ba2cb97 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,7 @@
 * FIXED: Reset password input field on creation of new paste (#1194)
 * FIXED: Allow database schema upgrade to skip versions (#1343)
 * FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
+* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
 ## 1.7.3 (2024-05-13)
 * CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
diff --git a/lib/YourlsProxy.php b/lib/YourlsProxy.php
index f616832d..de46a12b 100644
--- a/lib/YourlsProxy.php
+++ b/lib/YourlsProxy.php
@@ -47,7 +47,7 @@ class YourlsProxy
 */
 public function __construct(Configuration $conf, $link)
 {
- if (strpos($link, $conf->getKey('basepath') . '?') === false) {
+ if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
 $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
 return;
 }
diff --git a/tst/YourlsProxyTest.php b/tst/YourlsProxyTest.php
index d6e9cb76..389f510d 100644
--- a/tst/YourlsProxyTest.php
+++ b/tst/YourlsProxyTest.php
@@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
 $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
 }
+ public function testSneakyForeignUrl()
+ {
+ $yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
+ $this->assertTrue($yourls->isError());
+ $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
+ }
+
 public function testYourlsError()
 {
 // when statusCode is not 200, shorturl may not have been set
From 8e6e31db5cd7e50cfc6c1eeece8ac414fe37c30d Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 30 Jun 2024 07:45:06 +0200
Subject: [PATCH 3/6] fix test, basepath needs to be set

---
 tst/JsonApiTest.php | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/tst/JsonApiTest.php b/tst/JsonApiTest.php
index 07f33ad2..f5b69a7c 100644
--- a/tst/JsonApiTest.php
+++ b/tst/JsonApiTest.php
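Review bot: The corrected guard in `YourlsProxy::__construct` is right, but `strpos(...) !== 0` obscures that it is a prefix test; if the project's minimum PHP is 8.0 or later, `if (!str_starts_with($link, $conf->getKey('basepath') . '?')) {` states the intent directly and no longer relies on the reader knowing that 0 is a legitimate offset. A one-line comment above it, such as `// only accept links that begin with this instance's paste URL prefix; a substring match was bypassable`, would record why the comparison is anchored at offset zero. Note also that `$link` is untyped although the changelog says strict types are now enabled, so `string $link` would have the engine reject non-string input before it reaches `strpos()`. The constructor body continues outside the hunk.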
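Review bot: `testSneakyForeignUrl` passes the actual value first and the expected string second to `assertEquals`, the reverse of PHPUnit's `assertEquals($expected, $actual)` signature, so a regression would print the literal message as the unexpected value. Both operands are strings, so `$this->assertSame('Trying to shorten a URL that isn\'t pointing at our instance.', $yourls->getError());` gives the right order and a strict comparison; the existing test visible in the context lines has the same inversion and could be fixed alongside. The `_conf` fixture the test depends on is set up outside the hunk.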
@@ -325,6 +325,9 @@ class JsonApiTest extends TestCase
 */
 public function testShortenViaYourlsFailure()
 {
+ $options = parse_ini_file(CONF, true);
+ $options['main']['basepath'] = 'https://example.com/path'; // missing slash gets added by Configuration constructor
+ Helper::createIniFile(CONF, $options);
 $_SERVER['REQUEST_URI'] = '/path/shortenviayourls?link=https%3A%2F%2Fexample.com%2Fpath%2F%3Ffoo%23bar';
 $_GET['link'] = 'https://example.com/path/?foo#bar';
 ob_start();
From e0bca0d4dc7239f2e66629a4446eec2cd45c8589 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 7 Jul 2024 12:37:28 +0200
Subject: [PATCH 4/6] simpler PostgreSQL table lookup query, fixes #1361

---
 CHANGELOG.md | 1 +
 lib/Data/Database.php | 14 ++------------
 2 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 34d9485a..d7727b26 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## 1.7.4 (not yet released)
 * CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293)
 * CHANGED: Enable strict type checking in PHP (#1350)
+* CHANGED: Simpler PostgreSQL table lookup query (#1361)
 * FIXED: Reset password input field on creation of new paste (#1194)
 * FIXED: Allow database schema upgrade to skip versions (#1343)
 * FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
diff --git a/lib/Data/Database.php b/lib/Data/Database.php
index addc6c44..2fb209b0 100644
--- a/lib/Data/Database.php
+++ b/lib/Data/Database.php
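Review bot: The three added lines overwrite the shared `CONF` ini file with a custom `basepath`, but nothing in the hunk puts the original configuration back, so unless the class's `tearDown()` (outside the hunk) regenerates the file from defaults the modified basepath leaks into every test that runs after `testShortenViaYourlsFailure`. If tearDown does not already do that, the straightforward fix is to keep the unmodified options and write them back with `Helper::createIniFile(CONF, ...)` at the end of the test. `parse_ini_file()` also returns `false` on a malformed file, which the next line would then treat as an array; an `$this->assertIsArray($options);` guard turns that into a clear fixture failure. The rest of the test method lies outside the hunk.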
@@ -598,18 +598,8 @@ class Database extends AbstractData
 $sql = 'SELECT table_name FROM all_tables';
 break;
 case 'pgsql':
- $sql = 'SELECT c."relname" AS "table_name" '
- . 'FROM "pg_class" c, "pg_user" u '
- . 'WHERE c."relowner" = u."usesysid" AND c."relkind" = \'r\' '
- . 'AND NOT EXISTS (SELECT 1 FROM "pg_views" WHERE "viewname" = c."relname") '
- . "AND c.\"relname\" !~ '^(pg_|sql_)' "
- . 'UNION '
- . 'SELECT c."relname" AS "table_name" '
- . 'FROM "pg_class" c '
- . "WHERE c.\"relkind\" = 'r' "
- . 'AND NOT EXISTS (SELECT 1 FROM "pg_views" WHERE "viewname" = c."relname") '
- . 'AND NOT EXISTS (SELECT 1 FROM "pg_user" WHERE "usesysid" = c."relowner") '
- . "AND c.\"relname\" !~ '^pg_'";
+ $sql = 'SELECT "tablename" FROM "pg_catalog"."pg_tables" '
+ . 'WHERE "schemaname" NOT IN (\'pg_catalog\', \'information_schema\')';
 break;
 case 'sqlite':
 $sql = 'SELECT "name" FROM "sqlite_master" WHERE "type"=\'table\' '
From 031bcef317a2cea33fa0e384b6804e8da0950793 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Tue, 9 Jul 2024 20:35:59 +0200
Subject: [PATCH 5/6] incrementing version

---
 CHANGELOG.md | 2 +-
 Makefile | 2 +-
 README.md | 2 +-
 SECURITY.md | 4 ++--
 doc/Installation.md | 2 +-
 js/package-lock.json | 4 ++--
 js/package.json | 2 +-
 lib/Controller.php | 2 +-
 8 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eb0392a4..c0039127 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 # PrivateBin version history
-## 1.7.4 (not yet released)
+## 1.7.4 (2024-07-09)
 * CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293)
 * CHANGED: Enable strict type checking in PHP (#1350)
 * CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
diff --git a/Makefile b/Makefile
index a94eeb06..66fe387f 100644
--- a/Makefile
+++ b/Makefile
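Review bot: The replacement query returns tables from every non-system schema in the database, while an unqualified `CREATE TABLE` goes to the first schema on the session's `search_path`; on a shared PostgreSQL database a table of the expected name living in some other schema would satisfy the existence check even though the instance's own schema has no such table (the removed `pg_class` query had the same gap, so this is not a regression, but the rewrite is the moment to close it). Limiting the lookup to the schemas the session actually resolves names in keeps the check consistent with where the tables are created: `$sql = 'SELECT "tablename" FROM "pg_catalog"."pg_tables" '` followed by `. 'WHERE "schemaname" = ANY(current_schemas(false))';`. Using `pg_tables` is otherwise a good simplification, since it lists only tables and so removes the need for the old `pg_views` anti-join and the `!~ '^pg_'` name tests. The enclosing `switch` and its method begin and end outside the hunk.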
@@ -1,6 +1,6 @@
 .PHONY: all coverage coverage-js coverage-php doc doc-js doc-php increment sign test test-js test-php help
-CURRENT_VERSION = 1.7.3
+CURRENT_VERSION = 1.7.4
 VERSION ?= 1.7.4
 VERSION_FILES = README.md SECURITY.md doc/Installation.md js/package*.json lib/Controller.php Makefile
 REGEX_CURRENT_VERSION := $(shell echo $(CURRENT_VERSION) | sed "s/\./\\\./g")
diff --git a/README.md b/README.md
index c0d699e1..995335ec 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
-*Current version: 1.7.3*
+*Current version: 1.7.4*
 **PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin)
diff --git a/SECURITY.md b/SECURITY.md
index ecad42f7..f78fe952 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,8 +4,8 @@
 | Version | Supported |
 | ------- | ------------------ |
-| 1.7.3 | :heavy_check_mark: |
-| < 1.7.3 | :x: |
+| 1.7.4 | :heavy_check_mark: |
+| < 1.7.4 | :x: |
 ## Reporting a Vulnerability
diff --git a/doc/Installation.md b/doc/Installation.md
index 3a569588..f7d98c81 100644
--- a/doc/Installation.md
+++ b/doc/Installation.md
@@ -201,7 +201,7 @@ CREATE INDEX parent ON prefix_comment(pasteid);
 CREATE TABLE prefix_config ( id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id) );
-INSERT INTO prefix_config VALUES('VERSION', '1.7.3');
+INSERT INTO prefix_config VALUES('VERSION', '1.7.4');
 ```
 In **PostgreSQL**, the `data`, `attachment`, `nickname` and `vizhash` columns
diff --git a/js/package-lock.json b/js/package-lock.json
index ead24582..f63d2113 100644
--- a/js/package-lock.json
+++ b/js/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "privatebin",
- "version": "1.7.3",
+ "version": "1.7.4",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "privatebin",
- "version": "1.7.3",
+ "version": "1.7.4",
 "license": "zlib-acknowledgement",
 "devDependencies": {
 "@peculiar/webcrypto": "^1.1.1",
diff --git a/js/package.json b/js/package.json
index a3534c59..90e501dc 100644
--- a/js/package.json
+++ b/js/package.json
@@ -1,6 +1,6 @@
 {
 "name": "privatebin",
- "version": "1.7.3",
+ "version": "1.7.4",
 "description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode (GCM).",
 "main": "privatebin.js",
 "directories": {
diff --git a/lib/Controller.php b/lib/Controller.php
index d518fcc5..c1c4f2ba 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -27,7 +27,7 @@ class Controller
 *
 * @const string
 */
- const VERSION = '1.7.3';
+ const VERSION = '1.7.4';
 /**
 * minimal required PHP version
From d2f311d246d4d3eccd34e64506f95dab81c51418 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Tue, 9 Jul 2024 21:27:49 +0200
Subject: [PATCH 6/6] chore: prepare for next release

---
 CHANGELOG.md | 2 ++
 Makefile | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0039127..251ad5a1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@
 # PrivateBin version history
+## 1.7.5 (not yet released)
+
 ## 1.7.4 (2024-07-09)
 * CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293)
 * CHANGED: Enable strict type checking in PHP (#1350)
diff --git a/Makefile b/Makefile
index 66fe387f..99872fd6 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 .PHONY: all coverage coverage-js coverage-php doc doc-js doc-php increment sign test test-js test-php help
 CURRENT_VERSION = 1.7.4
-VERSION ?= 1.7.4
+VERSION ?= 1.7.5
 VERSION_FILES = README.md SECURITY.md doc/Installation.md js/package*.json lib/Controller.php Makefile
 REGEX_CURRENT_VERSION := $(shell echo $(CURRENT_VERSION) | sed "s/\./\\\./g")
 REGEX_VERSION := $(shell echo $(VERSION) | sed "s/\./\\\./g")