Merge branch 'master' into sri-into-config

This commit is contained in:
El RIDO 2024-07-09 21:32:42 +02:00
commit 7294ea7847
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
13 changed files with 34 additions and 25 deletions


@ -1,12 +1,17 @@
# PrivateBin version history # PrivateBin version history
## 1.7.4 (not yet released) ## 1.7.5 (not yet released)
* CHANGED: Simpler PostgreSQL table lookup query (#1361)
* CHANGED: SRI hashes are now configurable, no longer hardcoded in templates (#1365)
## 1.7.4 (2024-07-09)
* CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293) * CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293)
* CHANGED: Enable strict type checking in PHP (#1350) * CHANGED: Enable strict type checking in PHP (#1350)
* CHANGED: SRI hashes are now configurable, no longer hardcoded in templates (#1365) * CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
* FIXED: Reset password input field on creation of new paste (#1194) * FIXED: Reset password input field on creation of new paste (#1194)
* FIXED: Allow database schema upgrade to skip versions (#1343) * FIXED: Allow database schema upgrade to skip versions (#1343)
* FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340) * FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs
## 1.7.3 (2024-05-13) ## 1.7.3 (2024-05-13)
* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community * CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community


@ -1,7 +1,7 @@
.PHONY: all coverage coverage-js coverage-php doc doc-js doc-php increment sign test test-js test-php help .PHONY: all coverage coverage-js coverage-php doc doc-js doc-php increment sign test test-js test-php help
CURRENT_VERSION = 1.7.3 CURRENT_VERSION = 1.7.4
VERSION ?= 1.7.4 VERSION ?= 1.7.5
VERSION_FILES = README.md SECURITY.md doc/Installation.md js/package*.json lib/Controller.php Makefile VERSION_FILES = README.md SECURITY.md doc/Installation.md js/package*.json lib/Controller.php Makefile
REGEX_CURRENT_VERSION := $(shell echo $(CURRENT_VERSION) | sed "s/\./\\\./g") REGEX_CURRENT_VERSION := $(shell echo $(CURRENT_VERSION) | sed "s/\./\\\./g")
REGEX_VERSION := $(shell echo $(VERSION) | sed "s/\./\\\./g") REGEX_VERSION := $(shell echo $(VERSION) | sed "s/\./\\\./g")


@ -1,6 +1,6 @@
# [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/) # [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
*Current version: 1.7.3* *Current version: 1.7.4*
**PrivateBin** is a minimalist, open source online **PrivateBin** is a minimalist, open source online
[pastebin](https://en.wikipedia.org/wiki/Pastebin) [pastebin](https://en.wikipedia.org/wiki/Pastebin)


@ -4,8 +4,8 @@
| Version | Supported | | Version | Supported |
| ------- | ------------------ | | ------- | ------------------ |
| 1.7.3 | :heavy_check_mark: | | 1.7.4 | :heavy_check_mark: |
| < 1.7.3 | :x: | | < 1.7.4 | :x: |
## Reporting a Vulnerability ## Reporting a Vulnerability


@ -36,6 +36,10 @@
margin-bottom: 10px; margin-bottom: 10px;
} }
#message {
height: 70vh;
}
#message, .replymessage { #message, .replymessage {
font-family: monospace; font-family: monospace;
resize: vertical; resize: vertical;


@ -201,7 +201,7 @@ CREATE INDEX parent ON prefix_comment(pasteid);
CREATE TABLE prefix_config ( CREATE TABLE prefix_config (
id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id) id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id)
); );
INSERT INTO prefix_config VALUES('VERSION', '1.7.3'); INSERT INTO prefix_config VALUES('VERSION', '1.7.4');
``` ```
In **PostgreSQL**, the `data`, `attachment`, `nickname` and `vizhash` columns In **PostgreSQL**, the `data`, `attachment`, `nickname` and `vizhash` columns

js/package-lock.json generated

@ -1,12 +1,12 @@
{ {
"name": "privatebin", "name": "privatebin",
"version": "1.7.3", "version": "1.7.4",
"lockfileVersion": 2, "lockfileVersion": 2,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "privatebin", "name": "privatebin",
"version": "1.7.3", "version": "1.7.4",
"license": "zlib-acknowledgement", "license": "zlib-acknowledgement",
"devDependencies": { "devDependencies": {
"@peculiar/webcrypto": "^1.1.1", "@peculiar/webcrypto": "^1.1.1",


@ -1,6 +1,6 @@
{ {
"name": "privatebin", "name": "privatebin",
"version": "1.7.3", "version": "1.7.4",
"description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode (GCM).", "description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode (GCM).",
"main": "privatebin.js", "main": "privatebin.js",
"directories": { "directories": {


@ -27,7 +27,7 @@ class Controller
* *
* @const string * @const string
*/ */
const VERSION = '1.7.3'; const VERSION = '1.7.4';
/** /**
* minimal required PHP version * minimal required PHP version


@ -598,18 +598,8 @@ class Database extends AbstractData
$sql = 'SELECT table_name FROM all_tables'; $sql = 'SELECT table_name FROM all_tables';
break; break;
case 'pgsql': case 'pgsql':
$sql = 'SELECT c."relname" AS "table_name" ' $sql = 'SELECT "tablename" FROM "pg_catalog"."pg_tables" '
. 'FROM "pg_class" c, "pg_user" u ' . 'WHERE "schemaname" NOT IN (\'pg_catalog\', \'information_schema\')';
. 'WHERE c."relowner" = u."usesysid" AND c."relkind" = \'r\' '
. 'AND NOT EXISTS (SELECT 1 FROM "pg_views" WHERE "viewname" = c."relname") '
. "AND c.\"relname\" !~ '^(pg_|sql_)' "
. 'UNION '
. 'SELECT c."relname" AS "table_name" '
. 'FROM "pg_class" c '
. "WHERE c.\"relkind\" = 'r' "
. 'AND NOT EXISTS (SELECT 1 FROM "pg_views" WHERE "viewname" = c."relname") '
. 'AND NOT EXISTS (SELECT 1 FROM "pg_user" WHERE "usesysid" = c."relowner") '
. "AND c.\"relname\" !~ '^pg_'";
break; break;
case 'sqlite': case 'sqlite':
$sql = 'SELECT "name" FROM "sqlite_master" WHERE "type"=\'table\' ' $sql = 'SELECT "name" FROM "sqlite_master" WHERE "type"=\'table\' '
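Review bot: The new `pg_tables` query in the `case 'pgsql':` branch lists tables from every non-system schema, so a table of the same name living in a schema outside the current search_path would be reported as present even though the unqualified statements elsewhere would not reach it. The query it replaces had the same blind spot, so this is not a regression, but scoping it to the search_path makes the check exact: `. 'WHERE "schemaname" = ANY (current_schemas(false))';` in place of the `NOT IN` filter, which also drops `pg_catalog` and `information_schema` unless they were put on the search_path explicitly. Whether the returned list is only used for an existence test is decided by the enclosing method, which starts and ends outside the hunk.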


@ -47,7 +47,7 @@ class YourlsProxy
*/ */
public function __construct(Configuration $conf, $link) public function __construct(Configuration $conf, $link)
{ {
if (strpos($link, $conf->getKey('basepath') . '?') === false) { if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
$this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.'; $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
return; return;
} }
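Review bot: The `!== 0` comparison on the `strpos()` result in the constructor is a prefix test expressed as a substring search, which is easy to misread and was presumably how the earlier `=== false` check slipped through review; `if (!str_starts_with($link, $conf->getKey('basepath') . '?')) {` states the intent directly if the project's minimum PHP version allows it (that version is not visible here; on older PHP, `substr($link, 0, strlen($prefix)) !== $prefix` with `$prefix` built once is the equivalent). The `$link` parameter is still undeclared in the signature on the same hunk although the changelog says strict type checking was enabled; `string $link` would put the contract where callers see it. The docblock above the hunk should also state that the link must begin with the configured basepath, since that is now the whole acceptance rule.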


@ -325,6 +325,9 @@ class JsonApiTest extends TestCase
*/ */
public function testShortenViaYourlsFailure() public function testShortenViaYourlsFailure()
{ {
$options = parse_ini_file(CONF, true);
$options['main']['basepath'] = 'https://example.com/path'; // missing slash gets added by Configuration constructor
Helper::createIniFile(CONF, $options);
$_SERVER['REQUEST_URI'] = '/path/shortenviayourls?link=https%3A%2F%2Fexample.com%2Fpath%2F%3Ffoo%23bar'; $_SERVER['REQUEST_URI'] = '/path/shortenviayourls?link=https%3A%2F%2Fexample.com%2Fpath%2F%3Ffoo%23bar';
$_GET['link'] = 'https://example.com/path/?foo#bar'; $_GET['link'] = 'https://example.com/path/?foo#bar';
ob_start(); ob_start();
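Review bot: The three added lines in `testShortenViaYourlsFailure` rewrite the shared `CONF` ini file with a changed basepath and nothing in the hunk restores the previous options, so if the class's `tearDown()` (outside the hunk) does not regenerate the file, later tests in this class inherit the `https://example.com/path` basepath. If that is the case, restoring the original options at the end of the method, or regenerating the file in `setUp()`, keeps the tests independent. The trailing comment could also say why the basepath is changed at all, presumably `// basepath must match the link prefix so the failure comes from the YOURLS call, not from YourlsProxy's own URL check`.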


@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.'); $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
} }
public function testSneakyForeignUrl()
{
$yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
$this->assertTrue($yourls->isError());
$this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
}
public function testYourlsError() public function testYourlsError()
{ {
// when statusCode is not 200, shorturl may not have been set // when statusCode is not 200, shorturl may not have been set
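Review bot: The new `testSneakyForeignUrl` passes the actual value first and the expected string second to `assertEquals()`, so a failure would print the two swapped; it copies the neighbouring assertion, but for a new method `$this->assertSame('Trying to shorten a URL that isn\'t pointing at our instance.', $yourls->getError());` gives the conventional order and a strict string comparison. A one-line comment on what the case guards against would help the next reader, e.g. `// a foreign host that only embeds our URL in a query parameter must be rejected`, since the link's structure is the whole point of the test.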