Merge branch 'master' into sri-into-config

2024-10-01 01:26:10 -04:00 · 2024-07-09 21:32:42 +02:00 · 2024-07-09 21:32:42 +02:00 · 7294ea7847
commit 7294ea7847
parent 8b3b16be44 cf95e0b1d1
13 changed files with 34 additions and 25 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,12 +1,17 @@
 # PrivateBin version history

-## 1.7.4 (not yet released)
+## 1.7.5 (not yet released)
+* CHANGED: Simpler PostgreSQL table lookup query (#1361)
+* CHANGED: SRI hashes are now configurable, no longer hardcoded in templates (#1365)
+
+## 1.7.4 (2024-07-09)
 * CHANGED: Saving markdown pastes uses `.md` extension instead of `.txt` (#1293)
 * CHANGED: Enable strict type checking in PHP (#1350)
-* CHANGED: SRI hashes are now configurable, no longer hardcoded in templates (#1365)
+* CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
 * FIXED: Reset password input field on creation of new paste (#1194)
 * FIXED: Allow database schema upgrade to skip versions (#1343)
 * FIXED: `bootstrap5` dark mode toggle unset on dark browser preference (#1340)
+* FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs

 ## 1.7.3 (2024-05-13)
 * CHANGED: Various tweaks of the `bootstrap5` template, suggested by the community
--- a/4
+++ b/4
@ -1,7 +1,7 @@
 .PHONY: all coverage coverage-js coverage-php doc doc-js doc-php increment sign test test-js test-php help

-CURRENT_VERSION = 1.7.3
-VERSION ?= 1.7.4
+CURRENT_VERSION = 1.7.4
+VERSION ?= 1.7.5
 VERSION_FILES = README.md SECURITY.md doc/Installation.md js/package*.json lib/Controller.php Makefile
 REGEX_CURRENT_VERSION := $(shell echo $(CURRENT_VERSION) | sed "s/\./\\\./g")
 REGEX_VERSION := $(shell echo $(VERSION) | sed "s/\./\\\./g")
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)

-*Current version: 1.7.3*
+*Current version: 1.7.4*

 **PrivateBin** is a minimalist, open source online
 [pastebin](https://en.wikipedia.org/wiki/Pastebin)
--- a/SECURITY.md
+++ b/SECURITY.md
@ -4,8 +4,8 @@

 | Version | Supported          |
 | ------- | ------------------ |
-| 1.7.3   | :heavy_check_mark: |
-| < 1.7.3 | :x:                |
+| 1.7.4   | :heavy_check_mark: |
+| < 1.7.4 | :x:                |

 ## Reporting a Vulnerability

--- a/css/bootstrap5/privatebin.css
+++ b/css/bootstrap5/privatebin.css
@ -36,6 +36,10 @@
 	margin-bottom: 10px;
 }

+#message {
+	height: 70vh;
+}
+
 #message, .replymessage {
 	font-family: monospace;
 	resize: vertical;
--- a/doc/Installation.md
+++ b/doc/Installation.md
@ -201,7 +201,7 @@ CREATE INDEX parent ON prefix_comment(pasteid);
 CREATE TABLE prefix_config (
    id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id)
 );
-INSERT INTO prefix_config VALUES('VERSION', '1.7.3');
+INSERT INTO prefix_config VALUES('VERSION', '1.7.4');
 ```

 In **PostgreSQL**, the `data`, `attachment`, `nickname` and `vizhash` columns
--- a/js/package-lock.json
+++ b/js/package-lock.json
@ -1,12 +1,12 @@
 {
  "name": "privatebin",
-  "version": "1.7.3",
+  "version": "1.7.4",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "privatebin",
-      "version": "1.7.3",
+      "version": "1.7.4",
      "license": "zlib-acknowledgement",
      "devDependencies": {
        "@peculiar/webcrypto": "^1.1.1",
--- a/js/package.json
+++ b/js/package.json
@ -1,6 +1,6 @@
 {
  "name": "privatebin",
-  "version": "1.7.3",
+  "version": "1.7.4",
  "description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode (GCM).",
  "main": "privatebin.js",
  "directories": {
--- a/lib/Controller.php
+++ b/lib/Controller.php
@ -27,7 +27,7 @@ class Controller
     *
     * @const string
     */
-    const VERSION = '1.7.3';
+    const VERSION = '1.7.4';

    /**
     * minimal required PHP version
--- a/lib/Data/Database.php
+++ b/lib/Data/Database.php
@ -598,18 +598,8 @@ class Database extends AbstractData
                $sql = 'SELECT table_name FROM all_tables';
                break;
            case 'pgsql':
-                $sql = 'SELECT c."relname" AS "table_name" '
-                     . 'FROM "pg_class" c, "pg_user" u '
-                     . 'WHERE c."relowner" = u."usesysid" AND c."relkind" = \'r\' '
-                     . 'AND NOT EXISTS (SELECT 1 FROM "pg_views" WHERE "viewname" = c."relname") '
-                     . "AND c.\"relname\" !~ '^(pg_|sql_)' "
-                     . 'UNION '
-                     . 'SELECT c."relname" AS "table_name" '
-                     . 'FROM "pg_class" c '
-                     . "WHERE c.\"relkind\" = 'r' "
-                     . 'AND NOT EXISTS (SELECT 1 FROM "pg_views" WHERE "viewname" = c."relname") '
-                     . 'AND NOT EXISTS (SELECT 1 FROM "pg_user" WHERE "usesysid" = c."relowner") '
-                     . "AND c.\"relname\" !~ '^pg_'";
+                $sql = 'SELECT "tablename" FROM "pg_catalog"."pg_tables" '
+                     . 'WHERE "schemaname" NOT IN (\'pg_catalog\', \'information_schema\')';
                break;
            case 'sqlite':
                $sql = 'SELECT "name" FROM "sqlite_master" WHERE "type"=\'table\' '
--- a/lib/YourlsProxy.php
+++ b/lib/YourlsProxy.php
@ -47,7 +47,7 @@ class YourlsProxy
     */
    public function __construct(Configuration $conf, $link)
    {
-        if (strpos($link, $conf->getKey('basepath') . '?') === false) {
+        if (strpos($link, $conf->getKey('basepath') . '?') !== 0) {
            $this->_error = 'Trying to shorten a URL that isn\'t pointing at our instance.';
            return;
        }
--- a/tst/JsonApiTest.php
+++ b/tst/JsonApiTest.php
@ -325,6 +325,9 @@ class JsonApiTest extends TestCase
     */
    public function testShortenViaYourlsFailure()
    {
+        $options                            = parse_ini_file(CONF, true);
+        $options['main']['basepath']        = 'https://example.com/path'; // missing slash gets added by Configuration constructor
+        Helper::createIniFile(CONF, $options);
        $_SERVER['REQUEST_URI'] = '/path/shortenviayourls?link=https%3A%2F%2Fexample.com%2Fpath%2F%3Ffoo%23bar';
        $_GET['link']           = 'https://example.com/path/?foo#bar';
        ob_start();
--- a/tst/YourlsProxyTest.php
+++ b/tst/YourlsProxyTest.php
@ -54,6 +54,13 @@ class YourlsProxyTest extends TestCase
        $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
    }

+    public function testSneakyForeignUrl()
+    {
+        $yourls = new YourlsProxy($this->_conf, 'https://other.example.com/?q=https://example.com/?foo#bar');
+        $this->assertTrue($yourls->isError());
+        $this->assertEquals($yourls->getError(), 'Trying to shorten a URL that isn\'t pointing at our instance.');
+    }
+
    public function testYourlsError()
    {
        // when statusCode is not 200, shorturl may not have been set