avoid duplication of ID check

El RIDO 2025-03-13 08:14:01 +01:00
parent 629f263cf5
commit 7825471d70
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
3 changed files with 8 additions and 3 deletions


@ -155,7 +155,7 @@ abstract class AbstractModel
*/
public static function isValidId($id)
{
return (bool) preg_match('#\A[a-f\d]{16}\z#', (string) $id);
return (bool) preg_match('#\A[a-f0-9]{16}\z#', (string) $id);
}
/**
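Review bot: The pattern in `isValidId` relies on two properties that the visible code does not state: `\A`/`\z` instead of `^`/`$`, so an ID followed by a newline is rejected, and a lowercase-only character class. Now that other callers delegate to this method, a comment above the return would keep a later edit from loosening either one, for example `// \A and \z rather than ^ and $: a trailing newline must not match; lowercase hex only`. The docblock for this method starts outside the hunk, so it may already cover part of this.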


@ -12,6 +12,7 @@
namespace PrivateBin;
use Exception;
use PrivateBin\Model\Paste;
/**
* Request
@ -84,7 +85,7 @@ class Request
foreach ($_GET as $key => $value) {
// only return if value is empty and key is 16 hex chars
$key = (string) $key;
if (($value === '') && strlen($key) === 16 && ctype_xdigit($key)) {
if (empty($value) && Paste::isValidId($key)) {
return $key;
}
}
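Review bot: `empty($value)` in the rewritten condition is looser than the `$value === ''` it replaces, because `empty()` is also true for the string `'0'`; a query such as `?a242ab7bdfb2581a=0` is now treated as a paste ID even though the comment above still says the value must be empty. Unless that is intended, keep the strict comparison: `if ($value === '' && Paste::isValidId($key)) {`. Separately, `isValidId` accepts lowercase hex only, whereas `ctype_xdigit` also accepted `A-F`, so uppercase keys stop matching here; that looks deliberate but deserves a line in the commit message. The enclosing method starts and ends outside the hunk.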


@ -317,7 +317,11 @@ class ModelTest extends TestCase
public function testPasteIdValidation()
{
$this->assertTrue(Paste::isValidId('a242ab7bdfb2581a'), 'valid paste id');
$this->assertFalse(Paste::isValidId('foo'), 'invalid hex values');
$this->assertFalse(Paste::isValidId('foo'), 'invalid hex values & length');
$this->assertFalse(Paste::isValidId('f00'), 'invalid length');
$this->assertFalse(Paste::isValidId('foo bar baz quux'), 'invalid hex values');
$this->assertFalse(Paste::isValidId("\n01234567feedcafe"), 'invalid line breaks');
$this->assertFalse(Paste::isValidId("deadbeef01234567\n"), 'invalid line breaks');
$this->assertFalse(Paste::isValidId('../bar/baz'), 'path attack');
}
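Review bot: The added cases do not cover an uppercase ID, which is the one input where `isValidId` and the `ctype_xdigit` check it replaces in `Request` disagree. Adding `$this->assertFalse(Paste::isValidId('A242AB7BDFB2581A'), 'uppercase hex');` would pin that behaviour. A 17-character lowercase hex string would likewise pin the upper length bound, since `'f00'` only exercises the too-short side.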