From 7825471d70c39baf6042c52a453c8fe705d9ed75 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Thu, 13 Mar 2025 08:14:01 +0100
Subject: [PATCH] avoid duplication of ID check

---
 lib/Model/AbstractModel.php | 2 +-
 lib/Request.php | 3 ++-
 tst/ModelTest.php | 6 +++++-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/Model/AbstractModel.php b/lib/Model/AbstractModel.php
index 71f7c14a..59edb10d 100644
--- a/lib/Model/AbstractModel.php
+++ b/lib/Model/AbstractModel.php
@@ -155,7 +155,7 @@ abstract class AbstractModel
 */
 public static function isValidId($id)
 {
- return (bool) preg_match('#\A[a-f\d]{16}\z#', (string) $id);
+ return (bool) preg_match('#\A[a-f0-9]{16}\z#', (string) $id);
 }

 /**
diff --git a/lib/Request.php b/lib/Request.php
index 0a2c11d5..c72a59fe 100644
--- a/lib/Request.php
+++ b/lib/Request.php
@@ -12,6 +12,7 @@
 namespace PrivateBin;

 use Exception;
+use PrivateBin\Model\Paste;

 /**
 * Request
@@ -84,7 +85,7 @@ class Request
 foreach ($_GET as $key => $value) {
 // only return if value is empty and key is 16 hex chars
 $key = (string) $key;
- if (($value === '') && strlen($key) === 16 && ctype_xdigit($key)) {
+ if (empty($value) && Paste::isValidId($key)) {
 return $key;
 }
 }
diff --git a/tst/ModelTest.php b/tst/ModelTest.php
index 99acba1f..301856bc 100644
--- a/tst/ModelTest.php
+++ b/tst/ModelTest.php
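Review bot: isValidId's contract is now what the request layer relies on, yet nothing in the hunk states it: the pattern has no `i` modifier, so only lowercase hex passes, and it anchors with `\z` rather than `$`, so a trailing newline is rejected (which the new test cases depend on). A one-line comment above the `return` would make both decisions deliberate rather than accidental, e.g. `// lowercase hex only; \z (not $) so a trailing newline does not match`. The `\d` to `0-9` change itself is equivalent here since the pattern has no `u` modifier. The docblock for this method starts above the hunk.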
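Review bot: `empty($value)` in the new condition of Request.php is wider than the `$value === ''` it replaces: `empty('0')` and `empty([])` are both true, so a query like `?<id>=0` or `?<id>[]=` now resolves to a paste ID where it previously fell through, and `$value` from `$_GET` can indeed be an array. Unless that looser match is intended, keep the strict comparison: `if ($value === '' && Paste::isValidId($key)) {`. Separately, `Paste::isValidId` is case-sensitive whereas `ctype_xdigit` accepted uppercase hex, so uppercase IDs in query strings are now rejected; presumably generated IDs are always lowercase, but the comment `// only return if value is empty and key is 16 hex chars` should say "16 lowercase hex chars" so the tightening is visible. The enclosing foreach and its method start and end outside the hunk.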
@@ -317,7 +317,11 @@ class ModelTest extends TestCase
 public function testPasteIdValidation()
 {
 $this->assertTrue(Paste::isValidId('a242ab7bdfb2581a'), 'valid paste id');
- $this->assertFalse(Paste::isValidId('foo'), 'invalid hex values');
+ $this->assertFalse(Paste::isValidId('foo'), 'invalid hex values & length');
+ $this->assertFalse(Paste::isValidId('f00'), 'invalid length');
+ $this->assertFalse(Paste::isValidId('foo bar baz quux'), 'invalid hex values');
+ $this->assertFalse(Paste::isValidId("\n01234567feedcafe"), 'invalid line breaks');
+ $this->assertFalse(Paste::isValidId("deadbeef01234567\n"), 'invalid line breaks');
 $this->assertFalse(Paste::isValidId('../bar/baz'), 'path attack');
 }
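Review bot: The added cases pin length, non-hex characters and line breaks, but not case sensitivity, which is the one property Request::getPasteId now inherits from `[a-f0-9]` after dropping the case-insensitive `ctype_xdigit` check. Add `$this->assertFalse(Paste::isValidId('A242AB7BDFB2581A'), 'uppercase hex rejected');` next to the valid-id assertion so a later `i` modifier or regex change cannot silently reopen that path. A non-string input such as `Paste::isValidId(null)` would likewise document the `(string)` cast, assuming the method's docblock permits it. testPasteIdValidation lies entirely within the hunk.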