extracting only the 16 hex characters of the query string as paste ID, addressing #396

2024-10-01 01:26:10 -04:00 · 2019-01-20 12:20:37 +01:00 · 2019-01-20 12:20:37 +01:00 · 79a858f176
commit 79a858f176
parent cc53d95ed1
5 changed files with 7 additions and 5 deletions
--- a/js/privatebin.js
+++ b/js/privatebin.js
@ -745,7 +745,7 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) {
        {
            if (id === null) {
                // Attention: This also returns the delete token inside of the ID, if it is specified
-                id = window.location.search.substring(1);
+                id = (window.location.search.match(/[a-z0-9]{16}/) || [''])[0];
                if (id === '') {
                    throw 'no paste id given';
--- a/js/test/Prompt.js
+++ b/js/test/Prompt.js
@ -16,7 +16,7 @@ describe('Prompt', function () {
            'string',
            function (password) {
                password = password.replace(/\r+/g, '');
-                var clean = jsdom('', {url: 'ftp://example.com/?0'});
+                var clean = jsdom('', {url: 'ftp://example.com/?0000000000000000'});
                $('body').html(
                    '<div id="passwordmodal" class="modal fade" role="dialog">' +
                    '<div class="modal-dialog"><div class="modal-content">' +
--- a/lib/Request.php
+++ b/lib/Request.php
@ -100,7 +100,9 @@ class Request
            array_key_exists('QUERY_STRING', $_SERVER) &&
            !empty($_SERVER['QUERY_STRING'])
        ) {
-            $this->_params['pasteid'] = $_SERVER['QUERY_STRING'];
+            $this->_params['pasteid'] = preg_match(
                '/[a-f0-9]{16}/', $_SERVER['QUERY_STRING'], $match
            ) ? $match[0] : 'invalid id';
        }
        // prepare operation, depending on current parameters
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@ -76,7 +76,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gFuGN7PD3lRe5ZTe/S2NfugOrjqNWYgEwBmb3Grk2EVckz1UbqVPs8+PQp6SmQ0preKNpXC50omnwGh4MPkoRg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-qY0AJdr7OzoJBiuVUO9w1HZv8WXoYpbCocgvHW+gMMic9CDU/pwohPkdqbaTh4SkHpRQ8cNpRO7ezTyBs0KMbA==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->
--- a/tpl/page.php
+++ b/tpl/page.php
@ -54,7 +54,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-gFuGN7PD3lRe5ZTe/S2NfugOrjqNWYgEwBmb3Grk2EVckz1UbqVPs8+PQp6SmQ0preKNpXC50omnwGh4MPkoRg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-qY0AJdr7OzoJBiuVUO9w1HZv8WXoYpbCocgvHW+gMMic9CDU/pwohPkdqbaTh4SkHpRQ8cNpRO7ezTyBs0KMbA==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->