sending challenge on paste creation, adding logic to store and check it on view requests

This commit is contained in:
El RIDO 2019-06-28 21:33:52 +02:00
parent d0c8975b89
commit 79db7ddafc
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
13 changed files with 247 additions and 14 deletions


@ -276,9 +276,7 @@ class Controller
// accessing this method ensures that the paste would be
// deleted if it has already expired
$paste->get();
if (
Filter::slowEquals($deletetoken, $paste->getDeleteToken())
) {
if ($paste->isDeleteTokenCorrect($deletetoken)) {
// Paste exists and deletion token is valid: Delete the paste.
$paste->delete();
$this->_status = 'Paste was properly deleted.';
@ -315,9 +313,20 @@ class Controller
try {
$paste = $this->_model->getPaste($dataid);
if ($paste->exists()) {
// handle challenge response
if (!$paste->isTokenCorrect($this->_request->getParam('token'))) {
// we send a generic error to avoid leaking information
// about the existance of a burn after reading pastes
// this avoids an attacker being able to poll, if it has
// been read by the intended recipient or not
$this->_return_message(1, self::GENERIC_ERROR);
return;
}
$data = $paste->get();
if (array_key_exists('salt', $data['meta'])) {
unset($data['meta']['salt']);
foreach (array('salt', 'challenge') as $key) {
if (array_key_exists($key, $data['meta'])) {
unset($data['meta'][$key]);
}
}
$this->_return_message(0, $dataid, (array) $data);
} else {
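Review bot: The generic-error rationale in the added comment only holds if the `else` branch on the last line (its body lies outside this view) answers with the same `self::GENERIC_ERROR`; if it still reports the paste as non-existent, a request with a bogus token continues to reveal whether the paste exists, which is the very oracle the comment says the check is meant to close. It is also worth confirming that `isTokenCorrect` here and `isDeleteTokenCorrect` in the first hunk keep the constant-time comparison the removed `Filter::slowEquals` call performed, since both calls now hide the comparison inside Paste. A one-line comment at the check would pin the contract: `// must answer exactly like the non-existent case below, or the token check becomes an existence oracle`. Note too that the token is now checked before `$paste->get()`, so the expiry cleanup the first hunk's comment attributes to that call runs only after a correct token is presented.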