From a4a32f6b9e0213797ad43b9b458dbd5fbc86614b Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sun, 20 Jun 2021 08:43:44 +0200
Subject: [PATCH 01/10] switch to streaming WASM loading, fixes #814
---
 js/zlib-1.2.11.js | 57 ++++++++++++++++++++---------------------
 tpl/bootstrap.php | 2 +-
 tpl/page.php | 2 +-
 3 files changed, 26 insertions(+), 35 deletions(-)
diff --git a/js/zlib-1.2.11.js b/js/zlib-1.2.11.js
index ed0abea8..835cb968 100644
--- a/js/zlib-1.2.11.js
+++ b/js/zlib-1.2.11.js
@@ -1,6 +1,6 @@
 'use strict';
-(function() {
+(function () {
 let ret;
 async function initialize() {
@@ -23,16 +23,7 @@
 _abort: errno => { console.error(`Error: ${errno}`) },
 _grow: () => { },
 };
-
- let buff;
- if (typeof fetch === 'undefined') {
- buff = fs.readFileSync('zlib-1.2.11.wasm');
- } else {
- const resp = await fetch('js/zlib-1.2.11.wasm');
- buff = await resp.arrayBuffer();
- }
- const module = await WebAssembly.compile(buff);
- const ins = await WebAssembly.instantiate(module, { env });
+ const ins = await WebAssembly.instantiateStreaming(fetch('js/zlib-1.2.11.wasm'), { env });
 const srcPtr = ins.exports._malloc(CHUNK_SIZE);
 const dstPtr = ins.exports._malloc(CHUNK_SIZE);
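Review bot: `ins.exports._malloc` on the unchanged `const srcPtr` line can no longer work after the `+` line, because `WebAssembly.instantiateStreaming` resolves to a `{ module, instance }` pair rather than the `Instance` that the removed `instantiate(module, { env })` call returned, so `ins.exports` is undefined; the minimal fix is `const { instance: ins } = await WebAssembly.instantiateStreaming(fetch('js/zlib-1.2.11.wasm'), { env });`. Streaming compilation also requires the response to carry the `application/wasm` MIME type (the CHANGELOG entry in patch 03 documents that requirement), and the hunk offers no fallback for hosts that serve `.wasm` differently, where the previous array-buffer path still worked; the variant below checks the content-type and falls back to `WebAssembly.instantiate` on the buffer. The removed `typeof fetch === 'undefined'` branch was the only way to load the module without a browser `fetch`, so anything that loads this file under Node needs a replacement. `initialize` continues outside the hunk.

```javascript
const response = await fetch('js/zlib-1.2.11.wasm');
const isWasmMime = (response.headers.get('content-type') || '').startsWith('application/wasm');
// both calls resolve to { module, instance }, unlike instantiate(Module, imports)
const { instance: ins } = isWasmMime
    ? await WebAssembly.instantiateStreaming(response, { env })
    : await WebAssembly.instantiate(await response.arrayBuffer(), { env });
// … unchanged: _malloc of srcPtr and dstPtr …
```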
@@ -116,28 +107,28 @@
 }
 ret = {
- inflate(rawDeflateBuffer) {
- const rawInf = new RawInf();
- for (let offset = 0; offset < rawDeflateBuffer.length; offset += CHUNK_SIZE) {
- const end = Math.min(offset + CHUNK_SIZE, rawDeflateBuffer.length);
- const chunk = rawDeflateBuffer.subarray(offset, end);
- rawInf.inflate(chunk);
- }
- const ret = rawInf.getBuffer();
- rawInf.destroy();
- return ret;
- },
- deflate(rawInflateBuffer) {
- const rawDef = new RawDef();
- for (let offset = 0; offset < rawInflateBuffer.length; offset += CHUNK_SIZE) {
- const end = Math.min(offset + CHUNK_SIZE, rawInflateBuffer.length);
- const chunk = rawInflateBuffer.subarray(offset, end);
- rawDef.deflate(chunk, rawInflateBuffer.length <= offset + CHUNK_SIZE);
- }
- const ret = rawDef.getBuffer();
- rawDef.destroy();
- return ret;
- },
+ inflate(rawDeflateBuffer) {
+ const rawInf = new RawInf();
+ for (let offset = 0; offset < rawDeflateBuffer.length; offset += CHUNK_SIZE) {
+ const end = Math.min(offset + CHUNK_SIZE, rawDeflateBuffer.length);
+ const chunk = rawDeflateBuffer.subarray(offset, end);
+ rawInf.inflate(chunk);
+ }
+ const ret = rawInf.getBuffer();
+ rawInf.destroy();
+ return ret;
+ },
+ deflate(rawInflateBuffer) {
+ const rawDef = new RawDef();
+ for (let offset = 0; offset < rawInflateBuffer.length; offset += CHUNK_SIZE) {
+ const end = Math.min(offset + CHUNK_SIZE, rawInflateBuffer.length);
+ const chunk = rawInflateBuffer.subarray(offset, end);
+ rawDef.deflate(chunk, rawInflateBuffer.length <= offset + CHUNK_SIZE);
+ }
+ const ret = rawDef.getBuffer();
+ rawDef.destroy();
+ return ret;
+ },
 }
 return ret;
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 1e4eae00..86c15de2 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -54,7 +54,7 @@ if ($ZEROBINCOMPATIBILITY) :
-
+
diff --git a/tpl/page.php b/tpl/page.php
index 28f37b90..f3b26d4e 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -33,7 +33,7 @@ if ($ZEROBINCOMPATIBILITY):
-
+
Date: Sun, 20 Jun 2021 08:44:25 +0200
Subject: [PATCH 02/10] remove unsafe-eval from CSP
---
 cfg/conf.sample.php | 2 +-
 lib/Configuration.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php
index d362f3f2..bfae7563 100644
--- a/cfg/conf.sample.php
+++ b/cfg/conf.sample.php
@@ -87,7 +87,7 @@ languageselection = false
 ; async functions and display an error if not and for Chrome to enable
 ; webassembly support (used for zlib compression). You can remove it if Chrome
 ; doesn't need to be supported and old browsers don't need to be warned.
-; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
diff --git a/lib/Configuration.php b/lib/Configuration.php
index 7c4eb106..35e5b40f 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
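Review bot: The new `cspheader` value on the `+` line removes `'unsafe-eval'` without adding `'wasm-unsafe-eval'`, and a `script-src` that carries neither makes CSP-conforming browsers (Chromium, Firefox) refuse to compile WebAssembly, so the `WebAssembly.instantiateStreaming` call introduced in patch 01 will be blocked on every deployment that enforces this header; the CHANGELOG entry added in patch 03 says `unsafe-eval` is replaced by `wasm-unsafe-eval`, which this hunk does not do. Unless a change outside this series adds it, the directive should read `script-src 'self' 'wasm-unsafe-eval' resource:`, and the same correction applies to the `'cspheader' =>` default in the `lib/Configuration.php` hunk of this patch, which must stay identical to the sample. The three unchanged comment lines above the value still say the token is kept "for Chrome to enable webassembly support" and "can be removed", which now describes a token that is gone; reword them to name `'wasm-unsafe-eval'` as the part required for zlib compression.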
@@ -54,7 +54,7 @@ class Configuration
 'urlshortener' => '',
 'qrcode' => true,
 'icon' => 'identicon',
- 'cspheader' => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+ 'cspheader' => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
 'zerobincompatibility' => false,
 'httpwarning' => true,
 'compression' => 'zlib',
From 6587466a9b29a5f2af49d849243e3783cf4ab9ca Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Tue, 26 Nov 2024 07:01:34 +0100
Subject: [PATCH 03/10] remove async & ES6 feature detection
It requires eval and webcrypto got introduced in older Chrome & Firefox versions, so seems superfluous to keep.
---
 CHANGELOG.md | 1 +
 js/legacy.js | 12 ------------
 lib/Configuration.php | 2 +-
 3 files changed, 2 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 456c6c29..262edc9e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,7 @@
 # PrivateBin version history
 ## 1.7.6 (not yet released)
+* CHANGED: Switched to WASM streaming and replace unsafe-eval with wasm-unsafe-eval CSP declaration (#1464), requires webserver to have `application/wasm` MIME type configured.
 ## 1.7.5 (2024-11-16)
 * ADDED: Allow non persistent SQL connections, if configured (#1394)
diff --git a/js/legacy.js b/js/legacy.js
index be85f981..922e9a0e 100644
--- a/js/legacy.js
+++ b/js/legacy.js
@@ -174,18 +174,6 @@
 )) {
 return true;
 }
-
- // async & ES6 support
- try {
- async () => {};
- } catch (e) {
- if (e instanceof SyntaxError) {
- return true;
- } else {
- throw e; // throws CSP error
- }
- }
-
 return false;
 }
diff --git a/lib/Configuration.php b/lib/Configuration.php
index 78aa9fe5..9dd7f4f3 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -106,7 +106,7 @@ class Configuration
 'js/dark-mode-switch.js' => 'sha512-CCbdHdeWDbDO7aqFFmhgnvFESzaILHbUYmbhNjTpcjyO/XYdouQ9Pw8W9rpV8oJT1TsK5FbwSHU1oazmnb7BWA==',
 'js/jquery-3.7.1.js' => 'sha512-v2CJ7UaYy4JwqLDIrZUI/4hqeoQieOmAZNXBeQyjo21dadnwR+8ZaIJVT8EE2iyI61OV8e6M8PP2/4hpQINQ/g==',
 'js/kjua-0.9.0.js' => 'sha512-CVn7af+vTMBd9RjoS4QM5fpLFEOtBCoB0zPtaqIDC7sF4F8qgUSRFQQpIyEDGsr6yrjbuOLzdf20tkHHmpaqwQ==',
- 'js/legacy.js' => 'sha512-p76t5AT6YHgvhG5RqWGOQ6o87aObfYWYwOPHYhhN4KfExVEZJ0/I0D+1daKprxgbL37/gtXxbd1qZx4PIhSU3g==',
+ 'js/legacy.js' => 'sha512-UxW/TOZKon83n6dk/09GsYKIyeO5LeBHokxyIq+r7KFS5KMBeIB/EM7NrkVYIezwZBaovnyNtY2d9tKFicRlXg==',
 'js/prettify.js' => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==',
 'js/privatebin.js' => 'sha512-JUj/Sbl/bMHlIoIUT1U9e89JU33fDBxCxLSGxwwaeydBFXOBHyfdF7hwSIjgbPxb4d9CO7CSe4meouTIRMy8Vg==',
 'js/purify-3.1.7.js' => 'sha512-LegvqULiMtOfboJZw9MpETN/b+xnLRXZI90gG7oIFHW+yAeHmKvRtEUbiMFx2WvUqQoL9XB3gwU+hWXUT0X+8A==',
From 652cf0cf26f34e29f2fb373ead49630085cfc52c Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Thu, 28 Nov 2024 07:48:27 +0100
Subject: [PATCH 04/10] bump PHP libraries
---
 CHANGELOG.md | 1 +
 composer.json | 4 ++--
 composer.lock | 12 ++++++------
 vendor/composer/installed.php | 4 ++--
 4 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 262edc9e..d96eabb1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
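Review bot: The function that ends at the ` return false;` and ` }` context lines (its start lies outside the hunk) now reaches `return false` without any probe for `async` syntax, so a browser that lacks it will fail while parsing the other scripts instead of receiving the legacy warning this function exists to produce; if the function carries a header comment listing the checks it performs, it should now state that ES2017 `async` support is assumed rather than detected. The `js/legacy.js` SRI hash in the `lib/Configuration.php` hunk of this patch is regenerated for this edit, as any further change to the file will have to be.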
@@ -2,6 +2,7 @@
 ## 1.7.6 (not yet released)
 * CHANGED: Switched to WASM streaming and replace unsafe-eval with wasm-unsafe-eval CSP declaration (#1464), requires webserver to have `application/wasm` MIME type configured.
+* CHANGED: Upgrading libraries to: cloud-storage 1.44.0, aws-sdk-php 3.331.0
 ## 1.7.5 (2024-11-16)
 * ADDED: Allow non persistent SQL connections, if configured (#1394)
diff --git a/composer.json b/composer.json
index d16a562b..10024a08 100644
--- a/composer.json
+++ b/composer.json
@@ -30,8 +30,8 @@
 "yzalis/identicon": "2.0.0"
 },
 "suggest" : {
- "google/cloud-storage" : "1.43.0",
- "aws/aws-sdk-php" : "3.325.0"
+ "google/cloud-storage" : "1.44.0",
+ "aws/aws-sdk-php" : "3.331.0"
 },
 "require-dev" : {
 "phpunit/phpunit" : "^9"
diff --git a/composer.lock b/composer.lock
index 3b298cb5..a72fb37c 100644
--- a/composer.lock
+++ b/composer.lock
@@ -257,16 +257,16 @@
 },
 {
 "name": "myclabs/deep-copy",
- "version": "1.12.0",
+ "version": "1.12.1",
 "source": {
 "type": "git",
 "url": "https://github.com/myclabs/DeepCopy.git",
- "reference": "3a6b9a42cd8f8771bd4295d13e1423fa7f3d942c"
+ "reference": "123267b2c49fbf30d78a7b2d333f6be754b94845"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/3a6b9a42cd8f8771bd4295d13e1423fa7f3d942c",
- "reference": "3a6b9a42cd8f8771bd4295d13e1423fa7f3d942c",
+ "url": "https://api.github.com/repos/myclabs/DeepCopy/zipball/123267b2c49fbf30d78a7b2d333f6be754b94845",
+ "reference": "123267b2c49fbf30d78a7b2d333f6be754b94845",
 "shasum": ""
 },
 "require": {
@@ -305,7 +305,7 @@
 ],
 "support": {
 "issues": "https://github.com/myclabs/DeepCopy/issues",
- "source": "https://github.com/myclabs/DeepCopy/tree/1.12.0"
+ "source": "https://github.com/myclabs/DeepCopy/tree/1.12.1"
 },
 "funding": [
 {
@@ -313,7 +313,7 @@
 "type": "tidelift"
 }
 ],
- "time": "2024-06-12T14:39:25+00:00"
+ "time": "2024-11-08T17:47:46+00:00"
 },
 {
 "name": "nikic/php-parser",
diff --git a/vendor/composer/installed.php b/vendor/composer/installed.php
index 6631bab7..7c68f160 100644
--- a/vendor/composer/installed.php
+++ b/vendor/composer/installed.php
@@ -3,7 +3,7 @@
 'name' => 'privatebin/privatebin',
 'pretty_version' => 'dev-master',
 'version' => 'dev-master',
- 'reference' => '365782ebeb864a851a9ece915028f6cac97f8fab',
+ 'reference' => '1c7d63954642b3852177793c0c17963303484051',
 'type' => 'project',
 'install_path' => __DIR__ . '/../../',
 'aliases' => array(),
@@ -31,7 +31,7 @@
 'privatebin/privatebin' => array(
 'pretty_version' => 'dev-master',
 'version' => 'dev-master',
- 'reference' => '365782ebeb864a851a9ece915028f6cac97f8fab',
+ 'reference' => '1c7d63954642b3852177793c0c17963303484051',
 'type' => 'project',
 'install_path' => __DIR__ . '/../../',
 'aliases' => array(),
From 75ec510f2dfea3d4b2bc92a445f8e9f5971c4e17 Mon Sep 17 00:00:00 2001
From: PrivateBin Translator Bot <72346835+privatebin-translator@users.noreply.github.com>
Date: Thu, 28 Nov 2024 14:44:35 +0100
Subject: [PATCH 05/10] New translations en.json (Corsican)
---
 i18n/co.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/i18n/co.json b/i18n/co.json
index b79964a3..d590be28 100644
--- a/i18n/co.json
+++ b/i18n/co.json
@@ -168,15 +168,15 @@
 "Plain Text": "Testu in chjaru",
 "Source Code": "Codice di fonte",
 "Markdown": "Markdown",
- "Download attachment": "Scaricà a pezza aghjunta",
+ "Download attachment": "Scaricà a pezza ghjunta",
 "Cloned: '%s'": "Duppiatu : « %s »",
 "The cloned file '%s' was attached to this paste.": "U schedariu duppiatu « %s » hè statu aghjuntu à st’appiccicu.",
 "Attach a file": "Aghjunghje un schedariu",
 "alternatively drag & drop a file or paste an image from the clipboard": "in alternanza, sguillà è depone un schedariu o incullà una fiura da u preme’papei",
- "File too large, to display a preview. Please download the attachment.": "Schedariu troppu maiò per affissà una fighjulata. Scaricate a pezza aghjunta.",
- "Remove attachment": "Caccià a pezza aghjunta",
+ "File too large, to display a preview. Please download the attachment.": "Schedariu troppu maiò per affissà una fighjulata. Scaricate a pezza ghjunta.",
+ "Remove attachment": "Caccià a pezza ghjunta",
 "Your browser does not support uploading encrypted files. Please use a newer browser.": "U vostru navigatore ùn accetta micca l’inviu di i schedarii cifrati. Impiegate un navigatore più recente.",
- "Invalid attachment.": "A pezza aghjunta hè inaccettevule.",
+ "Invalid attachment.": "A pezza ghjunta hè inaccettevule.",
 "Options": "Ozzioni",
 "Shorten URL": "Ammuzzà l’indirizzu",
 "Editor": "Editore",
From 7ee6bcafc4887981a5d804cee9cd9da35ed9b2fe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 29 Nov 2024 11:11:25 +0000
Subject: [PATCH 06/10] Bump dawidd6/action-download-artifact from 6 to 7
Bumps [dawidd6/action-download-artifact](https://github.com/dawidd6/action-download-artifact) from 6 to 7.
- [Release notes](https://github.com/dawidd6/action-download-artifact/releases)
- [Commits](https://github.com/dawidd6/action-download-artifact/compare/bf251b5aa9c2f7eeb574a96ee720e24f801b7c11...80620a5d27ce0ae443b965134db88467fc607b43)
---
updated-dependencies:
- dependency-name: dawidd6/action-download-artifact
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/test-results.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-results.yml b/.github/workflows/test-results.yml
index 4e20737d..5254960f 100644
--- a/.github/workflows/test-results.yml
+++ b/.github/workflows/test-results.yml
@@ -24,7 +24,7 @@ jobs:
 steps:
 - name: Download and Extract Artifacts
- uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11
+ uses: dawidd6/action-download-artifact@80620a5d27ce0ae443b965134db88467fc607b43
 with:
 run_id: ${{ github.event.workflow_run.id }}
 path: artifacts
From e92f2ac9ca6fb9557f7cb59f252095e726065820 Mon Sep 17 00:00:00 2001
From: PrivateBin Translator Bot <72346835+privatebin-translator@users.noreply.github.com>
Date: Tue, 3 Dec 2024 09:49:56 +0100
Subject: [PATCH 07/10] New translations en.json (Thai)
---
 i18n/th.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/i18n/th.json b/i18n/th.json
index ddebf39f..089de3fe 100644
--- a/i18n/th.json
+++ b/i18n/th.json
@@ -217,7 +217,7 @@
 "Error parsing YOURLS response.": "เกิดข้อผิดพลาดในการแยกวิเคราะห์การตอบสนองของ YOURLS",
 "This secret message can only be displayed once. Would you like to see it now?": "This secret message can only be displayed once. Would you like to see it now?",
 "Yes, see it": "Yes, see it",
- "Dark Mode": "โหมดมืด",
+ "Dark Mode": "โหมดสีเข้ม",
 "Error compressing paste, due to missing WebAssembly support.": "Error compressing paste, due to missing WebAssembly support.",
 "Error decompressing paste, your browser does not support WebAssembly. Please use another browser to view this paste.": "Error decompressing paste, your browser does not support WebAssembly. Please use another browser to view this paste.",
 "Start over": "Start over"
From f9094874eb1639a6c6cbb84e118441a6b0d0d42a Mon Sep 17 00:00:00 2001
From: PrivateBin Translator Bot <72346835+privatebin-translator@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:59:49 +0100
Subject: [PATCH 08/10] New translations en.json (Thai)
---
 i18n/th.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/i18n/th.json b/i18n/th.json
index 089de3fe..b088d68f 100644
--- a/i18n/th.json
+++ b/i18n/th.json
@@ -215,10 +215,10 @@
 "Trying to shorten a URL that isn't pointing at our instance.": "กำลังพยายามใช้เครื่องมือสร้างลิงก์ย่อ ที่ไม่ได้ชี้ไปที่อินสแตนซ์ของเรา",
 "Error calling YOURLS. Probably a configuration issue, like wrong or missing \"apiurl\" or \"signature\".": "เกิดข้อผิดพลาดในการเรียก YOURLS อาจเป็นปัญหามาจากการกำหนดค่า เช่น \"apiurl\" หรือ \"signature\" ไม่ถูกต้องหรือขาดหายไป",
 "Error parsing YOURLS response.": "เกิดข้อผิดพลาดในการแยกวิเคราะห์การตอบสนองของ YOURLS",
- "This secret message can only be displayed once. Would you like to see it now?": "This secret message can only be displayed once. Would you like to see it now?",
- "Yes, see it": "Yes, see it",
+ "This secret message can only be displayed once. Would you like to see it now?": "ข้อความลับนี้จะแสดงได้เพียงครั้งเดียวเท่านั้น คุณต้องการดูข้อความนี้ตอนนี้เลยใช่หรือไม่",
+ "Yes, see it": "ใช่ ดูเลย",
 "Dark Mode": "โหมดสีเข้ม",
- "Error compressing paste, due to missing WebAssembly support.": "Error compressing paste, due to missing WebAssembly support.",
- "Error decompressing paste, your browser does not support WebAssembly. Please use another browser to view this paste.": "Error decompressing paste, your browser does not support WebAssembly. Please use another browser to view this paste.",
- "Start over": "Start over"
+ "Error compressing paste, due to missing WebAssembly support.": "ไม่สามารถบีบอัดข้อมูลที่คุณต้องการฝากโค้ดได้ เนื่องจากอุปกรณ์ของคุณขาดการรองรับ WebAssembly",
+ "Error decompressing paste, your browser does not support WebAssembly. Please use another browser to view this paste.": "ไม่สามารถอ่านข้อมูลที่คุณได้ฝากโค้ดไว้ เบราว์เซอร์ของคุณไม่รองรับ WebAssembly กรุณาลองเปลี่ยนใช้เบราว์เซอร์ตัวอื่นเพื่อดูการฝากโค้ดนี้อีกครั้ง",
+ "Start over": "เริ่มใหม่"
 }
From f7a9631a2fddf2c78bb08a04422010127850bf7f Mon Sep 17 00:00:00 2001
From: PrivateBin Translator Bot <72346835+privatebin-translator@users.noreply.github.com>
Date: Thu, 12 Dec 2024 21:29:46 +0100
Subject: [PATCH 09/10] New translations en.json (Ukrainian)
---
 i18n/uk.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/i18n/uk.json b/i18n/uk.json
index 9b1f2970..2d7796cb 100644
--- a/i18n/uk.json
+++ b/i18n/uk.json
@@ -220,5 +220,5 @@
 "Dark Mode": "Темний режим",
 "Error compressing paste, due to missing WebAssembly support.": "Помилка при стисканні допису, через відсутність підтримки WebAssembly сервера.",
 "Error decompressing paste, your browser does not support WebAssembly. Please use another browser to view this paste.": "Помилка при розпакуванні допису, бо ваш браузер не підтримує WebAssembly. Будь ласка, відкрийте в іншому браузері для перегляду цього допису.",
- "Start over": "Start over"
+ "Start over": "Почати знову"
 }
From 15488d3405cfe28d08ca9662456181d48d550fec Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 14 Dec 2024 09:14:44 +0100
Subject: [PATCH 10/10] bump checkout action
---
 codacy-analysis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/codacy-analysis.yml b/codacy-analysis.yml
index 9850708b..31d065cd 100644
--- a/codacy-analysis.yml
+++ b/codacy-analysis.yml
@@ -24,7 +24,7 @@ jobs:
 steps:
 # Checkout the repository to the GitHub Actions runner
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
 - name: Run Codacy Analysis CLI