ensure ALL read errors are only exposed in the JSON API to avoid information leakage (i.e. beviour for deleted vs expired pastes), updated test cases & removed duplicate test

This commit is contained in:
El RIDO 2018-05-27 14:36:30 +02:00
parent e511613bbc
commit 05c1776ada
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
2 changed files with 22 additions and 46 deletions

View File

@ -356,38 +356,31 @@ class PrivateBin
}
/**
* Read an existing paste or comment
* Read an existing paste or comment, only allowed via a JSON API call
*
* @access private
* @param string $dataid
*/
private function _read($dataid)
{
if (!$this->_request->isJsonApiCall()) {
return;
}
try {
$paste = $this->_model->getPaste($dataid);
if ($paste->exists()) {
// reading paste is only possible via JSON call
if ($this->_request->isJsonApiCall()) {
$data = $paste->get();
$this->_doesExpire = property_exists($data, 'meta') && property_exists($data->meta, 'expire_date');
if (property_exists($data->meta, 'salt')) {
unset($data->meta->salt);
}
$this->_data = json_encode($data);
}
$this->_return_message(0, $dataid, (array) $data);
} else {
$this->_error = self::GENERIC_ERROR;
$this->_return_message(1, self::GENERIC_ERROR);
}
} catch (Exception $e) {
$this->_error = $e->getMessage();
}
if ($this->_request->isJsonApiCall()) {
if (strlen($this->_error)) {
$this->_return_message(1, $this->_error);
} else {
$this->_return_message(0, $dataid, json_decode($this->_data, true));
}
$this->_return_message(1, $e->getMessage());
}
}

View File

@ -680,15 +680,14 @@ class PrivateBinTest extends PHPUnit_Framework_TestCase
public function testReadInvalidId()
{
$_SERVER['QUERY_STRING'] = 'foo';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new PrivateBin;
$content = ob_get_contents();
ob_end_clean();
$this->assertRegExp(
'#<div[^>]*id="errormessage"[^>]*>.*Invalid paste ID\.#s',
$content,
'outputs error correctly'
);
$response = json_decode($content, true);
$this->assertEquals(1, $response['status'], 'outputs error status');
$this->assertEquals('Invalid paste ID.', $response['message'], 'outputs error message');
}
/**
@ -697,15 +696,14 @@ class PrivateBinTest extends PHPUnit_Framework_TestCase
public function testReadNonexisting()
{
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new PrivateBin;
$content = ob_get_contents();
ob_end_clean();
$this->assertRegExp(
'#<div[^>]*id="errormessage"[^>]*>.*Paste does not exist, has expired or has been deleted\.#s',
$content,
'outputs error correctly'
);
$response = json_decode($content, true);
$this->assertEquals(1, $response['status'], 'outputs error status');
$this->assertEquals('Paste does not exist, has expired or has been deleted.', $response['message'], 'outputs error message');
}
/**
@ -779,21 +777,6 @@ class PrivateBinTest extends PHPUnit_Framework_TestCase
$this->assertEquals(0, $response['comment_offset'], 'outputs comment_offset correctly');
}
/**
* @runInSeparateProcess
*/
public function testReadInvalidJson()
{
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new PrivateBin;
$content = ob_get_contents();
ob_end_clean();
$response = json_decode($content, true);
$this->assertEquals(1, $response['status'], 'outputs error status');
}
/**
* @runInSeparateProcess
*/