Merge branch 'master' into attachment-handling
This commit is contained in:
commit
08972e4da3
|
@ -35,5 +35,4 @@ If you have access to the server log files, also copy them here.
|
||||||
<!-- The version of PrivateBin, if you use an unstable version paste the commit hash or the GitHub link to the commit here (you can get it by running `git rev-parse HEAD`) -->
|
<!-- The version of PrivateBin, if you use an unstable version paste the commit hash or the GitHub link to the commit here (you can get it by running `git rev-parse HEAD`) -->
|
||||||
**PrivateBin version:**
|
**PrivateBin version:**
|
||||||
|
|
||||||
* I can reproduce this issue on <https://privatebin.net>: Yes / No
|
I can reproduce this issue on <https://privatebin.net>: Yes / No
|
||||||
|
|
||||||
|
|
|
@ -15,7 +15,7 @@ before_script:
|
||||||
- composer install -n
|
- composer install -n
|
||||||
- npm install -g mocha
|
- npm install -g mocha
|
||||||
- cd js
|
- cd js
|
||||||
- npm install jsverify jsdom jsdom-global
|
- npm install jsverify jsdom@9 jsdom-global@2
|
||||||
- cd ..
|
- cd ..
|
||||||
|
|
||||||
script:
|
script:
|
||||||
|
|
155
INSTALL.md
155
INSTALL.md
|
@ -1,154 +1 @@
|
||||||
# Installation
|
For installation instructions, see [our wiki](https://github.com/PrivateBin/PrivateBin/wiki/Installation).
|
||||||
|
|
||||||
**TL;DR:** Download the
|
|
||||||
[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest)
|
|
||||||
and extract it in your web hosts folder where you want to install your PrivateBin
|
|
||||||
instance. We try to provide a safe default configuration, but we advise you to
|
|
||||||
check the options and adjust them as you see fit.
|
|
||||||
|
|
||||||
## Basic installation
|
|
||||||
|
|
||||||
### Requirements
|
|
||||||
|
|
||||||
- PHP version 5.4 or above
|
|
||||||
- _one_ of the following sources of cryptographically safe randomness is required:
|
|
||||||
- PHP 7 or higher
|
|
||||||
- [Libsodium](https://download.libsodium.org/libsodium/content/installation/) and it's [PHP extension](https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium)
|
|
||||||
- open_basedir access to `/dev/urandom`
|
|
||||||
- mcrypt extension
|
|
||||||
- com_dotnet extension
|
|
||||||
|
|
||||||
Mcrypt needs to be able to access `/dev/urandom`. This means if `open_basedir` is set, it must include this file.
|
|
||||||
- GD extension
|
|
||||||
- some disk space or (optional) a database supported by [PDO](https://secure.php.net/manual/book.pdo.php)
|
|
||||||
- ability to create files and folders in the installation directory and the PATH
|
|
||||||
- A web browser with javascript support
|
|
||||||
|
|
||||||
### Configuration
|
|
||||||
|
|
||||||
In the file `cfg/conf.ini` you can configure PrivateBin. A `cfg/conf.ini.sample`
|
|
||||||
is provided containing all options and default values. You can copy it to
|
|
||||||
`cfg/conf.ini` and adapt it as needed. The config file is divided into multiple
|
|
||||||
sections, which are enclosed in square brackets.
|
|
||||||
|
|
||||||
In the `[main]` section you can enable or disable the discussion feature, set
|
|
||||||
the limit of stored pastes and comments in bytes. The `[traffic]` section lets
|
|
||||||
you set a time limit in seconds. Users may not post more often then this limit
|
|
||||||
to your PrivateBin installation.
|
|
||||||
|
|
||||||
More details can be found in the
|
|
||||||
[configuration documentation](https://github.com/PrivateBin/PrivateBin/wiki/Configuration).
|
|
||||||
|
|
||||||
## Further configuration
|
|
||||||
|
|
||||||
After (or before) setting up PrivateBin, also set up HTTPS, as without HTTPS
|
|
||||||
PrivateBin is not secure. (
|
|
||||||
[More information](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https))
|
|
||||||
|
|
||||||
If you want to use PrivateBin behind Cloudflare, make sure you disabled Rocket
|
|
||||||
loader and unchecked "Javascript" for Auto Minify, found in your domain settings,
|
|
||||||
under "Speed". (More information
|
|
||||||
[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection))
|
|
||||||
|
|
||||||
## Advanced installation
|
|
||||||
|
|
||||||
### Changing the path
|
|
||||||
|
|
||||||
In the index.php you can define a different `PATH`. This is useful to secure your
|
|
||||||
installation. You can move the configuration, data files, templates and PHP
|
|
||||||
libraries (directories cfg, doc, data, lib, tpl, tst and vendor) outside of your
|
|
||||||
document root. This new location must still be accessible to your webserver / PHP
|
|
||||||
process (see also
|
|
||||||
[open_basedir setting](https://secure.php.net/manual/en/ini.core.php#ini.open-basedir)).
|
|
||||||
|
|
||||||
> #### PATH Example
|
|
||||||
> Your PrivateBin installation lives in a subfolder called "paste" inside of
|
|
||||||
> your document root. The URL looks like this:
|
|
||||||
> https://example.com/paste/
|
|
||||||
>
|
|
||||||
> The full path of PrivateBin on your webserver is:
|
|
||||||
> /home/example.com/htdocs/paste
|
|
||||||
>
|
|
||||||
> When setting the path like this:
|
|
||||||
> define('PATH', '../../secret/privatebin/');
|
|
||||||
>
|
|
||||||
> PrivateBin will look for your includes / data here:
|
|
||||||
> /home/example.com/secret/privatebin
|
|
||||||
|
|
||||||
### Web server configuration
|
|
||||||
|
|
||||||
A `robots.txt` file is provided in the root dir of PrivateBin. It disallows all
|
|
||||||
robots from accessing your pastes. It is recommend to place it into the root of
|
|
||||||
your web directory if you have installed PrivateBin in a subdirectory. Make sure
|
|
||||||
to adjust it, so that the file paths match your installation. Of course also
|
|
||||||
adjust the file if you already use a `robots.txt`.
|
|
||||||
|
|
||||||
A `.htaccess.disabled` file is provided in the root dir of PrivateBin. It blocks
|
|
||||||
some known robots and link-scanning bots. If you use Apache, you can rename the
|
|
||||||
file to `.htaccess` to enable this feature. If you use another webserver, you
|
|
||||||
have to configure it manually to do the same.
|
|
||||||
|
|
||||||
### Using a database instead of flat files
|
|
||||||
|
|
||||||
In the configuration file the `[model]` and `[model_options]` sections let you
|
|
||||||
configure your favourite way of storing the pastes and discussions on your
|
|
||||||
server.
|
|
||||||
|
|
||||||
`Filesystem` is the default model, which stores everything in files in the
|
|
||||||
data folder. This is the recommended setup for most sites.
|
|
||||||
|
|
||||||
Under high load, in distributed setups or if you are not allowed to store files
|
|
||||||
locally, you might want to switch to the `Database` model. This lets you
|
|
||||||
store your data in a database. Basically all databases that are supported by
|
|
||||||
[PDO](https://secure.php.net/manual/en/book.pdo.php) may be used. Automatic table
|
|
||||||
creation is provided for `pdo_ibm`, `pdo_informix`, `pdo_mssql`, `pdo_mysql`,
|
|
||||||
`pdo_oci`, `pdo_pgsql` and `pdo_sqlite`. You may want to provide a table prefix,
|
|
||||||
if you have to share the PrivateBin database with another application or you want
|
|
||||||
to use a prefix for
|
|
||||||
[security reasons](https://security.stackexchange.com/questions/119510/is-using-a-db-prefix-for-tables-more-secure).
|
|
||||||
The table prefix option is called `tbl`.
|
|
||||||
|
|
||||||
> #### Note
|
|
||||||
> The `Database` model has only been tested with SQLite, MySQL and PostgreSQL,
|
|
||||||
> although it would not be recommended to use SQLite in a production environment.
|
|
||||||
> If you gain any experience running PrivateBin on other RDBMS, please let us
|
|
||||||
> know.
|
|
||||||
|
|
||||||
For reference or if you want to create the table schema for yourself (replace
|
|
||||||
`prefix_` with your own table prefix and create the table schema with phpMyAdmin
|
|
||||||
or the MYSQL console):
|
|
||||||
|
|
||||||
```sql
|
|
||||||
CREATE TABLE prefix_paste (
|
|
||||||
dataid CHAR(16) NOT NULL,
|
|
||||||
data BLOB,
|
|
||||||
postdate INT,
|
|
||||||
expiredate INT,
|
|
||||||
opendiscussion INT,
|
|
||||||
burnafterreading INT,
|
|
||||||
meta TEXT,
|
|
||||||
attachment MEDIUMBLOB,
|
|
||||||
attachmentname BLOB,
|
|
||||||
PRIMARY KEY (dataid)
|
|
||||||
);
|
|
||||||
|
|
||||||
CREATE TABLE prefix_comment (
|
|
||||||
dataid CHAR(16),
|
|
||||||
pasteid CHAR(16),
|
|
||||||
parentid CHAR(16),
|
|
||||||
data BLOB,
|
|
||||||
nickname BLOB,
|
|
||||||
vizhash BLOB,
|
|
||||||
postdate INT,
|
|
||||||
PRIMARY KEY (dataid)
|
|
||||||
);
|
|
||||||
CREATE INDEX parent ON prefix_comment(pasteid);
|
|
||||||
|
|
||||||
CREATE TABLE prefix_config (
|
|
||||||
id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id)
|
|
||||||
);
|
|
||||||
INSERT INTO prefix_config VALUES('VERSION', '1.1');
|
|
||||||
```
|
|
||||||
|
|
||||||
In PostgreSQL the attachment column needs to be TEXT and not BLOB or MEDIUMBLOB.
|
|
||||||
|
|
||||||
|
|
42
README.md
42
README.md
|
@ -12,13 +12,13 @@
|
||||||
**PrivateBin** is a minimalist, open source online pastebin where the server has
|
**PrivateBin** is a minimalist, open source online pastebin where the server has
|
||||||
zero knowledge of pasted data.
|
zero knowledge of pasted data.
|
||||||
|
|
||||||
Data is encrypted/decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
|
Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
|
||||||
|
|
||||||
This is a fork of ZeroBin, originally developed by
|
This is a fork of ZeroBin, originally developed by
|
||||||
[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). It was refactored
|
[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). ZeroBin was refactored
|
||||||
to allow easier and cleaner extensions and has now many more features than the
|
to allow easier and cleaner extensions. PrivateBin has many more features than the
|
||||||
original. It is however still fully compatible to the original ZeroBin 0.19
|
original ZeroBin. It is, however, still fully compatible to the original ZeroBin 0.19
|
||||||
data storage scheme. Therefore such installations can be upgraded to this fork
|
data storage scheme. Therefore, such installations can be upgraded to PrivateBin
|
||||||
without losing any data.
|
without losing any data.
|
||||||
|
|
||||||
## What PrivateBin provides
|
## What PrivateBin provides
|
||||||
|
@ -38,37 +38,37 @@ without losing any data.
|
||||||
|
|
||||||
## What it doesn't provide
|
## What it doesn't provide
|
||||||
|
|
||||||
- As a user you have to trust the server administrator, your internet provider
|
- As a user you have to trust the server administrator not to inject any malicious
|
||||||
and any country the traffic passes not to inject any malicious javascript code.
|
javascript code.
|
||||||
For a basic security the PrivateBin installation *has to provide HTTPS*!
|
For basic security, the PrivateBin installation *has to provide HTTPS*!
|
||||||
Additionally it should be secured by
|
Otherwise you would also have to trust your internet provider, and any country
|
||||||
|
the traffic passes through.
|
||||||
|
Additionally the instance should be secured by
|
||||||
[HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and
|
[HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and
|
||||||
ideally by [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) using a
|
ideally by [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) using a
|
||||||
certificate either validated by a trusted third party (check the certificate
|
certificate. It can use traditional certificate authorities and/or use
|
||||||
when first using a new PrivateBin instance) or self-signed by the server
|
|
||||||
operator, validated using a
|
|
||||||
[DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
|
[DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
|
||||||
protected
|
protected
|
||||||
[DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)
|
[DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)
|
||||||
record.
|
record.
|
||||||
|
|
||||||
- The "key" used to encrypt the paste is part of the URL. If you publicly post
|
- The "key" used to encrypt the paste is part of the URL. If you publicly post
|
||||||
the URL of a paste that is not password-protected, everybody can read it.
|
the URL of a paste that is not password-protected, anyone can read it.
|
||||||
Use a password if you want your paste to be private. In this case make sure to
|
Use a password if you want your paste to be private. In this case, make sure to
|
||||||
use a strong password and do only share it privately and end-to-end-encrypted.
|
use a strong password and only share it privately and end-to-end-encrypted.
|
||||||
|
|
||||||
- A server admin might be forced to hand over access logs to the authorities.
|
- A server admin might be forced to hand over access logs to the authorities.
|
||||||
PrivateBin encrypts your text and the discussion contents, but who accessed it
|
PrivateBin encrypts your text and the discussion contents, but who accessed a
|
||||||
first might still be disclosed via such access logs.
|
paste (first) might still be disclosed via access logs.
|
||||||
|
|
||||||
- In case of a server breach your data is secure as it is only stored encrypted
|
- In case of a server breach your data is secure as it is only stored encrypted
|
||||||
on the server. However the server could be misused or the server admin could
|
on the server. However, the server could be misused or the server admin could
|
||||||
be legally forced into sending malicious JavaScript to all web users, which
|
be legally forced into sending malicious JavaScript to all web users, which
|
||||||
grabs the decryption key and send it to the server when a user accesses a
|
grabs the decryption key and sends it to the server when a user accesses a
|
||||||
PrivateBin.
|
PrivateBin.
|
||||||
Therefore do not access any PrivateBin instance if you think it has been
|
Therefore, do not access any PrivateBin instance if you think it has been
|
||||||
compromised. As long as no user accesses this instance with a previously
|
compromised. As long as no user accesses this instance with a previously
|
||||||
generated URL, the content can''t be decrypted.
|
generated URL, the content can't be decrypted.
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
|
|
34
js/test.js
34
js/test.js
|
@ -561,6 +561,40 @@ describe('CryptTool', function () {
|
||||||
});
|
});
|
||||||
|
|
||||||
describe('Model', function () {
|
describe('Model', function () {
|
||||||
|
describe('getExpirationDefault', function () {
|
||||||
|
before(function () {
|
||||||
|
$.PrivateBin.Model.reset();
|
||||||
|
cleanup();
|
||||||
|
});
|
||||||
|
|
||||||
|
jsc.property(
|
||||||
|
'returns the contents of the element with id "pasteExpiration"',
|
||||||
|
'array asciinestring',
|
||||||
|
'string',
|
||||||
|
'small nat',
|
||||||
|
function (keys, value, key) {
|
||||||
|
keys = keys.map($.PrivateBin.Helper.htmlEntities);
|
||||||
|
value = $.PrivateBin.Helper.htmlEntities(value);
|
||||||
|
var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'),
|
||||||
|
contents = '<select id="pasteExpiration" name="pasteExpiration">';
|
||||||
|
keys.forEach(function(item) {
|
||||||
|
contents += '<option value="' + item + '"';
|
||||||
|
if (item === content) {
|
||||||
|
contents += ' selected="selected"';
|
||||||
|
}
|
||||||
|
contents += '>' + value + '</option>';
|
||||||
|
});
|
||||||
|
contents += '</select>';
|
||||||
|
$('body').html(contents);
|
||||||
|
var result = $.PrivateBin.Helper.htmlEntities(
|
||||||
|
$.PrivateBin.Model.getExpirationDefault()
|
||||||
|
);
|
||||||
|
$.PrivateBin.Model.reset();
|
||||||
|
return content === result;
|
||||||
|
}
|
||||||
|
);
|
||||||
|
});
|
||||||
|
|
||||||
describe('getPasteId', function () {
|
describe('getPasteId', function () {
|
||||||
before(function () {
|
before(function () {
|
||||||
$.PrivateBin.Model.reset();
|
$.PrivateBin.Model.reset();
|
||||||
|
|
|
@ -269,7 +269,7 @@ if ($PASSWORD):
|
||||||
?>
|
?>
|
||||||
<li>
|
<li>
|
||||||
<div id="password" class="navbar-form hidden">
|
<div id="password" class="navbar-form hidden">
|
||||||
<input type="password" id="passwordinput" placeholder="<?php echo I18n::_('Password (recommended)'); ?>" class="form-control" size="19" />
|
<input type="password" id="passwordinput" placeholder="<?php echo I18n::_('Password (recommended)'); ?>" class="form-control" size="23" />
|
||||||
</div>
|
</div>
|
||||||
</li>
|
</li>
|
||||||
<?php
|
<?php
|
||||||
|
|
|
@ -51,7 +51,7 @@ and jsdom-global locally:
|
||||||
```console
|
```console
|
||||||
$ npm install -g mocha istanbul
|
$ npm install -g mocha istanbul
|
||||||
$ cd PrivateBin/js
|
$ cd PrivateBin/js
|
||||||
$ npm install jsverify jsdom jsdom-global
|
$ npm install jsverify jsdom@9 jsdom-global@2
|
||||||
```
|
```
|
||||||
|
|
||||||
Example for Debian and Ubuntu, including steps to allow the current user to
|
Example for Debian and Ubuntu, including steps to allow the current user to
|
||||||
|
@ -63,9 +63,12 @@ $ sudo chown -R $(whoami) $(npm config get prefix)/{lib/node_modules,bin,share}
|
||||||
$ ln -s /usr/bin/nodejs /usr/local/bin/node
|
$ ln -s /usr/bin/nodejs /usr/local/bin/node
|
||||||
$ npm install -g mocha istanbul
|
$ npm install -g mocha istanbul
|
||||||
$ cd PrivateBin/js
|
$ cd PrivateBin/js
|
||||||
$ npm install jsverify jsdom jsdom-global
|
$ npm install jsverify jsdom@9 jsdom-global@2
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Note: If you use a distribution that provides nodeJS >= 6, then you can install
|
||||||
|
the latest jsdom and jsdom-global packages and don't need to use @9 and @2.
|
||||||
|
|
||||||
To run the tests, just change into the `js` directory and run istanbul:
|
To run the tests, just change into the `js` directory and run istanbul:
|
||||||
```console
|
```console
|
||||||
$ cd PrivateBin/js
|
$ cd PrivateBin/js
|
||||||
|
|
Loading…
Reference in New Issue