diff --git a/.styleci.yml b/.styleci.yml index 238f41a..9c2c76c 100644 --- a/.styleci.yml +++ b/.styleci.yml @@ -17,7 +17,7 @@ disabled: - concat_without_spaces - declare_equal_normalize - heredoc_to_nowdoc - - method_argument_space + - method_argument_space_strict - new_with_braces - no_alternative_syntax - phpdoc_align diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e95452..ae23725 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,12 @@ # PrivateBin version history * **1.4 (not yet released)** + * **1.3.4 (2020-03-22)** * CHANGED: Minimum required PHP version is 5.6, due to a change in the identicon library and to use php's native hash_equals() * CHANGED: Upgrading libraries to: identicon 2.0.0 + * FIXED: Support custom expiration options in email function (#586) + * FIXED: Regression with encoding of HTML entities (#588) + * FIXED: Unable to paste password on paste with attachment (#565 & #595) * **1.3.3 (2020-02-16)** * CHANGED: Upgrading libraries to: DOMpurify 2.0.8 * CHANGED: Several translations got updated with missing messages diff --git a/INSTALL.md b/INSTALL.md index 2f3900c..93a1284 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -187,7 +187,7 @@ CREATE INDEX parent ON prefix_comment(pasteid); CREATE TABLE prefix_config ( id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id) ); -INSERT INTO prefix_config VALUES('VERSION', '1.3.3'); +INSERT INTO prefix_config VALUES('VERSION', '1.3.4'); ``` In **PostgreSQL**, the data, attachment, nickname and vizhash columns needs to be TEXT and not BLOB or MEDIUMBLOB. diff --git a/README.md b/README.md index d05a865..d35035f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/) -*Current version: 1.3.3* +*Current version: 1.3.4* **PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin) where the server has zero knowledge of pasted data. 
diff --git a/SECURITY.md b/SECURITY.md index f3b02da..1a5bf96 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,8 +4,8 @@ | Version | Supported | | ------- | ------------------ | -| 1.3.3 | :heavy_check_mark: | -| < 1.3.3 | :x: | +| 1.3.4 | :heavy_check_mark: | +| < 1.3.4 | :x: | ## Reporting a Vulnerability diff --git a/css/bootstrap/privatebin.css b/css/bootstrap/privatebin.css index 7bd85f5..72e420e 100644 --- a/css/bootstrap/privatebin.css +++ b/css/bootstrap/privatebin.css @@ -6,7 +6,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ body { diff --git a/css/noscript.css b/css/noscript.css index 3679c27..e44670f 100644 --- a/css/noscript.css +++ b/css/noscript.css @@ -6,7 +6,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ /* When there is no script at all other */ diff --git a/css/privatebin.css b/css/privatebin.css index 350d621..a3ab5ea 100644 --- a/css/privatebin.css +++ b/css/privatebin.css @@ -6,7 +6,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ /* CSS Reset from YUI 3.4.1 (build 4118) - Copyright 2011 Yahoo! Inc. All rights reserved. diff --git a/index.php b/index.php index f346a59..a6d7cdf 100644 --- a/index.php +++ b/index.php 
@@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ // change this, if your php files and data is outside of your webservers document root diff --git a/js/privatebin.js b/js/privatebin.js index 139ecc7..6ed9325 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -6,7 +6,7 @@ * @see {@link https://github.com/PrivateBin/PrivateBin} * @copyright 2012 Sébastien SAUVAGE ({@link http://sebsauvage.net}) * @license {@link https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License} - * @version 1.3.3 + * @version 1.3.4 * @name PrivateBin * @namespace */ @@ -375,7 +375,7 @@ jQuery.PrivateBin = (function($, RawDeflate) { }; /** - * convert URLs to clickable links. + * convert URLs to clickable links in the provided element. * * URLs to handle: *
@@ -386,14 +386,15 @@ jQuery.PrivateBin = (function($, RawDeflate) { * * @name Helper.urls2links * @function - * @param {string} html - * @return {string} + * @param {HTMLElement} element */ - me.urls2links = function(html) + me.urls2links = function(element) { - return html.replace( - /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]*>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig, - '$1' + element.html( + element.html().replace( + /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig, + '$1' + ) ); }; 
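Review bot: The rewritten `urls2links` now rewrites `element.html()` in place, so it is only safe against injected markup when the caller has already put the content in through `.text()` (or an equivalent entity-escaping step), and that precondition is not stated in the JSDoc; add something like `@param {jQuery} element - content must already be HTML-escaped; its innerHTML is rewritten in place` and note that nothing is returned any more. The parameter is documented as `{HTMLElement}` but `.html()` is a jQuery method, and every caller in this commit passes a jQuery object. The negative lookahead in the new pattern reads `[\w\s?!&.\/;#~%"=-]>` where the old one had `[\w\s?!&.\/;#~%"=-]*>`; if dropping the `*` is intentional it deserves a one-line comment, otherwise it narrows the "URL already inside a tag" exclusion to a single character before the `>`.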
@@ -2504,36 +2505,24 @@ jQuery.PrivateBin = (function($, RawDeflate) { return; } - // escape HTML entities, link URLs, sanitize - const escapedLinkedText = Helper.urls2links(text), - sanitizedLinkedText = DOMPurify.sanitize( - escapedLinkedText, { - ALLOWED_TAGS: ['a'], - ALLOWED_ATTR: ['href', 'rel'] - } - ); - $plainText.html(sanitizedLinkedText); - $prettyPrint.html(sanitizedLinkedText); - - switch (format) { - case 'markdown': - const converter = new showdown.Converter({ - strikethrough: true, - tables: true, - tablesHeaderId: true, - simplifiedAutoLink: true, - excludeTrailingPunctuationFromURLs: true - }); - // let showdown convert the HTML and sanitize HTML *afterwards*! - $plainText.html( - DOMPurify.sanitize( - converter.makeHtml(text) - ) - ); - // add table classes from bootstrap css - $plainText.find('table').addClass('table-condensed table-bordered'); - break; - case 'syntaxhighlighting': + if (format === 'markdown') { + const converter = new showdown.Converter({ + strikethrough: true, + tables: true, + tablesHeaderId: true, + simplifiedAutoLink: true, + excludeTrailingPunctuationFromURLs: true + }); + // let showdown convert the HTML and sanitize HTML *afterwards*! + $plainText.html( + DOMPurify.sanitize( + converter.makeHtml(text) + ) + ); + // add table classes from bootstrap css + $plainText.find('table').addClass('table-condensed table-bordered'); + } else { + if (format === 'syntaxhighlighting') { // yes, this is really needed to initialize the environment if (typeof prettyPrint === 'function') { 
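Review bot: Replacing the `switch` with `if (format === 'markdown') { … } else { if (format === 'syntaxhighlighting') {` adds a nesting level where `} else if (format === 'syntaxhighlighting') {` reads more directly; the matching closing braces in the next hunk would shrink by one. The removed comment `// escape HTML entities, link URLs, sanitize` described the old pipeline and nothing replaces it; a line above the new `if` such as `// each format escapes its input first, then Helper.urls2links linkifies the escaped HTML` would keep that intent visible. The enclosing function starts before this hunk and continues into the next one.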
@@ -2541,15 +2530,18 @@ jQuery.PrivateBin = (function($, RawDeflate) { } $prettyPrint.html( - DOMPurify.sanitize( - prettyPrintOne(escapedLinkedText, null, true) + prettyPrintOne( + Helper.htmlEntities(text), null, true ) ); - // fall through, as the rest is the same - default: // = 'plaintext' - $prettyPrint.css('white-space', 'pre-wrap'); - $prettyPrint.css('word-break', 'normal'); - $prettyPrint.removeClass('prettyprint'); + } else { + // = 'plaintext' + $prettyPrint.text(text); + } + Helper.urls2links($prettyPrint); + $prettyPrint.css('white-space', 'pre-wrap'); + $prettyPrint.css('word-break', 'normal'); + $prettyPrint.removeClass('prettyprint'); } } @@ -3323,14 +3315,8 @@ jQuery.PrivateBin = (function($, RawDeflate) { const $commentEntryData = $commentEntry.find('div.commentdata'); // set & parse text - $commentEntryData.html( - DOMPurify.sanitize( - Helper.urls2links(commentText), { - ALLOWED_TAGS: ['a'], - ALLOWED_ATTR: ['href', 'rel'] - } - ) - ); + $commentEntryData.text(commentText); + Helper.urls2links($commentEntryData); // set nickname if (nickname.length > 0) { @@ -3461,6 +3447,7 @@ jQuery.PrivateBin = (function($, RawDeflate) { if (fadeOut === true) { setTimeout(function () { $comment.removeClass('highlight'); + }, 300); } }; @@ -4263,7 +4250,7 @@ jQuery.PrivateBin = (function($, RawDeflate) { */ me.isAttachmentReadonly = function() { - return $attach.hasClass('hidden'); + return createButtonsDisplayed && $attach.hasClass('hidden'); } /** diff --git a/js/test/Helper.js b/js/test/Helper.js index dd38e3c..f58d73a 100644 --- a/js/test/Helper.js +++ b/js/test/Helper.js @@ -73,6 +73,7 @@ describe('Helper', function () { }); describe('urls2links', function () { + this.timeout(30000); before(function () { cleanup = jsdom(); }); 
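Review bot: `$prettyPrint.html(prettyPrintOne(Helper.htmlEntities(text), null, true))` drops the `DOMPurify.sanitize` wrapper the old code applied to the highlighter output, so that markup is now inserted on the strength of the input being entity-escaped; record that reasoning at the call, e.g. `// input is entity-escaped and prettyPrintOne only wraps it in span markup, so no sanitizing pass is needed`, and confirm it holds for the bundled prettify version. In the old code both `$plainText` and `$prettyPrint` received the sanitized linked text, while the new non-markdown branches write only `$prettyPrint`; if any non-markdown view still reads `$plainText`, it would now be empty, which is worth checking. The enclosing function starts before this hunk. The comment-rendering hunk at `-3323` relies on the same `.text()` then `Helper.urls2links` ordering and needs no separate change as long as that precondition is kept.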
@@ -81,7 +82,15 @@ describe('Helper', function () { 'ignores non-URL content', 'string', function (content) { - return content === $.PrivateBin.Helper.urls2links(content); + content = content.replace(/\r/g, '\n').replace(/\u0000/g, ''); + let clean = jsdom(); + $('body').html(''); + let e = $('#foo'); + e.text(content); + $.PrivateBin.Helper.urls2links(e); + let result = e.text(); + clean(); + return content === result; } ); jsc.property( @@ -95,9 +104,12 @@ describe('Helper', function () { function (prefix, schema, address, query, fragment, postfix) { query = query.join(''); fragment = fragment.join(''); - prefix = $.PrivateBin.Helper.htmlEntities(prefix); - postfix = ' ' + $.PrivateBin.Helper.htmlEntities(postfix); - let url = schema + '://' + address.join('') + '/?' + query + '#' + fragment; + prefix = prefix.replace(/\r/g, '\n').replace(/\u0000/g, ''); + postfix = ' ' + postfix.replace(/\r/g, '\n').replace(/\u0000/g, ''); + let url = schema + '://' + address.join('') + '/?' + query + '#' + fragment, + clean = jsdom(); + $('body').html(''); + let e = $('#foo'); // special cases: When the query string and fragment imply the beginning of an HTML entity, eg. or if ( @@ -108,8 +120,12 @@ describe('Helper', function () { url = schema + '://' + address.join('') + '/?' + query.substring(0, query.length - 1); postfix = ''; } - - return prefix + '' + url + '' + postfix === $.PrivateBin.Helper.urls2links(prefix + url + postfix); + e.text(prefix + url + postfix); + $.PrivateBin.Helper.urls2links(e); + let result = e.html(); + clean(); + url = $('').text(url).html(); + return $('').text(prefix).html() + '' + url + '' + $('').text(postfix).html() === result; } ); jsc.property( 
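Review bot: Each rewritten property test repeats the same fixture — `clean = jsdom(); $('body').html(…); let e = $('#foo'); … clean();` — in the `ignores non-URL content` case, the URL case, and the magnet case in the following hunk; a small helper that builds the element, runs `$.PrivateBin.Helper.urls2links(e)` and returns `e.html()` after cleanup would leave each property with only its expected-value logic. The added `content.replace(/\r/g, '\n').replace(/\u0000/g, '')` normalisation silently removes `\r` and NUL from the generated inputs without saying why; a comment such as `// the DOM round-trip appears to normalise CR and drop NUL, so generated input is pre-normalised (confirm against jsdom)` would explain the exclusion. The `this.timeout(30000)` added in the preceding hunk should likewise say which step is slow, since it hides regressions in test duration.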
@@ -118,10 +134,18 @@ describe('Helper', function () { jsc.array(common.jscQueryString()), 'string', function (prefix, query, postfix) { - prefix = $.PrivateBin.Helper.htmlEntities(prefix); - postfix = $.PrivateBin.Helper.htmlEntities(postfix); - let url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''); - return prefix + '' + url + ' ' + postfix === $.PrivateBin.Helper.urls2links(prefix + url + ' ' + postfix); + prefix = prefix.replace(/\r/g, '\n').replace(/\u0000/g, ''); + postfix = ' ' + postfix.replace(/\r/g, '\n').replace(/\u0000/g, ''); + let url = 'magnet:?' + query.join('').replace(/^&+|&+$/gm,''), + clean = jsdom(); + $('body').html(''); + let e = $('#foo'); + e.text(prefix + url + postfix); + $.PrivateBin.Helper.urls2links(e); + let result = e.html(); + clean(); + url = $('').text(url).html(); + return $('').text(prefix).html() + '' + url + '' + $('').text(postfix).html() === result; } ); }); diff --git a/lib/Configuration.php b/lib/Configuration.php index d7877e2..06edf68 100644 --- a/lib/Configuration.php +++ b/lib/Configuration.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; diff --git a/lib/Controller.php b/lib/Controller.php index 0a3e69c..21a27b2 100644 --- a/lib/Controller.php +++ b/lib/Controller.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; @@ -28,7 +28,7 @@ class Controller * * @const string */ - const VERSION = '1.3.3'; + const VERSION = '1.3.4'; /** * minimal required PHP version diff --git a/lib/Data/AbstractData.php b/lib/Data/AbstractData.php index f0572ac..9c92583 100644 
--- a/lib/Data/AbstractData.php +++ b/lib/Data/AbstractData.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Data; diff --git a/lib/Data/Database.php b/lib/Data/Database.php index ed52a63..aa05e95 100644 --- a/lib/Data/Database.php +++ b/lib/Data/Database.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Data; diff --git a/lib/Data/Filesystem.php b/lib/Data/Filesystem.php index 372fb02..3e9b237 100644 --- a/lib/Data/Filesystem.php +++ b/lib/Data/Filesystem.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Data; diff --git a/lib/Filter.php b/lib/Filter.php index cc4a6a2..547e239 100644 --- a/lib/Filter.php +++ b/lib/Filter.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; diff --git a/lib/FormatV2.php b/lib/FormatV2.php index 127b6a8..31cc5b8 100644 --- a/lib/FormatV2.php +++ b/lib/FormatV2.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; 
diff --git a/lib/I18n.php b/lib/I18n.php index ffb781f..a5ddaea 100644 --- a/lib/I18n.php +++ b/lib/I18n.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; diff --git a/lib/Json.php b/lib/Json.php index b00d2c5..6916d27 100644 --- a/lib/Json.php +++ b/lib/Json.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; diff --git a/lib/Model.php b/lib/Model.php index b3c66a3..f5dd557 100644 --- a/lib/Model.php +++ b/lib/Model.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; diff --git a/lib/Model/AbstractModel.php b/lib/Model/AbstractModel.php index 9e1ac61..b727339 100644 --- a/lib/Model/AbstractModel.php +++ b/lib/Model/AbstractModel.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Model; diff --git a/lib/Model/Comment.php b/lib/Model/Comment.php index 2e45a03..68045aa 100644 --- a/lib/Model/Comment.php +++ b/lib/Model/Comment.php 
@@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Model; diff --git a/lib/Model/Paste.php b/lib/Model/Paste.php index 263a06f..0aa2a96 100644 --- a/lib/Model/Paste.php +++ b/lib/Model/Paste.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Model; diff --git a/lib/Persistence/AbstractPersistence.php b/lib/Persistence/AbstractPersistence.php index 7d5a4b2..a4011d2 100644 --- a/lib/Persistence/AbstractPersistence.php +++ b/lib/Persistence/AbstractPersistence.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Persistence; diff --git a/lib/Persistence/DataStore.php b/lib/Persistence/DataStore.php index 27ebd9c..f60fc97 100644 --- a/lib/Persistence/DataStore.php +++ b/lib/Persistence/DataStore.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.1 + * @version 1.3.4 */ namespace PrivateBin\Persistence; diff --git a/lib/Persistence/PurgeLimiter.php b/lib/Persistence/PurgeLimiter.php index 22e2e1a..0e98795 100644 --- a/lib/Persistence/PurgeLimiter.php +++ b/lib/Persistence/PurgeLimiter.php 
@@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Persistence; diff --git a/lib/Persistence/ServerSalt.php b/lib/Persistence/ServerSalt.php index 3e8a290..7764129 100644 --- a/lib/Persistence/ServerSalt.php +++ b/lib/Persistence/ServerSalt.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Persistence; diff --git a/lib/Persistence/TrafficLimiter.php b/lib/Persistence/TrafficLimiter.php index b5c0de6..0e6a34b 100644 --- a/lib/Persistence/TrafficLimiter.php +++ b/lib/Persistence/TrafficLimiter.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin\Persistence; diff --git a/lib/Request.php b/lib/Request.php index 636a0f0..785f0f4 100644 --- a/lib/Request.php +++ b/lib/Request.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; diff --git a/lib/View.php b/lib/View.php index d0993dd..b154ed8 100644 --- a/lib/View.php +++ b/lib/View.php @@ -7,7 +7,7 @@ * @link https://github.com/PrivateBin/PrivateBin * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 1.3.3 + * @version 1.3.4 */ namespace PrivateBin; 
diff --git a/lib/Vizhash16x16.php b/lib/Vizhash16x16.php index 14d8d49..0292de3 100644 --- a/lib/Vizhash16x16.php +++ b/lib/Vizhash16x16.php @@ -8,7 +8,7 @@ * @link http://sebsauvage.net/wiki/doku.php?id=php:vizhash_gd * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License - * @version 0.0.5 beta PrivateBin 1.3.3 + * @version 0.0.5 beta PrivateBin 1.3.4 */ namespace PrivateBin; diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index 94b35cc..87faa55 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -72,8 +72,7 @@ endif; ?> - - + @@ -82,18 +81,6 @@ endif; - - - - - - - - - - - - - - + @@ -60,18 +59,6 @@ endif; - - - - - - - - - - - -