From f72e260ee72473190868bcad8ec17dcf783e33c2 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Tue, 16 Aug 2016 11:11:03 +0200 Subject: [PATCH] adding subresource integrity hashes for all javascript includes, resolves #6 --- lib/PrivateBin.php | 2 +- tpl/bootstrap-compact.php | 28 ++++++++++++------- tpl/bootstrap-dark-page.php | 28 ++++++++++++------- tpl/bootstrap-dark.php | 28 ++++++++++++------- tpl/bootstrap-page.php | 28 ++++++++++++------- tpl/bootstrap.php | 28 ++++++++++++------- tpl/page.php | 26 ++++++++++++------ tst/Bootstrap.php | 54 +++++++++++++++++++++++++++++++++++++ tst/ViewTest.php | 2 +- 9 files changed, 169 insertions(+), 55 deletions(-) diff --git a/lib/PrivateBin.php b/lib/PrivateBin.php index 5d1bfd6..fa9d353 100644 --- a/lib/PrivateBin.php +++ b/lib/PrivateBin.php @@ -436,7 +436,7 @@ class PrivateBin $page->assign('BURNAFTERREADINGSELECTED', $this->_conf->getKey('burnafterreadingselected')); $page->assign('PASSWORD', $this->_conf->getKey('password')); $page->assign('FILEUPLOAD', $this->_conf->getKey('fileupload')); - $page->assign('BASE64JSVERSION', $this->_conf->getKey('zerobincompatibility') ? '1.7' : '2.1.9'); + $page->assign('ZEROBINCOMPATIBILITY', $this->_conf->getKey('zerobincompatibility')); $page->assign('LANGUAGESELECTION', $languageselection); $page->assign('LANGUAGES', I18n::getLanguageLabels(I18n::getAvailableLanguages())); $page->assign('EXPIRE', $expire); diff --git a/tpl/bootstrap-compact.php b/tpl/bootstrap-compact.php index 560eda3..1df48e4 100644 --- a/tpl/bootstrap-compact.php +++ b/tpl/bootstrap-compact.php @@ -23,25 +23,35 @@ if ($SYNTAXHIGHLIGHTING): endif; endif; ?> - - - - - - + + + + + + + + + + - + - + - + diff --git a/tpl/bootstrap-dark-page.php b/tpl/bootstrap-dark-page.php index fa20d05..f6c9416 100644 --- a/tpl/bootstrap-dark-page.php +++ b/tpl/bootstrap-dark-page.php @@ -23,25 +23,35 @@ if ($SYNTAXHIGHLIGHTING): endif; endif; ?> - - - - - - + + + + + + + + + + - + - + - + 
diff --git a/tpl/bootstrap-dark.php b/tpl/bootstrap-dark.php index 8ea2a6e..fbe1b55 100644 --- a/tpl/bootstrap-dark.php +++ b/tpl/bootstrap-dark.php @@ -23,25 +23,35 @@ if ($SYNTAXHIGHLIGHTING): endif; endif; ?> - - - - - - + + + + + + + + + + - + - + - + diff --git a/tpl/bootstrap-page.php b/tpl/bootstrap-page.php index 730de92..cbbc242 100644 --- a/tpl/bootstrap-page.php +++ b/tpl/bootstrap-page.php @@ -23,25 +23,35 @@ if ($SYNTAXHIGHLIGHTING): endif; endif; ?> - - - - - - + + + + + + + + + + - + - + - + diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index 623d437..e7c947c 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -23,25 +23,35 @@ if ($SYNTAXHIGHLIGHTING): endif; endif; ?> - - - - - - + + + + + + + + + + - + - + - + diff --git a/tpl/page.php b/tpl/page.php index 79394a4..2de6103 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -19,24 +19,34 @@ if ($SYNTAXHIGHLIGHTING): endif; endif; ?> - - - - - + + + + + + + + + - + - + - + diff --git a/tst/Bootstrap.php b/tst/Bootstrap.php index ea58fdb..590b1ab 100644 --- a/tst/Bootstrap.php +++ b/tst/Bootstrap.php @@ -19,6 +19,7 @@ if (!is_file(CONF)) { } require PATH . 'vendor/autoload.php'; +Helper::updateSubresourceIntegrity(); class Helper { @@ -66,6 +67,13 @@ class Helper ), ); + /** + * JS files and their SRI hashes + * + * @var array + */ + private static $hashes = array(); + /** * get example paste ID * 
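Review bot: `Helper::updateSubresourceIntegrity();` in the tst/Bootstrap.php hunk runs unconditionally whenever the test bootstrap is included, so every test run rewrites the tracked templates under tpl/ from whatever currently sits in js/, and a checkout where tpl/ is not writable only gets a warning from file_put_contents() while the tests carry on against stale hashes. The call also sits above the `class Helper` declaration; that works because the class has no `extends`/`implements` and is hoisted at compile time, but adding a parent later would turn the line into a fatal error, so either move the call below the class or leave a comment explaining the dependency. I would at least document the side effect at the call site, e.g. `// NOTE: rewrites tpl/*.php in place with the current SRI hashes of js/*.js`, and consider making it an explicit maintenance step rather than part of every test run.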
@@ -273,4 +281,50 @@ class Helper return var_export($var, $return); } } + + /** + * update all templates with the latest SRI hashes for all JS files + * + * @return void + */ + public static function updateSubresourceIntegrity() + { + $dir = dir(PATH . 'js'); + while (false !== ($file = $dir->read())) { + if (substr($file, -3) === '.js') { + self::$hashes[$file] = base64_encode( + hash('sha512', file_get_contents( + PATH . 'js' . DIRECTORY_SEPARATOR . $file + ), true) + ); + } + } + + $dir = dir(PATH . 'tpl'); + while (false !== ($file = $dir->read())) { + if (substr($file, -4) === '.php') { + $content = file_get_contents( + PATH . 'tpl' . DIRECTORY_SEPARATOR . $file + ); + $content = preg_replace_callback( + '##', + function ($matches) { + if (array_key_exists($matches[1], Helper::$hashes)) { + return ''; + } else { + return $matches[0]; + } + }, + $content + ); + file_put_contents( + PATH . 'tpl' . DIRECTORY_SEPARATOR . $file, + $content + ); + } + } + } } diff --git a/tst/ViewTest.php b/tst/ViewTest.php index 754c506..a352fdd 100644 --- a/tst/ViewTest.php +++ b/tst/ViewTest.php @@ -47,7 +47,7 @@ class ViewTest extends PHPUnit_Framework_TestCase $page->assign('BURNAFTERREADINGSELECTED', false); $page->assign('PASSWORD', true); $page->assign('FILEUPLOAD', false); - $page->assign('BASE64JSVERSION', '2.1.9'); + $page->assign('ZEROBINCOMPATIBILITY', false); $page->assign('NOTICE', 'example'); $page->assign('LANGUAGESELECTION', ''); $page->assign('LANGUAGES', I18n::getLanguageLabels(i18n::getAvailableLanguages()));
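Review bot: In updateSubresourceIntegrity both file reads and the preg_replace_callback() result are used unchecked: if file_get_contents() on a script fails it returns false, `hash('sha512', false, true)` hashes the empty string, and the templates receive a well-formed but wrong integrity value that makes browsers refuse the script; if preg_replace_callback() fails (returns null, e.g. on a PCRE error) file_put_contents() truncates that template to an empty file. The two dir() handles are never closed, and every template is rewritten even when nothing changed, which churns mtimes in the working tree. The pattern string is not readable in this hunk, so the sketch below keeps it and the callback as they are and only adds the checks, closes the handles and writes a template back only when its content changed.
```php
public static function updateSubresourceIntegrity()
{
    $dir = dir(PATH . 'js');
    while (false !== ($file = $dir->read())) {
        if (substr($file, -3) !== '.js') {
            continue;
        }
        $js = file_get_contents(PATH . 'js' . DIRECTORY_SEPARATOR . $file);
        if ($js === false) {
            // an unreadable script must not end up as the hash of '' in the templates
            throw new RuntimeException('unable to read js/' . $file);
        }
        self::$hashes[$file] = base64_encode(hash('sha512', $js, true));
    }
    $dir->close();

    $dir = dir(PATH . 'tpl');
    while (false !== ($file = $dir->read())) {
        if (substr($file, -4) !== '.php') {
            continue;
        }
        $path = PATH . 'tpl' . DIRECTORY_SEPARATOR . $file;
        $content = file_get_contents($path);
        if ($content === false) {
            throw new RuntimeException('unable to read tpl/' . $file);
        }
        $updated = preg_replace_callback(
            // … unchanged: pattern and callback …
            $content
        );
        // a PCRE failure yields null; writing that back would empty the template
        if ($updated === null) {
            throw new RuntimeException('SRI update failed for tpl/' . $file . ': ' . preg_last_error());
        }
        if ($updated !== $content) {
            file_put_contents($path, $updated);
        }
    }
    $dir->close();
}
```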