Commit Graph

341 Commits

Author SHA1 Message Date
El RIDO 8cfcf1c9f5
Adding HTTP headers to address certain XSS attacks, resolves #91 2016-09-18 11:29:37 +02:00
rugk 1a159c973f
Prevent referrer to be send
Uses both CSP and Referrer-Policy
Fixes #96
2016-09-03 18:12:24 +02:00
rugk b7184b92a3 Fix csp config unit tests 2016-08-27 14:47:21 +02:00
rugk b11866a63b Allow manifest loading via CSP (2) 2016-08-27 00:02:50 +02:00
El RIDO a13266a784 ensure the server salt path is initialized, instead of relying on the default 2016-08-25 15:02:38 +02:00
El RIDO e925833090 bumping version number to 1.0 2016-08-25 09:53:31 +02:00
El RIDO 6aba39488f adding check for PATH ending in DIRECTORY_SEPARATOR, fixes #86 2016-08-22 09:46:26 +02:00
El RIDO f72e260ee7 adding subresource integrity hashes for all javascript includes, resolves #6 2016-08-16 11:11:03 +02:00
rugk 75cb771e4b Merge branch 'master' into prng, resolve merge conflicts 2016-08-15 18:15:57 +02:00
El RIDO 72aac25f68 added configuration for PHP Coding Standards Fixer, including its fixes, resolving #47 2016-08-15 16:45:47 +02:00
rugk 8038fde29d Revert #44
Scrutinizer-ci confirmed the detection of this was a false-positive, so we can remove this workaround.
They added it to their internal issue tracker.
2016-08-12 18:30:14 +02:00
El RIDO 0a628e83c1 Merge pull request #59 from PrivateBin/52-identicons
Implementation of Identicons library
2016-08-12 12:22:20 +02:00
El RIDO ca66653d0c applying: php-cs-fixer fix lib/ --level=psr2 2016-08-11 15:05:43 +02:00
El RIDO 6cb7454d07 Added tests for JSON errors, should help us figure out the cause of the problem in #11 2016-08-11 14:41:52 +02:00
rugk bea9a577a6 Use better random number generator #29 2016-08-10 23:15:06 +02:00
El RIDO c237337cd2 some minor whitespace improvements detected by scrutinizer 2016-08-10 18:22:28 +02:00
El RIDO 3988b860b0 implemented Identicon library as new default for comment icons, made Vizhash an optional alternative, refactored Vizhash and removed string lenghtening 2016-08-10 17:41:46 +02:00
El RIDO 1ef28d7a5c minor fixes, typos 2016-08-10 15:03:06 +02:00
El RIDO addb666a23 introducing CSP header to mitigate XSS attacks, closes #10 2016-08-09 14:46:32 +02:00
El RIDO 5b7b234821 doc bloc corrections 2016-08-09 13:07:11 +02:00
El RIDO c2efe2e609 some optimization 2016-08-09 12:45:26 +02:00
El RIDO 3fa0881c07 updated documentation, small cleanups 2016-08-09 12:21:32 +02:00
El RIDO b45bef8388 Renamed classes for full PSR-2 compliance, some cleanup 2016-08-09 11:54:42 +02:00
Sobak 5d7003ecc1 Convert to PSR-2 coding style (using phpcs-fixer) 2016-07-26 08:19:35 +02:00
Sobak 884310add6 Oficially bump minimal PHP version to 5.3.0 2016-07-26 08:06:40 +02:00
Simon Rupf d14eb0efe4 fixing configuration and its test to match the new namespaces 2016-07-25 11:02:39 +02:00
Sobak b1305beb0f Improve workaround for keeping config file format BC 2016-07-22 15:31:42 +02:00
Sobak 54f96b9938 Introduce PSR-4 autoloading 2016-07-22 12:11:48 +02:00
El RIDO 9a9362789b addressing issues with failed attachement uploads due to webserver configuration, resolves #15 2016-07-19 15:26:41 +02:00
El RIDO 002046cc62 some minor cleanups 2016-07-19 14:44:17 +02:00
El RIDO be4c845129 Merge branch 'master' of github.com:PrivateBin/PrivateBin 2016-07-19 14:02:45 +02:00
El RIDO c5606a47fe refactoring away RainTPL and templating, resolves #36 2016-07-19 14:02:26 +02:00
rugk 38ab755733 Replace HTTP links with HTTPS
Using this regexp: https://regex101.com/r/rZ2dE2/1
2016-07-19 13:56:52 +02:00
El RIDO 03306dabff using TEXT data type for PostgreSQL instead of BLOB, hopefully resolves #8 2016-07-18 15:55:51 +02:00
El RIDO e7dde4d212 cleaning REQUEST_URI for good measure 2016-07-18 15:21:32 +02:00
El RIDO e1d6db88a1 Merge pull request #44 from PrivateBin/rugk-itBugsMe
Change array used for language selection
2016-07-18 15:15:41 +02:00
El RIDO afaa111d22 code style 2016-07-18 15:13:56 +02:00
El RIDO b53efda635 improving code coverage and unit testing 2016-07-18 14:47:32 +02:00
rugk 2e863e3ed9 Search key first
Looks a bit complicated, but well...
2016-07-18 13:25:41 +02:00
rugk 80e9d75477 Remove unnecessary array
Now it is right...
2016-07-18 13:12:54 +02:00
rugk 19d5659a8f Change array
https://github.com/PrivateBin/PrivateBin/issues/41

Not tested locally, let's say what Travis says... 😄
2016-07-18 13:11:15 +02:00
El RIDO ff0c55c0d6 introduce option to disable vizhash for paranoid admins, resolves #20 point 2.4 2016-07-18 10:14:38 +02:00
El RIDO f8bc40b4e4 introducing automatic purging of expired pastes, triggered by default at least 5 minutes apart, deleting a maximum of 10 pastes - resolves #3 2016-07-15 17:02:59 +02:00
El RIDO 4d10fd9690 fixing support for pre renaming configuration file format, resolves #37 2016-07-13 09:41:45 +02:00
El RIDO 90a26d8fcb removing some code smells, found in the various code checker tools 2016-07-11 15:47:42 +02:00
El RIDO c33c50f775 using table name sanitation function to ensure no weird characters are used by accident (e.g. by oddly configured table prefix) 2016-07-11 14:33:45 +02:00
El RIDO 3b3b5277eb refactoring to improve code quality 2016-07-11 14:15:20 +02:00
El RIDO 79509ad48a renaming the fork to PrivateBin 2016-07-11 11:58:15 +02:00
El RIDO b8080acc78 fixing an unhandled case found with scrutinizer-ci 2016-07-06 14:58:06 +02:00
El RIDO c13caee981 fixing some documentation issues detected by scrutinizer-ci 2016-07-06 14:12:14 +02:00
El RIDO 0e217a42c5 introduce new zerobincompatibility option, replacing the base64 one, if it is enabled, delete tokens use sha256; added per paste salt with server salt fallback; this resolves the points 2.2 & 2.9 in #103 2016-07-06 11:37:13 +02:00
El RIDO 6b0b814dc6 removing leftover from previously using a different function, resolves #83 2016-07-06 09:41:07 +02:00
El RIDO 5980f8b603 removing some unused code detected by codacy 2016-07-04 20:46:45 +02:00
rugk fd5a7a07ae Soft fail for chmod errors 2016-06-22 18:08:25 +02:00
rugk 54f1cb9d34 Only protect file if it was written 2016-06-21 21:47:03 +02:00
rugk 8a48e9ce78 Set permissions when saving files
Fixes https://github.com/elrido/ZeroBin/issues/80
2016-06-21 17:18:11 +02:00
rugk 1a1818660d Missing space 2016-05-12 20:07:58 +02:00
El RIDO 4918bef4dc Although there usually are no plurals in chinese, there's an exception
for words related to persons, when not preceeded by a numeric word.

Sources:
- http://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html#f3
- https://answers.yahoo.com/question/index?qid=20110606153553AAAW5zX
2016-04-26 20:21:30 +02:00
El RIDO 3a92c940a9 implementing media type negotiation (based on language negotiation
logic) in cases both JSON and (X)HTML are being requested, resolving #68
2016-04-08 23:29:44 +02:00
El RIDO a4ebdbc606 re-introducing (optional) URL shortener support, resolves #58 2016-01-31 09:56:06 +01:00
El RIDO 09dd79dbc7 switching to SHA256 HMAC of IPs in traffic limiter, resolves #57 2015-12-22 20:58:23 +01:00
Mihail Fedorov a13ad6368f MD5 instead of IP 2015-12-22 06:02:41 +03:00
El RIDO 24a4328c55 incrementing version, updating changelog, added missing phpdoc comments 2015-11-09 21:39:42 +01:00
El RIDO 42a9c92b5e improved database backend support for larger files (100 KiB - 16 MiB),
introduced database versioning to reduce amount of checks done per
request
2015-11-01 17:02:20 +01:00
El RIDO d42975580a expire_options and formatter_options should not be filled up with
default values, resolves #52
2015-10-24 08:44:17 +02:00
El RIDO 176dff3b70 renaming config file to make updates easier, resolving #50 2015-10-22 21:13:15 +02:00
El RIDO e3f4aa982c adding configuration option to set a default language and/or force it,
resolves #39
2015-10-18 20:38:07 +02:00
El RIDO ca07398b66 adding option to hide clone button on expiring pastes, resolves #34 2015-10-18 17:56:45 +02:00
El RIDO 14d08ec56d working on JSON-LD validity, added CORS headers preparing external API
call support
2015-10-18 14:37:58 +02:00
El RIDO 22d0b1ec22 updating comment format to match defined JSON-LD API context 2015-10-18 11:38:48 +02:00
El RIDO f21567133c changing paste read output for API refactoring 2015-10-18 11:08:28 +02:00
El RIDO b92b38cee8 found and resolved issues in database layer, thanks to report in #42 2015-10-16 23:13:36 +02:00
El RIDO 2e3bacb699 fixing deletion issue in request refactoring, starting work on API read
refactoring
2015-10-15 22:04:57 +02:00
El RIDO 512b3d1172 fixing "missing" comments when they were posted during the same second 2015-10-12 21:07:41 +02:00
El RIDO 1d6cfb7f3b refactoring delete API, added external JSON-LD context 2015-10-11 21:22:00 +02:00
El RIDO 9e6e29bc93 working on API: simplifying PUT request mocking 2015-10-11 18:50:48 +02:00
El RIDO e5b096ed8c found and fixed a bug when using expiration together with discussion 2015-10-03 17:54:18 +02:00
El RIDO add980d36f adding UI tests for database configuration, fixed an issue with comment
table creation
2015-10-03 15:52:37 +02:00
El RIDO 7ec94e0db5 implementing request refactoring, beginning JS changes for JSON API, but
discovered that DELETE and PUT are not available on all webservers by
default
2015-09-27 20:34:39 +02:00
El RIDO 6b7dc44039 preparing unit test for request object 2015-09-27 15:37:17 +02:00
El RIDO ce3f10f143 improving unit tests, fixing regression in DB model 2015-09-27 14:36:20 +02:00
El RIDO 694138c5d4 mostly finished with data model refactoring 2015-09-27 03:03:55 +02:00
El RIDO 211d3e4622 preparing unit test for model refactoring, refactoring traffic limiter 2015-09-26 17:57:46 +02:00
El RIDO d04eab52c9 refactoring how attachments are stored 2015-09-26 12:29:27 +02:00
El RIDO 6d24ff824e refactoring configuration 2015-09-22 23:21:31 +02:00
El RIDO 9f68658106 incrementing version number, updating changelog 2015-09-21 22:43:00 +02:00
El RIDO 0de9f868fa improving unit tests, fixing #38 2015-09-21 22:32:52 +02:00
El RIDO 608605cd54 incrementing version number, updating docs 2015-09-19 17:23:10 +02:00
El RIDO a41d0ca4dd various fixes:
- changing default formatter option to plain text to make upgrading from
  0.19 Alpha smoother
- fixing translation message change in bootstrap templates
- adjusting how image uploads are displayed in bootstrap templates
2015-09-19 14:22:29 +02:00
El RIDO a111357fae add optional (since it uses a session cookie) language selection 2015-09-19 11:21:13 +02:00
El RIDO 47efedf23c traffic limiter would fail behind a reverse proxy / load balancer.
Adding configuration option to set the trusted HTTP header to get the
visitors IP in such a case (avoiding security issue if malicious clients
just set these headers themselfs)
2015-09-18 22:31:01 +02:00
El RIDO ed9c4f45f4 adding file name support for #20, solving issue with unencryptable file 2015-09-18 12:33:10 +02:00
El RIDO ec8851e46c support < 0.21 syntax highlighting 2015-09-17 20:47:00 +02:00
El RIDO 106141efa4 merging @vikstrous file upload feature for #20 from
8a6d268278
2015-09-16 22:51:48 +02:00
El RIDO 0e53d1ee86 added markdown support and a dropdown for the format selection. The
options other then markdown are plain text and source code (syntax
highlighting). Resolves #25
2015-09-12 17:33:16 +02:00
El RIDO b060d57524 - implemented php side of plural translation
- using it to generate labels dynamically for the expire options
(deprecating the [expire_labels] configuration).
- added translation of the human readable data sizes to support the
french octet
- fixed IEC label for kibibytes
2015-09-06 19:21:17 +02:00
El RIDO eee7b0144a covering JS side of translations (#7), added the messages to the
translation files and translated the german ones
2015-09-06 13:07:46 +02:00
El RIDO a2af88a36e initial work on translations, covering the PHP side of it 2015-09-05 02:24:56 +02:00
El RIDO 28776ac178 formatting RainTPL class 2015-09-05 01:55:19 +02:00
El RIDO 411419d597 adding tests and unifying paste creation output 2015-09-03 22:55:36 +02:00
El RIDO 2d79ba8243 updating docs, bumping version to 0.20 2015-09-03 22:22:59 +02:00
El RIDO 602fc4705e change for API consistency 2015-09-01 23:51:31 +02:00
El RIDO b25022e403 refactored JSON API, its now possible to retrieve pastes as JSON, which
is now used when posting comments, eliminating the need to store the
password in sessionStorage
2015-09-01 22:33:07 +02:00
El RIDO 802a0b26b9 burn after reading messages are only deleted after callback by JS when
successfully decrypted, resolves #11
2015-08-31 22:10:41 +02:00
El RIDO d3c4600806 slight configuration changes, template modifications to make discussions
and password configurable, removed generated configuration test as it
grows quite big and a new one can be generated easily if needed
2015-08-31 00:01:35 +02:00
El RIDO 2d0668af03 concluding work on configuration test generator for #16. Replaced a few
die()s in the code with Exception, making it possible to test properly.
Fixed some outdated unit tests.
2015-08-29 20:29:14 +02:00
El RIDO 1c4d1aa6b6 working on configuration unit test generator as described in #16 2015-08-29 01:26:48 +02:00
El RIDO ae82e84ef8 correcting php doc comments 2015-08-27 23:58:56 +02:00
El RIDO d57d6cf44b created initial unit tests for main zerobin class 2015-08-27 23:30:35 +02:00
El RIDO f775da3931 fixing nasty deletion bug from #15, included unit tests to trigger it
and reworked persistence classes to through exceptions rather to fail
silently
2015-08-27 21:41:21 +02:00
El RIDO cb28056223 made highlighting more configurable, added all four themes, there is now a configurable flavour text (notice) 2015-08-17 23:18:33 +02:00
El RIDO 24d18c5313 cleaned up phpdoc comments, added README on how to install and use it 2015-08-16 15:55:31 +02:00
El RIDO 49c6e3c1b6 updated base64.js to version 2.1.9, using minified version found at
9192c510f5/base64.min.js
kudos Dan Kogai

small improvements to input checking
implementing default values for most configuration options
switching to versioned JS files to avoid version hack used in template
2015-08-16 12:27:06 +02:00
El RIDO 769768d25e updated jquery to 1.11.3 2015-08-16 11:20:06 +02:00
El RIDO 8881b3047a changing version string 2015-08-16 00:04:14 +02:00
Sebastien SAUVAGE 43a439e7d0 Time attack protection on hmac comparison
This fixes issue 2.7 of https://defuse.ca/audits/zerobin.htm, and thus
(with commit a24212afda90ca3e4b4ff5ce30d2012709b58a28) also issue 2.8.

(cherry picked from commit 0b4db7ece313dd268e51fc47a0293a649927558a)

Conflicts:
	index.php
2015-08-15 23:44:03 +02:00
Sebastien SAUVAGE e7feca0e53 Stronger server salt
ZeroBin now generates a much stronger salt. This fixes issue #68
(mentioned in section 2.1 of https://defuse.ca/audits/zerobin.htm)

(cherry picked from commit a24212afda90ca3e4b4ff5ce30d2012709b58a28)

Conflicts:
	lib/serversalt.php
	lib/vizhash16x16.php
2015-08-15 22:18:57 +02:00
jeldrik 4f72f04eda Prevent inconstitent /data/trafic_limiter.php due to file read while writing
(cherry picked from commit 71a7f6adaea9a86a84fa8ebbcb9e5c506a785527)

Conflicts:
	index.php
2015-08-15 22:10:05 +02:00
Sébastien SAUVAGE 5b54ca34ad Update index.php
Removed ugly error message when paste identifier is invalid (eg. http://mydomain.com/zerobin?foo)
(cherry picked from commit 43fa904979a29e4c205b9f4f08e1c487555bbe1c)

Conflicts:
	index.php
2015-08-15 22:07:07 +02:00
Sebastien SAUVAGE bc8b23d35e XSS flaw correction
With a client IE < 10 there was a XSS security flaw. Other browsers were
not affected.
Also corrected spacing display with IE<10.

(cherry picked from commit 28813cd82ae47e556b610da3c7302a6709e27431)

Conflicts:
	CHANGELOG.md
	index.php
	js/zerobin.js
	lib/vizhash16x16.php
2015-08-15 22:01:43 +02:00
El RIDO e646729b2d fixing regressions from cherrypicking 2015-08-15 21:39:08 +02:00
Sebastien SAUVAGE 5f87ea6843 ZeroBin 0.18
(cherry picked from commit 7a8cbee2f99cd74a50bce7e8df8130e2c477d903)

Conflicts:
	CHANGELOG.md
	index.php
	js/zerobin.js
	lib/vizhash16x16.php
2015-08-15 21:06:19 +02:00
Sebastien SAUVAGE cff4d99f05 "Burn after reading" as a checkbox
"Burn after reading" option has been moved out of Expiration combo to a
separate checkbox.
Reason is: You can prevent a read-once paste to be available ad vitam
eternam on the net.

(cherry picked from commit 190b278402c086ebc4d1a78aae27d1e2666e3e7a)

Conflicts:
	css/zerobin.css
	index.php
	js/zerobin.js
	tpl/page.html
2015-08-15 19:01:03 +02:00
El RIDO ad70051323 reviewed unit tests, fixing line endings, added more tests 2015-08-15 18:32:31 +02:00
Sebastien SAUVAGE 7db76d8d71 Updated json checking.
- adapted to SJCL changed
- added entropy checking (from
f2ee2e8ba2)

(cherry picked from commit 57e6274c64e2c99c754b63586af6b34c374fbc2b)

Conflicts:
	index.php
2015-08-15 18:16:55 +02:00
El RIDO 134d22c958 small unit testing improvements, removing never accessed code 2015-08-15 16:37:44 +02:00
Simon Rupf badf459390 split common persistance logic into abstract class 2013-11-01 01:15:58 +01:00
Sebastien SAUVAGE 5b253cf77c ZeroBin 0.17
* added deletion link.
* small refactoring.
* improved regex checks.
* larger server alt on installation.
2013-11-01 01:15:14 +01:00
Sébastien SAUVAGE c26c4a8bec arbitrary JSON file disclosure correction
The following securit issue has been fixed:
https://github.com/sebsauvage/ZeroBin/issues/30
2013-10-31 22:53:22 +01:00
Simon Rupf d247bff897 syntax highlighting can now be turned off, template can be changed in
configuration
2013-10-31 22:24:40 +01:00
Simon Rupf 630e16c4a0 Added more configuration options, based on patch by Uli Köhler 2013-10-30 23:54:42 +01:00
Simon Rupf 51008d3e68 added test for entropy of cypher text - closes #3 2012-09-08 19:54:24 +02:00
Simon Rupf 2d4f155064 had to revert to HTML5 instead of XHTML5 because of compatibility
problem with code prettifier, fixed some display bugs
2012-08-28 23:28:41 +02:00
Simon Rupf 907538875b removed leftovers from submodule uglifyjs, added credits file,
cleaned up CSS, changed template to output clean XHTML 5,
added unit tests for 60% of the code, found a few bugs by doing
that and fixed them
2012-08-26 00:49:11 +02:00
Simon Rupf 421e6cba97 implemented zerobin_db model, added more options for paste expiration, made comments and max data size configurable 2012-05-19 23:59:41 +02:00
Simon Rupf edf95ff56d added autoloading, configurable paste size limit, changed JS to calculate localized comment times instead of UTC 2012-04-30 22:58:08 +02:00
Simon Rupf 23487ce779 Fixed bug with missing directory separator and added .htaccess files to lib & cfg directories. If those are not present, the application will create them for you. 2012-04-30 13:58:29 +02:00
Simon Rupf ba90d0cae2 Refactoring of code base - modularized code, introduced configuration, started working on a PDO based DB connector 2012-04-29 19:15:06 +02:00
Thierry Poinot 6083c7a23c refactoring files and directory structure 2012-04-22 13:34:17 +02:00
Thierry Poinot d92d8658a5 refactoring zerobin js, adding JSDoc 2012-04-22 12:45:45 +02:00
Sebastien SAUVAGE 52630374e5 Initial commit of version 0.15 alpha. 2012-04-21 21:59:45 +02:00