handle regression due to base58 stripping NULL bytes, discovered via JSVerify RNG state 0dec6b2a5f04d19873

This commit is contained in:
El RIDO 2019-05-19 09:54:40 +02:00
parent 909ff2daa7
commit 353d08daf6
No known key found for this signature in database
GPG Key ID: 0F5C940A6BD81F92
4 changed files with 11 additions and 21 deletions

View File

@ -1140,7 +1140,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
// version 2 uses base58, version 1 uses base64 without decoding
try {
symmetricKey = CryptTool.base58decode(newKey);
// base58 encode strips NULL bytes at the beginning of the
// string, so we re-add them if necessary
symmetricKey = CryptTool.base58decode(newKey).padStart(32, '\u0000');
} catch(e) {
symmetricKey = newKey;
}

View File

@ -138,7 +138,7 @@ describe('Model', function () {
jsc.array(common.jscQueryString()),
'nestring',
function (schema, address, query, fragment) {
const fragmentString = common.btoa(fragment.padStart(32, String.fromCharCode(0)));
const fragmentString = common.btoa(fragment.padStart(32, '\u0000'));
let clean = jsdom('', {
url: schema.join('') + '://' + address.join('') +
'/?' + query.join('') + '#' + fragmentString
@ -157,7 +157,7 @@ describe('Model', function () {
'nestring',
jsc.array(common.jscHashString()),
function (schema, address, query, fragment, trail) {
const fragmentString = common.btoa(fragment.padStart(32, String.fromCharCode(0)));
const fragmentString = common.btoa(fragment.padStart(32, '\u0000'));
let clean = jsdom('', {
url: schema.join('') + '://' + address.join('') + '/?' +
query.join('') + '#' + fragmentString + '&' + trail.join('')
@ -175,14 +175,8 @@ describe('Model', function () {
jsc.array(common.jscQueryString()),
'nestring',
function (schema, address, query, fragment) {
// base58 strips leading NULL bytes
while(fragment.charAt(0) === '\u0000') {
fragment = fragment.substr(1);
}
// string may not be empty (when only NULL bytes and trimmed)
if (fragment.length === 0) {
return true;
}
// base58 strips leading NULL bytes, so the string is padded with these if not found
fragment = fragment.padStart(32, '\u0000');
let fragmentString = $.PrivateBin.CryptTool.base58encode(fragment),
clean = jsdom('', {
url: schema.join('') + '://' + address.join('') +
@ -202,14 +196,8 @@ describe('Model', function () {
'nestring',
jsc.array(common.jscHashString()),
function (schema, address, query, fragment, trail) {
// base58 strips leading NULL bytes
while(fragment.charAt(0) === '\u0000') {
fragment = fragment.substr(1);
}
// string may not be empty (when only NULL bytes and trimmed)
if (fragment.length === 0) {
return true;
}
// base58 strips leading NULL bytes, so the string is padded with these if not found
fragment = fragment.padStart(32, '\u0000');
let fragmentString = $.PrivateBin.CryptTool.base58encode(fragment),
clean = jsdom('', {
url: schema.join('') + '://' + address.join('') + '/?' +

View File

@ -72,7 +72,7 @@ if ($MARKDOWN):
endif;
?>
<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-TSifriilo4vMoDqvA2clM4dX0ywBJnYZTnx417dJYydyAfu1sH3WIR5DhqxrAyn1p4wo1pS0z2JbyoDxRSO7Zg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-30YZX80ZfNAAMVDZdnHCp8rY1X66o9LhQ1LShA0JqGtFfvboDuoX9z9fuv/gIvo/MBs8qH6/14omf0bFlmnXkg==" crossorigin="anonymous"></script>
<!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]-->

View File

@ -50,7 +50,7 @@ if ($MARKDOWN):
endif;
?>
<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-TSifriilo4vMoDqvA2clM4dX0ywBJnYZTnx417dJYydyAfu1sH3WIR5DhqxrAyn1p4wo1pS0z2JbyoDxRSO7Zg==" crossorigin="anonymous"></script>
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-30YZX80ZfNAAMVDZdnHCp8rY1X66o9LhQ1LShA0JqGtFfvboDuoX9z9fuv/gIvo/MBs8qH6/14omf0bFlmnXkg==" crossorigin="anonymous"></script>
<!--[if lt IE 10]>
<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
<![endif]-->