From 7fddefeb05d837e41e4ebf313eec2563fb912883 Mon Sep 17 00:00:00 2001
From: Tobias Gurtzick
Date: Mon, 8 Jan 2024 10:36:59 +0100
Subject: [PATCH 1/2] password
Signed-off-by: Tobias Gurtzick
---
 js/privatebin.js | 50 +++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 45 insertions(+), 5 deletions(-)
diff --git a/js/privatebin.js b/js/privatebin.js
index a3756f21..41ef9da0 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -228,7 +228,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 '<': '<',
 '>': '>',
 '"': '"',
- "'": ''',
+ '\'': ''',
 '/': '/',
 '`': '`',
 '=': '='
@@ -2197,7 +2197,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 * @function
 * @param {Event} event
 */
- function submitPasswordModal(event)
+ async function submitPasswordModal(event)
 {
 event.preventDefault();
@@ -2207,6 +2207,19 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 // hide modal
 $passwordModal.modal('hide');
+ // check if protected pathname
+ const url = new URL(window.location);
+
+ // if protected request password
+ if(url.pathname === '/protected') {
+ const enc = CryptTool.base58decode(newKey).padStart(32, '\u0000');
+ const cipherdata = [enc.ct, enc.adata];
+
+ const plaindata = await CryptTool.decipher(enc.k, password, cipherdata);
+ window.location.replace(Helper.baseUri() + plaindata);
+ return;
+ }
+
 PasteDecrypter.run();
 }
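Review bot: The new `/protected` branch of submitPasswordModal cannot run as committed: `newKey` is not declared anywhere in this function, and `enc` is the string returned by `CryptTool.base58decode`, so `enc.ct`, `enc.adata` and `enc.k` are all `undefined` — the branch throws a ReferenceError before any decryption happens. The second patch in this series rewrites the branch (declares `newKey`, adds `JSON.parse`), so this is a note on the intermediate commit only. One thing that rewrite leaves open is worth fixing here already: the modal is hidden on the line above, the function is now `async`, and a rejected `CryptTool.decipher` (wrong password) becomes an unhandled promise rejection with no user-visible feedback and no way to retry. The opening lines of submitPasswordModal, where `password` is presumably read, are outside this hunk.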
@@ -4778,16 +4791,32 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 * @param {int} status
 * @param {object} data
 */
- function showCreatedPaste(status, data) {
+ async function showCreatedPaste(status, data) {
 Alert.hideLoading();
 Alert.hideMessages();
 // show notification
 const baseUri = Helper.baseUri() + '?',
- url = baseUri + data.id + '#' + CryptTool.base58encode(data.encryptionKey),
- deleteUrl = baseUri + 'pasteid=' + data.id + '&deletetoken=' + data.deletetoken;
+ deleteUrl = baseUri + 'pasteid=' + data.id + '&deletetoken=' + data.deletetoken;
 PasteStatus.createPasteNotification(url, deleteUrl);
+ const pw = TopNav.getPassword()
+ const sm = CryptTool.getSymmetricKey();
+
+ let openUri = + '?' + data.id + '#' + CryptTool.base58encode(data.encryptionKey);
+ let cipherResult = await CryptTool.cipher(sm, pw, openUri, []);
+
+ let dt = {}
+ dt['v'] = 2;
+ dt['ct'] = cipherResult[0];
+ dt['adata'] = cipherResult[1];
+ dt['k'] = sm;
+
+ const encUrl = CryptTool.base58encode(JSON.stringify(dt))
+
+ const url = baseUri + 'protected/#' + encUrl;
+
+
 // show new URL in browser bar
 history.pushState({type: 'newpaste'}, document.title, url);
@@ -5518,6 +5547,17 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 try {
 Model.getPasteId();
 } catch (e) {
+
+ // check if protected pathname
+ const url = new URL(window.location);
+
+ // if protected request password
+ if(url.pathname === '/protected') {
+ const enc = CryptTool.base58decode(newKey).padStart(32, '\u0000');
+ return Prompt.requestPassword();
+
+ }
+
 // otherwise create a new paste
 return me.newPaste();
 }
From 2cc2cf0de769cee96311f639a3b338a7da50b0f9 Mon Sep 17 00:00:00 2001
From: Tobias Gurtzick
Date: Mon, 8 Jan 2024 12:28:41 +0100
Subject: [PATCH 2/2] working browser password
Signed-off-by: Tobias Gurtzick
---
 js/privatebin.js | 80 +++++++++++++++++++++++++++++++++---------------
 1 file changed, 56 insertions(+), 24 deletions(-)
diff --git a/js/privatebin.js b/js/privatebin.js
index bd5466f2..ed94a356 100644
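Review bot: `url` is passed to `PasteStatus.createPasteNotification(url, deleteUrl)` many lines before its `const url = baseUri + 'protected/#' + encUrl;` declaration in the same scope, which is a temporal-dead-zone ReferenceError, and `let openUri = + '?' + data.id + ...` applies unary plus to `'?'`, so the URI that gets encrypted starts with `NaN` instead of `?`. Both are corrected by the second patch in this series (the notification call moves below the new `if`/`else` and the stray `+` is dropped), so this commit does not work on its own and would break bisecting. The -5518 hunk of the same commit likewise references an undefined `newKey` and leaves `enc` unused. The remainder of showCreatedPaste continues past this hunk.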
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1512,7 +1512,12 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 me.getPasteKey = function()
 {
 if (symmetricKey === null) {
- let newKey = window.location.hash.substring(1);
+ let pos = 1;
+ const pt = '#protected/';
+ if(window.location.hash.startsWith(pt)) {
+ pos = pt.length;
+ }
+ let newKey = window.location.hash.substring(pos);
 if (newKey === '') {
 throw 'no encryption key given';
 }
@@ -2229,13 +2234,28 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 const url = new URL(window.location);
 // if protected request password
- if(url.pathname === '/protected') {
- const enc = CryptTool.base58decode(newKey).padStart(32, '\u0000');
- const cipherdata = [enc.ct, enc.adata];
+ if(url.hash.startsWith('#protected/')) {
+ const pt = '#protected/';
+ let pos = pt.length;
+ let newKey = window.location.hash.substring(pos);
+ if (newKey === '') {
+ throw 'no encryption key given';
+ }
- const plaindata = await CryptTool.decipher(enc.k, password, cipherdata);
+ // Some web 2.0 services and redirectors add data AFTER the anchor
+ // (such as &utm_source=...). We will strip any additional data.
+ let ampersandPos = newKey.indexOf('&');
+ if (ampersandPos > -1)
+ {
+ newKey = newKey.substring(0, ampersandPos);
+ }
+ const enc = CryptTool.base58decode(newKey).padStart(32, '\u0000');
+ const dt = JSON.parse(enc);
+ const cipherdata = [dt.ct, dt.adata]
+
+ const plaindata = await CryptTool.decipher(dt.k, password, cipherdata);
 window.location.replace(Helper.baseUri() + plaindata);
- return;
+ return;
 }
 PasteDecrypter.run();
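Review bot: The `#protected/` prefix and the code that strips it are now spelled out in three places — here in getPasteKey, again in submitPasswordModal (the -2229 hunk, which also re-implements the hash extraction and the `&` stripping that read as copied from getPasteKey), and as a bare literal in the -5565 hunk — so the link format can silently drift between the writer in showCreatedPaste and its readers. A single module-level `const PROTECTED_PREFIX = '#protected/';` and one helper that returns the blob after the prefix (or `''` when the hash does not carry one), used from all three sites, would keep them in step. The pre-existing `throw 'no encryption key given'` throws a string rather than an `Error`; once getPasteKey is reached from an async handler that surfaces as an unhandled rejection with no stack. The body of getPasteKey continues past this hunk.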
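Review bot: Nothing in the new `#protected/` branch of submitPasswordModal handles failure: `JSON.parse(enc)` runs on whatever the link carries with no check that `dt.v`, `dt.ct`, `dt.adata` or `dt.k` are present, a wrong password makes `CryptTool.decipher` reject, and `throw 'no encryption key given'` throws a string — all of these surface as unhandled promise rejections after `$passwordModal.modal('hide')` has already run, so the user is left with nothing on screen and no way to retry. The `.padStart(32, '\u0000')` on the decoded JSON looks copied from the key path; it is a no-op for a normal blob and would break `JSON.parse` on a short one, so it should go. Because the decrypted payload is chosen by whoever built the link, check that it has the `?<pasteid>#<key>` shape showCreatedPaste produces before handing it to `window.location.replace`. The sketch below assumes `Alert.showError` is the file's user-facing error helper and that `password` is already read above the hunk; adjust if either differs.
```javascript
if(url.hash.startsWith('#protected/')) {
    // … unchanged: extract newKey from the hash and strip any trailing '&…' …
    let dt;
    try {
        dt = JSON.parse(CryptTool.base58decode(newKey));
    } catch (e) {
        Alert.showError('This protected link is malformed.');
        return;
    }
    if (dt === null || typeof dt !== 'object' || dt.v !== 2 ||
        typeof dt.ct !== 'string' || typeof dt.k !== 'string' || dt.adata === undefined) {
        Alert.showError('This protected link is malformed.');
        return;
    }
    let plaindata;
    try {
        plaindata = await CryptTool.decipher(dt.k, password, [dt.ct, dt.adata]);
    } catch (e) {
        // wrong password or tampered link: tell the user and offer a retry
        Alert.showError('Could not unlock the link, please check the password.');
        Prompt.requestPassword();
        return;
    }
    // the payload was chosen by the link's creator; only accept the
    // '?<pasteid>#<key>' shape that showCreatedPaste produces
    if (typeof plaindata !== 'string' || !/^\?[A-Za-z0-9]+#[A-Za-z0-9]+$/.test(plaindata)) {
        Alert.showError('This protected link is malformed.');
        return;
    }
    window.location.replace(Helper.baseUri() + plaindata);
    return;
}
```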
@@ -4814,25 +4834,36 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 Alert.hideMessages();
 // show notification
- const baseUri = Helper.baseUri() + '?',
- deleteUrl = baseUri + 'pasteid=' + data.id + '&deletetoken=' + data.deletetoken;
- PasteStatus.createPasteNotification(url, deleteUrl);
+ const baseUri = Helper.baseUri(),
+ deleteUrl = baseUri + '?pasteid=' + data.id + '&deletetoken=' + data.deletetoken;
+ let url;
 const pw = TopNav.getPassword()
- const sm = CryptTool.getSymmetricKey();
-
- let openUri = + '?' + data.id + '#' + CryptTool.base58encode(data.encryptionKey);
- let cipherResult = await CryptTool.cipher(sm, pw, openUri, []);
- let dt = {}
- dt['v'] = 2;
- dt['ct'] = cipherResult[0];
- dt['adata'] = cipherResult[1];
- dt['k'] = sm;
+ if(pw && pw.length) {
+
+ const sm = CryptTool.getSymmetricKey();
+
+ let openUri = '?' + data.id + '#' + CryptTool.base58encode(data.encryptionKey);
+ let cipherResult = await CryptTool.cipher(sm, pw, openUri, []);
+
+ let dt = {}
+ dt['v'] = 2;
+ dt['ct'] = cipherResult[0];
+ dt['adata'] = cipherResult[1];
+ dt['k'] = sm;
+
+ const encUrl = CryptTool.base58encode(JSON.stringify(dt))
+
+ url = baseUri + '#protected/' + encUrl;
+ } else {
+ url = baseUri + '?' + data.id + '#' + CryptTool.base58encode(data.encryptionKey);
+ }
+
+ PasteStatus.createPasteNotification(url, deleteUrl);
+
- const encUrl = CryptTool.base58encode(JSON.stringify(dt))
- const url = baseUri + 'protected/#' + encUrl;
 // show new URL in browser bar
@@ -4979,7 +5010,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 // prepare server interaction
 ServerInteraction.prepare();
- ServerInteraction.setCryptParameters(TopNav.getPassword());
+ // This is not needed when encrypting browser side
+ // ServerInteraction.setCryptParameters(TopNav.getPassword());
+ ServerInteraction.setCryptParameters('');
 // set success/fail functions
 ServerInteraction.setSuccess(showCreatedPaste);
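Review bot: `dt['k'] = sm` puts the freshly generated symmetric key into the link in the clear next to the ciphertext, so the only secret guarding a `#protected/` link is the password handed to `CryptTool.cipher` — whatever key derivation that applies to a user-chosen password is considerably weaker than the random `data.encryptionKey` it wraps. The -4979 hunk sharpens this: it stops passing the password into `ServerInteraction.setCryptParameters`, so the paste itself is now decryptable with the inner key alone, and submitPasswordModal navigates to that inner `?id#key` URL via `window.location.replace`, where it sits in the address bar, history and any bookmark — after the first unlock the password protects nothing for that browser profile. Either keep passing the password to setCryptParameters so both layers require it, or state the trade-off above the `if(pw && pw.length)` branch, e.g. `// The password only wraps the link; the paste is encrypted with the random key alone, so anyone holding the unwrapped ?id#key URL can read it without the password.`. For a string, `if(pw && pw.length)` can simply be `if (pw)`. The rest of showCreatedPaste continues past this hunk.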
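Review bot: The new comment `// This is not needed when encrypting browser side` is misleading, because the call it replaces also encrypted in the browser — what actually changed is that the password no longer enters the paste's key derivation and is only used to wrap the link in showCreatedPaste. Delete the commented-out `ServerInteraction.setCryptParameters(TopNav.getPassword());` rather than keep it as dead text, and say what the empty argument means, e.g. `// The password is no longer mixed into the paste key; it only wraps the link (see showCreatedPaste).` above `ServerInteraction.setCryptParameters('');`. Whether the weaker server-side binding is intended should also be stated in the commit message, since it changes what a leaked paste URL exposes. The enclosing function starts and ends outside this hunk.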
@@ -5565,13 +5598,12 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 try {
 Model.getPasteId();
 } catch (e) {
-
+
 // check if protected pathname
 const url = new URL(window.location);
 // if protected request password
- if(url.pathname === '/protected') {
- const enc = CryptTool.base58decode(newKey).padStart(32, '\u0000');
+ if(url.hash.startsWith('#protected/')) {
 return Prompt.requestPassword();
 }