diff --git a/js/common.js b/js/common.js
index 08a4907f..f0482ae6 100644
--- a/js/common.js
+++ b/js/common.js
@@ -21,11 +21,13 @@ require('./bootstrap-3.3.7');
require('./privatebin');
// internal variables
-var a2zString = ['a','b','c','d','e','f','g','h','i','j','k','l','m',
- 'n','o','p','q','r','s','t','u','v','w','x','y','z'],
- alnumString = a2zString.concat(['0','1','2','3','4','5','6','7','8','9']),
- queryString = alnumString.concat(['+','%','&','.','*','-','_']),
- hashString = queryString.concat(['!']),
+var a2zString = ['a','b','c','d','e','f','g','h','i','j','k','l','m',
+ 'n','o','p','q','r','s','t','u','v','w','x','y','z'],
+ digitString = ['0','1','2','3','4','5','6','7','8','9'],
+ alnumString = a2zString.concat(digitString),
+ hexString = digitString.concat(['a','b','c','d','e','f']),
+ queryString = alnumString.concat(['+','%','&','.','*','-','_']),
+ hashString = queryString.concat(['!']),
base64String = alnumString.concat(['+','/','=']).concat(
a2zString.map(function(c) {
return c.toUpperCase();
@@ -118,6 +120,11 @@ exports.jscAlnumString = function() {
return jsc.elements(alnumString);
};
+//provides random characters allowed in hexadecimal notation
+exports.jscHexString = function() {
+ return jsc.elements(hexString);
+};
+
// provides random characters allowed in GET queries
exports.jscQueryString = function() {
return jsc.elements(queryString);
diff --git a/js/privatebin.js b/js/privatebin.js
index f4bb3caf..766e6124 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1026,13 +1026,44 @@ jQuery.PrivateBin = (function($, RawDeflate) {
*/
me.getPasteId = function()
{
- if (id === null) {
- // Attention: This also returns the delete token inside of the ID, if it is specified
- id = window.location.search.substring(1);
+ const idRegEx = /^[a-z0-9]{16}$/;
+ const idRegExFind = /[a-z0-9]{16}/;
- if (id === '') {
- throw 'no paste id given';
+ // return cached value
+ if (id !== null) {
+ return id;
+ }
+
+ // do use URL interface, if possible
+ if (window.URL && window.URL.prototype && ('searchParams' in window.URL.prototype)) {
+ try {
+ const url = new URL(window.location);
+
+ for (const param of url.searchParams) {
+ const key = param[0];
+ const value = param[1];
+
+ if (value === '' && idRegEx.test(key)) {
+ // safe, as the whole regex is matched
+ id = key;
+ return id;
+ }
+ }
+ } catch (e) {
+ // fallback below
+ console.error('URL interface not properly supported, error:', e);
}
+ } else {
+ console.warn('URL interface appears not to be supported in this browser.');
+ }
+
+ // fallback to simple RegEx
+ console.warn('fallback to simple RegEx search');
+ // Attention: This also returns the delete token inside of the ID, if it is specified
+ id = (window.location.search.match(idRegExFind) || [''])[0];
+
+ if (id === '') {
+ throw 'no paste id given';
}
return id;
diff --git a/js/test/Model.js b/js/test/Model.js
index f9acc5c3..d5a92b38 100644
--- a/js/test/Model.js
+++ b/js/test/Model.js
@@ -81,18 +81,23 @@ describe('Model', function () {
'returns the query string without separator, if any',
jsc.nearray(common.jscA2zString()),
jsc.nearray(common.jscA2zString()),
- jsc.nearray(common.jscHashString()),
+ jsc.tuple(new Array(16).fill(common.jscHexString)),
+ jsc.array(common.jscQueryString()),
+ jsc.array(common.jscQueryString()),
'string',
- function (schema, address, query, fragment) {
- var queryString = query.join(''),
- clean = jsdom('', {
+ function (schema, address, pasteId, queryStart, queryEnd, fragment) {
+ var pasteIdString = pasteId.join(''),
+ queryStartString = queryStart.join('') + (queryStart.length > 0 ? '&' : ''),
+ queryEndString = (queryEnd.length > 0 ? '&' : '') + queryEnd.join(''),
+ queryString = queryStartString + pasteIdString + queryEndString,
+ clean = jsdom('', {
url: schema.join('') + '://' + address.join('') +
'/?' + queryString + '#' + fragment
}),
result = $.PrivateBin.Model.getPasteId();
$.PrivateBin.Model.reset();
clean();
- return queryString === result;
+ return pasteIdString === result;
}
);
jsc.property(
diff --git a/js/test/Prompt.js b/js/test/Prompt.js
index 310c4240..94abaabf 100644
--- a/js/test/Prompt.js
+++ b/js/test/Prompt.js
@@ -16,7 +16,7 @@ describe('Prompt', function () {
'string',
function (password) {
password = password.replace(/\r+/g, '');
- var clean = jsdom('', {url: 'ftp://example.com/?0'});
+ var clean = jsdom('', {url: 'ftp://example.com/?0000000000000000'});
$('body').html(
'
' +
'
' +
diff --git a/lib/Request.php b/lib/Request.php
index 65549a90..3e6e902e 100644
--- a/lib/Request.php
+++ b/lib/Request.php
@@ -72,6 +72,27 @@ class Request
*/
private $_isJsonApi = false;
+ /**
+ * Return the paste ID of the current paste.
+ *
+ * @access private
+ * @return string
+ */
+ private function getPasteId()
+ {
+ // RegEx to check for valid paste ID (16 base64 chars)
+ $pasteIdRegEx = '/^[a-f0-9]{16}$/';
+
+ foreach ($_GET as $key => $value) {
+ // only return if value is empty and key matches RegEx
+ if (($value === '') and preg_match($pasteIdRegEx, $key, $match)) {
+ return $match[0];
+ }
+ }
+
+ return 'invalid id';
+ }
+
/**
* Constructor
*
@@ -100,7 +121,7 @@ class Request
array_key_exists('QUERY_STRING', $_SERVER) &&
!empty($_SERVER['QUERY_STRING'])
) {
- $this->_params['pasteid'] = $_SERVER['QUERY_STRING'];
+ $this->_params['pasteid'] = $this->getPasteId();
}
// prepare operation, depending on current parameters
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 3d9a8434..25dbf1af 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -71,7 +71,7 @@ if ($MARKDOWN):
endif;
?>
-
+
diff --git a/tpl/page.php b/tpl/page.php
index fa368fc2..4165e727 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -49,7 +49,7 @@ if ($MARKDOWN):
endif;
?>
-
+
diff --git a/tst/ConfigurationTestGenerator.php b/tst/ConfigurationTestGenerator.php
index ccf7c829..0aaec88a 100755
--- a/tst/ConfigurationTestGenerator.php
+++ b/tst/ConfigurationTestGenerator.php
@@ -507,6 +507,7 @@ EOT;
$code .= PHP_EOL . <<<'EOT'
$this->_model->create(Helper::getPasteId(), Helper::getPaste());
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
EOT;
break;
diff --git a/tst/ControllerTest.php b/tst/ControllerTest.php
index 432c829f..88d53016 100644
--- a/tst/ControllerTest.php
+++ b/tst/ControllerTest.php
@@ -680,6 +680,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
public function testReadInvalidId()
{
$_SERVER['QUERY_STRING'] = 'foo';
+ $_GET['foo'] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new Controller;
@@ -696,6 +697,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
public function testReadNonexisting()
{
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new Controller;
@@ -714,6 +716,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
$expiredPaste = Helper::getPaste(array('expire_date' => 1344803344));
$this->_model->create(Helper::getPasteId(), $expiredPaste);
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new Controller;
@@ -732,6 +735,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
$paste = Helper::getPaste(array('burnafterreading' => true));
$this->_model->create(Helper::getPasteId(), $paste);
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new Controller;
@@ -760,6 +764,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
$paste = Helper::getPaste();
$this->_model->create(Helper::getPasteId(), $paste);
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new Controller;
@@ -790,6 +795,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
);
$this->_model->create(Helper::getPasteId(), $paste);
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new Controller;
@@ -897,6 +903,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
$this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
$_POST['deletetoken'] = 'burnafterreading';
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
$_SERVER['REQUEST_METHOD'] = 'POST';
ob_start();
@@ -917,6 +924,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
$this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
$_POST['deletetoken'] = 'burnafterreading';
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
$_SERVER['REQUEST_METHOD'] = 'POST';
ob_start();
diff --git a/tst/JsonApiTest.php b/tst/JsonApiTest.php
index 1f8d53ac..6914d3fb 100644
--- a/tst/JsonApiTest.php
+++ b/tst/JsonApiTest.php
@@ -82,6 +82,7 @@ class JsonApiTest extends PHPUnit_Framework_TestCase
file_put_contents($file, http_build_query($paste));
Request::setInputStream($file);
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
$_SERVER['REQUEST_METHOD'] = 'PUT';
$_SERVER['REMOTE_ADDR'] = '::1';
@@ -117,6 +118,7 @@ class JsonApiTest extends PHPUnit_Framework_TestCase
)));
Request::setInputStream($file);
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
$_SERVER['REQUEST_METHOD'] = 'DELETE';
ob_start();
@@ -164,6 +166,7 @@ class JsonApiTest extends PHPUnit_Framework_TestCase
unset($paste['attachmentname']);
$this->_model->create(Helper::getPasteId(), $paste);
$_SERVER['QUERY_STRING'] = Helper::getPasteId();
+ $_GET[Helper::getPasteId()] = '';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
ob_start();
new Controller;
diff --git a/tst/RequestTest.php b/tst/RequestTest.php
index 29b0dade..e5567d6f 100644
--- a/tst/RequestTest.php
+++ b/tst/RequestTest.php
@@ -21,6 +21,36 @@ class RequestTest extends PHPUnit_Framework_TestCase
$_POST = array();
}
+ /**
+ * Returns 16 random hexadecimal characters.
+ *
+ * @access public
+ * @return string
+ */
+ public function getRandomId()
+ {
+ // 8 binary bytes are 16 characters long in hex
+ return bin2hex(random_bytes(8));
+ }
+
+ /**
+ * Returns random query safe characters.
+ *
+ * @access public
+ * @return string
+ */
+ public function getRandomQueryChars()
+ {
+ $queryChars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ=';
+ $queryCharCount = strlen($queryChars) - 1;
+ $resultLength = random_int(1, 10);
+ $result = '';
+ for ($i = 0; $i < $resultLength; ++$i) {
+ $result .= $queryChars[random_int(0, $queryCharCount)];
+ }
+ return $result;
+ }
+
public function testView()
{
$this->reset();
@@ -33,24 +63,27 @@ class RequestTest extends PHPUnit_Framework_TestCase
public function testRead()
{
$this->reset();
+ $id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET';
- $_SERVER['QUERY_STRING'] = 'foo';
+ $_SERVER['QUERY_STRING'] = $id;
+ $_GET[$id] = '';
$request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call');
- $this->assertEquals('foo', $request->getParam('pasteid'));
+ $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation());
}
public function testDelete()
{
$this->reset();
+ $id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET';
- $_GET['pasteid'] = 'foo';
+ $_GET['pasteid'] = $id;
$_GET['deletetoken'] = 'bar';
$request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call');
$this->assertEquals('delete', $request->getOperation());
- $this->assertEquals('foo', $request->getParam('pasteid'));
+ $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('bar', $request->getParam('deletetoken'));
}
@@ -84,74 +117,103 @@ class RequestTest extends PHPUnit_Framework_TestCase
public function testApiRead()
{
$this->reset();
+ $id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'application/json, text/javascript, */*; q=0.01';
- $_SERVER['QUERY_STRING'] = 'foo';
+ $_SERVER['QUERY_STRING'] = $id;
+ $_GET[$id] = '';
$request = new Request;
$this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
- $this->assertEquals('foo', $request->getParam('pasteid'));
+ $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation());
}
public function testApiDelete()
{
$this->reset();
+ $id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'POST';
$_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
- $_SERVER['QUERY_STRING'] = 'foo';
+ $_SERVER['QUERY_STRING'] = $id;
+ $_GET = array($id => '');
$_POST['deletetoken'] = 'bar';
$request = new Request;
$this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
$this->assertEquals('delete', $request->getOperation());
- $this->assertEquals('foo', $request->getParam('pasteid'));
+ $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('bar', $request->getParam('deletetoken'));
}
public function testReadWithNegotiation()
{
$this->reset();
+ $id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'text/html,text/html; charset=UTF-8,application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
- $_SERVER['QUERY_STRING'] = 'foo';
+ $_SERVER['QUERY_STRING'] = $id;
+ $_GET[$id] = '';
$request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call');
- $this->assertEquals('foo', $request->getParam('pasteid'));
+ $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation());
}
public function testReadWithXhtmlNegotiation()
{
$this->reset();
+ $id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'application/xhtml+xml,text/html,text/html; charset=UTF-8, application/xml;q=0.9,*/*;q=0.8, text/csv,application/json';
- $_SERVER['QUERY_STRING'] = 'foo';
+ $_SERVER['QUERY_STRING'] = $id;
+ $_GET[$id] = '';
$request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call');
- $this->assertEquals('foo', $request->getParam('pasteid'));
+ $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation());
}
public function testApiReadWithNegotiation()
{
$this->reset();
+ $id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, application/json, text/html,text/html; charset=UTF-8,application/xhtml+xml, */*;q=0.8';
- $_SERVER['QUERY_STRING'] = 'foo';
+ $_SERVER['QUERY_STRING'] = $id;
+ $_GET[$id] = '';
$request = new Request;
$this->assertTrue($request->isJsonApiCall(), 'is JSON Api call');
- $this->assertEquals('foo', $request->getParam('pasteid'));
+ $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation());
}
public function testReadWithFailedNegotiation()
{
$this->reset();
+ $id = $this->getRandomId();
$_SERVER['REQUEST_METHOD'] = 'GET';
$_SERVER['HTTP_ACCEPT'] = 'text/plain,text/csv, application/xml;q=0.9, */*;q=0.8';
- $_SERVER['QUERY_STRING'] = 'foo';
+ $_SERVER['QUERY_STRING'] = $id;
+ $_GET[$id] = '';
$request = new Request;
$this->assertFalse($request->isJsonApiCall(), 'is HTML call');
- $this->assertEquals('foo', $request->getParam('pasteid'));
+ $this->assertEquals($id, $request->getParam('pasteid'));
$this->assertEquals('read', $request->getOperation());
}
+
+ public function testPasteIdExtraction()
+ {
+ $this->reset();
+ $id = $this->getRandomId();
+ $queryParams = array($id);
+ $queryParamCount = random_int(1, 5);
+ for ($i = 0; $i < $queryParamCount; ++$i) {
+ array_push($queryParams, $this->getRandomQueryChars());
+ }
+ shuffle($queryParams);
+ $_SERVER['REQUEST_METHOD'] = 'GET';
+ $_SERVER['QUERY_STRING'] = implode('&', $queryParams);
+ $_GET[$id] = '';
+ $request = new Request;
+ $this->assertEquals($id, $request->getParam('pasteid'));
+ }
}