From ebbb850b27dfbd9f4d82825e7ab8ce2aef3ef460 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Fri, 31 May 2019 07:05:40 +0200
Subject: [PATCH] clone array instead of passing the reference, adresses #436
---
 js/privatebin.js | 10 +++++-----
 tpl/bootstrap.php | 2 +-
 tpl/page.php | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/js/privatebin.js b/js/privatebin.js
index 71ec01a6..0de85941 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1033,17 +1033,18 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 */
 me.decipher = async function(key, password, data)
 {
- let adataString, encodedSpec, cipherMessage;
+ let adataString, spec, cipherMessage;
 if (data instanceof Array) {
 // version 2
 adataString = JSON.stringify(data[1]);
- encodedSpec = (data[1][0] instanceof Array ? data[1][0] : data[1]);
+ // clone the array instead of passing the reference
+ spec = (data[1][0] instanceof Array ? data[1][0] : data[1]).slice();
 cipherMessage = data[0];
 } else if (typeof data === 'string') {
 // version 1
 let object = JSON.parse(data);
 adataString = atob(object.adata);
- encodedSpec = [
+ spec = [
 object.iv,
 object.salt,
 object.iter,
@@ -1057,7 +1058,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 } else {
 throw 'unsupported message format';
 }
- let spec = encodedSpec, plainText = '';
 spec[0] = atob(spec[0]);
 spec[1] = atob(spec[1]);
 try {
@@ -1069,7 +1069,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 atob(cipherMessage)
 )
 ),
- encodedSpec[7]
+ spec[7]
 );
 } catch(err) {
 return '';
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 1851e1bd..b45dc5f2 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -72,7 +72,7 @@ if ($MARKDOWN): endif; ?> - +
diff --git a/tpl/page.php b/tpl/page.php
index 4bd1910b..288bca55 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -50,7 +50,7 @@ if ($MARKDOWN): endif; ?> - +
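Review bot: The added `.slice()` in the version 2 branch of `me.decipher` is a shallow copy, which is enough only while every element of the spec is a primitive, and the new comment does not say why the copy matters. Something like `// shallow copy: spec[0] and spec[1] are overwritten with atob() below, and data[1] must stay untouched because adataString is derived from it` would record the reason. The same line calls `.slice()` without confirming that `data[1]` is an array, so a malformed message whose second element is a plain object raises a TypeError here instead of reaching the `'unsupported message format'` branch. Adding `&& Array.isArray(data[1])` to the `data instanceof Array` condition would route such input to the existing error path. The body of `me.decipher` continues past this hunk.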
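Review bot: In the second hunk, the two `atob()` assignments to `spec[0]` and `spec[1]` sit before `try {`, so an IV or salt that is not valid base64 throws out of `me.decipher` instead of producing the `''` that the `catch` shown in the third hunk returns. If callers treat an empty string as the single failure signal, which is presumably the intent of that `catch`, moving both assignments inside the `try` keeps one failure path for malformed pastes. Separately, `throw 'unsupported message format';` throws a bare string and carries no stack trace; `throw new Error('unsupported message format');` is the usual form, provided no caller compares the thrown value to the string. The `try` block opens at the last line of this hunk and its body lies outside it.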