[TEST] Try to disallow vulnerable cases
This commit is contained in:
parent
01414e43ca
commit
ebc2d649c4
@ -620,6 +620,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
|
|||||||
|
|
||||||
// messageID may contain links, but only the first parameter, as that is from a trusted source (code or translation JSON files)
|
// messageID may contain links, but only the first parameter, as that is from a trusted source (code or translation JSON files)
|
||||||
let containsLinks = args[0].indexOf('<a') !== -1;
|
let containsLinks = args[0].indexOf('<a') !== -1;
|
||||||
|
if (containsLinks && args.length > 0) {
|
||||||
|
throw new Error('security violation detected: do not concatenate links and untrusted data!');
|
||||||
|
}
|
||||||
|
|
||||||
// format string
|
// format string
|
||||||
let output = Helper.sprintf.apply(this, args);
|
let output = Helper.sprintf.apply(this, args);
|
||||||
|
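Review bot: The condition on the added `if` line cannot do what the comment above it describes: `args[0]` has already been dereferenced on the `containsLinks` line, so `args.length > 0` is always true at this point and every message whose ID contains `<a` now throws, even when no untrusted parameter follows it. Since only the first parameter is trusted, the check presumably meant `if (containsLinks && args.length > 1) {`, i.e. a link-bearing format string combined with at least one substituted value. Even then, throwing turns a translation lookup into a hard failure of the calling page; escaping or sanitizing `args[1..]` before the `Helper.sprintf` call below would close the same injection path without breaking rendering, though whether callers tolerate that depends on code outside the hunk. The `indexOf('<a')` test is also case-sensitive and matches any tag starting with `a` (e.g. `<abbr>`), so it both under- and over-detects links. The enclosing function starts before and ends after this hunk.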
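--- /dev/null
+++ b/test.diff
@@ -0,0 +1,40 @@
+diff --git a/js/privatebin.js b/js/privatebin.js
+index c83d8ff..5c0aecc 100644
+--- a/js/privatebin.js
++++ b/js/privatebin.js
+@@ -620,6 +620,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
+
+// messageID may contain links, but only the first parameter, as that is from a trusted source (code or translation JSON files)
+let containsLinks = args[0].indexOf('<a') !== -1;
++ if (containsLinks && args.length > 0) {
++ throw new Error('security violation detected: do not concatenate links and untrusted data!');
++ }
+
+// format string
+let output = Helper.sprintf.apply(this, args);
+diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
+index 59c730e..0e949da 100644
+--- a/tpl/bootstrap.php
++++ b/tpl/bootstrap.php
+@@ -72,7 +72,7 @@ endif;
+?>
+<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
+<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
+- <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-/d5+ju4pY94Jnb3o2poZNQRxKxJqgmbV4SojFKq/4Gzyz7ft99ptmhwho7pvSVggoh0xlOR3d8EV+sEr3gDxTA==" crossorigin="anonymous"></script>
++ <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-NQ2iciSmIAeXCmdpJm5BGKvyGjkvN0Ob82mmbxSpgBpJpLypKZEQksbkIti+dyQ3XVjXIGyi9yiLxEgvpzG3hw==" crossorigin="anonymous"></script>
+<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
+<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
+<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
+diff --git a/tpl/page.php b/tpl/page.php
+index 0f8df18..ff2d5f5 100644
+--- a/tpl/page.php
++++ b/tpl/page.php
+@@ -50,7 +50,7 @@ endif;
+?>
+<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
+<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
+- <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-/d5+ju4pY94Jnb3o2poZNQRxKxJqgmbV4SojFKq/4Gzyz7ft99ptmhwho7pvSVggoh0xlOR3d8EV+sEr3gDxTA==" crossorigin="anonymous"></script>
++ <script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-NQ2iciSmIAeXCmdpJm5BGKvyGjkvN0Ob82mmbxSpgBpJpLypKZEQksbkIti+dyQ3XVjXIGyi9yiLxEgvpzG3hw==" crossorigin="anonymous"></script>
+<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
+<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
+<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />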
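Review bot: `test.diff` is a verbatim patch of this same commit's changes to `js/privatebin.js`, `tpl/bootstrap.php` and `tpl/page.php` (its first lines are `diff --git` headers for exactly those files), so it looks like a stray working-copy artifact rather than an intended source or test file. Nothing else in this commit references it, and because it duplicates the real change it will drift out of date as soon as those files are edited again; it should be dropped from the commit (`git rm test.diff`). If the intent was to record the experiment, a sentence in the commit message would serve better than a checked-in patch.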
@ -72,7 +72,7 @@ endif;
|
|||||||
?>
|
?>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-/d5+ju4pY94Jnb3o2poZNQRxKxJqgmbV4SojFKq/4Gzyz7ft99ptmhwho7pvSVggoh0xlOR3d8EV+sEr3gDxTA==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-NQ2iciSmIAeXCmdpJm5BGKvyGjkvN0Ob82mmbxSpgBpJpLypKZEQksbkIti+dyQ3XVjXIGyi9yiLxEgvpzG3hw==" crossorigin="anonymous"></script>
|
||||||
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
||||||
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
||||||
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
||||||
|
@ -50,7 +50,7 @@ endif;
|
|||||||
?>
|
?>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/purify-2.0.7.js" integrity="sha512-XjNEK1xwh7SJ/7FouwV4VZcGW9cMySL3SwNpXgrURLBcXXQYtZdqhGoNdEwx9vwLvFjUGDQVNgpOrTsXlSTiQg==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
|
||||||
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-/d5+ju4pY94Jnb3o2poZNQRxKxJqgmbV4SojFKq/4Gzyz7ft99ptmhwho7pvSVggoh0xlOR3d8EV+sEr3gDxTA==" crossorigin="anonymous"></script>
|
<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-NQ2iciSmIAeXCmdpJm5BGKvyGjkvN0Ob82mmbxSpgBpJpLypKZEQksbkIti+dyQ3XVjXIGyi9yiLxEgvpzG3hw==" crossorigin="anonymous"></script>
|
||||||
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
|
||||||
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />
|
||||||
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
<link rel="icon" type="image/png" href="img/favicon-16x16.png?<?php echo rawurlencode($VERSION); ?>" sizes="16x16" />
|
||||||
|