2012-04-30 01:15:06 +08:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* ZeroBin
|
|
|
|
*
|
|
|
|
* a zero-knowledge paste bin
|
|
|
|
*
|
|
|
|
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
|
|
|
|
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
|
|
|
|
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
|
|
|
|
* @version 0.15
|
|
|
|
*/
|
|
|
|
|
|
|
|
/**
|
|
|
|
* zerobin
|
|
|
|
*
|
|
|
|
* Controller, puts it all together.
|
|
|
|
*/
|
|
|
|
class zerobin
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* @const string version
|
|
|
|
*/
|
|
|
|
const VERSION = 'Alpha 0.15';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @access private
|
|
|
|
* @var array
|
|
|
|
*/
|
|
|
|
private $_conf = array(
|
|
|
|
'model' => 'zerobin_data',
|
|
|
|
);
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @access private
|
|
|
|
* @var string
|
|
|
|
*/
|
|
|
|
private $_data = '';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @access private
|
|
|
|
* @var string
|
|
|
|
*/
|
|
|
|
private $_error = '';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @access private
|
|
|
|
* @var zerobin_data
|
|
|
|
*/
|
|
|
|
private $_model;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* constructor
|
|
|
|
*
|
|
|
|
* initializes and runs ZeroBin
|
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
*/
|
|
|
|
public function __construct()
|
|
|
|
{
|
|
|
|
if (version_compare(PHP_VERSION, '5.2.6') < 0)
|
|
|
|
die('ZeroBin requires php 5.2.6 or above to work. Sorry.');
|
|
|
|
|
|
|
|
// In case stupid admin has left magic_quotes enabled in php.ini.
|
|
|
|
if (get_magic_quotes_gpc())
|
|
|
|
{
|
|
|
|
require_once PATH . 'lib/filter.php';
|
|
|
|
$_POST = array_map('filter::stripslashes_deep', $_POST);
|
|
|
|
$_GET = array_map('filter::stripslashes_deep', $_GET);
|
|
|
|
$_COOKIE = array_map('filter::stripslashes_deep', $_COOKIE);
|
|
|
|
}
|
|
|
|
|
|
|
|
// Load config from ini file.
|
|
|
|
$this->_init();
|
|
|
|
|
|
|
|
// Create new paste or comment.
|
|
|
|
if (!empty($_POST['data']))
|
|
|
|
{
|
|
|
|
$this->_create();
|
|
|
|
}
|
|
|
|
// Display an existing paste.
|
|
|
|
elseif (!empty($_SERVER['QUERY_STRING']))
|
|
|
|
{
|
|
|
|
$this->_read();
|
|
|
|
}
|
|
|
|
|
|
|
|
// Display ZeroBin frontend
|
|
|
|
$this->_view();
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* initialize zerobin
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @return void
|
|
|
|
*/
|
|
|
|
private function _init()
|
|
|
|
{
|
2012-04-30 19:58:29 +08:00
|
|
|
foreach (array('cfg', 'lib') as $dir)
|
|
|
|
{
|
|
|
|
if (!is_file(PATH . $dir . '/.htaccess')) file_put_contents(
|
|
|
|
PATH . $dir . '/.htaccess',
|
|
|
|
'Allow from none' . PHP_EOL .
|
|
|
|
'Deny from all'. PHP_EOL
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2012-04-30 01:15:06 +08:00
|
|
|
$this->_conf = parse_ini_file(PATH . 'cfg/conf.ini');
|
|
|
|
$this->_model = $this->_conf['model'];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* get the model, create one if needed
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @return zerobin_data
|
|
|
|
*/
|
|
|
|
private function _model()
|
|
|
|
{
|
|
|
|
// if needed, initialize the model
|
|
|
|
if(is_string($this->_model)) {
|
|
|
|
require_once PATH . 'lib/' . $this->_model . '.php';
|
|
|
|
$this->_model = forward_static_call(array($this->_model, 'getInstance'), $this->_conf['model_options']);
|
|
|
|
}
|
|
|
|
return $this->_model;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Store new paste or comment.
|
|
|
|
*
|
|
|
|
* POST contains:
|
|
|
|
* data (mandatory) = json encoded SJCL encrypted text (containing keys: iv,salt,ct)
|
|
|
|
*
|
|
|
|
* All optional data will go to meta information:
|
|
|
|
* expire (optional) = expiration delay (never,10min,1hour,1day,1month,1year,burn) (default:never)
|
|
|
|
* opendiscusssion (optional) = is the discussion allowed on this paste ? (0/1) (default:0)
|
|
|
|
* nickname (optional) = in discussion, encoded SJCL encrypted text nickname of author of comment (containing keys: iv,salt,ct)
|
|
|
|
* parentid (optional) = in discussion, which comment this comment replies to.
|
|
|
|
* pasteid (optional) = in discussion, which paste this comment belongs to.
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @return void
|
|
|
|
*/
|
|
|
|
private function _create()
|
|
|
|
{
|
|
|
|
header('Content-type: application/json');
|
|
|
|
$error = false;
|
|
|
|
|
|
|
|
// Make sure last paste from the IP address was more than 10 seconds ago.
|
|
|
|
require_once PATH . 'lib/traffic_limiter.php';
|
|
|
|
traffic_limiter::setLimit($this->_conf['traffic_limit']);
|
|
|
|
traffic_limiter::setPath($this->_conf['traffic_dir']);
|
|
|
|
if (
|
|
|
|
!traffic_limiter::canPass($_SERVER['REMOTE_ADDR'])
|
|
|
|
) $this->_return_message(1, 'Please wait 10 seconds between each post.');
|
|
|
|
|
|
|
|
// Make sure content is not too big.
|
|
|
|
$data = $_POST['data'];
|
|
|
|
if (
|
|
|
|
strlen($data) > 2000000
|
|
|
|
) $this->_return_message(1, 'Paste is limited to 2 MB of encrypted data.');
|
|
|
|
|
|
|
|
// Make sure format is correct.
|
|
|
|
require_once PATH . 'lib/sjcl.php';
|
|
|
|
if (!sjcl::isValid($data)) $this->_return_message(1, 'Invalid data.');
|
|
|
|
|
|
|
|
// Read additional meta-information.
|
|
|
|
$meta=array();
|
|
|
|
|
|
|
|
// Read expiration date
|
|
|
|
if (!empty($_POST['expire']))
|
|
|
|
{
|
|
|
|
switch ($_POST['expire'])
|
|
|
|
{
|
|
|
|
case '10min':
|
|
|
|
$meta['expire_date'] = time()+10*60;
|
|
|
|
break;
|
|
|
|
case '1hour':
|
|
|
|
$meta['expire_date'] = time()+60*60;
|
|
|
|
break;
|
|
|
|
case '1day':
|
|
|
|
$meta['expire_date'] = time()+24*60*60;
|
|
|
|
break;
|
|
|
|
case '1month':
|
|
|
|
$meta['expire_date'] = strtotime('+1 month');
|
|
|
|
break;
|
|
|
|
case '1year':
|
|
|
|
$meta['expire_date'] = strtotime('+1 year');
|
|
|
|
break;
|
|
|
|
case 'burn':
|
|
|
|
$meta['burnafterreading'] = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Read open discussion flag.
|
|
|
|
if (!empty($_POST['opendiscussion']))
|
|
|
|
{
|
|
|
|
$opendiscussion = $_POST['opendiscussion'];
|
|
|
|
if ($opendiscussion != 0)
|
|
|
|
{
|
|
|
|
if ($opendiscussion != 1) $error = true;
|
|
|
|
$meta['opendiscussion'] = true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// You can't have an open discussion on a "Burn after reading" paste:
|
|
|
|
if (isset($meta['burnafterreading'])) unset($meta['opendiscussion']);
|
|
|
|
|
|
|
|
// Optional nickname for comments
|
|
|
|
if (!empty($_POST['nickname']))
|
|
|
|
{
|
|
|
|
// Generation of the anonymous avatar (Vizhash):
|
|
|
|
// If a nickname is provided, we generate a Vizhash.
|
|
|
|
// (We assume that if the user did not enter a nickname, he/she wants
|
|
|
|
// to be anonymous and we will not generate the vizhash.)
|
|
|
|
$nick = $_POST['nickname'];
|
|
|
|
if (!sjcl::isValid($nick))
|
|
|
|
{
|
|
|
|
$error = true;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
require_once PATH . 'lib/vizhash_gd_zero.php';
|
|
|
|
$meta['nickname'] = $nick;
|
|
|
|
$vz = new vizhash16x16();
|
|
|
|
$pngdata = $vz->generate($_SERVER['REMOTE_ADDR']);
|
|
|
|
if ($pngdata != '')
|
|
|
|
{
|
|
|
|
$meta['vizhash'] = 'data:image/png;base64,' . base64_encode($pngdata);
|
|
|
|
}
|
|
|
|
// Once the avatar is generated, we do not keep the IP address, nor its hash.
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if ($error) $this->_return_message(1, 'Invalid data.');
|
|
|
|
|
|
|
|
// Add post date to meta.
|
|
|
|
$meta['postdate'] = time();
|
|
|
|
|
|
|
|
// We just want a small hash to avoid collisions:
|
|
|
|
// Half-MD5 (64 bits) will do the trick
|
|
|
|
$dataid = substr(hash('md5', $data), 0, 16);
|
|
|
|
|
|
|
|
$storage = array('data' => $data);
|
|
|
|
|
|
|
|
// Add meta-information only if necessary.
|
|
|
|
if (count($meta)) $storage['meta'] = $meta;
|
|
|
|
|
|
|
|
// The user posts a comment.
|
|
|
|
if (
|
|
|
|
!empty($_POST['parentid']) &&
|
|
|
|
!empty($_POST['pasteid'])
|
|
|
|
)
|
|
|
|
{
|
|
|
|
$pasteid = $_POST['pasteid'];
|
|
|
|
$parentid = $_POST['parentid'];
|
|
|
|
if (
|
|
|
|
!preg_match('/[a-f\d]{16}/', $pasteid) ||
|
|
|
|
!preg_match('/[a-f\d]{16}/', $parentid)
|
|
|
|
) $this->_return_message(1, 'Invalid data.');
|
|
|
|
|
|
|
|
// Comments do not expire (it's the paste that expires)
|
|
|
|
unset($storage['expire_date']);
|
|
|
|
unset($storage['opendiscussion']);
|
|
|
|
|
|
|
|
// Make sure paste exists.
|
|
|
|
if (
|
|
|
|
!$this->_model()->exists($pasteid)
|
|
|
|
) $this->_return_message(1, 'Invalid data.');
|
|
|
|
|
|
|
|
// Make sure the discussion is opened in this paste.
|
|
|
|
$paste = $this->_model()->read($pasteid);
|
|
|
|
if (
|
|
|
|
!$paste->meta->opendiscussion
|
|
|
|
) $this->_return_message(1, 'Invalid data.');
|
|
|
|
|
|
|
|
// Check for improbable collision.
|
|
|
|
if (
|
|
|
|
$this->_model()->existsComment($pasteid, $parentid, $dataid)
|
|
|
|
) $this->_return_message(1, 'You are unlucky. Try again.');
|
|
|
|
|
|
|
|
// New comment
|
|
|
|
if (
|
|
|
|
$this->_model()->createComment($pasteid, $parentid, $dataid, $storage) === false
|
|
|
|
) $this->_return_message(1, 'Error saving comment. Sorry.');
|
|
|
|
|
|
|
|
// 0 = no error
|
|
|
|
$this->_return_message(0, $dataid);
|
|
|
|
}
|
|
|
|
// The user posts a standard paste.
|
|
|
|
else
|
|
|
|
{
|
|
|
|
// Check for improbable collision.
|
|
|
|
if (
|
|
|
|
$this->_model()->exists($dataid)
|
|
|
|
) $this->_return_message(1, 'You are unlucky. Try again.');
|
|
|
|
|
|
|
|
// New paste
|
|
|
|
if (
|
|
|
|
$this->_model()->create($dataid, $storage) === false
|
|
|
|
) $this->_return_message(1, 'Error saving paste. Sorry.');
|
|
|
|
|
|
|
|
// 0 = no error
|
|
|
|
$this->_return_message(0, $dataid);
|
|
|
|
}
|
|
|
|
|
|
|
|
$this->_return_message(1, 'Server error.');
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Read an existing paste or comment.
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @return void
|
|
|
|
*/
|
|
|
|
private function _read()
|
|
|
|
{
|
|
|
|
$dataid = $_SERVER['QUERY_STRING'];
|
|
|
|
|
|
|
|
// Is this a valid paste identifier?
|
|
|
|
if (preg_match('/[a-f\d]{16}/', $dataid))
|
|
|
|
{
|
|
|
|
// Check that paste exists.
|
|
|
|
if ($this->_model()->exists($dataid))
|
|
|
|
{
|
|
|
|
// Get the paste itself.
|
|
|
|
$paste = $this->_model()->read($dataid);
|
|
|
|
|
|
|
|
// See if paste has expired.
|
|
|
|
if (
|
|
|
|
isset($paste->meta->expire_date) &&
|
|
|
|
$paste->meta->expire_date < time()
|
|
|
|
)
|
|
|
|
{
|
|
|
|
// Delete the paste
|
|
|
|
$this->_model()->delete($dataid);
|
|
|
|
$this->_error = 'Paste does not exist or has expired.';
|
|
|
|
}
|
|
|
|
// If no error, return the paste.
|
|
|
|
else
|
|
|
|
{
|
|
|
|
// We kindly provide the remaining time before expiration (in seconds)
|
|
|
|
if (
|
|
|
|
property_exists($paste->meta, 'expire_date')
|
|
|
|
) $paste->meta->remaining_time = $paste->meta->expire_date - time();
|
|
|
|
|
|
|
|
// The paste itself is the first in the list of encrypted messages.
|
|
|
|
$messages = array($paste);
|
|
|
|
|
|
|
|
// If it's a discussion, get all comments.
|
|
|
|
if (
|
|
|
|
property_exists($paste->meta, 'opendiscussion') &&
|
|
|
|
$paste->meta->opendiscussion
|
|
|
|
)
|
|
|
|
{
|
|
|
|
$messages = array_merge(
|
|
|
|
$messages,
|
|
|
|
$this->_model()->readComments($dataid)
|
|
|
|
);
|
|
|
|
}
|
|
|
|
$this->_data = json_encode($messages);
|
|
|
|
|
|
|
|
// If the paste was meant to be read only once, delete it.
|
|
|
|
if (
|
|
|
|
property_exists($paste->meta, 'burnafterreading') &&
|
|
|
|
$paste->meta->burnafterreading
|
|
|
|
) $this->_model()->delete($dataid);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
$this->_error = 'Paste does not exist or has expired.';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Display ZeroBin frontend.
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @return void
|
|
|
|
*/
|
|
|
|
private function _view()
|
|
|
|
{
|
|
|
|
require_once PATH . 'lib/rain.tpl.class.php';
|
|
|
|
header('Content-Type: text/html; charset=utf-8');
|
|
|
|
$page = new RainTPL;
|
|
|
|
// We escape it here because ENT_NOQUOTES can't be used in RainTPL templates.
|
|
|
|
$page->assign('CIPHERDATA', htmlspecialchars($this->_data, ENT_NOQUOTES));
|
|
|
|
$page->assign('ERRORMESSAGE', $this->_error);
|
|
|
|
$page->assign('VERSION', self::VERSION);
|
|
|
|
$page->draw('page');
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* return JSON encoded message and exit
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @param bool $status
|
|
|
|
* @param string $message
|
|
|
|
* @return void
|
|
|
|
*/
|
|
|
|
private function _return_message($status, $message)
|
|
|
|
{
|
|
|
|
$result = array('status' => $status);
|
|
|
|
if ($status)
|
|
|
|
{
|
|
|
|
$result['message'] = $message;
|
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
$result['id'] = $message;
|
|
|
|
}
|
|
|
|
exit(json_encode($result));
|
|
|
|
}
|
|
|
|
}
|