From 09162a3c570fbb699ad670e56d5e4f84f6fce468 Mon Sep 17 00:00:00 2001
From: El RIDO <elrido@gmx.net>
Date: Wed, 15 May 2019 07:44:03 +0200
Subject: [PATCH] fix display of v2 pastes in JS, fixing parsing of comments in
 PHP, avoid exposing expiration date (we provide time_to_live, would allow
 calculation of creation date of paste)

---
 js/privatebin.js             |  23 +++----
 js/test/PasteStatus.js       |  47 +++++++++++--
 lib/Controller.php           |   4 +-
 lib/FormatV2.php             |  22 ++++---
 lib/Model/Paste.php          |   1 +
 tpl/bootstrap.php            |   2 +-
 tpl/page.php                 |   2 +-
 tst/Bootstrap.php            |   1 +
 tst/ControllerTest.php       | 124 +++++++++++++++++------------------
 tst/ControllerWithDbTest.php |   2 +-
 10 files changed, 136 insertions(+), 92 deletions(-)

diff --git a/js/privatebin.js b/js/privatebin.js
index ddd3d625..a4b0daa0 100644
--- a/js/privatebin.js
+++ b/js/privatebin.js
@@ -1621,11 +1621,11 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          *
          * @name PasteStatus.showRemainingTime
          * @function
-         * @param {object} pasteMetaData
+         * @param {object} paste
          */
-        me.showRemainingTime = function(pasteMetaData)
+        me.showRemainingTime = function(paste)
         {
-            if (pasteMetaData.burnafterreading) {
+            if ((paste.adata && paste.adata[3]) || paste.meta.burnafterreading) {
                 // display paste "for your eyes only" if it is deleted
 
                 // the paste has been deleted when the JSON with the ciphertext
@@ -1637,9 +1637,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 // discourage cloning (it cannot really be prevented)
                 TopNav.hideCloneButton();
 
-            } else if (pasteMetaData.expire_date) {
+            } else if (paste.meta.time_to_live || paste.meta.remaining_time) {
                 // display paste expiration
-                let expiration = Helper.secondsToHuman(pasteMetaData.time_to_live || pasteMetaData.remaining_time),
+                let expiration = Helper.secondsToHuman(paste.meta.time_to_live || paste.meta.remaining_time),
                     expirationLabel = [
                         'This document will expire in %d ' + expiration[1] + '.',
                         'This document will expire in %d ' + expiration[1] + 's.'
@@ -2885,14 +2885,14 @@ jQuery.PrivateBin = (function($, RawDeflate) {
 
             // set date
             $commentEntry.find('span.commentdate')
-                      .text(' (' + (new Date(comment.meta.postdate * 1000).toLocaleString()) + ')')
+                      .text(' (' + (new Date((comment.meta.created || comment.meta.postdate) * 1000).toLocaleString()) + ')')
                       .attr('title', 'CommentID: ' + comment.id);
 
             // if an avatar is available, display it
-            if (comment.meta.vizhash) {
+            if (comment.meta.icon || comment.meta.vizhash) {
                 $commentEntry.find('span.nickname')
                              .before(
-                                '<img src="' + comment.meta.vizhash + '" class="vizhash" /> '
+                                '<img src="' + (comment.meta.icon || comment.meta.vizhash) + '" class="vizhash" /> '
                              );
                 $(document).on('languageLoaded', function () {
                     $commentEntry.find('img.vizhash')
@@ -4038,6 +4038,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             }
 
             await ServerInteraction.setCipherMessage(cipherMessage).catch(Alert.showError);
+            ServerInteraction.run();
         };
 
         /**
@@ -4246,7 +4247,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 if (paste.comments[i].hasOwnProperty('v') && paste.comments[i].v === 2) {
                     // version 2 comment
                     commentDecryptionPromises.push(
-                        CryptTool.decipher(key, password, paste.comments[i].ct)
+                        CryptTool.decipher(key, password, [paste.comments[i].ct, paste.comments[i].adata])
                             .then((commentJson) => {
                                 const commentMessage = JSON.parse(commentJson);
                                 return [
@@ -4335,12 +4336,12 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             decryptionPromises.push(decryptPaste(paste, key, password))
 
             // if the discussion is opened on this paste, display it
-            if (paste.meta.opendiscussion) {
+            if ((paste.adata && paste.adata[2]) || paste.meta.opendiscussion) {
                 decryptionPromises.push(decryptComments(paste, key, password));
             }
 
             // shows the remaining time (until) deletion
-            PasteStatus.showRemainingTime(paste.meta);
+            PasteStatus.showRemainingTime(paste);
 
             Promise.all(decryptionPromises)
                 .then(() => {
diff --git a/js/test/PasteStatus.js b/js/test/PasteStatus.js
index 6b0805d3..823840a7 100644
--- a/js/test/PasteStatus.js
+++ b/js/test/PasteStatus.js
@@ -44,7 +44,45 @@ describe('PasteStatus', function () {
         });
 
         jsc.property(
-            'shows burn after reading message or remaining time',
+            'shows burn after reading message or remaining time v1',
+            'bool',
+            'nat',
+            jsc.nearray(common.jscA2zString()),
+            jsc.nearray(common.jscA2zString()),
+            jsc.nearray(common.jscQueryString()),
+            'string',
+            function (
+                burnafterreading, remainingTime,
+                schema, address, query, fragment
+            ) {
+                var clean = jsdom('', {
+                        url: schema.join('') + '://' + address.join('') +
+                             '/?' + query.join('') + '#' + fragment
+                    }),
+                    result;
+                $('body').html('<div id="remainingtime" class="hidden"></div>');
+                $.PrivateBin.PasteStatus.init();
+                $.PrivateBin.PasteStatus.showRemainingTime({'meta': {
+                    'burnafterreading': burnafterreading,
+                    'remaining_time': remainingTime
+                }});
+                if (burnafterreading) {
+                    result = $('#remainingtime').hasClass('foryoureyesonly') &&
+                            !$('#remainingtime').hasClass('hidden');
+                } else if (remainingTime) {
+                    result =!$('#remainingtime').hasClass('foryoureyesonly') &&
+                            !$('#remainingtime').hasClass('hidden');
+                } else {
+                    result = $('#remainingtime').hasClass('hidden') &&
+                            !$('#remainingtime').hasClass('foryoureyesonly');
+                }
+                clean();
+                return result;
+            }
+        );
+
+        jsc.property(
+            'shows burn after reading message or remaining time v2',
             'bool',
             'nat',
             jsc.nearray(common.jscA2zString()),
@@ -63,9 +101,10 @@ describe('PasteStatus', function () {
                 $('body').html('<div id="remainingtime" class="hidden"></div>');
                 $.PrivateBin.PasteStatus.init();
                 $.PrivateBin.PasteStatus.showRemainingTime({
-                    'burnafterreading': burnafterreading,
-                    'remaining_time': remainingTime,
-                    'expire_date': remainingTime ? ((new Date()).getTime() / 1000) + remainingTime : 0
+                    'adata': [null, null, null, burnafterreading],
+                    'meta': {
+                        'time_to_live': remainingTime
+                    }
                 });
                 if (burnafterreading) {
                     result = $('#remainingtime').hasClass('foryoureyesonly') &&
diff --git a/lib/Controller.php b/lib/Controller.php
index 1b50ab66..2ab1ea7b 100644
--- a/lib/Controller.php
+++ b/lib/Controller.php
@@ -213,7 +213,7 @@ class Controller
             array_key_exists('parentid', $data) &&
             !empty($data['parentid']);
         if (!FormatV2::isValid($data, $isComment)) {
-            return $this->_return_message(1, 'Invalid data.');
+            return $this->_return_message(1, I18n::_('Invalid data.'));
         }
         $sizelimit = $this->_conf->getKey('sizelimit');
         // Ensure content is not too big.
@@ -240,7 +240,7 @@ class Controller
                 }
                 $this->_return_message(0, $comment->getId());
             } else {
-                $this->_return_message(1, 'Invalid data.');
+                $this->_return_message(1, I18n::_('Invalid data.'));
             }
         }
         // The user posts a standard paste.
diff --git a/lib/FormatV2.php b/lib/FormatV2.php
index 7835e817..358d834e 100644
--- a/lib/FormatV2.php
+++ b/lib/FormatV2.php
@@ -52,13 +52,15 @@ class FormatV2
             }
         }
 
+        $cipherParams = $isComment ? $message['adata'] : $message['adata'][0];
+
         // Make sure some fields are base64 data:
         // - initialization vector
-        if (!base64_decode($message['adata'][0][0], true)) {
+        if (!base64_decode($cipherParams[0], true)) {
             return false;
         }
         // - salt
-        if (!base64_decode($message['adata'][0][1], true)) {
+        if (!base64_decode($cipherParams[1], true)) {
             return false;
         }
         // - cipher text
@@ -68,11 +70,11 @@ class FormatV2
 
         // Make sure some fields have a reasonable size:
         // - initialization vector
-        if (strlen($message['adata'][0][0]) > 24) {
+        if (strlen($cipherParams[0]) > 24) {
             return false;
         }
         // - salt
-        if (strlen($message['adata'][0][1]) > 14) {
+        if (strlen($cipherParams[1]) > 14) {
             return false;
         }
 
@@ -82,27 +84,27 @@ class FormatV2
             return false;
         }
         // - iterations, refuse less then 10000 iterations (minimum NIST recommendation)
-        if (!is_int($message['adata'][0][2]) || $message['adata'][0][2] <= 10000) {
+        if (!is_int($cipherParams[2]) || $cipherParams[2] <= 10000) {
             return false;
         }
         // - key size
-        if (!in_array($message['adata'][0][3], array(128, 192, 256), true)) {
+        if (!in_array($cipherParams[3], array(128, 192, 256), true)) {
             return false;
         }
         // - tag size
-        if (!in_array($message['adata'][0][4], array(64, 96, 128), true)) {
+        if (!in_array($cipherParams[4], array(64, 96, 128), true)) {
             return false;
         }
         // - algorithm, must be AES
-        if ($message['adata'][0][5] !== 'aes') {
+        if ($cipherParams[5] !== 'aes') {
             return false;
         }
         // - mode
-        if (!in_array($message['adata'][0][6], array('ctr', 'cbc', 'gcm'), true)) {
+        if (!in_array($cipherParams[6], array('ctr', 'cbc', 'gcm'), true)) {
             return false;
         }
         // - compression
-        if (!in_array($message['adata'][0][7], array('zlib', 'none'), true)) {
+        if (!in_array($cipherParams[7], array('zlib', 'none'), true)) {
             return false;
         }
 
diff --git a/lib/Model/Paste.php b/lib/Model/Paste.php
index 11640816..cb572fcf 100644
--- a/lib/Model/Paste.php
+++ b/lib/Model/Paste.php
@@ -45,6 +45,7 @@ class Paste extends AbstractModel
             }
             // We kindly provide the remaining time before expiration (in seconds)
             $data['meta']['time_to_live'] = $data['meta']['expire_date'] - time();
+            unset($data['meta']['expire_date']);
         }
 
         // check if non-expired burn after reading paste needs to be deleted
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index c3063e23..286af010 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -71,7 +71,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-YCn+cUn5IWzAnD+URrUMfDVZ9SjPtPw//qVIYf7ZIMxmh+oODCN/NbZq30K/8ldA1Al0udP5RQg4PyE6j6wdBQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-h1C1N6TZ+iqfDWbftNalmtkkjmOfeFM7UB5ozNkH7zvaE4LkyCxhpvMGLObFycpCdA0W7VF8nVoLhRkRTmrQmg==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tpl/page.php b/tpl/page.php
index f7acd637..a79ac369 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -49,7 +49,7 @@ if ($MARKDOWN):
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-1.0.7.js" integrity="sha512-VnKJHLosO8z2ojNvWk9BEKYqnhZyWK9rM90FgZUUEp/PRnUqR5OLLKE0a3BkVmn7YgB7LXRrjHgFHQYKd6DAIA==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-YCn+cUn5IWzAnD+URrUMfDVZ9SjPtPw//qVIYf7ZIMxmh+oODCN/NbZq30K/8ldA1Al0udP5RQg4PyE6j6wdBQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-h1C1N6TZ+iqfDWbftNalmtkkjmOfeFM7UB5ozNkH7zvaE4LkyCxhpvMGLObFycpCdA0W7VF8nVoLhRkRTmrQmg==" crossorigin="anonymous"></script>
 		<!--[if lt IE 10]>
 		<style type="text/css">body {padding-left:60px;padding-right:60px;} #ienotice {display:block;} #oldienotice {display:block;}</style>
 		<![endif]-->
diff --git a/tst/Bootstrap.php b/tst/Bootstrap.php
index 31b31ed6..b5393510 100644
--- a/tst/Bootstrap.php
+++ b/tst/Bootstrap.php
@@ -192,6 +192,7 @@ class Helper
     {
         $example         = $version === 1 ? self::$commentV1 : self::$pasteV2;
         if ($version === 2) {
+            $example['adata']           = $example['adata'][0];
             $example['pasteid']         = $example['parentid']         = self::getPasteId();
             $example['meta']['created'] = self::$commentV1['meta']['postdate'];
             $example['meta']['icon']    = self::$commentV1['meta']['vizhash'];
diff --git a/tst/ControllerTest.php b/tst/ControllerTest.php
index 540a7d7f..9463a130 100644
--- a/tst/ControllerTest.php
+++ b/tst/ControllerTest.php
@@ -8,7 +8,7 @@ use PrivateBin\Request;
 
 class ControllerTest extends PHPUnit_Framework_TestCase
 {
-    protected $_model;
+    protected $_data;
 
     protected $_path;
 
@@ -16,7 +16,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     {
         /* Setup Routine */
         $this->_path  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'privatebin_data';
-        $this->_model = Filesystem::getInstance(array('dir' => $this->_path));
+        $this->_data = Filesystem::getInstance(array('dir' => $this->_path));
         $this->reset();
     }
 
@@ -33,8 +33,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $_POST   = array();
         $_GET    = array();
         $_SERVER = array();
-        if ($this->_model->exists(Helper::getPasteId())) {
-            $this->_model->delete(Helper::getPasteId());
+        if ($this->_data->exists(Helper::getPasteId())) {
+            $this->_data->delete(Helper::getPasteId());
         }
         $options                         = parse_ini_file(CONF_SAMPLE, true);
         $options['purge']['dir']         = $this->_path;
@@ -180,8 +180,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(0, $response['status'], 'outputs status');
-        $this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
-        $paste = $this->_model->read($response['id']);
+        $this->assertTrue($this->_data->exists($response['id']), 'paste exists after posting data');
+        $paste = $this->_data->read($response['id']);
         $this->assertEquals(
             hash_hmac('sha256', $response['id'], $paste['meta']['salt']),
             $response['deletetoken'],
@@ -211,8 +211,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(0, $response['status'], 'outputs status');
-        $this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
-        $paste = $this->_model->read($response['id']);
+        $this->assertTrue($this->_data->exists($response['id']), 'paste exists after posting data');
+        $paste = $this->_data->read($response['id']);
         $this->assertEquals(
             hash_hmac('sha256', $response['id'], $paste['meta']['salt']),
             $response['deletetoken'],
@@ -242,7 +242,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste exists after posting data');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste exists after posting data');
     }
 
     /**
@@ -267,8 +267,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(0, $response['status'], 'outputs status');
-        $this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
-        $paste = $this->_model->read($response['id']);
+        $this->assertTrue($this->_data->exists($response['id']), 'paste exists after posting data');
+        $paste = $this->_data->read($response['id']);
         $this->assertEquals(
             hash_hmac('sha256', $response['id'], $paste['meta']['salt']),
             $response['deletetoken'],
@@ -284,7 +284,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $options                     = parse_ini_file(CONF, true);
         $options['traffic']['limit'] = 0;
         Helper::createIniFile(CONF, $options);
-        $this->_model->create(Helper::getPasteId(), Helper::getPaste());
+        $this->_data->create(Helper::getPasteId(), Helper::getPaste());
         $paste = Helper::getPasteJson();
         $file  = tempnam(sys_get_temp_dir(), 'FOO');
         file_put_contents($file, $paste);
@@ -298,7 +298,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists after posting data');
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists after posting data');
     }
 
     /**
@@ -323,8 +323,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(0, $response['status'], 'outputs status');
-        $this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
-        $paste = $this->_model->read($response['id']);
+        $this->assertTrue($this->_data->exists($response['id']), 'paste exists after posting data');
+        $paste = $this->_data->read($response['id']);
         $this->assertEquals(
             hash_hmac('sha256', $response['id'], $paste['meta']['salt']),
             $response['deletetoken'],
@@ -355,8 +355,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(0, $response['status'], 'outputs status');
-        $this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
-        $paste = $this->_model->read($response['id']);
+        $this->assertTrue($this->_data->exists($response['id']), 'paste exists after posting data');
+        $paste = $this->_data->read($response['id']);
         $this->assertEquals(
             hash_hmac('sha256', $response['id'], $paste['meta']['salt']),
             $response['deletetoken'],
@@ -387,8 +387,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(0, $response['status'], 'outputs status');
-        $this->assertTrue($this->_model->exists($response['id']), 'paste exists after posting data');
-        $paste = $this->_model->read($response['id']);
+        $this->assertTrue($this->_data->exists($response['id']), 'paste exists after posting data');
+        $paste = $this->_data->read($response['id']);
         $this->assertEquals(
             hash_hmac('sha256', $response['id'], $paste['meta']['salt']),
             $response['deletetoken'],
@@ -418,7 +418,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste exists after posting data');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste exists after posting data');
     }
 
     /**
@@ -443,7 +443,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste exists after posting data');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste exists after posting data');
     }
 
     /**
@@ -463,9 +463,9 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         $_SERVER['REQUEST_METHOD']        = 'POST';
         $_SERVER['REMOTE_ADDR']           = '::1';
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste does not exists before posting data');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste does not exists before posting data');
         new Controller;
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste exists after posting data');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste exists after posting data');
     }
 
     /**
@@ -483,14 +483,14 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_start();
         new Controller;
         ob_end_clean();
-        $this->_model->delete(Helper::getPasteId());
+        $this->_data->delete(Helper::getPasteId());
         ob_start();
         new Controller;
         $content = ob_get_contents();
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste exists after posting data');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste exists after posting data');
     }
 
     /**
@@ -508,14 +508,14 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         $_SERVER['REQUEST_METHOD']        = 'POST';
         $_SERVER['REMOTE_ADDR']           = '::1';
-        $this->_model->create(Helper::getPasteId(), Helper::getPaste());
+        $this->_data->create(Helper::getPasteId(), Helper::getPaste());
         ob_start();
         new Controller;
         $content = ob_get_contents();
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(0, $response['status'], 'outputs status');
-        $this->assertTrue($this->_model->existsComment(Helper::getPasteId(), Helper::getPasteId(), $response['id']), 'paste exists after posting data');
+        $this->assertTrue($this->_data->existsComment(Helper::getPasteId(), Helper::getPasteId(), $response['id']), 'paste exists after posting data');
     }
 
     /**
@@ -534,14 +534,14 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
         $_SERVER['REQUEST_METHOD']        = 'POST';
         $_SERVER['REMOTE_ADDR']           = '::1';
-        $this->_model->create(Helper::getPasteId(), Helper::getPaste());
+        $this->_data->create(Helper::getPasteId(), Helper::getPaste());
         ob_start();
         new Controller;
         $content = ob_get_contents();
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertFalse($this->_model->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getCommentId()), 'paste exists after posting data');
+        $this->assertFalse($this->_data->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getCommentId()), 'paste exists after posting data');
     }
 
     /**
@@ -561,14 +561,14 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $_SERVER['REMOTE_ADDR']           = '::1';
         $paste                            = Helper::getPaste();
         $paste['adata'][2]                = 0;
-        $this->_model->create(Helper::getPasteId(), $paste);
+        $this->_data->create(Helper::getPasteId(), $paste);
         ob_start();
         new Controller;
         $content = ob_get_contents();
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertFalse($this->_model->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getCommentId()), 'paste exists after posting data');
+        $this->assertFalse($this->_data->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getCommentId()), 'paste exists after posting data');
     }
 
     /**
@@ -592,7 +592,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertFalse($this->_model->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getCommentId()), 'paste exists after posting data');
+        $this->assertFalse($this->_data->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getCommentId()), 'paste exists after posting data');
     }
 
     /**
@@ -603,9 +603,9 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $options                     = parse_ini_file(CONF, true);
         $options['traffic']['limit'] = 0;
         Helper::createIniFile(CONF, $options);
-        $this->_model->create(Helper::getPasteId(), Helper::getPaste());
-        $this->_model->createComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getPasteId(), Helper::getComment());
-        $this->assertTrue($this->_model->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getPasteId()), 'comment exists before posting data');
+        $this->_data->create(Helper::getPasteId(), Helper::getPaste());
+        $this->_data->createComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getPasteId(), Helper::getComment());
+        $this->assertTrue($this->_data->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getPasteId()), 'comment exists before posting data');
         $comment = Helper::getCommentJson();
         $file  = tempnam(sys_get_temp_dir(), 'FOO');
         file_put_contents($file, $comment);
@@ -619,7 +619,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs error status');
-        $this->assertTrue($this->_model->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getPasteId()), 'paste exists after posting data');
+        $this->assertTrue($this->_data->existsComment(Helper::getPasteId(), Helper::getPasteId(), Helper::getPasteId()), 'paste exists after posting data');
     }
 
     /**
@@ -662,7 +662,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     public function testReadExpired()
     {
         $expiredPaste = Helper::getPaste(2, array('expire_date' => 1344803344));
-        $this->_model->create(Helper::getPasteId(), $expiredPaste);
+        $this->_data->create(Helper::getPasteId(), $expiredPaste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
         $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
@@ -682,7 +682,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     {
         $paste             = Helper::getPaste();
         $paste['adata'][3] = 1;
-        $this->_model->create(Helper::getPasteId(), $paste);
+        $this->_data->create(Helper::getPasteId(), $paste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
         $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
@@ -702,7 +702,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         $this->assertEquals(0, $response['comment_count'], 'outputs comment_count correctly');
         $this->assertEquals(0, $response['comment_offset'], 'outputs comment_offset correctly');
         // by default it will be deleted instantly after it is read
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste exists after reading');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste exists after reading');
     }
 
     /**
@@ -711,7 +711,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     public function testReadJson()
     {
         $paste = Helper::getPaste();
-        $this->_model->create(Helper::getPasteId(), $paste);
+        $this->_data->create(Helper::getPasteId(), $paste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
         $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
@@ -743,7 +743,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
             'postdate'       => $paste['meta']['postdate'],
             'opendiscussion' => $paste['meta']['opendiscussion'],
         );
-        $this->_model->create(Helper::getPasteId(), $paste);
+        $this->_data->create(Helper::getPasteId(), $paste);
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
         $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
@@ -770,8 +770,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     {
         $burnPaste             = Helper::getPaste();
         $burnPaste['adata'][3] = 1;
-        $this->_model->create(Helper::getPasteId(), $burnPaste);
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
+        $this->_data->create(Helper::getPasteId(), $burnPaste);
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists before deleting data');
         $_SERVER['QUERY_STRING']          = Helper::getPasteId();
         $_GET[Helper::getPasteId()]       = '';
         $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
@@ -781,7 +781,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(0, $response['status'], 'outputs status');
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste successfully deleted');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste successfully deleted');
     }
 
     /**
@@ -789,9 +789,9 @@ class ControllerTest extends PHPUnit_Framework_TestCase
      */
     public function testDelete()
     {
-        $this->_model->create(Helper::getPasteId(), Helper::getPaste());
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
-        $paste               = $this->_model->read(Helper::getPasteId());
+        $this->_data->create(Helper::getPasteId(), Helper::getPaste());
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists before deleting data');
+        $paste               = $this->_data->read(Helper::getPasteId());
         $_GET['pasteid']     = Helper::getPasteId();
         $_GET['deletetoken'] = hash_hmac('sha256', Helper::getPasteId(), $paste['meta']['salt']);
         ob_start();
@@ -803,7 +803,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
             $content,
             'outputs deleted status correctly'
         );
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste successfully deleted');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste successfully deleted');
     }
 
     /**
@@ -811,7 +811,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
      */
     public function testDeleteInvalidId()
     {
-        $this->_model->create(Helper::getPasteId(), Helper::getPaste());
+        $this->_data->create(Helper::getPasteId(), Helper::getPaste());
         $_GET['pasteid']     = 'foo';
         $_GET['deletetoken'] = 'bar';
         ob_start();
@@ -823,7 +823,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
             $content,
             'outputs delete error correctly'
         );
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists after failing to delete data');
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists after failing to delete data');
     }
 
     /**
@@ -849,7 +849,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
      */
     public function testDeleteInvalidToken()
     {
-        $this->_model->create(Helper::getPasteId(), Helper::getPaste());
+        $this->_data->create(Helper::getPasteId(), Helper::getPaste());
         $_GET['pasteid']     = Helper::getPasteId();
         $_GET['deletetoken'] = 'bar';
         ob_start();
@@ -861,7 +861,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
             $content,
             'outputs delete error correctly'
         );
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists after failing to delete data');
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists after failing to delete data');
     }
 
     /**
@@ -869,8 +869,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
      */
     public function testDeleteInvalidBurnAfterReading()
     {
-        $this->_model->create(Helper::getPasteId(), Helper::getPaste());
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
+        $this->_data->create(Helper::getPasteId(), Helper::getPaste());
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists before deleting data');
         $file  = tempnam(sys_get_temp_dir(), 'FOO');
         file_put_contents($file, json_encode(array(
             'deletetoken' => 'burnafterreading',
@@ -886,7 +886,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
         ob_end_clean();
         $response = json_decode($content, true);
         $this->assertEquals(1, $response['status'], 'outputs status');
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists after failing to delete data');
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists after failing to delete data');
     }
 
     /**
@@ -895,9 +895,9 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     public function testDeleteExpired()
     {
         $expiredPaste = Helper::getPaste(2, array('expire_date' => 1000));
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste does not exist before being created');
-        $this->_model->create(Helper::getPasteId(), $expiredPaste);
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste does not exist before being created');
+        $this->_data->create(Helper::getPasteId(), $expiredPaste);
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists before deleting data');
         $_GET['pasteid']     = Helper::getPasteId();
         $_GET['deletetoken'] = 'does not matter in this context, but has to be set';
         ob_start();
@@ -909,7 +909,7 @@ class ControllerTest extends PHPUnit_Framework_TestCase
             $content,
             'outputs error correctly'
         );
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste successfully deleted');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste successfully deleted');
     }
 
     /**
@@ -919,8 +919,8 @@ class ControllerTest extends PHPUnit_Framework_TestCase
     {
         $paste = Helper::getPaste();
         unset($paste['meta']['salt']);
-        $this->_model->create(Helper::getPasteId(), $paste);
-        $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
+        $this->_data->create(Helper::getPasteId(), $paste);
+        $this->assertTrue($this->_data->exists(Helper::getPasteId()), 'paste exists before deleting data');
         $_GET['pasteid']     = Helper::getPasteId();
         $_GET['deletetoken'] = hash_hmac('sha256', Helper::getPasteId(), ServerSalt::get());
         ob_start();
@@ -932,6 +932,6 @@ class ControllerTest extends PHPUnit_Framework_TestCase
             $content,
             'outputs deleted status correctly'
         );
-        $this->assertFalse($this->_model->exists(Helper::getPasteId()), 'paste successfully deleted');
+        $this->assertFalse($this->_data->exists(Helper::getPasteId()), 'paste successfully deleted');
     }
 }
diff --git a/tst/ControllerWithDbTest.php b/tst/ControllerWithDbTest.php
index e3c67054..90dee920 100644
--- a/tst/ControllerWithDbTest.php
+++ b/tst/ControllerWithDbTest.php
@@ -23,7 +23,7 @@ class ControllerWithDbTest extends ControllerTest
             mkdir($this->_path);
         }
         $this->_options['dsn'] = 'sqlite:' . $this->_path . DIRECTORY_SEPARATOR . 'tst.sq3';
-        $this->_model          = Database::getInstance($this->_options);
+        $this->_data           = Database::getInstance($this->_options);
         $this->reset();
     }