diff --git a/LICENSE.md b/LICENSE.md index aaac281e..2e7e76f6 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -2,10 +2,10 @@ PrivateBin consists of PHP and JS code which was originally written by Sébastien Sauvage in 2012 and falls unter the Zlib/libpng license. Also included are -libraries that fall under the LGPLv3 (RainTPL), GPLv2 (SJCL, rawinflate, -rawdeflate), BSD 2-clause (SJCL), BSD 3-clause (base64.js version 2.1.9, -Showdown), MIT (base64.js version 1.7, Bootstrap) and Apache (prettify.js) -licenses. All of these license terms can be found here below: +libraries that fall under the GPLv2 (SJCL, rawinflate, rawdeflate), BSD +2-clause (SJCL), BSD 3-clause (base64.js version 2.1.9, Showdown), MIT +(base64.js version 1.7, Bootstrap), Apache (prettify.js) and CC-BY (favicon, +icon, logo) licenses. All of these license terms can be found here below: ## Zlib/libpng license for PrivateBin 
@@ -29,169 +29,6 @@ the following restrictions: 3. This notice may not be removed or altered from any source distribution. -## GNU Lesser General Public License, version 3.0, for RainTPL - -_Version 3, 29 June 2007_ -_Copyright © 2007 Free Software Foundation, Inc. - -Everyone is permitted to copy and distribute verbatim copies -of this license document, but changing it is not allowed. - - -This version of the GNU Lesser General Public License incorporates -the terms and conditions of version 3 of the GNU General Public -License, supplemented by the additional permissions listed below. - -### 0. Additional Definitions - -As used herein, “this License” refers to version 3 of the GNU Lesser -General Public License, and the “GNU GPL” refers to version 3 of the GNU -General Public License. - -“The Library” refers to a covered work governed by this License, -other than an Application or a Combined Work as defined below. - -An “Application” is any work that makes use of an interface provided -by the Library, but which is not otherwise based on the Library. -Defining a subclass of a class defined by the Library is deemed a mode -of using an interface provided by the Library. - -A “Combined Work” is a work produced by combining or linking an -Application with the Library. The particular version of the Library -with which the Combined Work was made is also called the “Linked -Version”. - -The “Minimal Corresponding Source” for a Combined Work means the -Corresponding Source for the Combined Work, excluding any source code -for portions of the Combined Work that, considered in isolation, are -based on the Application, and not on the Linked Version. - -The “Corresponding Application Code” for a Combined Work means the -object code and/or source code for the Application, including any data -and utility programs needed for reproducing the Combined Work from the -Application, but excluding the System Libraries of the Combined Work. - -### 1. 
Exception to Section 3 of the GNU GPL - -You may convey a covered work under sections 3 and 4 of this License -without being bound by section 3 of the GNU GPL. - -### 2. Conveying Modified Versions - -If you modify a copy of the Library, and, in your modifications, a -facility refers to a function or data to be supplied by an Application -that uses the facility (other than as an argument passed when the -facility is invoked), then you may convey a copy of the modified -version: - -* **a)** under this License, provided that you make a good faith effort to -ensure that, in the event an Application does not supply the -function or data, the facility still operates, and performs -whatever part of its purpose remains meaningful, or - -* **b)** under the GNU GPL, with none of the additional permissions of -this License applicable to that copy. - -### 3. Object Code Incorporating Material from Library Header Files - -The object code form of an Application may incorporate material from -a header file that is part of the Library. You may convey such object -code under terms of your choice, provided that, if the incorporated -material is not limited to numerical parameters, data structure -layouts and accessors, or small macros, inline functions and templates -(ten or fewer lines in length), you do both of the following: - -* **a)** Give prominent notice with each copy of the object code that the -Library is used in it and that the Library and its use are -covered by this License. -* **b)** Accompany the object code with a copy of the GNU GPL and this license -document. - -### 4. 
Combined Works - -You may convey a Combined Work under terms of your choice that, -taken together, effectively do not restrict modification of the -portions of the Library contained in the Combined Work and reverse -engineering for debugging such modifications, if you also do each of -the following: - -* **a)** Give prominent notice with each copy of the Combined Work that -the Library is used in it and that the Library and its use are -covered by this License. - -* **b)** Accompany the Combined Work with a copy of the GNU GPL and this license -document. - -* **c)** For a Combined Work that displays copyright notices during -execution, include the copyright notice for the Library among -these notices, as well as a reference directing the user to the -copies of the GNU GPL and this license document. - -* **d)** Do one of the following: - - **0)** Convey the Minimal Corresponding Source under the terms of this -License, and the Corresponding Application Code in a form -suitable for, and under terms that permit, the user to -recombine or relink the Application with a modified version of -the Linked Version to produce a modified Combined Work, in the -manner specified by section 6 of the GNU GPL for conveying -Corresponding Source. - - **1)** Use a suitable shared library mechanism for linking with the -Library. A suitable mechanism is one that **(a)** uses at run time -a copy of the Library already present on the user's computer -system, and **(b)** will operate properly with a modified version -of the Library that is interface-compatible with the Linked -Version. - -* **e)** Provide Installation Information, but only if you would otherwise -be required to provide such information under section 6 of the -GNU GPL, and only to the extent that such information is -necessary to install and execute a modified version of the -Combined Work produced by recombining or relinking the -Application with a modified version of the Linked Version. 
(If -you use option **4d0**, the Installation Information must accompany -the Minimal Corresponding Source and Corresponding Application -Code. If you use option **4d1**, you must provide the Installation -Information in the manner specified by section 6 of the GNU GPL -for conveying Corresponding Source.) - -### 5. Combined Libraries - -You may place library facilities that are a work based on the -Library side by side in a single library together with other library -facilities that are not Applications and are not covered by this -License, and convey such a combined library under terms of your -choice, if you do both of the following: - -* **a)** Accompany the combined library with a copy of the same work based -on the Library, uncombined with any other library facilities, -conveyed under the terms of this License. -* **b)** Give prominent notice with the combined library that part of it -is a work based on the Library, and explaining where to find the -accompanying uncombined form of the same work. - -### 6. Revised Versions of the GNU Lesser General Public License - -The Free Software Foundation may publish revised and/or new versions -of the GNU Lesser General Public License from time to time. Such new -versions will be similar in spirit to the present version, but may -differ in detail to address new problems or concerns. - -Each version is given a distinguishing version number. If the -Library as you received it specifies that a certain numbered version -of the GNU Lesser General Public License “or any later version” -applies to it, you have the option of following the terms and -conditions either of that published version or of any later version -published by the Free Software Foundation. If the Library as you -received it does not specify a version number of the GNU Lesser -General Public License, you may choose any version of the GNU Lesser -General Public License ever published by the Free Software Foundation. 
- -If the Library as you received it specifies that a proxy can decide -whether future versions of the GNU Lesser General Public License shall -apply, that proxy's public statement of acceptance of any version is -permanent authorization for you to choose that version for the -Library. - ## GNU General Public License, version 2.0, for SJCL, rawdeflate and rawinflate _Version 2, June 1991_ 
@@ -770,3 +607,281 @@ sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. + +## [Creative Commons Attribution 4.0 International Public License](https://creativecommons.org/licenses/by/4.0/) for [PrivateBin favicons, icons & logos](https://github.com/PrivateBin/assets) by [rugk](https://github.com/rugk) + +By exercising the Licensed Rights (defined below), You accept and agree to be +bound by the terms and conditions of this Creative Commons Attribution 4.0 +International Public License ("Public License"). To the extent this Public +License may be interpreted as a contract, You are granted the Licensed Rights in +consideration of Your acceptance of these terms and conditions, and the Licensor +grants You such rights in consideration of benefits the Licensor receives from +making the Licensed Material available under these terms and conditions. + +### Section 1 – Definitions. + +a. __Adapted Material__ means material subject to Copyright and Similar Rights +that is derived from or based upon the Licensed Material and in which the +Licensed Material is translated, altered, arranged, transformed, or otherwise +modified in a manner requiring permission under the Copyright and Similar Rights +held by the Licensor. For purposes of this Public License, where the Licensed +Material is a musical work, performance, or sound recording, Adapted Material is +always produced where the Licensed Material is synched in timed relation with a +moving image. + +b. __Adapter's License__ means the license You apply to Your Copyright and +Similar Rights in Your contributions to Adapted Material in accordance with the +terms and conditions of this Public License. + +c. 
__Copyright and Similar Rights__ means copyright and/or similar rights +closely related to copyright including, without limitation, performance, +broadcast, sound recording, and Sui Generis Database Rights, without regard to +how the rights are labeled or categorized. For purposes of this Public License, +the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights. + +d. __Effective Technological Measures__ means those measures that, in the +absence of proper authority, may not be circumvented under laws fulfilling +obligations under Article 11 of the WIPO Copyright Treaty adopted on December +20, 1996, and/or similar international agreements. + +e. __Exceptions and Limitations__ means fair use, fair dealing, and/or any other +exception or limitation to Copyright and Similar Rights that applies to Your use +of the Licensed Material. + +f. __Licensed Material__ means the artistic or literary work, database, or other +material to which the Licensor applied this Public License. + +g. __Licensed Rights__ means the rights granted to You subject to the terms and +conditions of this Public License, which are limited to all Copyright and +Similar Rights that apply to Your use of the Licensed Material and that the +Licensor has authority to license. + +h. __Licensor__ means the individual(s) or entity(ies) granting rights under +this Public License. + +i. __Share__ means to provide material to the public by any means or process +that requires permission under the Licensed Rights, such as reproduction, public +display, public performance, distribution, dissemination, communication, or +importation, and to make material available to the public including in ways that +members of the public may access the material from a place and at a time +individually chosen by them. + +j. 
__Sui Generis Database Rights__ means rights other than copyright resulting +from Directive 96/9/EC of the European Parliament and of the Council of 11 March +1996 on the legal protection of databases, as amended and/or succeeded, as well +as other essentially equivalent rights anywhere in the world. + +k. __You__ means the individual or entity exercising the Licensed Rights under +this Public License. Your has a corresponding meaning. + +### Section 2 – Scope. + +a. ___License grant.___ + + 1. Subject to the terms and conditions of this Public License, the Licensor + hereby grants You a worldwide, royalty-free, non-sublicensable, + non-exclusive, irrevocable license to exercise the Licensed Rights in the + Licensed Material to: + + A. reproduce and Share the Licensed Material, in whole or in part; and + + B. produce, reproduce, and Share Adapted Material. + + 2. __Exceptions and Limitations.__ For the avoidance of doubt, where + Exceptions and Limitations apply to Your use, this Public License does + not apply, and You do not need to comply with its terms and conditions. + + 3. __Term.__ The term of this Public License is specified in Section 6(a). + + 4. __Media and formats; technical modifications allowed.__ The Licensor + authorizes You to exercise the Licensed Rights in all media and formats + whether now known or hereafter created, and to make technical + modifications necessary to do so. The Licensor waives and/or agrees not + to assert any right or authority to forbid You from making technical + modifications necessary to exercise the Licensed Rights, including + technical modifications necessary to circumvent Effective Technological + Measures. For purposes of this Public License, simply making + modifications authorized by this Section 2(a)(4) never produces Adapted + Material. + + 5. __Downstream recipients.__ + + A. 
__Offer from the Licensor – Licensed Material.__ Every recipient of + the Licensed Material automatically receives an offer from the + Licensor to exercise the Licensed Rights under the terms and + conditions of this Public License. + + B. __No downstream restrictions.__ You may not offer or impose any + additional or different terms or conditions on, or apply any + Effective Technological Measures to, the Licensed Material if doing + so restricts exercise of the Licensed Rights by any recipient of the + Licensed Material. + + 6. __No endorsement.__ Nothing in this Public License constitutes or may be + construed as permission to assert or imply that You are, or that Your use + of the Licensed Material is, connected with, or sponsored, endorsed, or + granted official status by, the Licensor or others designated to receive + attribution as provided in Section 3(a)(1)(A)(i). + +b. ___Other rights.___ + + 1. Moral rights, such as the right of integrity, are not licensed under this + Public License, nor are publicity, privacy, and/or other similar + personality rights; however, to the extent possible, the Licensor waives + and/or agrees not to assert any such rights held by the Licensor to the + limited extent necessary to allow You to exercise the Licensed Rights, + but not otherwise. + + 2. Patent and trademark rights are not licensed under this Public License. + + 3. To the extent possible, the Licensor waives any right to collect + royalties from You for the exercise of the Licensed Rights, whether + directly or through a collecting society under any voluntary or waivable + statutory or compulsory licensing scheme. In all other cases the Licensor + expressly reserves any right to collect such royalties. + +### Section 3 – License Conditions. + +Your exercise of the Licensed Rights is expressly made subject to the following +conditions. + +a. ___Attribution.___ + + 1. If You Share the Licensed Material (including in modified form), You must: + + A. 
retain the following if it is supplied by the Licensor with the + Licensed Material: + + i. identification of the creator(s) of the Licensed Material and any + others designated to receive attribution, in any reasonable + manner requested by the Licensor (including by pseudonym if + designated); + + ii. a copyright notice; + + iii. a notice that refers to this Public License; + + iv. a notice that refers to the disclaimer of warranties; + + v. a URI or hyperlink to the Licensed Material to the extent + reasonably practicable; + + B. indicate if You modified the Licensed Material and retain an + indication of any previous modifications; and + + C. indicate the Licensed Material is licensed under this Public License, + and include the text of, or the URI or hyperlink to, this Public + License. + + 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable + manner based on the medium, means, and context in which You Share the + Licensed Material. For example, it may be reasonable to satisfy the + conditions by providing a URI or hyperlink to a resource that includes + the required information. + + 3. If requested by the Licensor, You must remove any of the information + required by Section 3(a)(1)(A) to the extent reasonably practicable. + + 4. If You Share Adapted Material You produce, the Adapter's License You + apply must not prevent recipients of the Adapted Material from complying + with this Public License. + +### Section 4 – Sui Generis Database Rights. + +Where the Licensed Rights include Sui Generis Database Rights that apply to Your +use of the Licensed Material: + +a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, + reuse, reproduce, and Share all or a substantial portion of the contents of + the database; + +b. 
if You include all or a substantial portion of the database contents in a + database in which You have Sui Generis Database Rights, then the database in + which You have Sui Generis Database Rights (but not its individual contents) + is Adapted Material; and + +c. You must comply with the conditions in Section 3(a) if You Share all or a + substantial portion of the contents of the database. + +For the avoidance of doubt, this Section 4 supplements and does not replace Your +obligations under this Public License where the Licensed Rights include other +Copyright and Similar Rights. + +### Section 5 – Disclaimer of Warranties and Limitation of Liability. + +a. __Unless otherwise separately undertaken by the Licensor, to the extent + possible, the Licensor offers the Licensed Material as-is and as-available, + and makes no representations or warranties of any kind concerning the + Licensed Material, whether express, implied, statutory, or other. This + includes, without limitation, warranties of title, merchantability, fitness + for a particular purpose, non-infringement, absence of latent or other + defects, accuracy, or the presence or absence of errors, whether or not known + or discoverable. Where disclaimers of warranties are not allowed in full or + in part, this disclaimer may not apply to You.__ + +b. __To the extent possible, in no event will the Licensor be liable to You on + any legal theory (including, without limitation, negligence) or otherwise for + any direct, special, indirect, incidental, consequential, punitive, + exemplary, or other losses, costs, expenses, or damages arising out of this + Public License or use of the Licensed Material, even if the Licensor has been + advised of the possibility of such losses, costs, expenses, or damages. Where + a limitation of liability is not allowed in full or in part, this limitation + may not apply to You.__ + +c. 
The disclaimer of warranties and limitation of liability provided above shall + be interpreted in a manner that, to the extent possible, most closely + approximates an absolute disclaimer and waiver of all liability. + +### Section 6 – Term and Termination. + +a. This Public License applies for the term of the Copyright and Similar Rights + licensed here. However, if You fail to comply with this Public License, then + Your rights under this Public License terminate automatically. + +b. Where Your right to use the Licensed Material has terminated under Section + 6(a), it reinstates: + + 1. automatically as of the date the violation is cured, provided it is cured + within 30 days of Your discovery of the violation; or + + 2. upon express reinstatement by the Licensor. + + For the avoidance of doubt, this Section 6(b) does not affect any right the + Licensor may have to seek remedies for Your violations of this Public + License. + +c. For the avoidance of doubt, the Licensor may also offer the Licensed Material + under separate terms or conditions or stop distributing the Licensed Material + at any time; however, doing so will not terminate this Public License. + +d. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. + +### Section 7 – Other Terms and Conditions. + +a. The Licensor shall not be bound by any additional or different terms or + conditions communicated by You unless expressly agreed. + +b. Any arrangements, understandings, or agreements regarding the Licensed + Material not stated herein are separate from and independent of the terms and + conditions of this Public License. + +### Section 8 – Interpretation. + +a. For the avoidance of doubt, this Public License does not, and shall not be + interpreted to, reduce, limit, restrict, or impose conditions on any use of + the Licensed Material that could lawfully be made without permission under + this Public License. + +b. 
To the extent possible, if any provision of this Public License is deemed + unenforceable, it shall be automatically reformed to the minimum extent + necessary to make it enforceable. If the provision cannot be reformed, it + shall be severed from this Public License without affecting the + enforceability of the remaining terms and conditions. + +c. No term or condition of this Public License will be waived and no failure to + comply consented to unless expressly agreed to by the Licensor. + +d. Nothing in this Public License constitutes or may be interpreted as a + limitation upon, or waiver of, any privileges and immunities that apply to + the Licensor or You, including from the legal processes of any jurisdiction + or authority. diff --git a/js/privatebin.js b/js/privatebin.js index abc2e47e..a56b946e 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -130,17 +130,6 @@ $(function() { } }, - /** - * Convert all applicable characters to HTML entities - * - * @param string str - * @return string encoded string - */ - htmlEntities: function(str) - { - return String(str).replace(/&/g, '&').replace(//g, '>').replace(/"/g, '"'); - }, - /** * Text range selection. * From: https://stackoverflow.com/questions/985272/jquery-selecting-text-in-an-element-akin-to-highlighting-with-your-mouse @@ -301,6 +290,34 @@ $(function() { } } return ''; + }, + + /** + * Convert all applicable characters to HTML entities. + * From: https://github.com/janl/mustache.js/blob/master/mustache.js#L60 + * + * @param string str + * @return string escaped HTML + */ + htmlEntities: function(str) { + return String(str).replace( + /[&<>"'`=\/]/g, function(s) { + return helper.entityMap[s]; + }); + }, + + /** + * character to HTML entity lookup table + */ + entityMap: { + '&': '&', + '<': '<', + '>': '>', + '"': '"', + "'": ''', + '/': '/', + '`': '`', + '=': '=' } }; 
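Review bot: The character class `/[&<>"'`=\/]/g` in `htmlEntities` and the keys of `entityMap` are two hand-maintained copies of the same list, and a key present in one but not the other yields the literal string `undefined` in the output because `helper.entityMap[s]` is returned unchecked; a comment on the table such as `// keys must stay in sync with the character class in htmlEntities` (or building the regex from `Object.keys(helper.entityMap)`) would keep them together. As rendered on this page the map values appear as the bare characters (`'&': '&'`), which would make the function a no-op; that is most likely the page decoding the entity references (the referenced mustache.js table maps `&` to `&amp;`), but it is worth confirming in the committed file. `String(str)` still turns `null` and `undefined` into the words "null"/"undefined", as the removed version did.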
@@ -635,7 +652,9 @@ $(function() {
 prettyPrint();
 }
 this.prettyPrint.html(
- prettyPrintOne(text, null, true)
+ prettyPrintOne(
+ helper.htmlEntities(text), null, true
+ )
 );
 }
 // fall through, as the rest is the same
@@ -973,7 +992,6 @@ $(function() {
 this.showStatus(i18n._('Sending paste...'), true);
 var randomkey = sjcl.codec.base64.fromBits(sjcl.random.randomWords(8, 0), 0);
- var cipherdata_attachment;
 var password = this.passwordInput.val();
 if(files && files[0]) {
diff --git a/lib/model/abstract.php b/lib/model/abstract.php
index ba75a12b..5e0435d1 100644
--- a/lib/model/abstract.php
+++ b/lib/model/abstract.php
@@ -112,7 +112,7 @@ abstract class model_abstract
 * Get instance data.
 *
 * @access public
- * @return stdObject
+ * @return stdClass
 */
 abstract public function get();
diff --git a/lib/privatebin.php b/lib/privatebin.php
index afe27f2f..eb6f9cbd 100644
--- a/lib/privatebin.php
+++ b/lib/privatebin.php
@@ -237,6 +237,12 @@ class privatebin
 )
 );
+ // Ensure attachment did not get lost due to webserver limits or Suhosin
+ if (strlen($attachmentname) > 0 && strlen($attachment) == 0)
+ {
+ return $this->_return_message(1, 'Attachment missing in data received by server. Please check your webserver or suhosin configuration for maximum POST parameter limitations.');
+ }
+
 // The user posts a comment.
 $pasteid = $this->_request->getParam('pasteid');
 $parentid = $this->_request->getParam('parentid');
diff --git a/lib/privatebin/abstract.php b/lib/privatebin/abstract.php
index 8102c12f..8a6223fc 100644
--- a/lib/privatebin/abstract.php
+++ b/lib/privatebin/abstract.php
@@ -86,7 +86,7 @@ abstract class privatebin_abstract
 * Test if a paste exists.
 *
 * @access public
- * @param string $dataid
+ * @param string $pasteid
 * @return bool
 */
 abstract public function exists($pasteid);
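Review bot: `prettyPrintOne` (code-prettify) takes its first argument as HTML, so handing it the raw paste text let markup inside a syntax-highlighted paste reach `.html()` unescaped; wrapping it in `helper.htmlEntities(text)` closes that, but the enclosing function starts and ends outside the hunk and the `// fall through, as the rest is the same` comment implies the non-highlighted branches take another path, so confirm each of them escapes before any `.html()` call too. A regression test that decrypts a paste containing `<img src=x onerror=alert(1)>` with highlighting enabled and asserts it is rendered as text would pin the fix. A one-line comment above the call, `// prettyPrintOne expects escaped HTML, never raw paste text`, would keep the next refactor from reintroducing the bug.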
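Review bot: The new guard fires only when `$attachmentname` survives and `$attachment` is emptied; when the whole request exceeds PHP's `post_max_size`, PHP discards `$_POST` entirely, both values are empty and the request falls through to the comment/paste handling below with a less helpful error. If `_request` reads from `$_POST` (outside the hunk, so unverified), treating a POST with an empty body array but a non-zero `CONTENT_LENGTH` as the same condition would catch that case, e.g. `if ($_SERVER['REQUEST_METHOD'] === 'POST' && empty($_POST) && (int) $_SERVER['CONTENT_LENGTH'] > 0)`. The reverse drop order (`$attachment` kept, `$attachmentname` lost) is not caught either, and a value that was truncated rather than removed passes silently and only fails at client-side decryption. The message is operator guidance (Suhosin, POST limits) sent to the end user; a short user-facing message plus a server-side `error_log()` line with the configuration hint would be the usual split.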
@@ -116,7 +116,7 @@ abstract class privatebin_abstract
 * Test if a comment exists.
 *
 * @access public
- * @param string $dataid
+ * @param string $pasteid
 * @param string $parentid
 * @param string $commentid
 * @return void
@@ -158,7 +158,7 @@ abstract class privatebin_abstract
 * @access public
 * @param array $comments
 * @param int|string $postdate
- * @return void
+ * @return int|string
 */
 protected function getOpenSlot(&$comments, $postdate)
 {
diff --git a/lib/privatebin/data.php b/lib/privatebin/data.php
index 354fbbe2..e1d125a9 100644
--- a/lib/privatebin/data.php
+++ b/lib/privatebin/data.php
@@ -124,7 +124,7 @@ class privatebin_data extends privatebin_abstract
 * Test if a paste exists.
 *
 * @access public
- * @param string $dataid
+ * @param string $pasteid
 * @return void
 */
 public function exists($pasteid)
@@ -197,7 +197,7 @@ class privatebin_data extends privatebin_abstract
 * Test if a comment exists.
 *
 * @access public
- * @param string $dataid
+ * @param string $pasteid
 * @param string $parentid
 * @param string $commentid
 * @return void
diff --git a/tst/privatebin.php b/tst/privatebin.php
index 50862079..78774f46 100644
--- a/tst/privatebin.php
+++ b/tst/privatebin.php
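Review bot: The `exists()` docblock in `lib/privatebin/data.php` still reads `@return void` while the abstract declaration in `lib/privatebin/abstract.php` (hunk `@@ -86,7 +86,7 @@` above) says `@return bool`; since this commit is already correcting these docblocks, change the data.php line to `* @return bool` so the implementation and its contract agree. The comment-exists docblocks carry `@return void` in both files, which looks like the same inconsistency if that method returns a boolean as well — its body is outside the hunk, so confirm before changing it.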
@@ -455,6 +455,34 @@ class privatebinTest extends PHPUnit_Framework_TestCase
 );
 }
+ /**
+ * In some webserver setups (found with Suhosin) overly long POST params are
+ * silently removed, check that this case is handled
+ *
+ * @runInSeparateProcess
+ */
+ public function testCreateBrokenAttachmentUpload()
+ {
+ $this->reset();
+ $options = parse_ini_file(CONF, true);
+ $options['traffic']['limit'] = 0;
+ $options['main']['fileupload'] = true;
+ helper::confBackup();
+ helper::createIniFile(CONF, $options);
+ $_POST = helper::getPasteWithAttachment();
+ unset($_POST['attachment']);
+ $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
+ $_SERVER['REQUEST_METHOD'] = 'POST';
+ $_SERVER['REMOTE_ADDR'] = '::1';
+ $this->assertFalse($this->_model->exists(helper::getPasteId()), 'paste does not exists before posting data');
+ ob_start();
+ new privatebin;
+ $content = ob_get_contents();
+ $response = json_decode($content, true);
+ $this->assertEquals(1, $response['status'], 'outputs error status');
+ $this->assertFalse($this->_model->exists(helper::getPasteId()), 'paste exists after posting data');
+ }
+
 /**
 * @runInSeparateProcess
 */
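Review bot: `testCreateBrokenAttachmentUpload` only asserts `$response['status']` equals 1, so any error path (rate limiting, malformed data, a pre-existing paste) satisfies it and the test does not prove the new attachment guard is what fired; add an assertion on the returned text, e.g. `$this->assertStringStartsWith('Attachment missing', $response['message']);` using whatever key `_return_message()` emits for its message. The last assertion's failure text `'paste exists after posting data'` describes the failure rather than the expectation; `'paste must not be stored after a rejected post'` reads more clearly next to the first assertion's wording. `helper::confBackup()` has no matching restore in the test body — if the fixture's tearDown restores it that is fine, otherwise the rewritten `CONF` leaks into later tests.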