StarMirror
/
PrivateBin
mirror of https://github.com/PrivateBin/PrivateBin
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

ZeroBin 0.17 

* added deletion link.
* small refactoring.
* improved regex checks.
* larger server alt on installation.
pull/17/head
Sebastien SAUVAGE 2013-11-01 01:15:14 +01:00 committed by Simon Rupf
parent 6c7de8aca8
commit 5b253cf77c
11 changed files with 217 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cfg/conf.ini
View File

@ -5,7 +5,7 @@
; @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
; @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
; @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
; @version 0.15
; @version 0.17
[main]
; enable or disable discussions

12
css/zerobin.css
View File

@ -1,6 +1,5 @@
/* ZeroBin 0.15 - http://sebsauvage.net/wiki/doku.php?id=php:zerobin */
/* ZeroBin 0.17 - http://sebsauvage.net/wiki/doku.php?id=php:zerobin */
/* Hé, t'as vu Idleman, j'ai fait un effort sur les CSS ! ;-) */
/* CSS Reset from YUI 3.4.1 (build 4118) - Copyright 2011 Yahoo! Inc. All rights reserved.
Licensed under the BSD License. - http://yuilibrary.com/license/ */
@ -100,8 +99,7 @@ h3 {
padding: 5px 10px;
}
#pastelink {
#pasteresult {
background-color: #1F2833;
color: #fff;
padding: 4px 12px;
@ -111,9 +109,11 @@ h3 {
box-shadow: inset 0 2px 2px #000;
}
#pastelink a { color: #fff; }
#pasteresult a { color: #fff; }
#pastelink button { margin-left: 11px }
#pasteresult button { margin-left: 11px }
#deletelink { float: right; }
#toolbar, #status { margin-bottom: 5px; }

2
index.php
View File

@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
* @version 0.15
* @version 0.17
*/
// change this, if your php files and data is outside of your webservers document root

21
js/zerobin.js
View File

@ -6,7 +6,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
* @version 0.15
* @version 0.17
*/
// Immediately start random number generator collector.
@ -328,8 +328,13 @@ function send_data() {
if (data.status == 0) {
stateExistingPaste();
var url = scriptLocation() + "?" + data.id + '#' + randomkey;
var deleteUrl = scriptLocation() + "?pasteid=" + data.id + '&deletetoken=' + data.deletetoken;
showStatus('');
$('div#pastelink').html('Your paste is <a href="' + url + '">' + url + '</a>').removeClass('hidden');
$('div#pastelink').html('Your paste is <a href="' + url + '">' + url + '</a>');
$('div#deletelink').html('<a href="' + deleteUrl + '">Delete link</a>');
$('div#pasteresult').show();
setElementText($('div#cleartext'), $('textarea#message').val());
setElementText($('pre#prettyprint'), $('textarea#message').val());
urls2links($('div#cleartext'));
@ -357,7 +362,7 @@ function stateNewPaste() {
$('input#password').addClass('hidden'); //$('#password').removeClass('hidden');
$('div#opendisc').removeClass('hidden');
$('button#newbutton').removeClass('hidden');
$('div#pastelink').addClass('hidden');
$('div#pasteresult').addClass('hidden');
$('textarea#message').text('');
$('textarea#message').removeClass('hidden');
$('div#cleartext').addClass('hidden');
@ -385,7 +390,7 @@ function stateExistingPaste() {
$('input#password').addClass('hidden');
$('div#opendisc').addClass('hidden');
$('button#newbutton').removeClass('hidden');
$('div#pastelink').addClass('hidden');
$('div#pasteresult').addClass('hidden');
$('textarea#message').addClass('hidden');
$('div#cleartext').addClass('hidden');
$('div#prettymessage').removeClass('hidden');
@ -505,6 +510,14 @@ $(function() {
}
});
// Display status returned by php code if any (eg. Paste was properly deleted.)
if ($('div#status').text().length > 0) {
showStatus($('div#status').text(),false);
return;
}
$('div#status').html(' '); // Keep line height even if content empty.
// Display an existing paste
if ($('div#cipherdata').text().length > 1) {
// Missing decryption key in URL ?

71
lib/serversalt.php Normal file
View File

@ -0,0 +1,71 @@
<?php
/**
* ZeroBin
*
* a zero-knowledge paste bin
*
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
* @version 0.17
*/
/**
* serversalt
*
* This is a random string which is unique to each ZeroBin installation.
* It is automatically created if not present.
*
* Salt is used:
* - to generate unique VizHash in discussions (which are not reproductible across ZeroBin servers)
* - to generate unique deletion token (which are not re-usable across ZeroBin servers)
*/
class serversalt extends persistence
{
/**
* @access private
* @static
* @var string
*/
private static $_salt = '';
/**
* generate a large random hexadecimal salt
*
* @access public
* @static
* @return string
*/
public static function generate()
{
$randomSalt = '';
for($i=0; $i<16; ++$i) {
$randomSalt .= base_convert(mt_rand(), 10, 16);
}
self::$_salt = $randomSalt;
return self::$_salt;
}
/**
* get server salt
*
* @access public
* @static
* @return string
*/
public static function get()
{
if (strlen(self::$_salt)) return self::$_salt;
$file = 'salt.php';
if (!self::_exists($file)) {
self::_store(
$file,
'<?php /* |'. self::generate() . '| */ ?>'
);
}
$items = explode('|', file_get_contents(self::getPath($file)));
self::$_salt = $items[1];
return $items[1];
}
}

49
lib/trafficlimiter.php
View File

@ -7,15 +7,15 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
* @version 0.15
* @version 0.17
*/
/**
* traffic_limiter
* trafficlimiter
*
* Handles traffic limiting, so no user does more than one call per 10 seconds.
*/
class trafficlimiter
class trafficlimiter extends persistence
{
/**
* @access private
@ -24,13 +24,6 @@ class trafficlimiter
*/
private static $_limit = 10;
/**
* @access private
* @static
* @var string
*/
private static $_path = 'data';
/**
* set the time limit in seconds
*
@ -44,19 +37,6 @@ class trafficlimiter
self::$_limit = $limit;
}
/**
* set the path
*
* @access public
* @static
* @param string $path
* @return void
*/
public static function setPath($path)
{
self::$_path = $path;
}
/**
* traffic limiter
*
@ -72,29 +52,18 @@ class trafficlimiter
// disable limits if set to less then 1
if (self::$_limit < 1) return true;
// Create storage directory if it does not exist.
if (!is_dir(self::$_path)) mkdir(self::$_path, 0705);
// Create .htaccess file if it does not exist.
if (!is_file(self::$_path . '/.htaccess'))
$file = 'traffic_limiter.php';
if (!self::_exists($file))
{
file_put_contents(
self::$_path . '/.htaccess',
'Allow from none' . PHP_EOL .
'Deny from all'. PHP_EOL
);
}
$file = self::$_path . '/traffic_limiter.php';
if (!is_file($file))
{
file_put_contents(
self::_store(
$file,
'<?php' . PHP_EOL .
'$GLOBALS[\'traffic_limiter\'] = array();' . PHP_EOL
);
chmod($file, 0705);
}
require $file;
$path = self::getPath($file);
require $path;
$now = time();
$tl = $GLOBALS['traffic_limiter'];
@ -114,7 +83,7 @@ class trafficlimiter
$tl[$ip] = time();
$result = true;
}
file_put_contents(
self::_store(
$file,
'<?php' . PHP_EOL .
'$GLOBALS[\'traffic_limiter\'] = ' .

45
lib/vizhash16x16.php
View File

@ -1,16 +1,27 @@
<?php
// VizHash_GD 0.0.4 beta ZeroBin 0.15
// Visual Hash implementation in php4+GD, stripped down and modified version for ZeroBin
// See: http://sebsauvage.net/wiki/doku.php?id=php:vizhash_gd
// This is free software under the zlib/libpng licence
// http://www.opensource.org/licenses/zlib-license.php
/* Example:
$vz = new vizhash16x16();
$data = $vz->generate('hello');
header('Content-type: image/png');
echo $data;
exit;
*/
/**
* VizHash_GD
*
* Visual Hash implementation in php4+GD,
* stripped down and modified version for ZeroBin
*
* @link http://sebsauvage.net/wiki/doku.php?id=php:vizhash_gd
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
* @version 0.0.4 beta ZeroBin 0.17
*/
/**
* vizhash16x16
*
* Example:
* $vz = new vizhash16x16();
* $data = $vz->generate('hello');
* header('Content-type: image/png');
* echo $data;
* exit;
*/
class vizhash16x16
{
private $VALUES;
@ -22,15 +33,7 @@ class vizhash16x16
{
$this->width=16;
$this->height=16;
// Read salt from file (and create it if does not exist).
// The salt will make vizhash avatar unique on each ZeroBin installation
// to prevent IP checking.
$saltfile = PATH . 'data/salt.php';
if (!is_file($saltfile))
file_put_contents($saltfile,'<?php /* |'.$this->randomSalt().'| */ ?>');
$items=explode('|',file_get_contents($saltfile));
$this->salt = $items[1];
$this->salt = serversalt::get();
}
// Generate a 16x16 png corresponding to $text.

95
lib/zerobin.php
View File

@ -7,7 +7,7 @@
* @link http://sebsauvage.net/wiki/doku.php?id=php:zerobin
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
* @version 0.15
* @version 0.17
*/
/**
@ -20,7 +20,7 @@ class zerobin
/*
* @const string version
*/
const VERSION = 'Alpha 0.15';
const VERSION = 'Alpha 0.17';
/**
* @access private
@ -42,6 +42,12 @@ class zerobin
*/
private $_error = '';
/**
* @access private
* @var string
*/
private $_status = '';
/**
* @access private
* @var zerobin_data
@ -60,7 +66,7 @@ class zerobin
if (version_compare(PHP_VERSION, '5.2.6') < 0)
die('ZeroBin requires php 5.2.6 or above to work. Sorry.');
// In case stupid admin has left magic_quotes enabled in php.ini.
// in case stupid admin has left magic_quotes enabled in php.ini
if (get_magic_quotes_gpc())
{
$_POST = array_map('filter::stripslashes_deep', $_POST);
@ -68,21 +74,26 @@ class zerobin
$_COOKIE = array_map('filter::stripslashes_deep', $_COOKIE);
}
// Load config from ini file.
// load config from ini file
$this->_init();
// Create new paste or comment.
// create new paste or comment
if (!empty($_POST['data']))
{
$this->_create();
$this->_create($_POST['data']);
}
// Display an existing paste.
// delete an existing paste
elseif (!empty($_GET['deletetoken']) && !empty($_GET['pasteid']))
{
$this->_delete($_GET['pasteid'], $_GET['deletetoken']);
}
// display an existing paste
elseif (!empty($_SERVER['QUERY_STRING']))
{
$this->_read();
$this->_read($_SERVER['QUERY_STRING']);
}
// Display ZeroBin frontend
// display ZeroBin frontend
$this->_view();
}
@ -126,7 +137,7 @@ class zerobin
}
/**
* Store new paste or comment.
* Store new paste or comment
*
* POST contains:
* data (mandatory) = json encoded SJCL encrypted text (containing keys: iv,salt,ct)
@ -139,9 +150,10 @@ class zerobin
* pasteid (optional) = in discussion, which paste this comment belongs to.
*
* @access private
* @param string $data
* @return void
*/
private function _create()
private function _create($data)
{
header('Content-type: application/json');
$error = false;
@ -159,7 +171,6 @@ class zerobin
);
// Make sure content is not too big.
$data = $_POST['data'];
if (
strlen($data) > $this->_conf['main']['sizelimit']
) $this->_return_message(
@ -252,8 +263,8 @@ class zerobin
$pasteid = $_POST['pasteid'];
$parentid = $_POST['parentid'];
if (
!preg_match('/[a-f\d]{16}/', $pasteid) ||
!preg_match('/[a-f\d]{16}/', $parentid)
!preg_match('/\A[a-f\d]{16}\z/', $pasteid) ||
!preg_match('/\A[a-f\d]{16}\z/', $parentid)
) $this->_return_message(1, 'Invalid data.');
// Comments do not expire (it's the paste that expires)
@ -297,23 +308,60 @@ class zerobin
$this->_model()->create($dataid, $storage) === false
) $this->_return_message(1, 'Error saving paste. Sorry.');
// Generate the "delete" token.
// The token is the hmac of the pasteid signed with the server salt.
// The paste can be delete by calling http://myserver.com/zerobin/?pasteid=<pasteid>&deletetoken=<deletetoken>
$deletetoken = hash_hmac('sha1', $dataid , serversalt::get());
// 0 = no error
$this->_return_message(0, $dataid);
$this->_return_message(0, $dataid, array('deletetoken' => $deletetoken));
}
$this->_return_message(1, 'Server error.');
}
/**
* Delete an existing paste
*
* @access private
* @param string $dataid
* @param string $deletetoken
* @return void
*/
private function _delete($dataid, $deletetoken)
{
// Is this a valid paste identifier?
if (preg_match('\A[a-f\d]{16}\z', $dataid))
{
// Check that paste exists.
if (!$this->_model()->exists($dataid))
{
$this->_error = 'Paste does not exist, has expired or has been deleted.';
return;
}
}
// Make sure token is valid.
if ($deletetoken != hash_hmac('sha1', $dataid , serversalt::get()))
{
$this->_error = 'Wrong deletion token. Paste was not deleted.';
return;
}
// Paste exists and deletion token is valid: Delete the paste.
$this->_model()->delete($dataid);
$this->_status = 'Paste was properly deleted.';
}
/**
* Read an existing paste or comment.
* Read an existing paste or comment
*
* @access private
* @param string $dataid
* @return void
*/
private function _read()
private function _read($dataid)
{
$dataid = $_SERVER['QUERY_STRING'];
// Is this a valid paste identifier?
if (preg_match('\A[a-f\d]{16}\z', $dataid))
{
@ -331,7 +379,7 @@ class zerobin
{
// Delete the paste
$this->_model()->delete($dataid);
$this->_error = 'Paste does not exist or has expired.';
$this->_error = 'Paste does not exist, has expired or has been deleted.';
}
// If no error, return the paste.
else
@ -398,7 +446,8 @@ class zerobin
$page = new RainTPL;
// we escape it here because ENT_NOQUOTES can't be used in RainTPL templates
$page->assign('CIPHERDATA', htmlspecialchars($this->_data, ENT_NOQUOTES));
$page->assign('ERRORMESSAGE', $this->_error);
$page->assign('ERROR', $this->_error);
$page->assign('STATUS', $this->_status);
$page->assign('VERSION', self::VERSION);
$page->assign('BURNAFTERREADINGSELECTED', $this->_conf['main']['burnafterreadingselected']);
$page->assign('OPENDISCUSSION', $this->_conf['main']['opendiscussion']);
@ -414,9 +463,10 @@ class zerobin
* @access private
* @param bool $status
* @param string $message
* @param array $other
* @return void
*/
private function _return_message($status, $message)
private function _return_message($status, $message, $other = array())
{
$result = array('status' => $status);
if ($status)
@ -427,6 +477,7 @@ class zerobin
{
$result['id'] = $message;
}
$result += $other;
exit(json_encode($result));
}
}

15
tpl/page.html
View File

@ -43,14 +43,14 @@
</header>
<section>
<article>
<div id="status"> </div>
<div id="errormessage" class="hidden">{$ERRORMESSAGE|htmlspecialchars}</div>
<div id="status">{$STATUS|htmlspecialchars}</div>
<div id="errormessage" class="hidden">{$ERROR|htmlspecialchars}</div>
<div id="toolbar">
<button id="newbutton" onclick="window.location.href=scriptLocation();return false;" class="hidden"><img src="img/icon_new.png#" width="11" height="15" alt="" />New</button>
<button id="sendbutton" onclick="send_data();return false;" class="hidden"><img src="img/icon_send.png#" width="18" height="15" alt="" />Send</button>
<button id="clonebutton" onclick="clonePaste();return false;" class="hidden"><img src="img/icon_clone.png#" width="15" height="17" alt="" />Clone</button>
<div id="expiration" class="hidden">Expire:
<select id="pasteExpiration" name="pasteExpiration">
<div id="expiration" class="hidden">Expire:
<select id="pasteExpiration" name="pasteExpiration">
<option value="burn"{if="$BURNAFTERREADINGSELECTED"} selected="selected"{/if}>Burn after reading</option>{loop="EXPIRE"}
<option value="{$key}"{if="!$BURNAFTERREADINGSELECTED && $key == $EXPIREDEFAULT"} selected="selected"{/if}>{$value}</option>{/loop}
</select>
@ -70,7 +70,10 @@
<label for="opendiscussion">Open discussion</label>
</div>
</div>
<div id="pastelink" class="hidden"></div>
<div id="pasteresult" style="display:none;">
<div id="deletelink"></div>
<div id="pastelink"></div>
</div>
<div id="prettymessage" class="hidden">
<pre id="prettyprint" class="prettyprint linenums:1"></pre>
</div>
@ -85,5 +88,5 @@
</div>
</section>
<div id="cipherdata" class="hidden">{$CIPHERDATA}</div>
</body>
</body>
</html>

5
tst/RainTPL.php
View File

@ -5,6 +5,8 @@ class RainTPLTest extends PHPUnit_Framework_TestCase
private static $error = 'foo bar';
private static $status = '!*#@?$+';
private static $expire = array(
'5min' => '5 minutes',
'1hour' => '1 hour',
@ -26,7 +28,8 @@ class RainTPLTest extends PHPUnit_Framework_TestCase
$page = new RainTPL;
// We escape it here because ENT_NOQUOTES can't be used in RainTPL templates.
$page->assign('CIPHERDATA', htmlspecialchars(self::$data, ENT_NOQUOTES));
$page->assign('ERRORMESSAGE', self::$error);
$page->assign('ERROR', self::$error);
$page->assign('STATUS', self::$status);
$page->assign('VERSION', self::$version);
$page->assign('BURNAFTERREADINGSELECTED', false);
$page->assign('OPENDISCUSSION', false);

4
tst/trafficlimiter.php
View File

@ -6,14 +6,14 @@ class trafficlimiterTest extends PHPUnit_Framework_TestCase
public function setUp()
{
/* Setup Routine */
$this->_path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'trafficlimit' . DIRECTORY_SEPARATOR;
$this->_path = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'trafficlimit';
trafficlimiter::setPath($this->_path);
}
public function tearDown()
{
/* Tear Down Routine */
helper::rmdir($this->_path);
helper::rmdir($this->_path . DIRECTORY_SEPARATOR);
}
public function testTrafficGetsLimited()