Merge branch 'php8' of github.com:PrivateBin/PrivateBin into php8

.github/workflows/refresh-php8.yml

@@ -2,9 +2,9 @@ name: Refresh PHP 8 branch
 
 on:
   push:
-    branches: [ master ]    
+    branches: [ master ]
   schedule:
-      - cron: '42 2 * * *'  
+      - cron: '42 2 * * *'
   workflow_dispatch:
 
 jobs:
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout php8 branch 
+      - name: Checkout php8 branch
         uses: actions/checkout@v2
         with:
           # directly checkout the php8 branch
@@ -28,7 +28,7 @@ jobs:
           git merge origin/master
 
       - name: Push new changes
-        uses: github-actions-x/commit@v2.8
+        uses: github-actions-x/commit@v2.9
         with:
           name: github-actions[bot]
           email: 41898282+github-actions[bot]@users.noreply.github.com

.github/workflows/snyk-scan.yml

@@ -24,6 +24,6 @@ jobs:
         with:
           args: --sarif-file-output=snyk.sarif
       - name: Upload result to GitHub Code Scanning
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: snyk.sarif

CHANGELOG.md

@@ -1,18 +1,26 @@
 # PrivateBin version history
 
-  * **1.4 (not yet released)**
-    * ADDED: Translations for Estonian and Lojban
+  * **1.4.1 (not yet released)**
+    * ADDED: Translations for Turkish
+    * CHANGED: Avoid `SUPER` privilege for setting the `sql_mode` for MariaDB/MySQL (#919)
+  * **1.4 (2022-04-09)**
+    * ADDED: Translations for Corsican, Estonian, Finnish and Lojban
     * ADDED: new HTTP headers improving security (#765)
     * ADDED: Download button for paste text (#774)
     * ADDED: Opt-out of federated learning of cohorts (FLoC) (#776)
     * ADDED: Configuration option to exempt IPs from the rate-limiter (#787)
     * ADDED: Google Cloud Storage backend support (#795)
     * ADDED: Oracle database support (#868)
+    * ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
+    * ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
+    * ADDED: Sanitize SVG preview, preventing script execution in instance context
     * CHANGED: Language selection cookie only transmitted over HTTPS (#472)
-    * CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21 & Showdown 2.0.0
+    * CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21, Showdown 2.0.3 & zlib 1.2.12
     * CHANGED: Removed automatic `.ini` configuration file migration (#808)
     * CHANGED: Removed configurable `dir` for `traffic` & `purge` limiters (#419)
     * CHANGED: Server salt, traffic and purge limiter now stored in the storage backend (#419)
+    * CHANGED: Drop support for attachment download in IE
+    * FIXED: Error when attachments are disabled, but paste with attachment gets displayed
   * **1.3.5 (2021-04-05)**
     * ADDED: Translations for Hebrew, Lithuanian, Indonesian and Catalan
     * ADDED: Make the project info configurable (#681)

CREDITS.md

@@ -2,18 +2,17 @@
 
 ## Active contributors
 
-Simon Rupf - current developer and maintainer  
-rugk - security review, doc improvment, JS refactoring & various other stuff  
-R4SAS - python client, compression, blob URI to support larger attachments
+* Simon Rupf - current developer and maintainer
+* rugk - security review, doc improvment, JS refactoring & various other stuff
+* R4SAS - python client, compression, blob URI to support larger attachments
 
 ## Past contributions
 
-Sébastien Sauvage - original idea and main developer
-
+* Sébastien Sauvage - original idea and main developer
 * Alexey Gladkov - syntax highlighting
 * Greg Knaddison - robots.txt
 * MrKooky - HTML5 markup, CSS cleanup
-* Simon Rupf - WebCrypto, unit tests, containers images, database backend, MVC, configuration, i18n
+* Simon Rupf - WebCrypto, unit tests, container images, database backend, MVC, configuration, i18n
 * Hexalyse - Password protection
 * Viktor Stanchev - File upload support
 * azlux - Tab character input support
@@ -55,3 +54,6 @@ Sébastien Sauvage - original idea and main developer
 * retiolus - Catalan
 * sarnane - Estonian
 * foxsouns - Lojban
+* Patriccollu di Santa Maria è Sichè - Corsican
+* Markus Mikkonen - Finnish
+* Emir Ensar Rahmanlar - Turkish

INSTALL.md

@@ -1,39 +1,47 @@
 # Installation
 
 **TL;DR:** Download the
-[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest) (with the link labelled as „Source code (…)“)
-and extract it in your web hosts folder where you want to install your PrivateBin
-instance. We try to provide a mostly safe default configuration, but we urge you to
-check the [security section](#hardening-and-security) below and the [configuration
-options](#configuration) to adjust as you see fit.
+[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest)
+(with the link labelled as "Source code (…)") and extract it in your web hosts
+folder where you want to install your PrivateBin instance. We try to provide a
+mostly safe default configuration, but we urge you to check the
+[security section](#hardening-and-security) below and the
+[configuration options](#configuration) to adjust as you see fit.
 
-**NOTE:** See [our FAQ](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-can-i-securely-clonedownload-your-project) for information how to securely download the PrivateBin release files.
+**NOTE:** See our [FAQ entry on securely downloading release files](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-can-i-securely-clonedownload-your-project)
+for more information.
 
-**NOTE:** There is a [ansible](https://ansible.com) role by @e1mo available to install and configure PrivateBin on your server. It's available on [ansible galaxy](https://galaxy.ansible.com/e1mo/privatebin) ([source code](https://git.sr.ht/~e1mo/ansible-role-privatebin)).
+**NOTE:** There is a [ansible](https://ansible.com) role by @e1mo available to
+install and configure PrivateBin on your server. It's available on
+[ansible galaxy](https://galaxy.ansible.com/e1mo/privatebin)
+([source code](https://git.sr.ht/~e1mo/ansible-role-privatebin)).
 
-### Minimal requirements
+### Minimal Requirements
 
 - PHP version 7.0 or above
-  - Or PHP version 5.6 AND _one_ of the following sources of cryptographically safe randomness:
-    - [Libsodium](https://download.libsodium.org/libsodium/content/installation/) and it's [PHP extension](https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium)
-    - open_basedir access to `/dev/urandom`
-    - mcrypt extension (mcrypt needs to be able to access `/dev/urandom`. This means if `open_basedir` is set, it must include this file.)
+  - Or PHP version 5.6 AND _one_ of the following sources of cryptographically
+    safe randomness:
+    - [Libsodium](https://download.libsodium.org/libsodium/content/installation/)
+      and it's [PHP extension](https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium)
+    - `open_basedir` access to `/dev/urandom`
+    - mcrypt extension AND `open_basedir` access to `/dev/urandom`
     - com_dotnet extension
 - GD extension
 - zlib extension
-- some disk space or (optionally) a database supported by [PDO](https://php.net/manual/book.pdo.php)
-- ability to create files and folders in the installation directory and the PATH defined in index.php
-- A web browser with JavaScript support
+- some disk space or a database supported by [PDO](https://php.net/manual/book.pdo.php)
+- ability to create files and folders in the installation directory and the PATH
+  defined in index.php
+- A web browser with JavaScript and (optional) WebAssembly support
 
-## Hardening and security
+## Hardening and Security
 
-### Changing the path
+### Changing the Path
 
-In the index.php you can define a different `PATH`. This is useful to secure your
-installation. You can move the configuration, data files, templates and PHP
+In the index.php you can define a different `PATH`. This is useful to secure
+your installation. You can move the configuration, data files, templates and PHP
 libraries (directories cfg, doc, data, lib, tpl, tst and vendor) outside of your
-document root. This new location must still be accessible to your webserver / PHP
-process (see also
+document root. This new location must still be accessible to your webserver and
+PHP process (see also
 [open_basedir setting](https://secure.php.net/manual/en/ini.core.php#ini.open-basedir)).
 
 > #### PATH Example
@@ -42,24 +50,25 @@ process (see also
 > http://example.com/paste/
 >
 > The full path of PrivateBin on your webserver is:
-> /home/example.com/htdocs/paste
+> /srv/example.com/htdocs/paste
 >
 > When setting the path like this:
 > define('PATH', '../../secret/privatebin/');
 >
-> PrivateBin will look for your includes / data here:
-> /home/example.com/secret/privatebin
+> PrivateBin will look for your includes and data here:
+> /srv/example.com/secret/privatebin
 
 ### Changing the config path only
 
 In situations where you want to keep the PrivateBin static files separate from the
 rest of your data, or you want to reuse the installation files on multiple vhosts,
-you may only want to change the `conf.php`. In this instance, you can set the
+you may only want to change the `conf.php`. In this case, you can set the
 `CONFIG_PATH` environment variable to the absolute path to the `conf.php` file.
 This can be done in your web server's virtual host config, the PHP config, or in
-the index.php if you choose to customize it.
+the index.php, if you choose to customize it.
 
-Note that your PHP process will need read access to the config wherever it may be.
+Note that your PHP process will need read access to the configuration file,
+wherever it may be.
 
 > #### CONFIG_PATH example
 > Setting the value in an Apache Vhost:
@@ -73,23 +82,27 @@ Note that your PHP process will need read access to the config wherever it may b
 
 ### Transport security
 
-When setting up PrivateBin, also set up HTTPS, if you haven't already. Without HTTPS
-PrivateBin is not secure, as the JavaScript files could be manipulated during transmission.
-For more information on this, see our [FAQ entry on HTTPS setup](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https).
+When setting up PrivateBin, also set up HTTPS, if you haven't already. Without
+HTTPS PrivateBin is not secure, as the JavaScript or WebAssembly files could be
+manipulated during transmission. For more information on this, see our
+[FAQ entry on HTTPS setup recommendations](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https).
 
 ### File-level permissions
 
-After completing the installation, you should make sure, other users on the system cannot read the config file or the `data/` directory, as – depending on your configuration – potential secret information are saved there.
+After completing the installation, you should make sure, that other users on the
+system cannot read the config file or the `data/` directory, as – depending on
+your configuration – potentially sensitive information may be stored in there.
 
-See [this FAQ item](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin) for a detailed guide on how to "harden" the permissions of files and folders.
+See our [FAQ entry on permissions](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#what-are-the-recommended-file-and-folder-permissions-for-privatebin)
+for a detailed guide on how to "harden" access to files and folders.
 
 ## Configuration
 
 In the file `cfg/conf.php` you can configure PrivateBin. A `cfg/conf.sample.php`
-is provided containing all options and default values. You can copy it to
-`cfg/conf.php` and adapt it as needed. Alternatively you can copy it anywhere and
-set the `CONFIG_PATH` environment variable (see above notes). The config file is
-divided into multiple sections, which are enclosed in square brackets.
+is provided containing all options and their default values. You can copy it to
+`cfg/conf.php` and change it as needed. Alternatively you can copy it anywhere
+and set the `CONFIG_PATH` environment variable (see above notes). The config
+file is divided into multiple sections, which are enclosed in square brackets.
 
 In the `[main]` section you can enable or disable the discussion feature, set
 the limit of stored pastes and comments in bytes. The `[traffic]` section lets
@@ -107,28 +120,28 @@ A `robots.txt` file is provided in the root dir of PrivateBin. It disallows all
 robots from accessing your pastes. It is recommend to place it into the root of
 your web directory if you have installed PrivateBin in a subdirectory. Make sure
 to adjust it, so that the file paths match your installation. Of course also
-adjust the file if you already use a `robots.txt`.
+adjust the file, if you already use a `robots.txt`.
 
 A `.htaccess.disabled` file is provided in the root dir of PrivateBin. It blocks
 some known robots and link-scanning bots. If you use Apache, you can rename the
 file to `.htaccess` to enable this feature. If you use another webserver, you
 have to configure it manually to do the same.
 
-### When using Cloudflare
+### On using Cloudflare
 
-If you want to use PrivateBin behind Cloudflare, make sure you have disabled the Rocket
-loader and unchecked "Javascript" for Auto Minify, found in your domain settings,
-under "Speed". (More information
-[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection))
+If you want to use PrivateBin behind Cloudflare, make sure you have disabled the
+Rocket loader and unchecked "Javascript" for Auto Minify, found in your domain
+settings, under "Speed". More information can be found in our
+[FAQ entry on Cloudflare related issues](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection).
 
-### Using a database instead of flat files
+### Using a Database Instead of Flat Files
 
 In the configuration file the `[model]` and `[model_options]` sections let you
 configure your favourite way of storing the pastes and discussions on your
 server.
 
 `Filesystem` is the default model, which stores everything in files in the
-data folder. This is the recommended setup for most sites.
+data folder. This is the recommended setup for most sites on single hosts.
 
 Under high load, in distributed setups or if you are not allowed to store files
 locally, you might want to switch to the `Database` model. This lets you
@@ -142,21 +155,26 @@ to use a prefix for
 The table prefix option is called `tbl`.
 
 > #### Note
-> The `Database` model has only been tested with SQLite, MySQL and PostgreSQL,
-> although it would not be recommended to use SQLite in a production environment.
-> If you gain any experience running PrivateBin on other RDBMS, please let us
-> know.
+> The `Database` model has only been tested with SQLite, MariaDB/MySQL and
+> PostgreSQL, although it would not be recommended to use SQLite in a production
+> environment. If you gain any experience running PrivateBin on other RDBMS,
+> please let us know.
 
-The following GRANTs (privileges) are required for the PrivateBin user in **MySQL**. In normal operation:
+The following GRANTs (privileges) are required for the PrivateBin user in
+**MariaDB/MySQL**. In normal operation:
 - INSERT, SELECT, DELETE on the paste and comment tables
 - SELECT on the config table
 
-If you want PrivateBin to handle table creation (when you create the first paste) and updates (after you update PrivateBin to a new release), you need to give the user these additional privileges:
+If you want PrivateBin to handle table creation (when you create the first paste)
+and updates (after you update PrivateBin to a new release), you need to give the
+user these additional privileges:
 - CREATE, INDEX and ALTER on the database
 - INSERT and UPDATE on the config table
 
-For reference or if you want to create the table schema for yourself to avoid having to give PrivateBin too many permissions (replace
-`prefix_` with your own table prefix and create the table schema with your favourite MySQL console):
+For reference or if you want to create the table schema for yourself to avoid
+having to give PrivateBin too many permissions (replace `prefix_` with your own
+table prefix and create the table schema with your favourite MariaDB/MySQL
+client):
 
 ```sql
 CREATE TABLE prefix_paste (
@@ -187,7 +205,7 @@ CREATE INDEX parent ON prefix_comment(pasteid);
 CREATE TABLE prefix_config (
     id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id)
 );
-INSERT INTO prefix_config VALUES('VERSION', '1.3.5');
+INSERT INTO prefix_config VALUES('VERSION', '1.4.0');
 ```
 
 In **PostgreSQL**, the `data`, `attachment`, `nickname` and `vizhash` columns
@@ -199,11 +217,11 @@ to be `CLOB` and not `BLOB` or `MEDIUMBLOB`, the `id` column in the `config`
 table needs to be `VARCHAR2(16)` and the `meta` column in the `paste` table
 and the `value` column in the `config` table need to be `VARCHAR2(4000)`.
 
-### Using Google Cloud Storage
+#### Using Google Cloud Storage
 If you want to deploy PrivateBin in a serverless manner in the Google Cloud, you
 can choose the `GoogleCloudStorage` as backend. To use this backend, you create
 a GCS bucket and specify the name as the model option `bucket`. Alternatively,
-you can set the name through the environment variable PASTEBIN_GCS_BUCKET.
+you can set the name through the environment variable `PRIVATEBIN_GCS_BUCKET`.
 
 The default prefix for pastes stored in the bucket is `pastes`. To change the
 prefix, specify the option `prefix`.

Makefile

@@ -1,7 +1,7 @@
 .PHONY: all coverage coverage-js coverage-php doc doc-js doc-php increment sign test test-js test-php help
 
-CURRENT_VERSION = 1.3.5
-VERSION ?= 1.3.6
+CURRENT_VERSION = 1.4.0
+VERSION ?= 1.4.1
 VERSION_FILES = index.php cfg/ *.md css/ i18n/ img/ js/package.json js/privatebin.js lib/ Makefile tpl/ tst/
 REGEX_CURRENT_VERSION := $(shell echo $(CURRENT_VERSION) | sed "s/\./\\\./g")
 REGEX_VERSION := $(shell echo $(VERSION) | sed "s/\./\\\./g")
@@ -33,12 +33,13 @@ increment: ## Increment and commit new version number, set target version using
 	do \
 		sed -i "s/$(REGEX_CURRENT_VERSION)/$(REGEX_VERSION)/g" $$F; \
 	done
-	git add $(VERSION_FILES)
+	cd tst && phpunit --no-coverage && cd ..
+	git add $(VERSION_FILES) tpl/
 	git commit -m "incrementing version"
 
 sign: ## Sign a release.
 	git tag $(VERSION)
-	git push --tags
+	git push origin $(VERSION)
 	signrelease.sh
 
 test: test-js test-php ## Run all unit tests.

README.md

@@ -1,25 +1,27 @@
 # [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
 
-*Current version: 1.3.5*
+*Current version: 1.4.0*
 
-**PrivateBin** is a minimalist, open source online [pastebin](https://en.wikipedia.org/wiki/Pastebin)
+**PrivateBin** is a minimalist, open source online
+[pastebin](https://en.wikipedia.org/wiki/Pastebin)
 where the server has zero knowledge of pasted data.
 
-Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
+Data is encrypted and decrypted in the browser using 256bit AES in
+[Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode).
 
 This is a fork of ZeroBin, originally developed by
-[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). ZeroBin was refactored
-to allow easier and cleaner extensions. PrivateBin has many more features than the
-original ZeroBin. It is, however, still fully compatible to the original ZeroBin 0.19
+[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). PrivateBin was
+refactored to allow easier and cleaner extensions and has many additional
+features. It is, however, still fully compatible to the original ZeroBin 0.19
 data storage scheme. Therefore, such installations can be upgraded to PrivateBin
 without losing any data.
 
 ## What PrivateBin provides
 
 + As a server administrator you don't have to worry if your users post content
-  that is considered illegal in your country. You have no knowledge of any
-  of the pastes content. If requested or enforced, you can delete any paste from
-  your system.
+  that is considered illegal in your country. You have plausible deniability of
+  any of the pastes content. If requested or enforced, you can delete any paste
+  from your system.
 
 + Pastebin-like system to store text documents, code samples, etc.
 
@@ -31,13 +33,13 @@ without losing any data.
 
 ## What it doesn't provide
 
-- As a user you have to trust the server administrator not to inject any malicious
-  javascript code.
-  For basic security, the PrivateBin installation *has to provide HTTPS*!
-  Otherwise you would also have to trust your internet provider, and any country
-  the traffic passes through.
-  Additionally the instance should be secured by
-  [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It can use traditional certificate authorities and/or use
+- As a user you have to trust the server administrator not to inject any
+  malicious code. For security, a PrivateBin installation *has to be used over*
+  *HTTPS*! Otherwise you would also have to trust your internet provider, and
+  any jurisdiction the traffic passes through. Additionally the instance should
+  be secured by
+  [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security). It can
+  use traditional certificate authorities and/or use a
   [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
   protected
   [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities)
@@ -45,18 +47,17 @@ without losing any data.
 
 - The "key" used to encrypt the paste is part of the URL. If you publicly post
   the URL of a paste that is not password-protected, anyone can read it.
-  Use a password if you want your paste to be private. In this case, make sure to
-  use a strong password and only share it privately and end-to-end-encrypted.
+  Use a password if you want your paste to remain private. In that case, make
+  sure to use a strong password and share it privately and end-to-end-encrypted.
 
-- A server admin might be forced to hand over access logs to the authorities.
+- A server admin can be forced to hand over access logs to the authorities.
   PrivateBin encrypts your text and the discussion contents, but who accessed a
   paste (first) might still be disclosed via access logs.
 
 - In case of a server breach your data is secure as it is only stored encrypted
-  on the server. However, the server could be misused or the server admin could
-  be legally forced into sending malicious JavaScript to all web users, which
-  grabs the decryption key and sends it to the server when a user accesses a
-  PrivateBin.  
+  on the server. However, the server could be absused or the server admin could
+  be legally forced into sending malicious code to their users, which logs
+  the decryption key and sends it to a server when a user accesses a paste.
   Therefore, do not access any PrivateBin instance if you think it has been
   compromised. As long as no user accesses this instance with a previously
   generated URL, the content can't be decrypted.
@@ -77,8 +78,8 @@ file](https://github.com/PrivateBin/PrivateBin/wiki/Configuration):
 * Syntax highlighting for source code using prettify.js, including 4 prettify
   themes
 
-* File upload support, images get displayed (disabled by default, possibility
-  to adjust size limit)
+* File upload support, image, media and PDF preview (disabled by default, size
+  limit adjustable)
 
 * Templates: By default there are bootstrap CSS, darkstrap and "classic ZeroBin"
   to choose from and it is easy to adapt these to your own websites layout or
@@ -89,7 +90,7 @@ file](https://github.com/PrivateBin/PrivateBin/wiki/Configuration):
 
 * Language selection (disabled by default, as it uses a session cookie)
 
-* QR code generation of URL, to easily transfer pastes over to a mobile device
+* QR code for paste URLs, to easily transfer them over to mobile devices
 
 ## Further resources
 

SECURITY.md

@@ -4,8 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 1.3.5   | :heavy_check_mark: |
-| < 1.3.5 | :x:                |
+| 1.4.0   | :heavy_check_mark: |
+| < 1.4.0 | :x:                |
 
 ## Reporting a Vulnerability
 

cfg/conf.sample.php

@@ -87,7 +87,7 @@ languageselection = false
 ;   async functions and display an error if not and for Chrome to enable
 ;   webassembly support (used for zlib compression). You can remove it if Chrome
 ;   doesn't need to be supported and old browsers don't need to be warned.
-; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+; cspheader = "default-src 'none'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
 
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
@@ -135,9 +135,17 @@ markdown = "Markdown"
 ; Set this to 0 to disable rate limiting.
 limit = 10
 
-; Set ips (v4|v6) which should be exempted for the rate-limit. CIDR also supported. Needed to be comma separated.
-; Unset for enabling and invalid values will be ignored
-; eg: exemptedIp = '1.2.3.4,10.10.10/24'
+; (optional) Set IPs addresses (v4 or v6) or subnets (CIDR) which are exempted
+; from the rate-limit. Invalid IPs will be ignored. If multiple values are to
+; be exempted, the list needs to be comma separated. Leave unset to disable
+; exemptions.
+; exempted = "1.2.3.4,10.10.10/24"
+
+; (optional) If you want only some source IP addresses (v4 or v6) or subnets
+; (CIDR) to be allowed to create pastes, set these here. Invalid IPs will be
+; ignored. If multiple values are to be exempted, the list needs to be comma
+; separated. Leave unset to allow anyone to create pastes.
+; creators = "1.2.3.4,10.10.10/24"
 
 ; (optional) if your website runs behind a reverse proxy or load balancer,
 ; set the HTTP header containing the visitors IP address, i.e. X_FORWARDED_FOR

css/bootstrap/privatebin.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 body {

css/noscript.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 /* When there is no script at all other */

css/privatebin.css

@@ -6,7 +6,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 /*  CSS Reset from YUI 3.4.1 (build 4118) - Copyright 2011 Yahoo! Inc. All rights reserved.

i18n/ar.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/bg.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/ca.json

@@ -79,34 +79,34 @@
     "Never": "Mai",
     "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.": "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.",
     "This document will expire in %d seconds.": [
-        "This document will expire in %d second. (singular)",
-        "This document will expire in %d seconds. (1st plural)",
-        "This document will expire in %d seconds. (2nd plural)",
-        "This document will expire in %d seconds. (3rd plural)"
+        "Aquest document caducarà d'aquí %d segon.",
+        "Aquest document caducarà d'aquí %d segons.",
+        "Aquest document caducarà d'aquí %d segons.",
+        "Aquest document caducarà d'aquí %d segons."
     ],
     "This document will expire in %d minutes.": [
-        "This document will expire in %d minute. (singular)",
-        "This document will expire in %d minutes. (1st plural)",
-        "This document will expire in %d minutes. (2nd plural)",
-        "This document will expire in %d minutes. (3rd plural)"
+        "Aquest document caducarà d'aquí %d minut.",
+        "Aquest document caducarà d'aquí %d minuts.",
+        "Aquest document caducarà d'aquí %d minuts.",
+        "Aquest document caducarà d'aquí %d minuts."
     ],
     "This document will expire in %d hours.": [
-        "This document will expire in %d hour. (singular)",
-        "This document will expire in %d hours. (1st plural)",
-        "This document will expire in %d hours. (2nd plural)",
-        "This document will expire in %d hours. (3rd plural)"
+        "Aquest document caducarà d'aquí %d hora.",
+        "Aquest document caducarà d'aquí %d hores.",
+        "Aquest document caducarà d'aquí %d hores.",
+        "Aquest document caducarà d'aquí %d hores."
     ],
     "This document will expire in %d days.": [
-        "This document will expire in %d day. (singular)",
-        "This document will expire in %d days. (1st plural)",
-        "This document will expire in %d days. (2nd plural)",
-        "This document will expire in %d days. (3rd plural)"
+        "Aquest document caducarà d'aquí %d dia.",
+        "Aquest document caducarà d'aquí %d dies.",
+        "Aquest document caducarà d'aquí %d dies.",
+        "Aquest document caducarà d'aquí %d dies."
     ],
     "This document will expire in %d months.": [
-        "This document will expire in %d month. (singular)",
-        "This document will expire in %d months. (1st plural)",
-        "This document will expire in %d months. (2nd plural)",
-        "This document will expire in %d months. (3rd plural)"
+        "Aquest document caducarà d'aquí %d mes.",
+        "Aquest document caducarà d'aquí %d mesos.",
+        "Aquest document caducarà d'aquí %d mesos.",
+        "Aquest document caducarà d'aquí %d mesos."
     ],
     "Please enter the password for this paste:": "Si us plau, introdueix la contrasenya per aquest paste:",
     "Could not decrypt data (Wrong key?)": "No s'han pogut desxifrar les dades (Clau incorrecte?)",
@@ -124,7 +124,7 @@
     "Could not refresh display: %s": "Could not refresh display: %s",
     "unknown status": "estat desconegut",
     "server error or not responding": "server error or not responding",
-    "Could not post comment: %s": "Could not post comment: %s",
+    "Could not post comment: %s": "No s'ha pogut publicar el comentari: %s",
     "Sending paste…": "Enviant paste…",
     "Your paste is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit [Ctrl]+[c] to copy)</span>": "Your paste is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit [Ctrl]+[c] to copy)</span>",
     "Delete data": "Esborrar les dades",
@@ -146,7 +146,7 @@
     "Download attachment": "Baixar els adjunts",
     "Cloned: '%s'": "Cloned: '%s'",
     "The cloned file '%s' was attached to this paste.": "The cloned file '%s' was attached to this paste.",
-    "Attach a file": "Attach a file",
+    "Attach a file": "Adjuntar un fitxer",
     "alternatively drag & drop a file or paste an image from the clipboard": "alternatively drag & drop a file or paste an image from the clipboard",
     "File too large, to display a preview. Please download the attachment.": "File too large, to display a preview. Please download the attachment.",
     "Remove attachment": "Remove attachment",
@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/co.json

@@ -0,0 +1,190 @@
+{
+    "PrivateBin": "PrivateBin",
+    "%s is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s hè un serviziu in linea di tipu « pastebin » (ghjestiunariu d’appiccicu di pezzi di testu è di codice di fonte) minimalistu è à fonte aperta induve u servitore ùn hà micca cunnuscenza di i dati mandati. I dati sò cifrati è dicifrati %sin u navigatore%s cù una cifratura AES di 256 bit.",
+    "More information on the <a href=\"https://privatebin.info/\">project page</a>.": "Più d’infurmazione annant’à a <a href=\"https://privatebin.info/\">pagina di u prughjettu</a>.",
+    "Because ignorance is bliss": "Perchè l’ignurenza hè una campa",
+    "en": "co",
+    "Paste does not exist, has expired or has been deleted.": "L’appiccicu ùn esiste micca, hè scadutu o hè statu squassatu.",
+    "%s requires php %s or above to work. Sorry.": "Per disgrazzia, %s richiede php %s o più recente per funziunà.",
+    "%s requires configuration section [%s] to be present in configuration file.": "%s richiede a presenza di a sezzione di cunfigurazione [%s] in a schedariu di cunfigurazione.",
+    "Please wait %d seconds between each post.": [
+        "Aspettate %d seconda trà dui publicazioni.",
+        "Aspettate %d seconde trà dui publicazioni.",
+        "Aspettate %d seconde trà dui publicazioni.",
+        "Aspettate %d seconde trà dui publicazioni."
+    ],
+    "Paste is limited to %s of encrypted data.": "L’appiccicu hè limitatu à %s di dati cifrati.",
+    "Invalid data.": "Dati inaccetevule.",
+    "You are unlucky. Try again.": "Pruvate torna, Serete più furtunati.",
+    "Error saving comment. Sorry.": "Per disgrazzia, ci hè un sbagliu à l’arregistramentu di u cummentu.",
+    "Error saving paste. Sorry.": "Per disgrazzia, ci hè un sbagliu à l’arregistramentu di l’appiccicu.",
+    "Invalid paste ID.": "N° di l’appiccicu inaccettevule.",
+    "Paste is not of burn-after-reading type.": "L’appiccicu ùn hè micca di tipu « Squassà dopu a lettura ».",
+    "Wrong deletion token. Paste was not deleted.": "Gettone di squassatura incurrettu. L’appiccicu ùn hè micca statu squassatu.",
+    "Paste was properly deleted.": "L’appiccicu hè statu squassatu currettamente.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.": "JavaScript hè richiestu per fà funziunà %s. Scusate per stu penseru.",
+    "%s requires a modern browser to work.": "%s richiede un navigatore mudernu per funziunà.",
+    "New": "Novu",
+    "Send": "Mandà",
+    "Clone": "Duppione",
+    "Raw text": "Testu grossu",
+    "Expires": "Scadenza",
+    "Burn after reading": "Squassà dopu a lettura",
+    "Open discussion": "Apre una chjachjarata",
+    "Password (recommended)": "Parolla d’intesa (ricumandata)",
+    "Discussion": "Chjachjarata",
+    "Toggle navigation": "Invertisce a navigazione",
+    "%d seconds": [
+        "%d seconda",
+        "%d seconde",
+        "%d seconde",
+        "%d seconde"
+    ],
+    "%d minutes": [
+        "%d minutu",
+        "%d minuti",
+        "%d minuti",
+        "%d minuti"
+    ],
+    "%d hours": [
+        "%d ora",
+        "%d ore",
+        "%d ore",
+        "%d ore"
+    ],
+    "%d days": [
+        "%d ghjornu",
+        "%d ghjorni",
+        "%d ghjorni",
+        "%d ghjorni"
+    ],
+    "%d weeks": [
+        "%d settimana",
+        "%d settimane",
+        "%d settimane",
+        "%d settimane"
+    ],
+    "%d months": [
+        "%d mese",
+        "%d mesi",
+        "%d mesi",
+        "%d mesi"
+    ],
+    "%d years": [
+        "%d annu",
+        "%d anni",
+        "%d anni",
+        "%d anni"
+    ],
+    "Never": "Mai",
+    "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.": "Nota : Què hè un serviziu di prova ; i dati ponu esse squassati à ogni mumentu. Parechji catorni anu da esse tombi s’è vò impiegate troppu stu serviziu.",
+    "This document will expire in %d seconds.": [
+        "Stu ducumentu serà scadutu in %d seconda.",
+        "Stu ducumentu serà scadutu in %d seconde.",
+        "Stu ducumentu serà scadutu in %d seconde.",
+        "Stu ducumentu serà scadutu in %d seconde."
+    ],
+    "This document will expire in %d minutes.": [
+        "Stu ducumentu serà scadutu in %d minutu.",
+        "Stu ducumentu serà scadutu in %d minuti.",
+        "Stu ducumentu serà scadutu in %d minuti.",
+        "Stu ducumentu serà scadutu in %d minuti."
+    ],
+    "This document will expire in %d hours.": [
+        "Stu ducumentu serà scadutu in %d ora.",
+        "Stu ducumentu serà scadutu in %d ore.",
+        "Stu ducumentu serà scadutu in %d ore.",
+        "Stu ducumentu serà scadutu in %d ore."
+    ],
+    "This document will expire in %d days.": [
+        "Stu ducumentu serà scadutu in %d ghjornu.",
+        "Stu ducumentu serà scadutu in %d ghjorni.",
+        "Stu ducumentu serà scadutu in %d ghjorni.",
+        "Stu ducumentu serà scadutu in %d ghjorni."
+    ],
+    "This document will expire in %d months.": [
+        "Stu ducumentu serà scadutu in %d mese.",
+        "Stu ducumentu serà scadutu in %d mesi.",
+        "Stu ducumentu serà scadutu in %d mesi.",
+        "Stu ducumentu serà scadutu in %d mesi."
+    ],
+    "Please enter the password for this paste:": "Stampittate a parolla d’intesa per st’appiccicu :",
+    "Could not decrypt data (Wrong key?)": "Ùn si pò micca dicifrà i dati ; seria incurretta a chjave ?",
+    "Could not delete the paste, it was not stored in burn after reading mode.": "Ùn si pò micca squassà l’appiccicu, ùn hè micca statu in u modu « Squassà dopu a lettura ».",
+    "FOR YOUR EYES ONLY. Don't close this window, this message can't be displayed again.": "SOLU CÙ L’OCHJI. Ùn chjudite micca sta finestra, stu messaghju un puderà più esse affissatu torna.",
+    "Could not decrypt comment; Wrong key?": "Ùn si pò micca dicifrà u cummentu. Seria incurretta a chjave ?",
+    "Reply": "Risponde",
+    "Anonymous": "Anonimu",
+    "Avatar generated from IP address": "Avatar ingeneratu da l’indirizzu IP",
+    "Add comment": "Aghjunghje un cummentu",
+    "Optional nickname…": "Cugnome ozzionale…",
+    "Post comment": "Impustà u cummentu",
+    "Sending comment…": "Inviu di u cummentu…",
+    "Comment posted.": "Cummentu inviatu.",
+    "Could not refresh display: %s": "Ùn si pò micca attualizà l’affissera : %s",
+    "unknown status": "statu scunnisciutu",
+    "server error or not responding": "sbagliu di u servitore o u servitore ùn risponde micca",
+    "Could not post comment: %s": "Ùn si pò micca impustà u cummentu : %s",
+    "Sending paste…": "Inviu di l’appiccicu…",
+    "Your paste is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit [Ctrl]+[c] to copy)</span>": "U vostru appiccicu si trova à l’indirizzu<a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Appughjate [Ctrl]+[c] per cupià u liame)</span>",
+    "Delete data": "Squassà i dati",
+    "Could not create paste: %s": "Ùn si pò micca creà l’appiccicu : %s",
+    "Cannot decrypt paste: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Ùn si pò micca dicifrà l’appiccicu : A chjave di dicifratura hè assente in l’indirizzu. Averiate impiegatu un orientadore d’indirizzu o un riduttore chì ammuzzeghja una parte di l’indirizzu ?",
+    "B": "o",
+    "KiB": "Ko",
+    "MiB": "Mo",
+    "GiB": "Go",
+    "TiB": "To",
+    "PiB": "Po",
+    "EiB": "Eo",
+    "ZiB": "Zo",
+    "YiB": "Yo",
+    "Format": "Furmatu",
+    "Plain Text": "Testu in chjaru",
+    "Source Code": "Codice di fonte",
+    "Markdown": "Markdown",
+    "Download attachment": "Scaricà a pezza aghjunta",
+    "Cloned: '%s'": "Duppiatu : « %s »",
+    "The cloned file '%s' was attached to this paste.": "U schedariu duppiatu  « %s » hè statu aghjuntu à st’appiccicu.",
+    "Attach a file": "Aghjunghje un schedariu",
+    "alternatively drag & drop a file or paste an image from the clipboard": "in alternanza, sguillà è depone un schedariu o incullà una fiura da u preme’papei",
+    "File too large, to display a preview. Please download the attachment.": "Schedariu troppu maiò per affissà una fighjulata. Scaricate a pezza aghjunta.",
+    "Remove attachment": "Caccià a pezza aghjunta",
+    "Your browser does not support uploading encrypted files. Please use a newer browser.": "U vostru navigatore ùn accetta micca l’inviu di i schedarii cifrati. Impiegate un navigatore più recente.",
+    "Invalid attachment.": "A pezza aghjunta hè inaccettevule.",
+    "Options": "Ozzioni",
+    "Shorten URL": "Ammuzzà l’indirizzu",
+    "Editor": "Editore",
+    "Preview": "Fighjulata",
+    "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.": "%s richiede chì a variabile PATH si compii cù « %s ». Mudificate a variabile PATH in u vostru index.php.",
+    "Decrypt": "Dicifrà",
+    "Enter password": "Stampittate a parolla d’intesa",
+    "Loading…": "Caricamentu…",
+    "Decrypting paste…": "Dicifratura di l’appiccicu…",
+    "Preparing new paste…": "Approntu di u novu appiccicu…",
+    "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.": "S’è stu messaghju ùn smarisce micca, lighjite <a href=\"%s\">sta FAQ per ottene infurmazioni annant’à a risuluzione di i prublemi</a>.",
+    "+++ no paste text +++": "+++ nisunu testu incullatu +++",
+    "Could not get paste data: %s": "Ùn si pò micca ottene i dati di l’appiccicu : %s",
+    "QR code": "Codice QR",
+    "This website is using an insecure HTTP connection! Please use it only for testing.": "Stu situ web impiegheghja una cunnessione HTTP non sicura ! impiegatelu solu per una prova.",
+    "For more information <a href=\"%s\">see this FAQ entry</a>.": "Per sapene di più, <a href=\"%s\">lighjite sta rubrica di a FAQ</a>.",
+    "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.": "U vostru navigatore pò richiede una cunnessione HTTPS per permette l’usu di l’API WebCrypto. Pruvate di <a href=\"%s\">passà à HTTPS</a>.",
+    "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.": "U vostru navigatore ùn accetta micca WebAssembly, impiegatu per a cumpressione zlib. Pudete creà ducumenti micca cumpressi, ma ùn pudete micca leghje quelli chì sò cumpressi.",
+    "waiting on user to provide a password": "in attesa di l’utilizatore per furnisce una parolla d’intesa",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.": "Ùn si pò micca dicifrà i dati. Avete stampittatu una parolla d’intesa incurretta ? Pruvate torna cù u buttone insù.",
+    "Retry": "Pruvà torna",
+    "Showing raw text…": "Affissera di u testu grossu…",
+    "Notice:": "Avertimentu :",
+    "This link will expire after %s.": "Stu liame hà da scade dopu à %s.",
+    "This link can only be accessed once, do not use back or refresh button in your browser.": "Stu liame pò esse accessu solu una volta, ùn impiegate micca i buttoni Precedente o Attualizà di u vostru navigatore.",
+    "Link:": "Liame :",
+    "Recipient may become aware of your timezone, convert time to UTC?": "U destinatariu pò cunnnosce u vostru fusu orariu. Vulete cunvertisce l’ora in u furmatu UTC ?",
+    "Use Current Timezone": "Impiegà u fusu orariu attuale",
+    "Convert To UTC": "Cunvertisce in UTC",
+    "Close": "Chjode",
+    "Encrypted note on PrivateBin": "Nota cifrata nant’à PrivateBin",
+    "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visitate stu liame per vede a nota. Date l’indirizzu à qualunque li permette d’accede à a nota dinù.",
+    "URL shortener may expose your decrypt key in URL.": "Un ammuzzatore d’indirizzu pò palisà a vostra chjave di dicifratura in l’indirizzu.",
+    "Save paste": "Arregistrà l’appiccicu",
+    "Your IP is not authorized to create pastes.": "U vostru indirizzu IP ùn hè micca auturizatu à creà l’appiccichi."
+}

i18n/cs.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Šifrovaná poznámka ve službě PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Navštivte tento odkaz pro zobrazení poznámky. Přeposláním URL umožníte také jiným lidem přístup.",
     "URL shortener may expose your decrypt key in URL.": "Zkracovač URL může odhalit váš dešifrovací klíč v URL.",
-    "Save paste": "Uložit příspěvek"
+    "Save paste": "Uložit příspěvek",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/de.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Verschlüsselte Notiz auf PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Besuche diesen Link um das Dokument zu sehen. Wird die URL an eine andere Person gegeben, so kann diese Person ebenfalls auf dieses Dokument zugreifen.",
     "URL shortener may expose your decrypt key in URL.": "Der URL-Verkürzer kann den Schlüssel in der URL enthüllen.",
-    "Save paste": "Text speichern"
+    "Save paste": "Text speichern",
+    "Your IP is not authorized to create pastes.": "Deine IP ist nicht berechtigt, Texte zu erstellen."
 }

i18n/el.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/en.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/es.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Nota cifrada en PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visite este enlace para ver la nota. Dar la URL a cualquier persona también les permite acceder a la nota.",
     "URL shortener may expose your decrypt key in URL.": "El acortador de URL puede exponer su clave de descifrado en el URL.",
-    "Save paste": "Guardar \"paste\""
+    "Save paste": "Guardar \"paste\"",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/et.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Krüpteeritud kiri PrivateBin-is",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Kirja nägemiseks külasta seda linki. Teistele URL-i andmine lubab ka neil ligi pääseda kirjale.",
     "URL shortener may expose your decrypt key in URL.": "URL-i lühendaja võib paljastada sinu dekrüpteerimisvõtme URL-is.",
-    "Save paste": "Salvesta kleebe"
+    "Save paste": "Salvesta kleebe",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/fi.json

@@ -15,11 +15,11 @@
     ],
     "Paste is limited to %s of encrypted data.": "Paste on rajoitettu kokoon %s salattua dataa.",
     "Invalid data.": "Virheellinen data.",
-    "You are unlucky. Try again.": "Olet epäonnekas. Yritä uudelleen",
+    "You are unlucky. Try again.": "Olet epäonnekas. Yritä uudelleen.",
     "Error saving comment. Sorry.": "Virhe kommenttia tallentaessa. Anteeksi.",
     "Error saving paste. Sorry.": "Virhe pastea tallentaessa. Anteeksi.",
     "Invalid paste ID.": "Virheellinen paste ID.",
-    "Paste is not of burn-after-reading type.": "Paste ei ole polta-lukemisen-jälkeen-tyyppiä",
+    "Paste is not of burn-after-reading type.": "Paste ei ole polta-lukemisen-jälkeen-tyyppiä.",
     "Wrong deletion token. Paste was not deleted.": "Virheellinen poistotunniste. Pastea ei poistettu.",
     "Paste was properly deleted.": "Paste poistettiin kunnolla.",
     "JavaScript is required for %s to work. Sorry for the inconvenience.": "JavaScriptiä tarvitaan jotta %s toimisi. Anteeksi haitasta.",
@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Salattu viesti PrivateBinissä",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Käy tässä linkissä nähdäksesi viestin. URL:n antaminen kenellekään antaa heidänkin päästä katsomeen viestiä. ",
     "URL shortener may expose your decrypt key in URL.": "URL-lyhentäjä voi paljastaa purkuavaimesi URL:ssä.",
-    "Save paste": "Tallenna paste"
+    "Save paste": "Tallenna paste",
+    "Your IP is not authorized to create pastes.": "IP:llesi ei ole annettu oikeutta luoda pasteja."
 }

i18n/fr.json

@@ -2,7 +2,7 @@
     "PrivateBin": "PrivateBin",
     "%s is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s est un 'pastebin' (ou gestionnaire d'extraits de texte et de code source) minimaliste et open source, dans lequel le serveur n'a aucune connaissance des données envoyées. Les données sont chiffrées/déchiffrées %sdans le navigateur%s par un chiffrement AES 256 bits.",
     "More information on the <a href=\"https://privatebin.info/\">project page</a>.": "Plus d'informations sur <a href=\"https://privatebin.info/\">la page du projet</a>.",
-    "Because ignorance is bliss": "Parce que l'ignorance c'est le bonheur",
+    "Because ignorance is bliss": "Vivons heureux, vivons cachés",
     "en": "fr",
     "Paste does not exist, has expired or has been deleted.": "Le paste n'existe pas, a expiré, ou a été supprimé.",
     "%s requires php %s or above to work. Sorry.": "Désolé, %s nécessite php %s ou supérieur pour fonctionner.",
@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Message chiffré sur PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visiter ce lien pour voir la note. Donner l'URL à une autre personne lui permet également d'accéder à la note.",
     "URL shortener may expose your decrypt key in URL.": "Raccourcir l'URL peut exposer votre clé de déchiffrement dans l'URL.",
-    "Save paste": "Sauver le paste"
+    "Save paste": "Sauver le paste",
+    "Your IP is not authorized to create pastes.": "Votre adresse IP n'est pas autorisée à créer des pastes."
 }

i18n/he.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "הערה מוצפנת ב־PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "נא לבקר בקישור כדי לצפות בהערה. מסירת הקישור לאנשים כלשהם תאפשר גם להם לגשת להערה.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/hi.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/hu.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Titkosított jegyzet a PrivateBinen",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Látogasd meg ezt a hivatkozást a bejegyzés megtekintéséhez. Ha mások számára is megadod ezt a linket, azzal hozzáférnek ők is.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/id.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Catatan ter-ekrip di PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Kunjungi tautan ini untuk melihat catatan. Memberikan alamat URL pada siapapun juga, akan mengizinkan mereka untuk mengakses catatan, so pasti gitu loh Kaka.",
     "URL shortener may expose your decrypt key in URL.": "Pemendek URL mungkin akan menampakkan kunci dekrip Anda dalam URL.",
-    "Save paste": "Simpan paste"
+    "Save paste": "Simpan paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/it.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Nota crittografata su PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visita questo collegamento per vedere la nota. Dare l'URL a chiunque consente anche a loro di accedere alla nota.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener può esporre la tua chiave decrittografata nell'URL.",
-    "Save paste": "Salva il messagio"
+    "Save paste": "Salva il messagio",
+    "Your IP is not authorized to create pastes.": "Il tuo IP non è autorizzato a creare dei messaggi."
 }

i18n/ja.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/jbo.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": ".i lo lo notci ku mifra cu zvati sivlolnitvanku'a",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "rejgau fukpi"
+    "Save paste": "rejgau fukpi",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/ku.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/la.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/lt.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Šifruoti užrašai ties PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Norėdami matyti užrašus, aplankykite šį tinklalapį. Pasidalinus šiuo URL adresu su kitais žmonėmis, jiems taip pat bus leidžiama prieiga prie šių užrašų.",
     "URL shortener may expose your decrypt key in URL.": "URL trumpinimo įrankis gali atskleisti URL adrese jūsų iššifravimo raktą.",
-    "Save paste": "Įrašyti įdėjimą"
+    "Save paste": "Įrašyti įdėjimą",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/nl.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/no.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Kryptert notat på PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Besøk denne lenken for å se notatet. Hvis lenken deles med andre, vil de også kunne se notatet.",
     "URL shortener may expose your decrypt key in URL.": "URL forkorter kan avsløre dekrypteringsnøkkelen.",
-    "Save paste": "Lagre utklipp"
+    "Save paste": "Lagre utklipp",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/oc.json

@@ -37,76 +37,76 @@
     "%d seconds": [
         "%d segonda",
         "%d segondas",
-        "%d seconds (2nd plural)",
-        "%d seconds (3rd plural)"
+        "%d segondas",
+        "%d segondas"
     ],
     "%d minutes": [
         "%d minuta",
         "%d minutas",
-        "%d minutes (2nd plural)",
-        "%d minutes (3rd plural)"
+        "%d minutas",
+        "%d minutas"
     ],
     "%d hours": [
         "%d ora",
         "%d oras",
-        "%d hours (2nd plural)",
-        "%d hours (3rd plural)"
+        "%d oras",
+        "%d oras"
     ],
     "%d days": [
         "%d jorn",
         "%d jorns",
-        "%d days (2nd plural)",
-        "%d days (3rd plural)"
+        "%d jorns",
+        "%d jorns"
     ],
     "%d weeks": [
         "%d setmana",
         "%d setmanas",
-        "%d weeks (2nd plural)",
-        "%d weeks (3rd plural)"
+        "%d setmanas",
+        "%d setmanas"
     ],
     "%d months": [
         "%d mes",
         "%d meses",
-        "%d months (2nd plural)",
-        "%d months (3rd plural)"
+        "%d meses",
+        "%d meses"
     ],
     "%d years": [
         "%d an",
         "%d ans",
-        "%d years (2nd plural)",
-        "%d years (3rd plural)"
+        "%d ans",
+        "%d ans"
     ],
     "Never": "Jamai",
     "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.": "Nota : Aquò es un servici d’espròva : las donadas pòdon èsser suprimidas a cada moment. De catons moriràn s’abusatz d’aqueste servici.",
     "This document will expire in %d seconds.": [
-        "Ce document expirera dans %d seconde.",
-        "Aqueste document expirarà dins %d segondas.",
-        "Aqueste document expirarà dins %d segondas.",
-        "Aqueste document expirarà dins %d segondas."
+        "Aqueste document expirarà d’aquí %d segonda.",
+        "Aqueste document expirarà d’aquí %d segondas.",
+        "Aqueste document expirarà d’aquí %d segondas.",
+        "Aqueste document expirarà d’aquí %d segondas."
     ],
     "This document will expire in %d minutes.": [
-        "Ce document expirera dans %d minute.",
-        "Aqueste document expirarà dins %d minutas.",
-        "Aqueste document expirarà dins %d minutas.",
-        "Aqueste document expirarà dins %d minutas."
+        "Aqueste document expirarà d’aquí %d minuta.",
+        "Aqueste document expirarà d’aquí %d minutas.",
+        "Aqueste document expirarà d’aquí %d minutas.",
+        "Aqueste document expirarà d’aquí %d minutas."
     ],
     "This document will expire in %d hours.": [
-        "Ce document expirera dans %d heure.",
-        "Aqueste document expirarà dins %d oras.",
-        "Aqueste document expirarà dins %d oras.",
-        "Aqueste document expirarà dins %d oras."
+        "Aqueste document expirarà d’aquí %d ora.",
+        "Aqueste document expirarà d’aquí %d oras.",
+        "Aqueste document expirarà d’aquí %d oras.",
+        "Aqueste document expirarà d’aquí %d oras."
     ],
     "This document will expire in %d days.": [
-        "Ce document expirera dans %d jour.",
-        "Aqueste document expirarà dins %d jorns.",
-        "Aqueste document expirarà dins %d jorns.",
-        "Aqueste document expirarà dins %d jorns."
+        "Aqueste document expirarà d’aquí %d jorn.",
+        "Aqueste document expirarà d’aquí %d jorns.",
+        "Aqueste document expirarà d’aquí %d jorns.",
+        "Aqueste document expirarà d’aquí %d jorns."
     ],
     "This document will expire in %d months.": [
-        "Ce document expirera dans %d mois.",
-        "Aqueste document expirarà dins %d meses.",
-        "Aqueste document expirarà dins %d meses.",
-        "Aqueste document expirarà dins %d meses."
+        "Aqueste document expirarà d’aquí %d mes.",
+        "Aqueste document expirarà d’aquí %d meses.",
+        "Aqueste document expirarà d’aquí %d meses.",
+        "Aqueste document expirarà d’aquí %d meses."
     ],
     "Please enter the password for this paste:": "Picatz lo senhal per aqueste tèxte :",
     "Could not decrypt data (Wrong key?)": "Impossible de deschifrar las donadas (marrida clau ?)",
@@ -156,7 +156,7 @@
     "Shorten URL": "Acorchir l’URL",
     "Editor": "Editar",
     "Preview": "Previsualizar",
-    "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.": "%s demanda que lo PATH termine en \"%s\". Mercés de metre a jorn lo PATH dins vòstre index.php.",
+    "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.": "%s demanda que lo PATH termine en « %s ». Mercés de metre a jorn lo PATH dins vòstre index.php.",
     "Decrypt": "Deschifrar",
     "Enter password": "Picatz lo senhal",
     "Loading…": "Cargament…",
@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Nòtas chifradas sus PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visitatz aqueste ligam per veire la nòta. Fornir lo ligam a qualqu’un mai li permet tanben d’accedir a la nòta.",
     "URL shortener may expose your decrypt key in URL.": "Los espleches d’acorchiment d’URL pòdon expausar la clau de deschiframent dins l’URL.",
-    "Save paste": "Enregistrar lo tèxt"
+    "Save paste": "Enregistrar lo tèxt",
+    "Your IP is not authorized to create pastes.": "Vòstra adreça IP a pas l’autorizacion de crear de tèxtes."
 }

i18n/pl.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/pt.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Nota criptografada no PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visite esse link para ver a nota. Dar a URL para qualquer um permite que eles também acessem a nota.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/ru.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Зашифрованная запись на PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Посетите эту ссылку чтобы просмотреть запись. Передача ссылки кому либо позволит им получить доступ к записи тоже.",
     "URL shortener may expose your decrypt key in URL.": "Сервис сокращения ссылок может получить ваш ключ расшифровки из ссылки.",
-    "Save paste": "Сохранить запись"
+    "Save paste": "Сохранить запись",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/sl.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/sv.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/tr.json

@@ -1,135 +1,135 @@
 {
     "PrivateBin": "PrivateBin",
-    "%s is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.",
+    "%s is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s sunucunun burada paylaştığınız veriyi görmediği, minimal, açık kaynak bir pastebindir. Veriler tarayıcıda 256 bit AES kullanılarak şifrelenir/çözülür.",
     "More information on the <a href=\"https://privatebin.info/\">project page</a>.": "Daha fazla bilgi için <a href=\"https://privatebin.info/\">proje sayfası</a>'na göz atabilirsiniz.",
     "Because ignorance is bliss": "Çünkü, cehalet mutluluktur",
     "en": "tr",
     "Paste does not exist, has expired or has been deleted.": "Paste does not exist, has expired or has been deleted.",
-    "%s requires php %s or above to work. Sorry.": "%s requires php %s or above to work. Sorry.",
-    "%s requires configuration section [%s] to be present in configuration file.": "%s requires configuration section [%s] to be present in configuration file.",
+    "%s requires php %s or above to work. Sorry.": "%s PHP %s veya daha üstünü gerektirir.",
+    "%s requires configuration section [%s] to be present in configuration file.": "%s konfigürasyon bölümünün [%s] bulunmasını gerektir.",
     "Please wait %d seconds between each post.": [
-        "Please wait %d second between each post. (singular)",
-        "Please wait %d seconds between each post. (1st plural)",
-        "Please wait %d seconds between each post. (2nd plural)",
-        "Please wait %d seconds between each post. (3rd plural)"
+        "Lütfen paylaşımlar arasında %d saniye bekleyiniz.",
+        "Lütfen paylaşımlar arasında %d saniye bekleyiniz.",
+        "Lütfen paylaşımlar arasında %d saniye bekleyiniz.",
+        "Lütfen paylaşımlar arasında %d saniye bekleyiniz."
     ],
-    "Paste is limited to %s of encrypted data.": "Paste is limited to %s of encrypted data.",
+    "Paste is limited to %s of encrypted data.": "Yazılar %s şifreli veriyle sınırlıdır.",
     "Invalid data.": "Geçersiz veri.",
     "You are unlucky. Try again.": "Lütfen tekrar deneyiniz.",
-    "Error saving comment. Sorry.": "Error saving comment. Sorry.",
-    "Error saving paste. Sorry.": "Error saving paste. Sorry.",
-    "Invalid paste ID.": "Invalid paste ID.",
-    "Paste is not of burn-after-reading type.": "Paste is not of burn-after-reading type.",
-    "Wrong deletion token. Paste was not deleted.": "Wrong deletion token. Paste was not deleted.",
-    "Paste was properly deleted.": "Paste was properly deleted.",
-    "JavaScript is required for %s to work. Sorry for the inconvenience.": "JavaScript is required for %s to work. Sorry for the inconvenience.",
-    "%s requires a modern browser to work.": "%s requires a modern browser to work.",
+    "Error saving comment. Sorry.": "Yorum kaydedilemedi.",
+    "Error saving paste. Sorry.": "Yazı kaydedilemedi. Üzgünüz.",
+    "Invalid paste ID.": "Geçersiz yazı ID'si.",
+    "Paste is not of burn-after-reading type.": "Yazı okunduğunda silinmeyecek şekilde ayarlanmış.",
+    "Wrong deletion token. Paste was not deleted.": "Yanlış silme anahtarı. Yazı silinemedi.",
+    "Paste was properly deleted.": "Yazı başarıyla silindi.",
+    "JavaScript is required for %s to work. Sorry for the inconvenience.": "JavaScript %s 'in çalışması için gereklidir. Rahatsızlıktan dolayı özür dileriz.",
+    "%s requires a modern browser to work.": "%s çalışmak için çağdaş bir tarayıcı gerektirir.",
     "New": "Yeni",
     "Send": "Gönder",
     "Clone": "Kopyala",
-    "Raw text": "Raw text",
+    "Raw text": "Açık yazı",
     "Expires": "Süre Sonu",
-    "Burn after reading": "Burn after reading",
+    "Burn after reading": "Okuduktan sonra sil",
     "Open discussion": "Açık Tartışmalar",
-    "Password (recommended)": "Password (recommended)",
+    "Password (recommended)": "Şifre (önerilir)",
     "Discussion": "Tartışma",
     "Toggle navigation": "Gezinmeyi değiştir",
     "%d seconds": [
-        "%d second (singular)",
-        "%d seconds (1st plural)",
-        "%d seconds (2nd plural)",
-        "%d seconds (3rd plural)"
+        "%d saniye",
+        "%d saniye",
+        "%d saniye",
+        "%d saniye"
     ],
     "%d minutes": [
-        "%d minute (singular)",
-        "%d minutes (1st plural)",
-        "%d minutes (2nd plural)",
-        "%d minutes (3rd plural)"
+        "%d dakika",
+        "%d dakika",
+        "%d dakika",
+        "%d dakika"
     ],
     "%d hours": [
-        "%d hour (singular)",
-        "%d hours (1st plural)",
-        "%d hours (2nd plural)",
-        "%d hours (3rd plural)"
+        "%d saat",
+        "%d saat",
+        "%d saat",
+        "%d saat"
     ],
     "%d days": [
-        "%d day (singular)",
-        "%d days (1st plural)",
-        "%d days (2nd plural)",
-        "%d days (3rd plural)"
+        "%d gün",
+        "%d gün",
+        "%d gün",
+        "%d gün"
     ],
     "%d weeks": [
-        "%d hafta (tekil)",
-        "%d haftalar (çoğul)",
-        "%d weeks (2nd plural)",
-        "%d weeks (3rd plural)"
+        "%d hafta",
+        "%d hafta",
+        "%d hafta",
+        "%d hafta"
     ],
     "%d months": [
-        "%d month (singular)",
-        "%d months (1st plural)",
-        "%d months (2nd plural)",
-        "%d months (3rd plural)"
+        "%d ay",
+        "%d ay",
+        "%d ay",
+        "%d ay"
     ],
     "%d years": [
-        "%d year (singular)",
-        "%d years (1st plural)",
-        "%d years (2nd plural)",
-        "%d years (3rd plural)"
+        "%d yıl",
+        "%d yıl",
+        "%d yıl",
+        "%d yıl"
     ],
-    "Never": "Never",
+    "Never": "Asla",
     "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.": "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.",
     "This document will expire in %d seconds.": [
-        "This document will expire in %d second. (singular)",
-        "This document will expire in %d seconds. (1st plural)",
-        "This document will expire in %d seconds. (2nd plural)",
-        "This document will expire in %d seconds. (3rd plural)"
+        "Bu belge %s saniyede silinecektir.",
+        "Bu belge %s saniyede silinecektir.",
+        "Bu belge %s saniyede silinecektir.",
+        "Bu belge %s saniyede silinecektir."
     ],
     "This document will expire in %d minutes.": [
-        "This document will expire in %d minute. (singular)",
-        "This document will expire in %d minutes. (1st plural)",
-        "This document will expire in %d minutes. (2nd plural)",
-        "This document will expire in %d minutes. (3rd plural)"
+        "Bu belge %s dakikada silinecektir.",
+        "Bu belge %s dakikada silinecektir.",
+        "Bu belge %s dakikada silinecektir.",
+        "Bu belge %s dakikada silinecektir."
     ],
     "This document will expire in %d hours.": [
-        "This document will expire in %d hour. (singular)",
-        "This document will expire in %d hours. (1st plural)",
-        "This document will expire in %d hours. (2nd plural)",
-        "This document will expire in %d hours. (3rd plural)"
+        "Bu belge %s saatte silinecektir.",
+        "Bu belge %s saatte silinecektir.",
+        "Bu belge %s saatte silinecektir.",
+        "Bu belge %s saatte silinecektir.."
     ],
     "This document will expire in %d days.": [
-        "This document will expire in %d day. (singular)",
-        "This document will expire in %d days. (1st plural)",
-        "This document will expire in %d days. (2nd plural)",
-        "This document will expire in %d days. (3rd plural)"
+        "Bu belge %s günde silinecektir.",
+        "Bu belge %s günde silinecektir.",
+        "Bu belge %s günde silinecektir.",
+        "Bu belge %s günde silinecektir.(3rd plural)"
     ],
     "This document will expire in %d months.": [
-        "This document will expire in %d month. (singular)",
-        "This document will expire in %d months. (1st plural)",
-        "This document will expire in %d months. (2nd plural)",
-        "This document will expire in %d months. (3rd plural)"
+        "Bu belge %s ayda silinecektir.",
+        "Bu belge %s ayda silinecektir",
+        "Bu belge %s ayda silinecektir",
+        "Bu belge %s ayda silinecektir"
     ],
-    "Please enter the password for this paste:": "Please enter the password for this paste:",
-    "Could not decrypt data (Wrong key?)": "Could not decrypt data (Wrong key?)",
-    "Could not delete the paste, it was not stored in burn after reading mode.": "Could not delete the paste, it was not stored in burn after reading mode.",
-    "FOR YOUR EYES ONLY. Don't close this window, this message can't be displayed again.": "FOR YOUR EYES ONLY. Don't close this window, this message can't be displayed again.",
-    "Could not decrypt comment; Wrong key?": "Could not decrypt comment; Wrong key?",
+    "Please enter the password for this paste:": "Lütfen bu yazı için şifrenizi girin:",
+    "Could not decrypt data (Wrong key?)": "Şifre çözülemedi (Yanlış anahtar mı kullandınız?)",
+    "Could not delete the paste, it was not stored in burn after reading mode.": "Yazı silinemedi, okunduktan sonra silinmek için ayarlanmadı.",
+    "FOR YOUR EYES ONLY. Don't close this window, this message can't be displayed again.": "BU DOSYAYI SADECE SİZ GÖRÜNTÜLEYEBİLİRSİNİZ. Bu pencereyi kapatmayın, yazıyı tekrar görüntüleyemeyeceksiniz.",
+    "Could not decrypt comment; Wrong key?": "Dosya şifresi çözülemedi, doğru anahtarı girdiğinizden emin misiniz?",
     "Reply": "Cevapla",
     "Anonymous": "Anonim",
-    "Avatar generated from IP address": "Avatar generated from IP address",
+    "Avatar generated from IP address": "IP adresinden oluşturulmuş avatar",
     "Add comment": "Yorum ekle",
-    "Optional nickname…": "Optional nickname…",
+    "Optional nickname…": "İsteğe bağlı takma isim...",
     "Post comment": "Yorumu gönder",
-    "Sending comment…": "Sending comment…",
+    "Sending comment…": "Yorum gönderiliyor...",
     "Comment posted.": "Yorum gönderildi.",
-    "Could not refresh display: %s": "Could not refresh display: %s",
-    "unknown status": "unknown status",
-    "server error or not responding": "server error or not responding",
-    "Could not post comment: %s": "Could not post comment: %s",
-    "Sending paste…": "Sending paste…",
-    "Your paste is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit [Ctrl]+[c] to copy)</span>": "Your paste is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit [Ctrl]+[c] to copy)</span>",
+    "Could not refresh display: %s": "Görüntü yenilenemedi: %s",
+    "unknown status": "bilinmeyen durum",
+    "server error or not responding": "sunucu hatası veya yanıt vermiyor",
+    "Could not post comment: %s": "Yorum paylaşılamadı: %s",
+    "Sending paste…": "Yazı gönderiliyor…",
+    "Your paste is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit [Ctrl]+[c] to copy)</span>": "Yazınız: <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">([Ctrl]+[c] tuşlarına basarak kopyalayın.)</span>",
     "Delete data": "Veriyi sil",
-    "Could not create paste: %s": "Could not create paste: %s",
-    "Cannot decrypt paste: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Cannot decrypt paste: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)",
+    "Could not create paste: %s": "Yazı oluşturulamadı: %s",
+    "Cannot decrypt paste: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Yazı şifresi çözülemedi, çözme anahtarı URL'de bulunamadı. (Buraya bir yönlendirici veya URL kısaltıcı kullanarak gelmiş olabilirsiniz.)",
     "B": "B",
     "KiB": "KiB",
     "MiB": "MiB",
@@ -140,50 +140,51 @@
     "ZiB": "ZiB",
     "YiB": "YiB",
     "Format": "Format",
-    "Plain Text": "Plain Text",
-    "Source Code": "Source Code",
+    "Plain Text": "Düz Yazı",
+    "Source Code": "Kaynak Kodu",
     "Markdown": "Markdown",
-    "Download attachment": "Download attachment",
-    "Cloned: '%s'": "Cloned: '%s'",
-    "The cloned file '%s' was attached to this paste.": "The cloned file '%s' was attached to this paste.",
-    "Attach a file": "Attach a file",
-    "alternatively drag & drop a file or paste an image from the clipboard": "alternatively drag & drop a file or paste an image from the clipboard",
-    "File too large, to display a preview. Please download the attachment.": "File too large, to display a preview. Please download the attachment.",
-    "Remove attachment": "Remove attachment",
-    "Your browser does not support uploading encrypted files. Please use a newer browser.": "Your browser does not support uploading encrypted files. Please use a newer browser.",
-    "Invalid attachment.": "Invalid attachment.",
-    "Options": "Options",
-    "Shorten URL": "Shorten URL",
-    "Editor": "Editor",
+    "Download attachment": "Eki indir",
+    "Cloned: '%s'": "Klonlandı: '%s'",
+    "The cloned file '%s' was attached to this paste.": "Klonlanmış dosya '%s' bu yazıya eklendi.",
+    "Attach a file": "Dosya ekle",
+    "alternatively drag & drop a file or paste an image from the clipboard": "alternatif olarak dosyasyı yapıştırabilir veya sürükleyip bırakabilirsin.z",
+    "File too large, to display a preview. Please download the attachment.": "Dosya önizleme için çok büyük. Lütfen eki indirin.",
+    "Remove attachment": "Eki sil",
+    "Your browser does not support uploading encrypted files. Please use a newer browser.": "Tarayıcınız şifreli dosyaları desteklemiyor.",
+    "Invalid attachment.": "Geçersiz ek.",
+    "Options": "Seçenekler",
+    "Shorten URL": "URL kısaltma",
+    "Editor": "Düzenleyici",
     "Preview": "Ön izleme",
     "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.": "%s requires the PATH to end in a \"%s\". Please update the PATH in your index.php.",
-    "Decrypt": "Decrypt",
+    "Decrypt": "Şifreyi çöz",
     "Enter password": "Şifreyi girin",
     "Loading…": "Yükleniyor…",
-    "Decrypting paste…": "Decrypting paste…",
-    "Preparing new paste…": "Preparing new paste…",
+    "Decrypting paste…": "Yazı şifresi çözülüyor...",
+    "Preparing new paste…": "Yeni yazı hazırlanıyor...",
     "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.": "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.",
     "+++ no paste text +++": "+++ no paste text +++",
-    "Could not get paste data: %s": "Could not get paste data: %s",
+    "Could not get paste data: %s": "Yazı verisi alınamıyor: %s",
     "QR code": "QR kodu",
     "This website is using an insecure HTTP connection! Please use it only for testing.": "This website is using an insecure HTTP connection! Please use it only for testing.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.": "For more information <a href=\"%s\">see this FAQ entry</a>.",
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.": "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.",
     "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.": "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.",
     "waiting on user to provide a password": "waiting on user to provide a password",
-    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.": "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.": "Dosya şifresi çözülemedi, doğru şifreyi kullandığınıza emin misiniz? Üstteki buton ile tekrar deneyin.",
     "Retry": "Yeniden Dene",
-    "Showing raw text…": "Showing raw text…",
+    "Showing raw text…": "Açık yazı gösteriliyor...",
     "Notice:": "Bildirim:",
-    "This link will expire after %s.": "This link will expire after %s.",
-    "This link can only be accessed once, do not use back or refresh button in your browser.": "This link can only be accessed once, do not use back or refresh button in your browser.",
+    "This link will expire after %s.": "Bu bağlantı şu kadar zaman sonra etkisiz kalacaktır: %s.",
+    "This link can only be accessed once, do not use back or refresh button in your browser.": "Bu bağlantı sadece bir kere erişilebilir, lütfen sayfayı yenilemeyiniz.",
     "Link:": "Bağlantı:",
-    "Recipient may become aware of your timezone, convert time to UTC?": "Recipient may become aware of your timezone, convert time to UTC?",
-    "Use Current Timezone": "Use Current Timezone",
-    "Convert To UTC": "Convert To UTC",
+    "Recipient may become aware of your timezone, convert time to UTC?": "Alıcı zaman dilmini öğrenebilir, zaman dilimini UTC'ye çevirmek ister misin?",
+    "Use Current Timezone": "Şuanki zaman dilimini kullan",
+    "Convert To UTC": "UTC zaman dilimine çevir",
     "Close": "Kapat",
-    "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
-    "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
-    "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Encrypted note on PrivateBin": "PrivateBin üzerinde şifrelenmiş not",
+    "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Notu görmek için bu bağlantıyı ziyaret et. Bağlantıya sahip olan birisi notu görebilir.",
+    "URL shortener may expose your decrypt key in URL.": "URL kısaltıcı şifreleme anahtarınızı URL içerisinde gösterebilir.",
+    "Save paste": "Yazıyı kaydet",
+    "Your IP is not authorized to create pastes.": "IP adresinizin yazı oluşturmaya yetkisi yoktur."
 }

i18n/uk.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "Encrypted note on PrivateBin",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.",
     "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "Save paste": "Save paste"
+    "Save paste": "Save paste",
+    "Your IP is not authorized to create pastes.": "Your IP is not authorized to create pastes."
 }

i18n/zh.json

@@ -185,5 +185,6 @@
     "Encrypted note on PrivateBin": "PrivateBin 上的加密笔记",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "访问此链接来查看该笔记。将此 URL 发送给任何人即可允许其访问该笔记。",
     "URL shortener may expose your decrypt key in URL.": "短链接服务可能会暴露您在 URL 中的解密密钥。",
-    "Save paste": "保存内容"
+    "Save paste": "保存内容",
+    "Your IP is not authorized to create pastes.": "您的 IP 无权创建粘贴。"
 }

index.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 // change this, if your php files and data is outside of your webservers document root

js/common.js

@@ -12,11 +12,11 @@ global.WebCrypto = require('@peculiar/webcrypto').Crypto;
 // application libraries to test
 global.$ = global.jQuery = require('./jquery-3.6.0');
 global.RawDeflate = require('./rawinflate-0.3').RawDeflate;
-global.zlib = require('./zlib-1.2.11').zlib;
+global.zlib = require('./zlib-1.2.12').zlib;
 require('./prettify');
 global.prettyPrint = window.PR.prettyPrint;
 global.prettyPrintOne = window.PR.prettyPrintOne;
-global.showdown = require('./showdown-2.0.0');
+global.showdown = require('./showdown-2.0.3');
 global.DOMPurify = require('./purify-2.3.6');
 global.baseX = require('./base-x-4.0.0').baseX;
 global.Legacy = require('./legacy').Legacy;

js/package.json

@@ -1,6 +1,6 @@
 {
   "name": "privatebin",
-  "version": "1.3.5",
+  "version": "1.4.0",
   "description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode (GCM).",
   "main": "privatebin.js",
   "directories": {

js/privatebin.js

@@ -6,7 +6,7 @@
  * @see       {@link https://github.com/PrivateBin/PrivateBin}
  * @copyright 2012 Sébastien SAUVAGE ({@link http://sebsauvage.net})
  * @license   {@link https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License}
- * @version   1.3.5
+ * @version   1.4.0
  * @name      PrivateBin
  * @namespace
  */
@@ -52,6 +52,31 @@ jQuery.PrivateBin = (function($, RawDeflate) {
      */
     let z;
 
+    /**
+     * DOMpurify settings for HTML content
+     *
+     * @private
+     */
+     const purifyHtmlConfig = {
+        ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|magnet):)/i,
+        SAFE_FOR_JQUERY: true,
+        USE_PROFILES: {
+            html: true
+        }
+    };
+
+    /**
+     * DOMpurify settings for SVG content
+     *
+     * @private
+     */
+     const purifySvgConfig = {
+        USE_PROFILES: {
+            svg: true,
+            svgFilters: true
+        }
+    };
+
     /**
      * CryptoData class
      *
@@ -409,7 +434,8 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                     element.html().replace(
                         /(((https?|ftp):\/\/[\w?!=&.\/-;#@~%+*-]+(?![\w\s?!&.\/;#~%"=-]>))|((magnet):[\w?=&.\/-;#@~%+*-]+))/ig,
                         '<a href="$1" rel="nofollow noopener noreferrer">$1</a>'
-                    )
+                    ),
+                    purifyHtmlConfig
                 )
             );
         };
@@ -601,7 +627,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          * @prop   {string[]}
          * @readonly
          */
-        const supportedLanguages = ['bg', 'ca', 'cs', 'de', 'es', 'et', 'fr', 'he', 'hu', 'id', 'it', 'jbo', 'lt', 'no', 'nl', 'pl', 'pt', 'oc', 'ru', 'sl', 'uk', 'zh'];
+        const supportedLanguages = ['bg', 'ca', 'co', 'cs', 'de', 'es', 'et', 'fi', 'fr', 'he', 'hu', 'id', 'it', 'jbo', 'lt', 'no', 'nl', 'pl', 'pt', 'oc', 'ru', 'sl', 'tr', 'uk', 'zh'];
 
         /**
          * built in language
@@ -767,7 +793,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         /**
          * per language functions to use to determine the plural form
          *
-         * @see    {@link https://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html}
+         * @see    {@link https://docs.translatehouse.org/projects/localization-guide/en/latest/l10n/pluralforms.html}
          * @name   I18n.getPluralForm
          * @function
          * @param  {int} n
@@ -778,8 +804,10 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             {
                 case 'cs':
                     return n === 1 ? 0 : (n >= 2 && n <=4 ? 1 : 2);
+                case 'co':
                 case 'fr':
                 case 'oc':
+                case 'tr':
                 case 'zh':
                     return n > 1 ? 1 : 0;
                 case 'he':
@@ -796,7 +824,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                     return n % 10 === 1 && n % 100 !== 11 ? 0 : (n % 10 >= 2 && n % 10 <= 4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2);
                 case 'sl':
                     return n % 100 === 1 ? 1 : (n % 100 === 2 ? 2 : (n % 100 === 3 || n % 100 === 4 ? 3 : 0));
-                // bg, ca, de, en, es, et, hu, it, nl, no, pt
+                // bg, ca, de, en, es, et, fi, hu, it, nl, no, pt
                 default:
                     return n !== 1 ? 1 : 0;
             }
@@ -2535,7 +2563,8 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                 // let showdown convert the HTML and sanitize HTML *afterwards*!
                 $plainText.html(
                     DOMPurify.sanitize(
-                        converter.makeHtml(text)
+                        converter.makeHtml(text),
+                        purifyHtmlConfig
                     )
                 );
                 // add table classes from bootstrap css
@@ -2751,6 +2780,34 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             $dropzone;
 
         /**
+         * get blob URL from string data and mime type
+         *
+         * @name   AttachmentViewer.getBlobUrl
+         * @private
+         * @function
+         * @param {string} data - raw data of attachment
+         * @param {string} data - mime type of attachment
+         * @return {string} objectURL
+         */
+         function getBlobUrl(data, mimeType)
+         {
+            // Transform into a Blob
+            const buf = new Uint8Array(data.length);
+            for (let i = 0; i < data.length; ++i) {
+                buf[i] = data.charCodeAt(i);
+            }
+            const blob = new window.Blob(
+                [buf],
+                {
+                    type: mimeType
+                }
+            );
+
+            // Get blob URL
+            return window.URL.createObjectURL(blob);
+         }
+
+         /**
          * sets the attachment but does not yet show it
          *
          * @name   AttachmentViewer.setAttachment
@@ -2760,44 +2817,42 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         me.setAttachment = function(attachmentData, fileName)
         {
-            // data URI format: data:[<mediaType>][;base64],<data>
+            // skip, if attachments got disabled
+            if (!$attachmentLink || !$attachmentPreview) return;
+
+            // data URI format: data:[<mimeType>][;base64],<data>
 
             // position in data URI string of where data begins
             const base64Start = attachmentData.indexOf(',') + 1;
-            // position in data URI string of where mediaType ends
-            const mediaTypeEnd = attachmentData.indexOf(';');
+            // position in data URI string of where mimeType ends
+            const mimeTypeEnd = attachmentData.indexOf(';');
 
-            // extract mediaType
-            const mediaType = attachmentData.substring(5, mediaTypeEnd);
+            // extract mimeType
+            const mimeType = attachmentData.substring(5, mimeTypeEnd);
             // extract data and convert to binary
             const rawData = attachmentData.substring(base64Start);
             const decodedData = rawData.length > 0 ? atob(rawData) : '';
 
-            // Transform into a Blob
-            const buf = new Uint8Array(decodedData.length);
-            for (let i = 0; i < decodedData.length; ++i) {
-                buf[i] = decodedData.charCodeAt(i);
-            }
-            const blob = new window.Blob([ buf ], { type: mediaType });
-
-            // Get Blob URL
-            const blobUrl = window.URL.createObjectURL(blob);
-
-            // IE does not support setting a data URI on an a element
-            // Using msSaveBlob to download
-            if (window.Blob && navigator.msSaveBlob) {
-                $attachmentLink.off('click').on('click', function () {
-                    navigator.msSaveBlob(blob, fileName);
-                });
-            } else {
-                $attachmentLink.attr('href', blobUrl);
-            }
+            let blobUrl = getBlobUrl(decodedData, mimeType);
+            $attachmentLink.attr('href', blobUrl);
 
             if (typeof fileName !== 'undefined') {
                 $attachmentLink.attr('download', fileName);
             }
 
-            me.handleBlobAttachmentPreview($attachmentPreview, blobUrl, mediaType);
+            // sanitize SVG preview
+            // prevents executing embedded scripts when CSP is not set and user
+            // right-clicks/long-taps and opens the SVG in a new tab - prevented
+            // in the preview by use of an img tag, which disables scripts, too
+            if (mimeType.match(/^image\/.*svg/i)) {
+                const sanitizedData = DOMPurify.sanitize(
+                    decodedData,
+                    purifySvgConfig
+                );
+                blobUrl = getBlobUrl(sanitizedData, mimeType);
+            }
+
+            me.handleBlobAttachmentPreview($attachmentPreview, blobUrl, mimeType);
         };
 
         /**
@@ -2808,6 +2863,9 @@ jQuery.PrivateBin = (function($, RawDeflate) {
          */
         me.showAttachment = function()
         {
+            // skip, if attachments got disabled
+            if (!$attachment || !$attachmentPreview) return;
+
             $attachment.removeClass('hidden');
 
             if (attachmentHasPreview) {
@@ -3015,13 +3073,13 @@ jQuery.PrivateBin = (function($, RawDeflate) {
         me.handleBlobAttachmentPreview = function ($targetElement, blobUrl, mimeType) {
             if (blobUrl) {
                 attachmentHasPreview = true;
-                if (mimeType.match(/image\//i)) {
+                if (mimeType.match(/^image\//i)) {
                     $targetElement.html(
                         $(document.createElement('img'))
                             .attr('src', blobUrl)
                             .attr('class', 'img-thumbnail')
                     );
-                } else if (mimeType.match(/video\//i)) {
+                } else if (mimeType.match(/^video\//i)) {
                     $targetElement.html(
                         $(document.createElement('video'))
                             .attr('controls', 'true')
@@ -3032,7 +3090,7 @@ jQuery.PrivateBin = (function($, RawDeflate) {
                             .attr('type', mimeType)
                             .attr('src', blobUrl))
                     );
-                } else if (mimeType.match(/audio\//i)) {
+                } else if (mimeType.match(/^audio\//i)) {
                     $targetElement.html(
                         $(document.createElement('audio'))
                             .attr('controls', 'true')
@@ -3664,7 +3722,14 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             for (let i = 0; i < $head.length; ++i) {
                 newDoc.write($head[i].outerHTML);
             }
-            newDoc.write('</head><body><pre>' + DOMPurify.sanitize(Helper.htmlEntities(paste)) + '</pre></body></html>');
+            newDoc.write(
+                '</head><body><pre>' +
+                DOMPurify.sanitize(
+                    Helper.htmlEntities(paste),
+                    purifyHtmlConfig
+                ) +
+                '</pre></body></html>'
+            );
             newDoc.close();
         }
 
@@ -5393,11 +5458,6 @@ jQuery.PrivateBin = (function($, RawDeflate) {
             // first load translations
             I18n.loadTranslations();
 
-            DOMPurify.setConfig({
-                ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|magnet):)/i,
-                SAFE_FOR_JQUERY: true
-            });
-
             // Add a hook to make all links open a new window
             DOMPurify.addHook('afterSanitizeAttributes', function(node) {
                 // set all elements owning target to target=_blank

js/zlib-1.2.12.js

@@ -26,9 +26,9 @@
 
         let buff;
         if (typeof fetch === 'undefined') {
-            buff = fs.readFileSync('zlib-1.2.11.wasm');
+            buff = fs.readFileSync('zlib-1.2.12.wasm');
         } else {
-            const resp = await fetch('js/zlib-1.2.11.wasm');
+            const resp = await fetch('js/zlib-1.2.12.wasm');
             buff = await resp.arrayBuffer();
         }
         const module = await WebAssembly.compile(buff);

lib/Configuration.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;
@@ -54,7 +54,7 @@ class Configuration
             'urlshortener'             => '',
             'qrcode'                   => true,
             'icon'                     => 'identicon',
-            'cspheader'                => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; frame-ancestors \'none\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+            'cspheader'                => 'default-src \'none\'; base-uri \'self\'; form-action \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\'; style-src \'self\'; font-src \'self\'; frame-ancestors \'none\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
             'zerobincompatibility'     => false,
             'httpwarning'              => true,
             'compression'              => 'zlib',
@@ -78,9 +78,10 @@ class Configuration
             'markdown'           => 'Markdown',
         ),
         'traffic' => array(
-            'limit'      => 10,
-            'header'     => null,
-            'exemptedIp' => null,
+            'limit'     => 10,
+            'header'    => '',
+            'exempted'  => '',
+            'creators'  => '',
         ),
         'purge' => array(
             'limit'     => 300,

lib/Controller.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;
@@ -28,7 +28,7 @@ class Controller
      *
      * @const string
      */
-    const VERSION = '1.3.5';
+    const VERSION = '1.4.0';
 
     /**
      * minimal required PHP version
@@ -199,13 +199,10 @@ class Controller
         ServerSalt::setStore($this->_model->getStore());
         TrafficLimiter::setConfiguration($this->_conf);
         TrafficLimiter::setStore($this->_model->getStore());
-        if (!TrafficLimiter::canPass()) {
-            $this->_return_message(
-                1, I18n::_(
-                    'Please wait %d seconds between each post.',
-                    $this->_conf->getKey('limit', 'traffic')
-                )
-            );
+        try {
+            TrafficLimiter::canPass();
+        } catch (Exception $e) {
+            $this->_return_message(1, $e->getMessage());
             return;
         }
 
@@ -345,7 +342,7 @@ class Controller
         header('Cross-Origin-Resource-Policy: same-origin');
         header('Cross-Origin-Embedder-Policy: require-corp');
         header('Cross-Origin-Opener-Policy: same-origin');
-        header('Permissions-Policy: interest-cohort=()');
+        header('Permissions-Policy: browsing-topics=()');
         header('Referrer-Policy: no-referrer');
         header('X-Content-Type-Options: nosniff');
         header('X-Frame-Options: deny');
@@ -367,6 +364,16 @@ class Controller
             setcookie('lang', $languageselection, 0, '', '', true);
         }
 
+        // strip policies that are unsupported in meta tag
+        $metacspheader = str_replace(
+            array(
+                'frame-ancestors \'none\'; ',
+                '; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+            ),
+            '',
+            $this->_conf->getKey('cspheader')
+        );
+
         $page = new View;
         $page->assign('NAME', $this->_conf->getKey('name'));
         $page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
@@ -395,6 +402,7 @@ class Controller
         $page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
         $page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
         $page->assign('COMPRESSION', $this->_conf->getKey('compression'));
+        $page->assign('CSPHEADER', $metacspheader);
         $page->draw($this->_conf->getKey('template'));
     }
 

lib/Data/AbstractData.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Data;

lib/Data/Database.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Data;
@@ -100,7 +100,7 @@ class Database extends AbstractData
             // MySQL uses backticks to quote identifiers by default,
             // tell it to expect ANSI SQL double quotes
             if (self::$_type === 'mysql' && defined('PDO::MYSQL_ATTR_INIT_COMMAND')) {
-                $options['opt'][PDO::MYSQL_ATTR_INIT_COMMAND] = "SET sql_mode='ANSI_QUOTES'";
+                $options['opt'][PDO::MYSQL_ATTR_INIT_COMMAND] = "SET SESSION sql_mode='ANSI_QUOTES'";
             }
             $tableQuery = self::_getTableQuery(self::$_type);
             self::$_db  = new PDO(

lib/Data/Filesystem.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Data;

lib/Filter.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;

lib/FormatV2.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;

lib/I18n.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;
@@ -305,7 +305,7 @@ class I18n
     /**
      * determines the plural form to use based on current language and given number
      *
-     * From: https://localization-guide.readthedocs.org/en/latest/l10n/pluralforms.html
+     * From: https://docs.translatehouse.org/projects/localization-guide/en/latest/l10n/pluralforms.html
      *
      * @access protected
      * @static
@@ -317,8 +317,10 @@ class I18n
         switch (self::$_language) {
             case 'cs':
                 return $n == 1 ? 0 : ($n >= 2 && $n <= 4 ? 1 : 2);
+            case 'co':
             case 'fr':
             case 'oc':
+            case 'tr':
             case 'zh':
                 return $n > 1 ? 1 : 0;
             case 'he':
@@ -335,7 +337,7 @@ class I18n
                 return $n % 10 == 1 && $n % 100 != 11 ? 0 : ($n % 10 >= 2 && $n % 10 <= 4 && ($n % 100 < 10 || $n % 100 >= 20) ? 1 : 2);
             case 'sl':
                 return $n % 100 == 1 ? 1 : ($n % 100 == 2 ? 2 : ($n % 100 == 3 || $n % 100 == 4 ? 3 : 0));
-            // bg, ca, de, en, es, et, hu, it, nl, no, pt
+            // bg, ca, de, en, es, et, fi, hu, it, nl, no, pt
             default:
                 return $n != 1 ? 1 : 0;
         }

lib/Json.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;

lib/Model.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;

lib/Model/AbstractModel.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Model;

lib/Model/Comment.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Model;

lib/Model/Paste.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Model;

lib/Persistence/AbstractPersistence.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/PurgeLimiter.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/ServerSalt.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Persistence;

lib/Persistence/TrafficLimiter.php

@@ -8,13 +8,16 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin\Persistence;
 
+use Exception;
 use IPLib\Factory;
+use IPLib\ParseStringFlag;
 use PrivateBin\Configuration;
+use PrivateBin\I18n;
 
 /**
  * TrafficLimiter
@@ -24,22 +27,22 @@ use PrivateBin\Configuration;
 class TrafficLimiter extends AbstractPersistence
 {
     /**
-     * time limit in seconds, defaults to 10s
-     *
-     * @access private
-     * @static
-     * @var    int
-     */
-    private static $_limit = 10;
-
-    /**
-     * listed ips are exempted from limits, defaults to null
+     * listed IPs are the only ones allowed to create, defaults to null
      *
      * @access private
      * @static
      * @var    string|null
      */
-    private static $_exemptedIp = null;
+    private static $_creators = null;
+
+    /**
+     * listed IPs are exempted from limits, defaults to null
+     *
+     * @access private
+     * @static
+     * @var    string|null
+     */
+    private static $_exempted = null;
 
     /**
      * key to fetch IP address
@@ -51,28 +54,13 @@ class TrafficLimiter extends AbstractPersistence
     private static $_ipKey = 'REMOTE_ADDR';
 
     /**
-     * set the time limit in seconds
+     * time limit in seconds, defaults to 10s
      *
-     * @access public
+     * @access private
      * @static
-     * @param  int $limit
+     * @var    int
      */
-    public static function setLimit($limit)
-    {
-        self::$_limit = $limit;
-    }
-
-    /**
-     * set a list of ip(ranges) as string
-     *
-     * @access public
-     * @static
-     * @param string $exemptedIps
-     */
-    public static function setExemptedIp($exemptedIp)
-    {
-        self::$_exemptedIp = $exemptedIp;
-    }
+    private static $_limit = 10;
 
     /**
      * set configuration options of the traffic limiter
@@ -83,10 +71,11 @@ class TrafficLimiter extends AbstractPersistence
      */
     public static function setConfiguration(Configuration $conf)
     {
+        self::setCreators($conf->getKey('creators', 'traffic'));
+        self::setExempted($conf->getKey('exempted', 'traffic'));
         self::setLimit($conf->getKey('limit', 'traffic'));
-        self::setExemptedIp($conf->getKey('exemptedIp', 'traffic'));
 
-        if (($option = $conf->getKey('header', 'traffic')) !== null) {
+        if (($option = $conf->getKey('header', 'traffic')) !== '') {
             $httpHeader = 'HTTP_' . $option;
             if (array_key_exists($httpHeader, $_SERVER) && !empty($_SERVER[$httpHeader])) {
                 self::$_ipKey = $httpHeader;
@@ -94,6 +83,42 @@ class TrafficLimiter extends AbstractPersistence
         }
     }
 
+    /**
+     * set a list of creator IP(-ranges) as string
+     *
+     * @access public
+     * @static
+     * @param string $creators
+     */
+    public static function setCreators($creators)
+    {
+        self::$_creators = $creators;
+    }
+
+    /**
+     * set a list of exempted IP(-ranges) as string
+     *
+     * @access public
+     * @static
+     * @param string $exempted
+     */
+    public static function setExempted($exempted)
+    {
+        self::$_exempted = $exempted;
+    }
+
+    /**
+     * set the time limit in seconds
+     *
+     * @access public
+     * @static
+     * @param  int $limit
+     */
+    public static function setLimit($limit)
+    {
+        self::$_limit = $limit;
+    }
+
     /**
      * get a HMAC of the current visitors IP address
      *
@@ -108,7 +133,7 @@ class TrafficLimiter extends AbstractPersistence
     }
 
     /**
-     * Validate $_ipKey against configured ipranges. If matched we will ignore the ip
+     * validate $_ipKey against configured ipranges. If matched we will ignore the ip
      *
      * @access private
      * @static
@@ -120,8 +145,11 @@ class TrafficLimiter extends AbstractPersistence
         if (is_string($ipRange)) {
             $ipRange = trim($ipRange);
         }
-        $address = Factory::addressFromString($_SERVER[self::$_ipKey]);
-        $range   = Factory::rangeFromString($ipRange);
+        $address = Factory::parseAddressString($_SERVER[self::$_ipKey]);
+        $range   = Factory::parseRangeString(
+            $ipRange,
+            ParseStringFlag::IPV4_MAYBE_NON_DECIMAL | ParseStringFlag::IPV4SUBNET_MAYBE_COMPACT | ParseStringFlag::IPV4ADDRESS_MAYBE_NON_QUAD_DOTTED
+        );
 
         // address could not be parsed, we might not be in IP space and try a string comparison instead
         if (is_null($address)) {
@@ -136,24 +164,35 @@ class TrafficLimiter extends AbstractPersistence
     }
 
     /**
-     * traffic limiter
-     *
-     * Make sure the IP address makes at most 1 request every 10 seconds.
+     * make sure the IP address is allowed to perfom a request
      *
      * @access public
      * @static
-     * @return bool
+     * @throws Exception
+     * @return true
      */
     public static function canPass()
     {
+        // if creators are defined, the traffic limiter will only allow creation
+        // for these, with no limits, and skip any other rules
+        if (!empty(self::$_creators)) {
+            $creatorIps = explode(',', self::$_creators);
+            foreach ($creatorIps as $ipRange) {
+                if (self::matchIp($ipRange) === true) {
+                    return true;
+                }
+            }
+            throw new Exception(I18n::_('Your IP is not authorized to create pastes.'));
+        }
+
         // disable limits if set to less then 1
         if (self::$_limit < 1) {
             return true;
         }
 
-        // Check if $_ipKey is exempted from ratelimiting
-        if (!is_null(self::$_exemptedIp)) {
-            $exIp_array = explode(',', self::$_exemptedIp);
+        // check if $_ipKey is exempted from ratelimiting
+        if (!empty(self::$_exempted)) {
+            $exIp_array = explode(',', self::$_exempted);
             foreach ($exIp_array as $ipRange) {
                 if (self::matchIp($ipRange) === true) {
                     return true;
@@ -161,7 +200,7 @@ class TrafficLimiter extends AbstractPersistence
             }
         }
 
-        // this hash is used as an array key, hence a shorter algo is used
+        // used as array key, which are limited in length, hence using algo with shorter range
         $hash = self::getHash('sha256');
         $now  = time();
         $tl   = (int) self::$_store->getValue('traffic_limiter', $hash);
@@ -175,6 +214,12 @@ class TrafficLimiter extends AbstractPersistence
         if (!self::$_store->setValue((string) $tl, 'traffic_limiter', $hash)) {
             error_log('failed to store the traffic limiter, it probably contains outdated information');
         }
-        return $result;
+        if ($result) {
+            return true;
+        }
+        throw new Exception(I18n::_(
+            'Please wait %d seconds between each post.',
+            self::$_limit
+        ));
     }
 }

lib/Request.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;

lib/View.php

@@ -7,7 +7,7 @@
  * @link      https://github.com/PrivateBin/PrivateBin
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   1.3.5
+ * @version   1.4.0
  */
 
 namespace PrivateBin;

lib/Vizhash16x16.php

@@ -8,7 +8,7 @@
  * @link      http://sebsauvage.net/wiki/doku.php?id=php:vizhash_gd
  * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
  * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
- * @version   0.0.5 beta PrivateBin 1.3.5
+ * @version   0.0.5 beta PrivateBin 1.4.0
  */
 
 namespace PrivateBin;

tpl/bootstrap.php

@@ -7,6 +7,7 @@ $isPage = substr($template, -5) === '-page';
 <html lang="<?php echo I18n::_('en'); ?>">
 	<head>
 		<meta charset="utf-8" />
+		<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
 		<meta http-equiv="X-UA-Compatible" content="IE=edge">
 		<meta name="viewport" content="width=device-width, initial-scale=1">
 		<meta name="robots" content="noindex" />
@@ -54,7 +55,7 @@ if ($ZEROBINCOMPATIBILITY) :
 <?php
 endif;
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Yey/0yoaVmSbqMEyyff3DIu8kCPwpHvHf7tY1AuZ1lrX9NPCMg87PwzngMi+VNbe4ilCApmePeuKT869RTcyCQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.12.js" integrity="sha512-Ewve1dyEW/Vf97OY91/aWqMx9NaaUK5d8Z6JB1RR5gFXtMhse/Ya7D/5CE/UrQTwOWqmkvn97JjP4YDUrmq/yA==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/base-x-4.0.0.js" integrity="sha512-nNPg5IGCwwrveZ8cA/yMGr5HiRS5Ps2H+s0J/mKTPjCPWUgFGGw7M5nqdnPD3VsRwCVysUh3Y8OWjeSKGkEQJQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/rawinflate-0.3.js" integrity="sha512-g8uelGgJW9A/Z1tB6Izxab++oj5kdD7B4qC7DHwZkB6DGMXKyzx7v5mvap2HXueI2IIn08YlRYM56jwWdm2ucQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/bootstrap-3.4.1.js" integrity="sha512-oBTprMeNEKCnqfuqKd6sbvFzmFQtlXS3e0C/RGFV0hD6QzhHV+ODfaQbAlmY6/q0ubbwlAM/nCJjkrgA3waLzg==" crossorigin="anonymous"></script>
@@ -66,13 +67,13 @@ if ($SYNTAXHIGHLIGHTING) :
 endif;
 if ($MARKDOWN) :
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/showdown-2.0.0.js" integrity="sha512-UB9jpMTOJLSnVzePuqlSGT34G70wEGqtIWabMeAh+Drnj4/uQ8rFkFn1zkN9vkWp/7nA51U2LmP23H5MJvBXsw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/showdown-2.0.3.js" integrity="sha512-vcfjvW3UKHD/4vlQx804cqWK88jFmjsWRsZ8/u5YEcyHB1IituxrXDU7TvdqsFVsMnxpE/UIEo25/SYW+puWHw==" crossorigin="anonymous"></script>
 <?php
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PTOcxIWIPWCnb5vC4fmQDMqYGerwsu3AndVyPxn9NlQffIWYMPf/p28Z9SIygXsmcYjmTRmUiW5y7df63mNTfg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-CbXFfxyGfdXnwMumt2sMdPs/Pxnk3Ahkpw8JulqRIGYZPq7O/hM0YT/xjHG9IcaigdKC0aL42uzlxoBXLI11gw==" crossorigin="anonymous"></script>
 		<!-- icon -->
 		<link rel="apple-touch-icon" href="<?php echo I18n::encode($BASEPATH); ?>img/apple-touch-icon.png" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png" sizes="32x32" />

tpl/page.php

@@ -4,6 +4,7 @@ use PrivateBin\I18n;
 <html lang="<?php echo I18n::_('en'); ?>">
 	<head>
 		<meta charset="utf-8" />
+		<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
 		<meta name="robots" content="noindex" />
 		<meta name="google" content="notranslate">
 		<title><?php echo I18n::_($NAME); ?></title>
@@ -33,7 +34,7 @@ if ($ZEROBINCOMPATIBILITY):
 <?php
 endif;
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.11.js" integrity="sha512-Yey/0yoaVmSbqMEyyff3DIu8kCPwpHvHf7tY1AuZ1lrX9NPCMg87PwzngMi+VNbe4ilCApmePeuKT869RTcyCQ==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/zlib-1.2.12.js" integrity="sha512-Ewve1dyEW/Vf97OY91/aWqMx9NaaUK5d8Z6JB1RR5gFXtMhse/Ya7D/5CE/UrQTwOWqmkvn97JjP4YDUrmq/yA==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/base-x-4.0.0.js" integrity="sha512-nNPg5IGCwwrveZ8cA/yMGr5HiRS5Ps2H+s0J/mKTPjCPWUgFGGw7M5nqdnPD3VsRwCVysUh3Y8OWjeSKGkEQJQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/rawinflate-0.3.js" integrity="sha512-g8uelGgJW9A/Z1tB6Izxab++oj5kdD7B4qC7DHwZkB6DGMXKyzx7v5mvap2HXueI2IIn08YlRYM56jwWdm2ucQ==" crossorigin="anonymous"></script>
 <?php
@@ -44,13 +45,13 @@ if ($SYNTAXHIGHLIGHTING):
 endif;
 if ($MARKDOWN):
 ?>
-		<script type="text/javascript" data-cfasync="false" src="js/showdown-2.0.0.js" integrity="sha512-UB9jpMTOJLSnVzePuqlSGT34G70wEGqtIWabMeAh+Drnj4/uQ8rFkFn1zkN9vkWp/7nA51U2LmP23H5MJvBXsw==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/showdown-2.0.3.js" integrity="sha512-vcfjvW3UKHD/4vlQx804cqWK88jFmjsWRsZ8/u5YEcyHB1IituxrXDU7TvdqsFVsMnxpE/UIEo25/SYW+puWHw==" crossorigin="anonymous"></script>
 <?php
 endif;
 ?>
 		<script type="text/javascript" data-cfasync="false" src="js/purify-2.3.6.js" integrity="sha512-N1GGPjbqLbwK821ZN7C925WuTwU4aDxz2CEEOXQ6/s6m6MBwVj8fh5fugiE2hzsm0xud3q7jpjZQ4ILnpMREYQ==" crossorigin="anonymous"></script>
 		<script type="text/javascript" data-cfasync="false" src="js/legacy.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-LYos+qXHIRqFf5ZPNphvtTB0cgzHUizu2wwcOwcwz/VIpRv9lpcBgPYz4uq6jx0INwCAj6Fbnl5HoKiLufS2jg==" crossorigin="anonymous"></script>
-		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-PTOcxIWIPWCnb5vC4fmQDMqYGerwsu3AndVyPxn9NlQffIWYMPf/p28Z9SIygXsmcYjmTRmUiW5y7df63mNTfg==" crossorigin="anonymous"></script>
+		<script type="text/javascript" data-cfasync="false" src="js/privatebin.js?<?php echo rawurlencode($VERSION); ?>" integrity="sha512-CbXFfxyGfdXnwMumt2sMdPs/Pxnk3Ahkpw8JulqRIGYZPq7O/hM0YT/xjHG9IcaigdKC0aL42uzlxoBXLI11gw==" crossorigin="anonymous"></script>
 		<!-- icon -->
 		<link rel="apple-touch-icon" href="img/apple-touch-icon.png?<?php echo rawurlencode($VERSION); ?>" sizes="180x180" />
 		<link rel="icon" type="image/png" href="img/favicon-32x32.png?<?php echo rawurlencode($VERSION); ?>" sizes="32x32" />

tst/Persistence/TrafficLimiterTest.php

@@ -39,27 +39,74 @@ class TrafficLimiterTest extends TestCase
         $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
         $this->assertTrue(TrafficLimiter::canPass(), 'first request may pass');
         sleep(1);
-        $this->assertFalse(TrafficLimiter::canPass(), 'second request is to fast, may not pass');
+        try {
+            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
+        } catch (Exception $e) {
+            $this->assertEquals($e->getMessage(), 'Please wait 4 seconds between each post.', 'second request is to fast, may not pass');
+        }
         sleep(4);
         $this->assertTrue(TrafficLimiter::canPass(), 'third request waited long enough and may pass');
         $_SERVER['REMOTE_ADDR'] = '2001:1620:2057:dead:beef::cafe:babe';
         $this->assertTrue(TrafficLimiter::canPass(), 'fourth request has different ip and may pass');
         $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
-        $this->assertFalse(TrafficLimiter::canPass(), 'fifth request is to fast, may not pass');
+        try {
+            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
+        } catch (Exception $e) {
+            $this->assertEquals($e->getMessage(), 'Please wait 4 seconds between each post.', 'fifth request is to fast, may not pass');
+        }
+    }
 
-        // exempted IPs configuration
-        TrafficLimiter::setExemptedIp('1.2.3.4,10.10.10.0/24,2001:1620:2057::/48');
-        $this->assertFalse(TrafficLimiter::canPass(), 'still too fast and not exempted');
+    public function testTrafficLimitExempted()
+    {
+        TrafficLimiter::setExempted('1.2.3.4,10.10.10/24,2001:1620:2057::/48');
+        $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
+        $this->assertTrue(TrafficLimiter::canPass(), 'first request may pass');
+        try {
+            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
+        } catch (Exception $e) {
+            $this->assertEquals($e->getMessage(), 'Please wait 4 seconds between each post.', 'not exempted');
+        }
         $_SERVER['REMOTE_ADDR'] = '10.10.10.10';
         $this->assertTrue(TrafficLimiter::canPass(), 'IPv4 in exempted range');
         $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but IPv4 in exempted range');
         $_SERVER['REMOTE_ADDR'] = '2001:1620:2057:dead:beef::cafe:babe';
         $this->assertTrue(TrafficLimiter::canPass(), 'IPv6 in exempted range');
         $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but IPv6 in exempted range');
-        TrafficLimiter::setExemptedIp('127.*,foobar');
-        $this->assertFalse(TrafficLimiter::canPass(), 'request is to fast, invalid range');
+        TrafficLimiter::setExempted('127.*,foobar');
+        $this->assertTrue(TrafficLimiter::canPass(), 'first cached request may pass');
+        try {
+            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
+        } catch (Exception $e) {
+            $this->assertEquals($e->getMessage(), 'Please wait 4 seconds between each post.', 'request is too fast, invalid range');
+        }
         $_SERVER['REMOTE_ADDR'] = 'foobar';
         $this->assertTrue(TrafficLimiter::canPass(), 'non-IP address');
-        $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but non-IP address matches exempted range');
+        $this->assertTrue(TrafficLimiter::canPass(), 'request is too fast, but non-IP address matches exempted range');
+    }
+
+    public function testTrafficLimitCreators()
+    {
+        TrafficLimiter::setCreators('1.2.3.4,10.10.10/24,2001:1620:2057::/48');
+        $_SERVER['REMOTE_ADDR'] = '127.0.0.1';
+        try {
+            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
+        } catch (Exception $e) {
+            $this->assertEquals($e->getMessage(), 'Your IP is not authorized to create pastes.', 'not a creator');
+        }
+        $_SERVER['REMOTE_ADDR'] = '10.10.10.10';
+        $this->assertTrue(TrafficLimiter::canPass(), 'IPv4 in creator range');
+        $this->assertTrue(TrafficLimiter::canPass(), 'request is too fast, but IPv4 in creator range');
+        $_SERVER['REMOTE_ADDR'] = '2001:1620:2057:dead:beef::cafe:babe';
+        $this->assertTrue(TrafficLimiter::canPass(), 'IPv6 in creator range');
+        $this->assertTrue(TrafficLimiter::canPass(), 'request is too fast, but IPv6 in creator range');
+        TrafficLimiter::setCreators('127.*,foobar');
+        try {
+            $this->assertFalse(TrafficLimiter::canPass(), 'expected an exception');
+        } catch (Exception $e) {
+            $this->assertEquals($e->getMessage(), 'Your IP is not authorized to create pastes.', 'request is to fast, not a creator');
+        }
+        $_SERVER['REMOTE_ADDR'] = 'foobar';
+        $this->assertTrue(TrafficLimiter::canPass(), 'non-IP address');
+        $this->assertTrue(TrafficLimiter::canPass(), 'request is to fast, but non-IP address matches creator');
     }
 }

tst/ViewTest.php

@@ -61,6 +61,7 @@ class ViewTest extends TestCase
         $page->assign('HTTPWARNING', true);
         $page->assign('HTTPSLINK', 'https://example.com/');
         $page->assign('COMPRESSION', 'zlib');
+        $page->assign('CSPHEADER', 'default-src \'none\'');
 
         $dir = dir(PATH . 'tpl');
         while (false !== ($file = $dir->read())) {