From ebc2d649c412afc0d82b1c3ad6a7990189d11289 Mon Sep 17 00:00:00 2001 From: rugk Date: Mon, 13 Jan 2020 19:56:15 +0100 Subject: [PATCH] [TEST] Try to disallow vulnerable cases --- js/privatebin.js | 3 +++ test.diff | 40 ++++++++++++++++++++++++++++++++++++++++ tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 4 files changed, 45 insertions(+), 2 deletions(-) create mode 100644 test.diff diff --git a/js/privatebin.js b/js/privatebin.js index c83d8ffb..5c0aeccb 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -620,6 +620,9 @@ jQuery.PrivateBin = (function($, RawDeflate) { // messageID may contain links, but only the first parameter, as that is from a trusted source (code or translation JSON files) let containsLinks = args[0].indexOf(' 0) { + throw new Error('security violation detected: do not concatenate links and untrusted data!'); + } // format string let output = Helper.sprintf.apply(this, args); diff --git a/test.diff b/test.diff new file mode 100644 index 00000000..97e384f2 --- /dev/null +++ b/test.diff @@ -0,0 +1,40 @@ +diff --git a/js/privatebin.js b/js/privatebin.js +index c83d8ff..5c0aecc 100644 +--- a/js/privatebin.js ++++ b/js/privatebin.js +@@ -620,6 +620,9 @@ jQuery.PrivateBin = (function($, RawDeflate) { + + // messageID may contain links, but only the first parameter, as that is from a trusted source (code or translation JSON files) + let containsLinks = args[0].indexOf(' 0) { ++ throw new Error('security violation detected: do not concatenate links and untrusted data!'); ++ } + + // format string + let output = Helper.sprintf.apply(this, args); +diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php +index 59c730e..0e949da 100644 +--- a/tpl/bootstrap.php ++++ b/tpl/bootstrap.php +@@ -72,7 +72,7 @@ endif; + ?> + + +- ++ + + + +diff --git a/tpl/page.php b/tpl/page.php +index 0f8df18..ff2d5f5 100644 +--- a/tpl/page.php ++++ b/tpl/page.php +@@ -50,7 +50,7 @@ endif; + ?> + + +- ++ + + + 
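Review bot: The new guard in the `@@ -620,6 +620,9 @@` hunk of js/privatebin.js throws a plain `Error` from inside the translation path, so a message that legitimately carries a link and a format argument now aborts rendering at runtime for every user rather than failing a test; the subject line marks this as a [TEST] change, but nothing in the hunk scopes the check to a test build. The condition line itself is mangled in this view (only `0) {` survives after the `indexOf('` context line), so I cannot confirm what exactly triggers it, but the visible `throw` is unconditional once entered. If the intent is a development-time assertion, say so at the throw site, e.g. `// development guard: link-bearing messageIDs must not be combined with untrusted sprintf arguments`, and consider a distinguishable error name (`err.name`) so callers can tell this check apart from other failures. The enclosing translate function starts and ends outside the hunk.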
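Review bot: The added file `test.diff` (40 lines, new file at the repository root) is a verbatim copy of this same patch — the js/privatebin.js hunk plus the tpl/bootstrap.php and tpl/page.php changes — rather than a test; no test runner executes a patch file, so it adds nothing to verification and reads like a scratch artifact committed by accident. I would drop it from the commit, or, if a regression check is wanted, express it as an actual test case in the JavaScript test suite instead of a `.diff`.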
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index 59c730e2..0e949da6 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -72,7 +72,7 @@ endif; ?> - + diff --git a/tpl/page.php b/tpl/page.php index 0f8df184..ff2d5f50 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -50,7 +50,7 @@ endif; ?> - +