ae486d651b
folding Persistance\PurgeLimiter into Data\Filesystem
2021-06-07 21:53:42 +02:00
55efc858b5
simplest implementation of kv support on gcs
2021-06-07 09:11:24 +02:00
7bdcc2ae15
conclude scaffolding of AbstractData key/value storage, missing implementation
2021-06-07 07:02:47 +02:00
1a7d0799c0
scaffolding interface for AbstractData key/value storage, folding Persistance\DataStore into Data\Filesystem
2021-06-07 06:53:15 +02:00
de8f40ac1a
kudos @StyleCI
2021-06-06 19:35:31 +02:00
c758eca0a4
removed automatic .ini configuration file migration, closes #808
2021-06-06 17:53:08 +02:00
2bc54caa07
fix never matched condition, kudos @ShiftLeftSecurity, found via #807
2021-06-05 10:33:01 +02:00
abb2b90e9b
make StyleCI happy
2021-06-05 05:52:13 +02:00
edb8e5e078
handle edge cases with file locking: file needs to exist before it can be locked, fixes #803
2021-06-05 05:48:17 +02:00
342270d6dd
added Google Cloud Storage support
2021-05-28 22:39:50 +02:00
b6460616ba
address Scrutinizer issues
2021-05-22 11:30:17 +02:00
91c8f9f23c
use namespaces
2021-05-22 11:02:54 +02:00
3dd01b1f70
testing IP exemption, handle corner cases found in testing
2021-05-22 10:59:47 +02:00
af5a14afc3
Optimized the canPass() functions
2021-05-19 09:01:45 +02:00
5812a6bb68
Optimized the canPass() functions
2021-05-19 08:47:35 +02:00
502bb5fa15
Put the ip-matching function in a private function
2021-05-06 12:18:44 +02:00
89bdc92451
Put the ip-matching function in a private function
2021-05-06 12:13:03 +02:00
63d6816c7c
Merge branch 'api-ip-exempt' of https://github.com/rodehoed/PrivateBin into api-ip-exempt
2021-05-05 08:43:32 +02:00
a806a6455e
QA
2021-05-04 11:20:24 +02:00
4296b43832
QA
2021-05-04 11:19:34 +02:00
c3ad4a4b4d
QA
2021-05-04 11:18:06 +02:00
805eb288d9
QA
2021-05-04 11:14:11 +02:00
b21efd8336
Code quality
2021-05-04 11:01:46 +02:00
7d82c82fd9
Make it possible to exempt ips from the rate-limiter
2021-05-04 10:29:25 +02:00
fcb6422663
re-adding CSP directive sandbox allow-forms, it is needed for the password input form to work on the JS side
2021-04-18 21:05:32 +02:00
3ca01024fd
feat: disallow form submission alltogether
...
Following the tests and HTTP Observatory, I think we can disable forms altogether.
Fixes https://github.com/PrivateBin/PrivateBin/issues/778
2021-04-18 14:16:39 +02:00
5809a7cfa7
feat: add form-action CSP restriction
...
This follows a suggestion from HTTP Observatory:
> Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs
Fixes #778
2021-04-18 14:14:46 +02:00
9b893f09d7
Merge branch 'master' into floc
2021-04-17 08:35:21 +02:00
7b7a32c0a7
apply StyleCI recommendation
2021-04-17 08:20:08 +02:00
fd7d05e862
Add base URL as default CSP restriction
...
This follows an [HTTP Observatory recommendation](https://observatory.mozilla.org/analyze/privatebin.net ):
> Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins.
Given we don't use that anywhere, this safe should be safe. (not tested practically though)
2021-04-16 22:04:28 +02:00
6f3bb25b09
disable Google FloC
2021-04-16 20:25:50 +02:00
1dc8b24665
transmit cookie only over HTTPS, fixes #472
2021-04-16 20:15:12 +02:00
9e6eb50ced
adding new security headers, fixes #765
2021-04-16 19:19:11 +02:00
175d14224e
set plurals for and credit Estonian translation
2021-04-16 18:27:12 +02:00
458ebcb321
incrementing version
2021-04-05 17:05:14 +02:00
da0896fe42
set plurals for and credit Catalan translation
2021-04-02 09:00:27 +02:00
5a9bcea3a9
set plurals for and credit Indonesian translation
2021-03-09 05:54:06 +01:00
b38ebc503e
plural rules and documenting newly added languages
2021-01-07 21:16:03 +01:00
bb6a44ce7a
remove double translation, avoid unsupported double quotes in INI file
2020-10-13 07:28:35 +02:00
eb32ea1419
Make it possible to change the info text
...
This makes it possible to change the last part of the info text and
replace it with something individual. E.g pointing to the cmdline
client.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2020-10-11 17:04:08 +02:00
3668f1e3f4
attempt to accomodate Crowdin by providing a single source translation file that is not actually used or loaded by our code
2020-10-04 12:39:35 +02:00
4204e4b8b7
make StyleCI happy and change unit test to use a string
2020-07-03 21:00:42 +02:00
e61c44ef46
Make Opengraph really functional
...
Make Opengraph really functional
Change : #664 for #651
2020-07-01 19:47:12 +02:00
13c2f8d968
Make Opengraph really functional
...
3 URLs of images used on social networks are passed in absolute URL.
Note that I did not pass all the images in absolute URLs, but, it could be consistent to do so, but, if the images work, maybe a relative call is more efficient?
Remove the version of PrivateBin, at the end of each image. This apparently prevents the opengraph from working, and, so I deleted on all of the images, to remain consistent at this level. This will make fewer requests, and, anyway, the images are not intended to change with each version.
2020-06-30 22:42:12 +02:00
45a0535640
adding new flag to sandbox policy, introduced and required by Chrome 83 - fixes #634
2020-06-11 18:29:32 +02:00
5450a431cf
Merge branch 'Haocen-625-bugfixes'
2020-06-07 07:38:59 +02:00
7794915172
expose permission exceptions to the API
2020-05-31 16:33:25 +02:00
bb9a5772bc
Add resource: to script-src cspheader to allowed rendering of pdf in
...
Firefox
2020-05-30 05:37:35 -04:00
3f75c81a2f
fixed duplicated getKey()
2020-05-08 12:18:20 -07:00
effe6ad3e5
fixed spacing to please StyleCI
2020-05-08 11:37:21 -07:00
8fbdb69d8a
added check for null whitelist
2020-05-08 11:36:19 -07:00
d847e2fcf2
alignment
2020-05-07 16:46:31 -07:00
c152f85b50
removed $remoteip that the audit didn't like
2020-05-07 16:45:24 -07:00
819d25a74c
change to whitelist_paste_creation
2020-05-07 16:13:25 -07:00
ef9780707a
Update lib/Controller.php
...
Co-authored-by: rugk <rugk+git@posteo.de>
2020-05-07 15:54:13 -07:00
9ca041fa06
Update lib/Controller.php
...
Co-authored-by: rugk <rugk+git@posteo.de>
2020-05-07 15:53:56 -07:00
9327c9b58b
added whitelist check
2020-05-05 14:18:52 -07:00
5644001c53
added "whitelist" under [traffic]
2020-05-05 14:17:15 -07:00
9914c37683
incrementing version
2020-03-22 06:44:04 +01:00
afd82ac34d
Merge branch 'master' into php7.4-ci
2020-02-16 13:23:11 +01:00
adece1d784
incrementing version
2020-02-16 11:15:51 +01:00
5d54006c9e
update minimum required PHP version to 5.6 and replace slowEquals() with native hash_equals() function
2020-02-05 19:30:14 +01:00
1b206e8495
ensuring consistent use of php side encoding, testing all encoding cases, correctly report the language in the <html> tag
2020-02-01 09:15:14 +01:00
cc0920fc09
add HTML entity encoding to PHP translation logic, remove exception to allow <br/> tags in DOMpurify by eliminating the single case that made use of it
2020-02-01 08:46:59 +01:00
ed590ee557
incrementing version
2020-01-08 19:31:06 +01:00
0efe6f7a8e
simplify logic, fullfills the unit test
2019-12-25 08:11:25 +01:00
7d9ec9509b
Handle previously renamed CONFIG_PATH gracefully
2019-12-24 19:12:08 +00:00
d5d13fa831
Add logic to rename insecure CONFIG_PATH
2019-12-24 18:51:47 +00:00
b5c86e290f
squashme: fix code style issue
2019-12-20 10:42:59 +00:00
6b0468ebff
Add support for a CONFIG_PATH variable
2019-12-19 23:06:32 +00:00
8cf0c86ebb
simplify case statement, update documentation
2019-11-02 17:18:22 +01:00
65b7077756
Added plural rules for ukrainian
2019-10-18 12:31:40 +03:00
2d4edfe401
incrementing version number in preparation of release
2019-09-22 19:42:04 +02:00
d5aeba60ca
increase default size limit to 10 MiB, documenting change
2019-09-20 07:04:26 +02:00
5c0012cf51
adding database migration to increase data to MEDIUMBLOB on MySQL by default
2019-09-20 06:57:54 +02:00
7c61f59dcd
removing untranslated string for non-human entities, moving insecure notice to template, so it can remains translated
2019-09-19 19:14:48 +02:00
ab75b183fb
Fix click on new paste on clone paste editing view not removing custom
...
attachment
Fix cloning paste with attachment
Update CSP in sample and default configuration
Ensure clone paste also clone format
Fix clone button hiding logic when paste is burn after read
Remove attachment name when new paste clicked on
Enable file operation only when editing
2019-08-25 02:16:58 -04:00
b0d1a3949e
add bulgarian to the supported languages
2019-07-11 16:50:32 +02:00
07018e5876
incrementing version number in preparation of release
2019-07-08 18:35:34 +02:00
11375a4f59
moved referrer policy from CSP & meta to proper HTTP header to avoid browser console error message about unknown CSP header and to ensure it always applies before HTML is parsed, fixes #196
2019-06-27 20:31:10 +02:00
c2e060d464
made compression configurable, fixes #38
2019-06-23 19:45:40 +02:00
848d3563f4
making StyleCI & Scrutinizer happy
2019-06-23 16:10:05 +02:00
8dc9db90c9
added translation for Czech, provided by @info-path, fixes #424
2019-06-23 12:06:36 +02:00
42c2003220
made notice configurable, fixing a few CSS glitches
2019-06-17 21:40:37 +02:00
4d6897f063
increasing minimum PHP version to 5.5 as this is required by the yzalis/identicon library upgrade to version 1.2.0
2019-06-16 10:50:52 +02:00
362045c664
re-add data-URLs to CSP for img-src, as these are used for the comment icons
2019-06-16 07:06:58 +02:00
f915af1a5a
adjust CSP header to allow blob URLs
2019-06-15 09:36:09 +02:00
a459c4692c
correcting API use, avoid history glitch
2019-06-01 23:49:40 +02:00
398fabd664
Chrome requires unsafe-eval for it to parse and evaluate WASM modules
2019-05-20 18:29:37 +02:00
12a9b2ff8e
address Scrutinizer issues with the use of getParams method
2019-05-19 10:13:47 +02:00
1baa1c2b0a
fixing API doc issue found by Scrutinizer
2019-05-19 10:05:04 +02:00
800a0df8e3
apply StyleCI patch
2019-05-19 10:01:41 +02:00
909ff2daa7
handle scrutinizer issues (mostly changes in API documentation)
2019-05-19 09:42:55 +02:00
09162a3c57
fix display of v2 pastes in JS, fixing parsing of comments in PHP, avoid exposing expiration date (we provide time_to_live, would allow calculation of creation date of paste)
2019-05-15 07:44:03 +02:00
cc1c55129f
switching to full JSON API without POST array use, ensure all JSON operations are done with error detection
2019-05-13 22:31:52 +02:00
be1e7babc0
removing dead code and improving code coverage
2019-05-11 22:18:35 +02:00
a622c8f484
fix logic, avoid 5.5
2019-05-10 23:27:45 +02:00
c3719435a3
and fixing PHP 5.5
2019-05-10 23:09:35 +02:00
02f3cc739f
documentation on fnv1a64 is lacking, but tests show it was only introduced with PHP 5.6
2019-05-10 22:46:39 +02:00
9b6b25dac0
revert scalar type hints to retain support for PHP < 7.0
2019-05-10 22:35:18 +02:00
76007b6ee9
fixing class compatibility (why is this no longer enforced in PHP > 7.1?)
2019-05-10 22:21:03 +02:00
f58cbefd1e
revert scalar type hints to retain support for PHP < 7.0
2019-05-10 22:13:11 +02:00
fb0c9c595e
remove further type hints for compatibility
2019-05-10 22:04:47 +02:00
bd4dee0f3e
fixing copy/paste errors
2019-05-10 21:52:14 +02:00
1e44902340
apply StyleCI patch
2019-05-10 21:45:34 +02:00
632d70412a
revert scalar type hints to retain support for PHP < 7.0
2019-05-10 21:35:36 +02:00
700f8a0ea7
made all php unit tests pass again
2019-05-10 07:55:39 +02:00
59569bf9fc
working on JsonApi tests
2019-05-08 22:11:21 +02:00
76dc01b959
finishing changes in models, removing last md5 test cases, tightening up allowed POST data
2019-05-06 22:15:21 +02:00
06b90ff48e
sticking to arrays to reduce conversions, inversion of control to simplify logic
2019-05-05 21:03:58 +02:00
b7a03cfdb9
enforcing parameter types, avoiding unnecessary metadata in version 2 pastes
2019-05-05 18:22:57 +02:00
6e15903f1e
make DatabaseTest work pass again, support reading & writing version 1 & 2 pastes & comments
2019-05-05 14:36:47 +02:00
bbdcb3fb0f
remove duplicate code
2019-05-05 08:53:40 +02:00
3338bd792e
implement version 2 format validation, changing ID checksum algorithm, resolves #49
2019-05-03 23:03:57 +02:00
e418b083e8
Merge branch 'master' into webcrypto
2019-01-22 20:11:42 +01:00
34c64acb75
Apply StyleCi recommendation
2019-01-22 00:14:31 +01:00
7cb942aca3
Make PHP paste ID function more robust
2019-01-21 23:19:41 +01:00
541fff199a
Put PHP paste request into own function
2019-01-21 23:06:25 +01:00
79a858f176
extracting only the 16 hex characters of the query string as paste ID, addressing #396
2019-01-20 12:20:37 +01:00
cde96d8f24
fixing bug in jsonld processing with certain URL paths
2018-12-17 19:42:26 +01:00
9ce41022cf
correcting namespaces
2018-11-19 13:09:34 +01:00
b5ebc4a3d7
incrementing version
2018-08-11 19:29:58 +02:00
a5e8eeaaf9
StyleCI: Obey the alphabet #342
2018-07-29 16:15:52 +02:00
4a35428499
cleanup of PurgeLimiter #342
2018-07-29 16:05:57 +02:00
3470dcd9a8
more compact ServerSalt #342
2018-07-29 15:50:36 +02:00
5db3412b69
cleanup of TrafficLimiter #342
2018-07-29 15:43:28 +02:00
f9c8441edb
renaming controller #342
2018-07-29 15:17:35 +02:00
720897b902
correct CSP to allow password prompt
2018-07-21 06:45:09 +00:00
cfe60db8fd
increment version number
2018-07-01 13:11:32 +02:00
6225a8ef16
updating translators in credits
2018-06-11 20:29:47 +02:00
9a0318517b
correct PHPdoc, fixes #264
2018-05-27 15:18:25 +02:00
d6f203dc4c
Removed option to hide clone button on expiring pastes, since this requires reading the paste for rendering the template, which leaks information on the pastes state
2018-05-27 15:05:31 +02:00
05c1776ada
ensure ALL read errors are only exposed in the JSON API to avoid information leakage (i.e. beviour for deleted vs expired pastes), updated test cases & removed duplicate test
2018-05-27 14:36:30 +02:00
caf87cc6f1
Merge branch 'master' into burnafterreading-fix, regression in expired paste error
2018-04-30 20:01:38 +02:00
2c82279292
Merge branch 'attachment-handling' of https://github.com/thororm/PrivateBin into thororm-attachment-handling
...
apart from resolving conflicts:
- added missing docs
- inlined functions that were used in only one location
- updated unit test to support all previews
- fixed a regression that displayed the preview even when there was no preview and too early
2018-04-29 11:57:03 +02:00
9c132cd839
Disallow form-action in CSP to limit outgoing connections
...
See https://github.com/PrivateBin/PrivateBin/issues/272
2018-01-06 18:06:06 +01:00
3bca559826
moving access to into Request class
2018-01-06 10:27:58 +01:00
414ab0eb71
Add config and basic page template support
...
* load JS file asyncronously (just HTML5 async attribut)
* add basic support for page template, where it generates the code inside
of a simple div at the top
* added option to turn off QR code support
2017-12-25 14:59:15 +01:00
86ecdb1155
fixing post increment
2017-11-13 22:15:14 +01:00
502e96c129
StyleCI recommendations
2017-10-08 19:23:33 +02:00
a5d5f6066a
refactoring as recommended by Scrutinizer
2017-10-08 19:16:09 +02:00
9f26894b2e
PHP < 5.6 compatibility and StyleCI recommendations
2017-10-08 17:10:51 +02:00
4f06feef81
implemented JSON file conversion on purge and storage in PHP files for data leak protection
2017-10-08 16:59:31 +02:00
4ded4b7f8c
adding correct HTTP error to response, as per @rugk's recommentation
2017-10-08 16:43:46 +02:00
dbfb1e83ba
removing dead code
2017-10-08 16:43:10 +02:00
62f0b95377
making StyleCI happy
2017-10-08 16:42:43 +02:00
6e8eafe129
implemented INI cenversion functionality
2017-10-08 16:42:11 +02:00
6fa2bfe30e
updated documentation, incremented version
2017-10-08 16:40:51 +02:00
f037967820
changes the file extension to php and adds a small one-liner to stop PHP from presenting the file to any website visitor
...
Signed-off-by: El RIDO <elrido@gmx.net>
2017-10-08 16:25:48 +02:00
23f5dfbff8
Merge remote-tracking branch 'remotes/thororm/master' into attachment-handling
...
# Conflicts:
# tpl/bootstrap.php
# tpl/page.php
2017-05-13 19:48:25 +02:00
283873d89a
Fix stupid copy&paste error
2017-04-13 10:52:48 +02:00
9b6748c54d
Adjust requested changes
2017-04-13 10:46:09 +02:00
f54036976a
added instantburnafterreading option to address #174
2017-04-11 17:23:26 +02:00
183ebe518b
Force JSON request for getting paste data
2017-04-11 16:34:13 +02:00
096f07f86e
Merge branch 'master' into attachment-handling
...
# Conflicts:
# js/privatebin.js
# tpl/bootstrap.php
# tpl/page.php
2017-04-02 13:30:52 +02:00
bbcc3e167b
implementing recommendations of scrutinizer
2017-03-25 00:58:59 +01:00
9b2af0abf5
fixing documentation
2017-03-24 23:54:37 +01:00
18315e7de0
removing unused class
2017-03-24 23:45:10 +01:00
f7853cf439
removing duplicate code, cleanup of temporary test files
2017-03-24 23:42:11 +01:00
ce92bfa934
updated .htaccess format, refactored .htaccess creation logic and improving code coverage, fixes #194
2017-03-24 21:30:08 +01:00
88b02d866e
fixes #186 for good
2017-03-24 19:20:34 +01:00
be0919893d
updating shipped .htaccess files for Apache 2.4 as per https://httpd.apache.org/docs/2.4/upgrading.html#access - Thanks @EchoDev, fixes #194
2017-03-11 08:56:14 +01:00
823adb78ef
bumping required PHP to 5.4, removing unneccessary code, resolves #186
2017-03-05 11:22:24 +01:00
23b09d601d
credited Tulio for the portuguese translation, updated SRI hashes
2017-03-05 11:02:18 +01:00
db307c3a77
updated test cases and delete logic to properly implement documented API, thanks @r4sas #188
2017-02-22 21:42:14 +01:00
4cb0ce5114
Removed self from cspheader
...
Refactored some variable names
2017-02-13 20:37:57 +01:00
faf596aeb7
Added preview for
...
- Video (HTML5)
- Audio (HTML5)
- PDF (Browser capabilities)
attachment.
Added drag & drop functionality
Added attachment preview to preview before submitting
2017-02-12 15:35:37 +01:00
e9b10f9e2d
Add CSP sandbox
...
Fixes https://github.com/PrivateBin/PrivateBin/issues/168
Alos needed to run some Composer stuff, no idea why my diff was different.
2017-02-01 18:34:13 +01:00
a7de0e095b
added supported language, updated credits and changelog
2017-01-10 20:37:14 +01:00
67f6c4eb61
turned bootstrap template variants into logic
2017-01-08 10:02:07 +01:00
f79c00378b
Choosing correct Occitan plural formula, added unit tests for Occitan and Chinese, corrected casing of languages in unit test
2017-01-08 07:56:56 +01:00
a5d91298ff
add an option to change the site name, solves #154
2017-01-01 16:33:11 +01:00
4a036aea80
updated SRI hashes, added missing formula for slowene plurals and unit test for it, updated credits and changelog
2017-01-01 14:35:39 +01:00
1426d4e371
tagging 1.1 release and updating documentation
2016-12-26 12:13:50 +01:00
f6b8ee3e20
add missing check for non-expiring pastes, fixes #149
2016-12-25 12:15:29 +01:00
ecd8a51137
writing a unit test for #145 lead to the discovery of two errors in the polish translations: error in formula and missing number placeholders in the translation strings
2016-12-25 11:37:45 +01:00
bbcc53f08e
StyleCI fix
2016-12-16 12:25:10 +03:00
ccba2f029f
added ru plural formula
2016-12-16 12:15:37 +03:00
da10a761c4
Fix more typos
2016-12-12 18:50:00 +01:00
61ee0ef7d3
Fix typos
2016-12-12 18:49:08 +01:00
658d5ae84d
Fix style-ci errors
2016-12-12 18:43:23 +01:00
1f46823942
applying patch based on StyleCI ruleset
2016-10-29 10:24:08 +02:00
8cfcf1c9f5
Adding HTTP headers to address certain XSS attacks, resolves #91
2016-09-18 11:29:37 +02:00
1a159c973f
Prevent referrer to be send
...
Uses both CSP and Referrer-Policy
Fixes #96
2016-09-03 18:12:24 +02:00
b7184b92a3
Fix csp config unit tests
2016-08-27 14:47:21 +02:00
b11866a63b
Allow manifest loading via CSP (2)
2016-08-27 00:02:50 +02:00
a13266a784
ensure the server salt path is initialized, instead of relying on the default
2016-08-25 15:02:38 +02:00
e925833090
bumping version number to 1.0
2016-08-25 09:53:31 +02:00
6aba39488f
adding check for PATH ending in DIRECTORY_SEPARATOR, fixes #86
2016-08-22 09:46:26 +02:00
f72e260ee7
adding subresource integrity hashes for all javascript includes, resolves #6
2016-08-16 11:11:03 +02:00
75cb771e4b
Merge branch 'master' into prng, resolve merge conflicts
2016-08-15 18:15:57 +02:00
72aac25f68
added configuration for PHP Coding Standards Fixer, including its fixes, resolving #47
2016-08-15 16:45:47 +02:00
8038fde29d
Revert #44
...
Scrutinizer-ci confirmed the detection of this was a false-positive, so we can remove this workaround.
They added it to their internal issue tracker.
2016-08-12 18:30:14 +02:00
0a628e83c1
Merge pull request #59 from PrivateBin/52-identicons
...
Implementation of Identicons library
2016-08-12 12:22:20 +02:00
ca66653d0c
applying: php-cs-fixer fix lib/ --level=psr2
2016-08-11 15:05:43 +02:00
6cb7454d07
Added tests for JSON errors, should help us figure out the cause of the problem in #11
2016-08-11 14:41:52 +02:00
bea9a577a6
Use better random number generator #29
2016-08-10 23:15:06 +02:00
c237337cd2
some minor whitespace improvements detected by scrutinizer
2016-08-10 18:22:28 +02:00
3988b860b0
implemented Identicon library as new default for comment icons, made Vizhash an optional alternative, refactored Vizhash and removed string lenghtening
2016-08-10 17:41:46 +02:00
1ef28d7a5c
minor fixes, typos
2016-08-10 15:03:06 +02:00
El RIDO
Mark van Holsteijn
rodehoed
Rodehoed
LinQhost Managed hosting
rodehoed
rugk
Andreas Schneider
ZerooCool
Haocen Xu
Steven Andrés
Lucas Savva
Andriy Zhuk
rugk
thororm
atnaguzin
R4SAS