Commit graph

4680 commits

Author SHA1 Message Date
El RIDO
886d4419d7
Merge pull request #1881 from PrivateBin/dompurify-3.4.12
update DOMpurify to 3.4.12
2026-07-16 18:03:42 +02:00
El RIDO
2f17c5f1d6
chore(deps): update DOMpurify to 3.4.12 2026-07-15 06:54:26 +02:00
El RIDO
360f2adeca
Merge pull request #1879 from PrivateBin/dependabot/github_actions/actions/setup-node-7
chore(deps): bump actions/setup-node from 6 to 7
2026-07-14 21:09:21 +02:00
El RIDO
b6f4278e07
Merge pull request #1878 from TowyTowy/fix/yourls-shorturl-null-fallback
fix: handle YOURLS 200 response without shorturl gracefully
2026-07-14 21:07:16 +02:00
dependabot[bot]
4a50fed678
chore(deps): bump actions/setup-node from 6 to 7
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6 to 7.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-14 11:52:20 +00:00
TowyTowy
bb8b77d714 Use a string statusCode in the YourlsProxy test
YOURLS returns the status code as a string (see #1844); mirror that in
the regression test so it stays correct if the comparison ever changes.
2026-07-14 08:51:35 +02:00
TowyTowy
a0c0d154ee fix: handle YOURLS 200 response without shorturl gracefully
When YOURLS replies with statusCode 200 but no "shorturl" field,
YourlsProxy::_extractShortUrl() returned int 0 for its ?string return
type. Under the file's declare(strict_types=1) this raises an uncaught
TypeError, aborting paste creation instead of surfacing the intended
"Error parsing proxy response" message. Fall back to null (matching
ShlinkProxy) so the existing graceful error path is taken.

Co-Authored-By: Claude <noreply@anthropic.com>
2026-07-12 23:02:26 +02:00
El RIDO
8504c3157c
Merge pull request #1876 from PrivateBin/dependabot/npm_and_yarn/js/ws-8.21.0
chore(deps): bump ws from 8.20.1 to 8.21.0 in /js
2026-07-11 12:25:07 +02:00
El RIDO
c03cd8f278
chore: prepare for next release 2026-07-11 11:47:08 +02:00
dependabot[bot]
f71fd1be95
chore(deps): bump ws from 8.20.1 to 8.21.0 in /js
Bumps [ws](https://github.com/websockets/ws) from 8.20.1 to 8.21.0.
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](https://github.com/websockets/ws/compare/8.20.1...8.21.0)

---
updated-dependencies:
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-07-11 08:25:54 +00:00
El RIDO
3035d6e5d3
incrementing version 2026-07-11 10:19:40 +02:00
El RIDO
75f056dcda
Merge commit from fork
insert only base path in JSON API responses
2026-07-11 10:12:52 +02:00
El RIDO
bd63b434c9
Merge remote-tracking branch 'upstream/master' into advisory-fix-1 2026-07-11 10:11:29 +02:00
El RIDO
e0dd4c025c
Merge commit from fork
fix: prevent browsers from rendering unsafe attachments like HTML in a new tab
2026-07-11 10:04:56 +02:00
El RIDO
a364596586
Merge branch 'master' into newtab-sanitize 2026-07-11 10:04:14 +02:00
El RIDO
8238a1492a
Merge pull request #1873 from PrivateBin/docs/security
docs: favour GitHub security form over mail
2026-07-01 07:45:04 +02:00
rugk
fcebc6e114
docs: favour GitHub security form over mail
IMHO, the GitHub process nowadays provides a sleek workflow and is better than sending mails back-and-forth.

It's okay for me to leave that way open (especially if reporters really want to report high sensitive stuff and e.g. PGP-encrypt them), but I guess we should slightly suggest/favor the GitHub form for ease of maintenance.

@elrido what do you think?
2026-06-30 09:40:48 +02:00
El RIDO
9a75c15437
Merge pull request #1871 from PrivateBin/dependabot/github_actions/actions/cache-6
chore(deps): bump actions/cache from 5 to 6
2026-06-24 17:53:13 +02:00
dependabot[bot]
f67d507fae
chore(deps): bump actions/cache from 5 to 6
Bumps [actions/cache](https://github.com/actions/cache) from 5 to 6.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](https://github.com/actions/cache/compare/v5...v6)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-24 11:52:25 +00:00
El RIDO
f904eaf020
Merge pull request #1855 from PrivateBin/os-copy-hotkey
feat: Show OS-specific copy hotkey hint
2026-06-21 11:48:43 +02:00
El RIDO
caca8655ed
Merge pull request #1867 from PrivateBin/dependabot/github_actions/actions/checkout-7
chore(deps): bump actions/checkout from 6 to 7
2026-06-21 11:31:31 +02:00
Ribas160
233e3e2399
Merge remote-tracking branch 'upstream/master' into os-copy-hotkey
# Conflicts:
#	i18n/zh.json
#	lib/Configuration.php
2026-06-19 20:03:38 +03:00
Ribas160
2219039a0a
feat: add i18n keys for Cmd and Ctrl keyboard labels 2026-06-19 19:58:29 +03:00
dependabot[bot]
13350e71a1
chore(deps): bump actions/checkout from 6 to 7
Bumps [actions/checkout](https://github.com/actions/checkout) from 6 to 7.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-19 11:52:19 +00:00
El RIDO
164c839c39
insert only base path in JSON API responses, without GET parameters 2026-06-15 23:12:52 +02:00
El RIDO
e3041700cf
add test to catch URL path extraction not removing query 2026-06-15 23:06:35 +02:00
rugk
f8c90415ba
docs: add Changelog entry for PR 2026-06-14 17:52:06 +02:00
rugk
13cbb2069e style: fix line ending at JS file 2026-06-14 16:25:16 +02:00
rugk
7f1f40853e fix: prevent browsers from rendering unsafe attachments like HTML in a new tab
We do not want to santitize them with DOMPurify, as an attached file should
be returned exactly as it has been attached by the creator. And sharing HTML files
is IMHO a legitimate use case.

However, opening these in a new tab can result in (JS) code execution.
Yet again, opening a "bigger" preview for some file types like images or videos
is also a valid use case, which also should not be broken. That's why this is not done
in alll cases, but some mime type filtering still exists.

I also looked into whether a blocklist (for HTML and SVG) would make sense, but really
you cannot possibly define an exhausive list of "unsafe" mime types: https://security.stackexchange.com/a/167853/91425

That's why I use a quite strict allowlist approach here.
I skimmed https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/MIME_types/Common_types
for what could be common use cases/mime types, people _may_ actually want to get
rendered and this is the result.

Thus I am quite confident this patch does not introduce such a big "breaking change"
(in UI behaviour), but people best do not notice it.
2026-06-13 22:01:35 +02:00
El RIDO
597a6f0d12
Merge pull request #1861 from PrivateBin/dependabot/npm_and_yarn/js/multi-ef0f9f31a5
chore(deps): bump uuid and nyc in /js
2026-06-10 20:38:41 +02:00
dependabot[bot]
406c274ed8
chore(deps): bump uuid and nyc in /js
Removes [uuid](https://github.com/uuidjs/uuid). It's no longer used after updating ancestor dependency [nyc](https://github.com/istanbuljs/nyc). These dependencies need to be updated together.


Removes `uuid`

Updates `nyc` from 17.1.0 to 18.0.0
- [Release notes](https://github.com/istanbuljs/nyc/releases)
- [Changelog](https://github.com/istanbuljs/nyc/blob/main/CHANGELOG.md)
- [Commits](https://github.com/istanbuljs/nyc/compare/nyc-v17.1.0...nyc-v18.0.0)

---
updated-dependencies:
- dependency-name: nyc
  dependency-version: 18.0.0
  dependency-type: direct:development
- dependency-name: uuid
  dependency-version:
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-10 18:31:30 +00:00
El RIDO
f4a820d8b9
fix php unit tests using newer google cloud storage library 2026-06-10 20:29:37 +02:00
El RIDO
425a6d32d2
fix php unit tests using newer google cloud storage library 2026-06-10 20:23:04 +02:00
El RIDO
0daec0ae67
Merge pull request #1860 from PrivateBin/crowdin-translation
New Crowdin updates
2026-06-10 19:39:08 +02:00
El RIDO
fa4e25efe6
Merge pull request #1802 from slegarraga/fix/modal-focus-accessibility
Fix: Focus modals when opened for accessibility
2026-06-10 19:38:03 +02:00
El RIDO
f1353de849
Merge pull request #1853 from PrivateBin/github-actions-hardening
harden github actions
2026-06-10 18:39:33 +02:00
PrivateBin Translator Bot
7868a769cb New translations en.json (Chinese Simplified)
[ci skip]
2026-06-09 06:50:28 +02:00
Ribas160
ec2d230d1b
refactor: deduplicate OS-specific hotkey detection into a shared helper 2026-05-29 15:43:41 +03:00
Ribas160
5d946c52a7
feat: Show OS-specific copy hotkey hint 2026-05-27 00:28:32 +03:00
Ribas160
4005094d38
chore: CHANGELOG.md updated 2026-05-26 09:25:13 +03:00
El RIDO
116b60060c
Merge pull request #1854 from PrivateBin/fix-yourls-status-code
fix: cast statusCode to int before strict comparison in YourlsProxy
2026-05-26 06:33:40 +02:00
Ribas160
f0e5001982
fix: cast statusCode to int before strict comparison 2026-05-25 23:34:57 +03:00
El RIDO
3f70f3732e
Merge pull request #1852 from PrivateBin/crowdin-translation
New Crowdin updates
2026-05-25 11:02:39 +02:00
PrivateBin Translator Bot
fe3ef3166b New translations en.json (Dutch)
[ci skip]
2026-05-25 10:34:01 +02:00
PrivateBin Translator Bot
d7cd6daad0 New translations en.json (Italian)
[ci skip]
2026-05-25 10:34:00 +02:00
PrivateBin Translator Bot
8ac3370797 New translations en.json (German)
[ci skip]
2026-05-25 10:33:58 +02:00
PrivateBin Translator Bot
2add3920b2 New translations en.json (French)
[ci skip]
2026-05-25 10:33:57 +02:00
El RIDO
630886e2c2
harden gihub actions
- restrict all default permissions
- content: read is not necessary for public repos
- security-events: write is needed for CodeQL uploads of SARIF reports
- persist-credentials: false prevents any github token to remain configured in the checked out repo (not necessary when not intending to push from the action)
2026-05-25 08:03:43 +02:00
PrivateBin Translator Bot
a081f71155 New translations en.json (Russian)
[ci skip]
2026-05-25 07:21:58 +02:00
PrivateBin Translator Bot
665d7fc023 New translations en.json (German)
[ci skip]
2026-05-25 07:21:57 +02:00