Commit graph

403 commits

Author SHA1 Message Date
TowyTowy
bb8b77d714 Use a string statusCode in the YourlsProxy test
YOURLS returns the status code as a string (see #1844); mirror that in
the regression test so it stays correct if the comparison ever changes.
2026-07-14 08:51:35 +02:00
TowyTowy
a0c0d154ee fix: handle YOURLS 200 response without shorturl gracefully
When YOURLS replies with statusCode 200 but no "shorturl" field,
YourlsProxy::_extractShortUrl() returned int 0 for its ?string return
type. Under the file's declare(strict_types=1) this raises an uncaught
TypeError, aborting paste creation instead of surfacing the intended
"Error parsing proxy response" message. Fall back to null (matching
ShlinkProxy) so the existing graceful error path is taken.

Co-Authored-By: Claude <noreply@anthropic.com>
2026-07-12 23:02:26 +02:00
El RIDO
bd63b434c9
Merge remote-tracking branch 'upstream/master' into advisory-fix-1 2026-07-11 10:11:29 +02:00
Ribas160
233e3e2399
Merge remote-tracking branch 'upstream/master' into os-copy-hotkey
# Conflicts:
#	i18n/zh.json
#	lib/Configuration.php
2026-06-19 20:03:38 +03:00
El RIDO
e3041700cf
add test to catch URL path extraction not removing query 2026-06-15 23:06:35 +02:00
El RIDO
f4a820d8b9
fix php unit tests using newer google cloud storage library 2026-06-10 20:29:37 +02:00
El RIDO
425a6d32d2
fix php unit tests using newer google cloud storage library 2026-06-10 20:23:04 +02:00
Ribas160
ec2d230d1b
refactor: deduplicate OS-specific hotkey detection into a shared helper 2026-05-29 15:43:41 +03:00
Ribas160
f0e5001982
fix: cast statusCode to int before strict comparison 2026-05-25 23:34:57 +03:00
El RIDO
43a729b1f9
updating zlib to 1.3.2 2026-04-03 18:15:54 +02:00
rugk
47c986a781 fix(test): fix directory separator actually being used everywhere 2026-02-23 13:55:16 +00:00
El RIDO
d00fb264fb
deduplicate code, clarifications 2026-01-25 10:37:32 +01:00
El RIDO
520408b830
typos 2026-01-25 10:36:10 +01:00
El RIDO
52c0846dad
Merge pull request #1734 from PrivateBin/php85
Enable PHP 8.5 testing and handle deprecations
2025-12-03 19:10:03 +01:00
El RIDO
4f28c357ae
Merge pull request #1715 from PrivateBin/i18n/soften-html-encoding
fix: do not encode source JSON translation string resulting in wrong display of special characters like '
2025-12-03 19:07:17 +01:00
El RIDO
6f778eeec3
address PHP 8.5 deprecation 2025-12-02 06:54:36 +01:00
El RIDO
348d36d6ee
prefer DirectoryIterator for readability, also test jbo translation, log deletion errors 2025-11-20 09:13:15 +01:00
El RIDO
b4db5f8e57
apply null coalescing operator, strict equality, avoid aliases, prefer empty 2025-11-20 08:19:14 +01:00
rugk
72d4c7aa2b style: clarify comments 2025-11-13 12:33:31 +00:00
rugk
e676264616 test: make I18nTest actually reload English translations again 2025-11-13 12:28:03 +00:00
rugk
38a722d2f5 test: make sure to unset HTTP_ACCEPT_LANGUAGE at test teardown 2025-11-13 12:19:49 +00:00
rugk
2c4dd2594c fix: do not encode source JSON translation string resulting in wrong display of special characters like '
Fixes #1712

Disclosure: Coded with help of Copiot. (description wrtten by me)

So this does indeed loosen the encoding a bit. However, IMHO, it was neither better before though. You could always bypass the encoding for `args{0]` when  you just include `<a` (or the other tag) somewhere or so.

**One important notice:** This was (due to the exceptions before and afterwards) valid before and also now: Translators **could** (and can) if they have malicious intent, inject/do "XSS attacks".
Thus, translations PRs (also from Crowdin) should be reviewed for wild HTML code inside translations. I suppose this is easy to fix, but anyway a valid risk.

But IMHO, we should teat the JSON files being part of our source code as a "trusted source". In the end, such an attak is basicaly just ends up being injecting malicious code. I hope such contributors would be detected.

References I explicitly checked again to not introduce an XSS here: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html and the PHP doc for he HTML encoding.

I feel the safter way obviously would be encoding the _whole_ string _after_ translation (just like you should apply DOMPurify after everything), but as explained it was not done before and would break compatibility. Also, I looked through the sources and I see no risk described by doing it only for the "dangerous" "untrusted" inputs.
Only here is a notice that `%s` shall not be used in some contexts, for example to define a tag: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#dangerous-contexts (obviously in such a case, attacks may be possible even with encoding; but again; this is nothing new)

The basic "problem" of it all is: We want HTML to be translated/be usable in our translation. If we'd get rid of that, we would get for sure rid of all such XSS attack possibilities. But that woud be a bigger refactoring, so IMHO, this here is fine for a fix for the issue at hand.

Ah another point: I think the `is_int` check is harmless, but it's also kinda useless. Maybe it is some kind of obscure performance optimisation. (Yeah ints have nothing to encode as they have nothing that could be used for XSS, but they could also just be passed through that function.)
2025-11-13 10:52:08 +00:00
El RIDO
f48544978b
apply StyleCI suggestion 2025-11-12 07:57:30 +01:00
El RIDO
f2164353c3
use realpath and validate tpl directory contents
to ensure only php files inside the tpl dir can get used as templates
2025-11-11 09:34:54 +01:00
El RIDO
dae5f7fd61
partially revert #1559
Instead of automatically adding custom templates, we log an error if
that template is missing in the available templates. Still mitigates
arbitrary file inclusion, as the string is now checked against a fixed
allow list.
2025-11-10 17:31:35 +01:00
El RIDO
5f6c2beb3b
Unit test on escaping the template directory 2025-11-10 12:00:29 +01:00
El RIDO
85962a537a
fix php unit tests & SRI hash 2025-10-06 23:53:13 +02:00
El RIDO
4cd1770c76
fix indentation, tests & unify plural forms
command used was:
jq --indent 4 '(.. | select(type=="array")) |= . + [(.[-1:][] | sub("3rd";"4th")),(.[-1:][] | sub("3rd";"5th"))]' i18n/pl.json > /tmp/pl.json

test fix & plural unification was done manually, also cross-checking with online translation services
2025-10-06 11:40:28 +02:00
El RIDO
bd61a3d021
enable tests to pass
The path is only optional when it is / and the very last element, otherwise it is required. As soon as it is in the middle of a URL it helps the parser to identify which part is the username and domain and what is path and GET parameters. The @ sign is legitimate, if unusual, in the latter two.
2025-09-03 20:13:33 +02:00
rugk
a6034ace1b test: PHP considers this invalid 2025-09-03 14:25:04 +00:00
rugk
616635c66c style: scruintizer wants some trailing comma 2025-09-03 14:21:00 +00:00
rugk
e4f2383dd8 test: more test cases for testForeignUrlUsingUsernameTrick 2025-09-03 14:20:03 +00:00
rugk
168fed64b9 chore: apply Scruintizer diff 2025-09-03 14:11:35 +00:00
rugk
4f13d93af2 style: use explicit types 2025-09-03 13:53:51 +00:00
rugk
f76704a88c refactor: simplify tests 2025-09-03 13:48:28 +00:00
rugk
dbaa70ec11 test: move ftp example to rejected because of foreign URL 2025-09-03 13:45:30 +00:00
rugk
fae7e233f3 test: write some tests for testing proxy ensurance 2025-09-03 12:38:44 +00:00
Karthik Kasturi
77395c147f updated test cases, added clarity in error messages 2025-08-20 01:23:06 +00:00
Karthik Kasturi
39e527915e Add test cases for shlink 2025-08-19 23:55:32 +00:00
Karthik Kasturi
0be1cef224 i18n updates 2025-08-19 21:39:16 +01:00
Karthik Kasturi
7ec8bc6ef1 chore: moved proxy classes to different folder and namespaces 2025-08-19 20:34:39 +01:00
Karthik Kasturi
4a39a2ad0f refactor: added AbstractProxy base class for shortener proxies 2025-08-15 23:28:44 +01:00
Karthik Kasturi
0808052acf Added shlink integration 2025-08-15 00:07:51 +01:00
El RIDO
bde805d2f1
replaced the term "paste" with the more generic "document"
kudos @Ribas160
2025-07-25 08:16:08 +02:00
El RIDO
ddd2d72064
replaced the term "paste" with the more generic "document"
Some of the references to "paste" in code or comments got changed as well, but to clarify the intended usage of the terms:

- A PrivateBin document can consist of a paste text (key "paste" in the encrypted payload) and one or several attachments and discussion entries.
- Internally the root document is called a "Paste" and each discussion entry is called a "Discussion".
- When referring to a whole document with one paste and optional discussion(s), we call it just "document".
- When talking about a particular JSON payload type in the internal logic, i.e. during storage or transmission, we call them a paste or discussion to distinguish which type we refer to.

closes #397
2025-07-24 10:46:31 +02:00
Ribas160
863cb89ad9
Switch from binary bytes to SI-units 2025-07-23 21:06:20 +03:00
El RIDO
734b85eb08
remove more v1 remnants
kudos @Ribas160
2025-07-21 12:28:40 +02:00
El RIDO
cdb8010f6d
Merge branch 'master' into drop-legacy-zerobin-support 2025-07-21 11:42:47 +02:00
Ribas160
273b11e1b4 Fix bootstrap template fallback in unit tests 2025-07-21 09:30:30 +03:00
El RIDO
009f53e5fd
fix deprecated creation of dynamic property
caught by Scrutinizer after upgrading from PHP 7.4 to 8.2
2025-07-19 21:30:05 +02:00