fix display of v2 pastes in JS, fixing parsing of comments in PHP, avoid exposing expiration date (we provide time_to_live, would allow calculation of creation date of paste)
@@ -213,7 +213,7 @@ class Controller
|
||||
array_key_exists('parentid', $data) &&
|
||||
!empty($data['parentid']);
|
||||
if (!FormatV2::isValid($data, $isComment)) {
|
||||
return $this->_return_message(1, 'Invalid data.');
|
||||
return $this->_return_message(1, I18n::_('Invalid data.'));
|
||||
}
|
||||
$sizelimit = $this->_conf->getKey('sizelimit');
|
||||
// Ensure content is not too big.
|
||||
@@ -240,7 +240,7 @@ class Controller
|
||||
}
|
||||
$this->_return_message(0, $comment->getId());
|
||||
} else {
|
||||
$this->_return_message(1, 'Invalid data.');
|
||||
$this->_return_message(1, I18n::_('Invalid data.'));
|
||||
}
|
||||
}
|
||||
// The user posts a standard paste.
|
||||
|
||||
@@ -52,13 +52,15 @@ class FormatV2
|
||||
}
|
||||
}
|
||||
|
||||
$cipherParams = $isComment ? $message['adata'] : $message['adata'][0];
|
||||
|
||||
// Make sure some fields are base64 data:
|
||||
// - initialization vector
|
||||
if (!base64_decode($message['adata'][0][0], true)) {
|
||||
if (!base64_decode($cipherParams[0], true)) {
|
||||
return false;
|
||||
}
|
||||
// - salt
|
||||
if (!base64_decode($message['adata'][0][1], true)) {
|
||||
if (!base64_decode($cipherParams[1], true)) {
|
||||
return false;
|
||||
}
|
||||
// - cipher text
|
||||
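Review bot: The new `$cipherParams` value is indexed with `[0]` through `[7]` from this hunk onward without first checking that it is an array of that length, so a request whose `adata` shape does not match the `$isComment` flag (which the controller derives only from the presence of `parentid`) reaches `base64_decode($cipherParams[0], true)` with a nested array or a missing index instead of being rejected cleanly. Unless the checks above the hunk already establish that shape, add `if (!is_array($cipherParams) || count($cipherParams) < 8) { return false; }` directly after the `$cipherParams` assignment. The same indexing pattern continues in the two following hunks of FormatV2, so the single guard covers them. `isValid` begins above this hunk.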
@@ -68,11 +70,11 @@ class FormatV2
|
||||
|
||||
// Make sure some fields have a reasonable size:
|
||||
// - initialization vector
|
||||
if (strlen($message['adata'][0][0]) > 24) {
|
||||
if (strlen($cipherParams[0]) > 24) {
|
||||
return false;
|
||||
}
|
||||
// - salt
|
||||
if (strlen($message['adata'][0][1]) > 14) {
|
||||
if (strlen($cipherParams[1]) > 14) {
|
||||
return false;
|
||||
}
|
||||
|
||||
@@ -82,27 +84,27 @@ class FormatV2
|
||||
return false;
|
||||
}
|
||||
// - iterations, refuse less then 10000 iterations (minimum NIST recommendation)
|
||||
if (!is_int($message['adata'][0][2]) || $message['adata'][0][2] <= 10000) {
|
||||
if (!is_int($cipherParams[2]) || $cipherParams[2] <= 10000) {
|
||||
return false;
|
||||
}
|
||||
// - key size
|
||||
if (!in_array($message['adata'][0][3], array(128, 192, 256), true)) {
|
||||
if (!in_array($cipherParams[3], array(128, 192, 256), true)) {
|
||||
return false;
|
||||
}
|
||||
// - tag size
|
||||
if (!in_array($message['adata'][0][4], array(64, 96, 128), true)) {
|
||||
if (!in_array($cipherParams[4], array(64, 96, 128), true)) {
|
||||
return false;
|
||||
}
|
||||
// - algorithm, must be AES
|
||||
if ($message['adata'][0][5] !== 'aes') {
|
||||
if ($cipherParams[5] !== 'aes') {
|
||||
return false;
|
||||
}
|
||||
// - mode
|
||||
if (!in_array($message['adata'][0][6], array('ctr', 'cbc', 'gcm'), true)) {
|
||||
if (!in_array($cipherParams[6], array('ctr', 'cbc', 'gcm'), true)) {
|
||||
return false;
|
||||
}
|
||||
// - compression
|
||||
if (!in_array($message['adata'][0][7], array('zlib', 'none'), true)) {
|
||||
if (!in_array($cipherParams[7], array('zlib', 'none'), true)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
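Review bot: `$cipherParams[2] <= 10000` rejects exactly 10000 iterations while the comment directly above it says values below 10000 are refused; the comparison and the comment disagree, and the commit carries the inconsistency over to the new variable. Either change the check to `if (!is_int($cipherParams[2]) || $cipherParams[2] < 10000) {` or reword the comment to "refuse 10000 or fewer iterations" so the stricter bound is documented. The rest of `isValid` continues past the end of this hunk.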
@@ -45,6 +45,7 @@ class Paste extends AbstractModel
|
||||
}
|
||||
// We kindly provide the remaining time before expiration (in seconds)
|
||||
$data['meta']['time_to_live'] = $data['meta']['expire_date'] - time();
|
||||
unset($data['meta']['expire_date']);
|
||||
}
|
||||
|
||||
// check if non-expired burn after reading paste needs to be deleted
|
||||
|
||||
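Review bot: The comment above the `time_to_live` assignment does not explain why `expire_date` is removed afterwards; the reason given in the commit message belongs in the code, for example `// Expose only the remaining lifetime: the absolute expiration date would let a reader work back to the creation time of the paste.` The subtraction also assumes `$data['meta']['expire_date']` is set; if the block that the closing `}` after the `unset` belongs to (it opens above the hunk) does not guarantee that, guard it with `isset($data['meta']['expire_date'])` so a paste without expiration neither emits a notice nor reports a negative `time_to_live`. The enclosing method starts and ends outside this hunk.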