introduce new zerobincompatibility option, replacing the base64 one, if it is enabled, delete tokens use sha256; added per paste salt with server salt fallback; this resolves the points 2.2 & 2.9 in #103

El RIDO
2016-07-06 11:37:13 +02:00
parent 6b0b814dc6
commit 0e217a42c5
8 changed files with 87 additions and 38 deletions


@@ -41,10 +41,10 @@ class configuration
'sizelimit' => 2097152,
'template' => 'bootstrap',
'notice' => '',
'base64version' => '2.1.9',
'languageselection' => false,
'languagedefault' => '',
'urlshortener' => '',
'zerobincompatibility' => false,
),
'expire' => array(
'default' => '1week',
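Review bot: The new `zerobincompatibility` key enters the defaults as a bare `false` with no hint of what it switches, and nothing visible on this page documents it. The other hunks of this commit show it selecting the delete-token HMAC (`'sha1'` when true, `'sha256'` otherwise) and the base64.js version served to the client, so a comment above the key, `// true: legacy ZeroBin behaviour (base64.js 1.7, delete tokens via HMAC-SHA1); false: base64.js 2.1.9 and HMAC-SHA256`, would save the next reader a search through the model. That comment should also say that flipping the value later invalidates every delete link already issued, because the token is recomputed with the other algorithm. The defaults array continues outside the hunk.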


@@ -27,7 +27,7 @@ class model_paste extends model_abstract
public function get()
{
$this->_data = $this->_store->read($this->getId());
// See if paste has expired and delete it if neccessary.
// check if paste has expired and delete it if neccessary.
if (property_exists($this->_data->meta, 'expire_date'))
{
if ($this->_data->meta->expire_date < time())
@@ -52,6 +52,12 @@ class model_paste extends model_abstract
$this->_data->meta->formatter = $this->_conf->getKey('defaultformatter');
}
}
// support old paste format with server wide salt
if (!property_exists($this->_data->meta, 'salt'))
{
$this->_data->meta->salt = serversalt::get();
}
$this->_data->comments = array_values($this->getComments());
$this->_data->comment_count = count($this->_data->comments);
$this->_data->comment_offset = 0;
@@ -73,6 +79,7 @@ class model_paste extends model_abstract
throw new Exception('You are unlucky. Try again.', 75);
$this->_data->meta->postdate = time();
$this->_data->meta->salt = serversalt::generate();
// store paste
if (
@@ -151,7 +158,12 @@ class model_paste extends model_abstract
*/
public function getDeleteToken()
{
return hash_hmac('sha1', $this->getId(), serversalt::get());
if (!property_exists($this->_data->meta, 'salt')) $this->get();
return hash_hmac(
$this->_conf->getKey('zerobincompatibility') ? 'sha1' : 'sha256',
$this->getId(),
$this->_data->meta->salt
);
}
/**
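Review bot: The lazy-load guard added to getDeleteToken dereferences `$this->_data->meta` before deciding whether to call `$this->get()`, so on a model whose data has not been loaded yet (the initial value of `_data` is outside the hunk) the check only works by way of a non-object notice rather than by design; `if (!is_object($this->_data) || !property_exists($this->_data->meta, 'salt')) $this->get();` makes the intent explicit. Note also that `get()` is not a plain loader: the earlier hunk in this section shows it deleting expired pastes and loading comments, so calling it from a token getter pulls those side effects in, which deserves a comment such as `// lazily load the paste so the per-paste salt is available; get() also applies expiry`. Separately, the commit message says SHA-256 is used when the option is enabled, while the ternary selects `'sha1'` in that case and `'sha256'` otherwise; the code matches the compatibility intent, so the message is the one to correct.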


@@ -327,7 +327,6 @@ class zerobin
else
{
// Make sure the token is valid.
serversalt::setPath($this->_conf->getKey('dir', 'traffic'));
if (filter::slow_equals($deletetoken, $paste->getDeleteToken()))
{
// Paste exists and deletion token is valid: Delete the paste.
@@ -364,6 +363,7 @@ class zerobin
{
$data = $paste->get();
$this->_doesExpire = property_exists($data, 'meta') && property_exists($data->meta, 'expire_date');
if (property_exists($data->meta, 'salt')) unset($data->meta->salt);
$this->_data = json_encode($data);
}
else
@@ -439,7 +439,7 @@ class zerobin
$page->assign('BURNAFTERREADINGSELECTED', $this->_conf->getKey('burnafterreadingselected'));
$page->assign('PASSWORD', $this->_conf->getKey('password'));
$page->assign('FILEUPLOAD', $this->_conf->getKey('fileupload'));
$page->assign('BASE64JSVERSION', $this->_conf->getKey('base64version'));
$page->assign('BASE64JSVERSION', $this->_conf->getKey('zerobincompatibility') ? '1.7' : '2.1.9');
$page->assign('LANGUAGESELECTION', $languageselection);
$page->assign('LANGUAGES', i18n::getLanguageLabels(i18n::getAvailableLanguages()));
$page->assign('EXPIRE', $expire);
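Review bot: The new `unset($data->meta->salt)` line accesses `$data->meta` unconditionally while the line directly above guards that access with `property_exists($data, 'meta')`; for consistency, `if (property_exists($data, 'meta') && property_exists($data->meta, 'salt')) unset($data->meta->salt);` avoids a notice on a paste without meta. This unset is what keeps the per-paste HMAC key out of the JSON handed to the client, so it deserves a comment saying so, e.g. `// never expose the per-paste salt: it is the key the delete token is derived from`, and any other code path that serialises `$data->meta` (none is visible on this page) needs the same stripping. Because PHP passes objects by handle, the unset also removes the salt from the model's own copy, which is presumably why getDeleteToken re-reads the paste when the property is missing. In the delete branch further up, `serversalt::setPath(...)` is removed ahead of the `getDeleteToken()` call; if the path is now configured elsewhere in this commit that is fine, but it is not visible here.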