george/PrivateBin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

implemented JSON file conversion on purge and storage in PHP files for data leak protection

Browse Source
This commit is contained in:
El RIDO
2017-10-08 11:03:17 +02:00
parent e326310c57
commit 6b87a6e0e1
9 changed files with 128 additions and 137 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
lib/Data/Filesystem.php
View File

@@ -22,6 +22,13 @@ use PrivateBin\Model\Paste;
*/
class Filesystem extends AbstractData
{
/**
* First line in JSON files, to hide contents
*
* @const string
*/
const PROTECTION_LINE = '<?php http_response_code(403); /*' . PHP_EOL;
/**
* directory where data is stored
*
@@ -68,13 +75,13 @@ class Filesystem extends AbstractData
public function create($pasteid, $paste)
{
$storagedir = self::_dataid2path($pasteid);
if (is_file($storagedir . $pasteid)) {
if (is_file($storagedir . $pasteid . '.php')) {
return false;
}
if (!is_dir($storagedir)) {
mkdir($storagedir, 0700, true);
}
return (bool) file_put_contents($storagedir . $pasteid, Json::encode($paste));
return (bool) file_put_contents($storagedir . $pasteid . '.php', self::PROTECTION_LINE . Json::encode($paste));
}
/**
@@ -89,9 +96,7 @@ class Filesystem extends AbstractData
if (!$this->exists($pasteid)) {
return false;
}
$paste = json_decode(
file_get_contents(self::_dataid2path($pasteid) . $pasteid)
);
$paste = self::_decodeFile(self::_dataid2path($pasteid) . $pasteid . '.php');
if (property_exists($paste->meta, 'attachment')) {
$paste->attachment = $paste->meta->attachment;
unset($paste->meta->attachment);
@@ -115,8 +120,8 @@ class Filesystem extends AbstractData
$pastedir = self::_dataid2path($pasteid);
if (is_dir($pastedir)) {
// Delete the paste itself.
if (is_file($pastedir . $pasteid)) {
unlink($pastedir . $pasteid);
if (is_file($pastedir . $pasteid . '.php')) {
unlink($pastedir . $pasteid . '.php');
}
// Delete discussion if it exists.
@@ -144,7 +149,41 @@ class Filesystem extends AbstractData
*/
public function exists($pasteid)
{
return is_file(self::_dataid2path($pasteid) . $pasteid);
$basePath = self::_dataid2path($pasteid) . $pasteid;
$pastePath = $basePath . '.php';
// convert to PHP protected files if needed
if (is_readable($basePath)) {
$context = stream_context_create();
// don't overwrite already converted file
if (!is_file($pastePath)) {
$handle = fopen($basePath, 'r', false, $context);
file_put_contents($pastePath, self::PROTECTION_LINE);
file_put_contents($pastePath, $handle, FILE_APPEND);
fclose($handle);
}
unlink($basePath);
// convert comments, too
$discdir = self::_dataid2discussionpath($pasteid);
if (is_dir($discdir)) {
$dir = dir($discdir);
while (false !== ($filename = $dir->read())) {
if (substr($filename, -4) !== '.php' && strlen($filename) >= 16) {
$commentFilename = $discdir . $filename . '.php';
// don't overwrite already converted file
if (!is_file($commentFilename)) {
$handle = fopen($discdir . $filename, 'r', false, $context);
file_put_contents($commentFilename, self::PROTECTION_LINE);
file_put_contents($commentFilename, $handle, FILE_APPEND);
fclose($handle);
}
unlink($discdir . $filename);
}
}
$dir->close();
}
}
return is_readable($pastePath);
}
/**
@@ -161,14 +200,14 @@ class Filesystem extends AbstractData
public function createComment($pasteid, $parentid, $commentid, $comment)
{
$storagedir = self::_dataid2discussionpath($pasteid);
$filename = $pasteid . '.' . $commentid . '.' . $parentid;
$filename = $pasteid . '.' . $commentid . '.' . $parentid . '.php';
if (is_file($storagedir . $filename)) {
return false;
}
if (!is_dir($storagedir)) {
mkdir($storagedir, 0700, true);
}
return (bool) file_put_contents($storagedir . $filename, Json::encode($comment));
return (bool) file_put_contents($storagedir . $filename, self::PROTECTION_LINE . Json::encode($comment));
}
/**
@@ -183,15 +222,14 @@ class Filesystem extends AbstractData
$comments = array();
$discdir = self::_dataid2discussionpath($pasteid);
if (is_dir($discdir)) {
// Delete all files in discussion directory
$dir = dir($discdir);
while (false !== ($filename = $dir->read())) {
// Filename is in the form pasteid.commentid.parentid:
// Filename is in the form pasteid.commentid.parentid.php:
// - pasteid is the paste this reply belongs to.
// - commentid is the comment identifier itself.
// - parentid is the comment this comment replies to (It can be pasteid)
if (is_file($discdir . $filename)) {
$comment = json_decode(file_get_contents($discdir . $filename));
$comment = self::_decodeFile($discdir . $filename);
$items = explode('.', $filename);
// Add some meta information not contained in file.
$comment->id = $items[1];
@@ -223,7 +261,7 @@ class Filesystem extends AbstractData
{
return is_file(
self::_dataid2discussionpath($pasteid) .
$pasteid . '.' . $commentid . '.' . $parentid
$pasteid . '.' . $commentid . '.' . $parentid . '.php'
);
}
@@ -263,7 +301,14 @@ class Filesystem extends AbstractData
continue;
}
$thirdLevel = array_filter(
scandir($path),
array_map(
function($filename) {
return strlen($filename) >= 20 ?
substr($filename, 0, -4) :
$filename;
},
scandir($path)
),
'PrivateBin\\Model\\Paste::isValidId'
);
if (count($thirdLevel) == 0) {
@@ -378,4 +423,17 @@ class Filesystem extends AbstractData
{
return (bool) preg_match('/^[a-f0-9]{2}$/', $element);
}
/**
* Decodes a paste or comment file.
*
* @access private
* @static
* @param string $file
* @return array
*/
private static function _decodeFile($file)
{
return json_decode(substr(file_get_contents($file), strlen(self::PROTECTION_LINE)));
}
}