diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index f8363e8..55fbca6 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -35,5 +35,4 @@ If you have access to the server log files, also copy them here. **PrivateBin version:** -* I can reproduce this issue on : Yes / No - +I can reproduce this issue on : Yes / No diff --git a/.travis.yml b/.travis.yml index 7998718..b18d048 100644 --- a/.travis.yml +++ b/.travis.yml @@ -15,7 +15,7 @@ before_script: - composer install -n - npm install -g mocha - cd js - - npm install jsverify jsdom jsdom-global + - npm install jsverify jsdom@9 jsdom-global@2 - cd .. script: diff --git a/INSTALL.md b/INSTALL.md index ffd5d39..7e5fa31 100644 --- a/INSTALL.md +++ b/INSTALL.md @@ -1,154 +1 @@ -# Installation - -**TL;DR:** Download the -[latest release archive](https://github.com/PrivateBin/PrivateBin/releases/latest) -and extract it in your web hosts folder where you want to install your PrivateBin -instance. We try to provide a safe default configuration, but we advise you to -check the options and adjust them as you see fit. - -## Basic installation - -### Requirements - -- PHP version 5.4 or above -- _one_ of the following sources of cryptographically safe randomness is required: - - PHP 7 or higher - - [Libsodium](https://download.libsodium.org/libsodium/content/installation/) and it's [PHP extension](https://paragonie.com/book/pecl-libsodium/read/00-intro.md#installing-libsodium) - - open_basedir access to `/dev/urandom` - - mcrypt extension - - com_dotnet extension - - Mcrypt needs to be able to access `/dev/urandom`. This means if `open_basedir` is set, it must include this file. -- GD extension -- some disk space or (optional) a database supported by [PDO](https://secure.php.net/manual/book.pdo.php) -- ability to create files and folders in the installation directory and the PATH -- A web browser with javascript support - -### Configuration - -In the file `cfg/conf.ini` you can configure PrivateBin. A `cfg/conf.ini.sample` -is provided containing all options and default values. You can copy it to -`cfg/conf.ini` and adapt it as needed. The config file is divided into multiple -sections, which are enclosed in square brackets. - -In the `[main]` section you can enable or disable the discussion feature, set -the limit of stored pastes and comments in bytes. The `[traffic]` section lets -you set a time limit in seconds. Users may not post more often then this limit -to your PrivateBin installation. - -More details can be found in the -[configuration documentation](https://github.com/PrivateBin/PrivateBin/wiki/Configuration). - -## Further configuration - -After (or before) setting up PrivateBin, also set up HTTPS, as without HTTPS -PrivateBin is not secure. ( -[More information](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#how-should-i-setup-https)) - -If you want to use PrivateBin behind Cloudflare, make sure you disabled Rocket -loader and unchecked "Javascript" for Auto Minify, found in your domain settings, -under "Speed". (More information -[in this FAQ entry](https://github.com/PrivateBin/PrivateBin/wiki/FAQ#user-content-how-to-make-privatebin-work-when-using-cloudflare-for-ddos-protection)) - -## Advanced installation - -### Changing the path - -In the index.php you can define a different `PATH`. This is useful to secure your -installation. You can move the configuration, data files, templates and PHP -libraries (directories cfg, doc, data, lib, tpl, tst and vendor) outside of your -document root. This new location must still be accessible to your webserver / PHP -process (see also -[open_basedir setting](https://secure.php.net/manual/en/ini.core.php#ini.open-basedir)). - -> #### PATH Example -> Your PrivateBin installation lives in a subfolder called "paste" inside of -> your document root. The URL looks like this: -> https://example.com/paste/ -> -> The full path of PrivateBin on your webserver is: -> /home/example.com/htdocs/paste -> -> When setting the path like this: -> define('PATH', '../../secret/privatebin/'); -> -> PrivateBin will look for your includes / data here: -> /home/example.com/secret/privatebin - -### Web server configuration - -A `robots.txt` file is provided in the root dir of PrivateBin. It disallows all -robots from accessing your pastes. It is recommend to place it into the root of -your web directory if you have installed PrivateBin in a subdirectory. Make sure -to adjust it, so that the file paths match your installation. Of course also -adjust the file if you already use a `robots.txt`. - -A `.htaccess.disabled` file is provided in the root dir of PrivateBin. It blocks -some known robots and link-scanning bots. If you use Apache, you can rename the -file to `.htaccess` to enable this feature. If you use another webserver, you -have to configure it manually to do the same. - -### Using a database instead of flat files - -In the configuration file the `[model]` and `[model_options]` sections let you -configure your favourite way of storing the pastes and discussions on your -server. - -`Filesystem` is the default model, which stores everything in files in the -data folder. This is the recommended setup for most sites. - -Under high load, in distributed setups or if you are not allowed to store files -locally, you might want to switch to the `Database` model. This lets you -store your data in a database. Basically all databases that are supported by -[PDO](https://secure.php.net/manual/en/book.pdo.php) may be used. Automatic table -creation is provided for `pdo_ibm`, `pdo_informix`, `pdo_mssql`, `pdo_mysql`, -`pdo_oci`, `pdo_pgsql` and `pdo_sqlite`. You may want to provide a table prefix, -if you have to share the PrivateBin database with another application or you want -to use a prefix for -[security reasons](https://security.stackexchange.com/questions/119510/is-using-a-db-prefix-for-tables-more-secure). -The table prefix option is called `tbl`. - -> #### Note -> The `Database` model has only been tested with SQLite, MySQL and PostgreSQL, -> although it would not be recommended to use SQLite in a production environment. -> If you gain any experience running PrivateBin on other RDBMS, please let us -> know. - -For reference or if you want to create the table schema for yourself (replace -`prefix_` with your own table prefix and create the table schema with phpMyAdmin -or the MYSQL console): - -```sql -CREATE TABLE prefix_paste ( - dataid CHAR(16) NOT NULL, - data BLOB, - postdate INT, - expiredate INT, - opendiscussion INT, - burnafterreading INT, - meta TEXT, - attachment MEDIUMBLOB, - attachmentname BLOB, - PRIMARY KEY (dataid) -); - -CREATE TABLE prefix_comment ( - dataid CHAR(16), - pasteid CHAR(16), - parentid CHAR(16), - data BLOB, - nickname BLOB, - vizhash BLOB, - postdate INT, - PRIMARY KEY (dataid) -); -CREATE INDEX parent ON prefix_comment(pasteid); - -CREATE TABLE prefix_config ( - id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id) -); -INSERT INTO prefix_config VALUES('VERSION', '1.1'); -``` - -In PostgreSQL the attachment column needs to be TEXT and not BLOB or MEDIUMBLOB. - +For installation instructions, see [our wiki](https://github.com/PrivateBin/PrivateBin/wiki/Installation). diff --git a/README.md b/README.md index a259cb5..802942c 100644 --- a/README.md +++ b/README.md @@ -12,13 +12,13 @@ **PrivateBin** is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. -Data is encrypted/decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode). +Data is encrypted and decrypted in the browser using 256bit AES in [Galois Counter mode](https://en.wikipedia.org/wiki/Galois/Counter_Mode). This is a fork of ZeroBin, originally developed by -[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). It was refactored -to allow easier and cleaner extensions and has now many more features than the -original. It is however still fully compatible to the original ZeroBin 0.19 -data storage scheme. Therefore such installations can be upgraded to this fork +[Sébastien Sauvage](https://github.com/sebsauvage/ZeroBin). ZeroBin was refactored +to allow easier and cleaner extensions. PrivateBin has many more features than the +original ZeroBin. It is, however, still fully compatible to the original ZeroBin 0.19 +data storage scheme. Therefore, such installations can be upgraded to PrivateBin without losing any data. ## What PrivateBin provides @@ -38,37 +38,37 @@ without losing any data. ## What it doesn't provide -- As a user you have to trust the server administrator, your internet provider - and any country the traffic passes not to inject any malicious javascript code. - For a basic security the PrivateBin installation *has to provide HTTPS*! - Additionally it should be secured by +- As a user you have to trust the server administrator not to inject any malicious + javascript code. + For basic security, the PrivateBin installation *has to provide HTTPS*! + Otherwise you would also have to trust your internet provider, and any country + the traffic passes through. + Additionally the instance should be secured by [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) and ideally by [HPKP](https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning) using a - certificate either validated by a trusted third party (check the certificate - when first using a new PrivateBin instance) or self-signed by the server - operator, validated using a + certificate. It can use traditional certificate authorities and/or use [DNSSEC](https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions) protected [DANE](https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities) record. - The "key" used to encrypt the paste is part of the URL. If you publicly post - the URL of a paste that is not password-protected, everybody can read it. - Use a password if you want your paste to be private. In this case make sure to - use a strong password and do only share it privately and end-to-end-encrypted. + the URL of a paste that is not password-protected, anyone can read it. + Use a password if you want your paste to be private. In this case, make sure to + use a strong password and only share it privately and end-to-end-encrypted. - A server admin might be forced to hand over access logs to the authorities. - PrivateBin encrypts your text and the discussion contents, but who accessed it - first might still be disclosed via such access logs. + PrivateBin encrypts your text and the discussion contents, but who accessed a + paste (first) might still be disclosed via access logs. - In case of a server breach your data is secure as it is only stored encrypted - on the server. However the server could be misused or the server admin could + on the server. However, the server could be misused or the server admin could be legally forced into sending malicious JavaScript to all web users, which - grabs the decryption key and send it to the server when a user accesses a + grabs the decryption key and sends it to the server when a user accesses a PrivateBin. - Therefore do not access any PrivateBin instance if you think it has been + Therefore, do not access any PrivateBin instance if you think it has been compromised. As long as no user accesses this instance with a previously - generated URL, the content can''t be decrypted. + generated URL, the content can't be decrypted. ## Options diff --git a/js/test.js b/js/test.js index c6e5c7a..3f24a2e 100644 --- a/js/test.js +++ b/js/test.js @@ -561,6 +561,40 @@ describe('CryptTool', function () { }); describe('Model', function () { + describe('getExpirationDefault', function () { + before(function () { + $.PrivateBin.Model.reset(); + cleanup(); + }); + + jsc.property( + 'returns the contents of the element with id "pasteExpiration"', + 'array asciinestring', + 'string', + 'small nat', + function (keys, value, key) { + keys = keys.map($.PrivateBin.Helper.htmlEntities); + value = $.PrivateBin.Helper.htmlEntities(value); + var content = keys.length > key ? keys[key] : (keys.length > 0 ? keys[0] : 'null'), + contents = ''; + $('body').html(contents); + var result = $.PrivateBin.Helper.htmlEntities( + $.PrivateBin.Model.getExpirationDefault() + ); + $.PrivateBin.Model.reset(); + return content === result; + } + ); + }); + describe('getPasteId', function () { before(function () { $.PrivateBin.Model.reset(); diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index a898900..c8b92f3 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -269,7 +269,7 @@ if ($PASSWORD): ?>
    • = 6, then you can install +the latest jsdom and jsdom-global packages and don't need to use @9 and @2. + To run the tests, just change into the `js` directory and run istanbul: ```console $ cd PrivateBin/js