From 1a159c973fb50e55a0059e1e1d8f150572f75fa4 Mon Sep 17 00:00:00 2001
From: rugk
Date: Sat, 3 Sep 2016 18:12:24 +0200
Subject: [PATCH] Prevent referrer to be send

Uses both CSP and Referrer-Policy

Fixes #96
---
 cfg/conf.ini.sample | 4 ++--
 lib/Configuration.php | 2 +-
 test.php | 17 +++++++++++++++++
 tpl/bootstrap-compact.php | 1 +
 tpl/bootstrap-dark-page.php | 1 +
 tpl/bootstrap-dark.php | 1 +
 tpl/bootstrap-page.php | 1 +
 tpl/bootstrap.php | 1 +
 tpl/page.php | 1 +
 9 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100755 test.php

diff --git a/cfg/conf.ini.sample b/cfg/conf.ini.sample
index 5ab7191..aee6990 100644
--- a/cfg/conf.ini.sample
+++ b/cfg/conf.ini.sample
@@ -1,5 +1,5 @@
 ; config file for PrivateBin
-;
+;
 ; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
 
 [main]
@@ -60,7 +60,7 @@ languageselection = false
 ; custom scripts from third-party domains to your templates, e.g. tracking
 ; scripts or run your site behind certain DDoS-protection services.
 ; Check the documentation at https://content-security-policy.com/
-cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:;"
+cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer;"
 
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
diff --git a/lib/Configuration.php b/lib/Configuration.php
index 03c7615..47daa5a 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
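Review bot: The `referrer no-referrer;` appended to the cspheader default is a directive from an early CSP Level 2 draft that was later dropped from the specification in favour of the separate Referrer Policy mechanism, and browsers no longer honour it (unrecognized directives are ignored, some engines log a console warning), so on its own this line does not stop the Referer header from being sent; the same addition appears in the lib/Configuration.php hunk. The effective control in this commit is therefore whatever referrer policy the template hunks add, which is not visible in this rendering, and the CSP directive is at best a fallback for older engines. Because this sample file is what operators copy, a comment above the key would keep them from believing the CSP value alone is sufficient, e.g. `; "referrer" is a deprecated draft CSP directive most browsers ignore; the referrer policy is enforced by the templates' referrer meta tag / a Referrer-Policy header`. A `Referrer-Policy: no-referrer` response header emitted alongside the CSP header would additionally cover responses that are not rendered through the templates.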
@@ -51,7 +51,7 @@ class Configuration
 'languagedefault' => '',
 'urlshortener' => '',
 'icon' => 'identicon',
- 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:;',
+ 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer;',
 'zerobincompatibility' => false,
 ),
 'expire' => array(
diff --git a/test.php b/test.php
new file mode 100755
index 0000000..6b6aa18
--- /dev/null
+++ b/test.php
@@ -0,0 +1,17 @@
+
diff --git a/tpl/bootstrap-compact.php b/tpl/bootstrap-compact.php
index 025f35e..2196608 100644
--- a/tpl/bootstrap-compact.php
+++ b/tpl/bootstrap-compact.php
@@ -7,6 +7,7 @@ use PrivateBin\I18n;
+
 <?php echo I18n::_('PrivateBin'); ?>
diff --git a/tpl/bootstrap-dark-page.php b/tpl/bootstrap-dark-page.php
index 5e4a5ee..17b7807 100644
--- a/tpl/bootstrap-dark-page.php
+++ b/tpl/bootstrap-dark-page.php
@@ -7,6 +7,7 @@ use PrivateBin\I18n;
+
 <?php echo I18n::_('PrivateBin'); ?>
diff --git a/tpl/bootstrap-dark.php b/tpl/bootstrap-dark.php
index c6709a3..e21936c 100644
--- a/tpl/bootstrap-dark.php
+++ b/tpl/bootstrap-dark.php
@@ -7,6 +7,7 @@ use PrivateBin\I18n;
+
 <?php echo I18n::_('PrivateBin'); ?>
diff --git a/tpl/bootstrap-page.php b/tpl/bootstrap-page.php
index 2687339..a23e388 100644
--- a/tpl/bootstrap-page.php
+++ b/tpl/bootstrap-page.php
@@ -7,6 +7,7 @@ use PrivateBin\I18n;
+
 <?php echo I18n::_('PrivateBin'); ?>
diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php
index 4e3291e..5f86fbc 100644
--- a/tpl/bootstrap.php
+++ b/tpl/bootstrap.php
@@ -7,6 +7,7 @@ use PrivateBin\I18n;
+
 <?php echo I18n::_('PrivateBin'); ?>
diff --git a/tpl/page.php b/tpl/page.php
index bbfbf19..d87cdfd 100644
--- a/tpl/page.php
+++ b/tpl/page.php
@@ -5,6 +5,7 @@ use PrivateBin\I18n;
+
 <?php echo I18n::_('PrivateBin'); ?>
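Review bot: The new executable test.php at the repository root is mentioned neither in the subject nor in the description, and its 17 added lines are not visible in this rendering, so it reads as a debugging script that was committed by accident together with the referrer change. Everything at the web root is served by the web server, so a leftover script there becomes a reachable endpoint on every installation that picks up this commit; if it is scratch code it should be dropped from the commit, and if it is intended it belongs under whatever directory holds the project's tests, with a short header comment saying what it checks. The 100755 mode is also unusual for a PHP file in the web tree and should be confirmed as deliberate.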
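Review bot: The added line of this hunk is empty in this rendering, presumably because a `<meta>` tag was stripped, so what the six template hunks (bootstrap-compact, bootstrap-dark-page, bootstrap-dark, bootstrap-page, bootstrap, page) actually insert cannot be checked here; if it is a `<meta name="referrer" content="no-referrer">` it should be placed before any element that starts a request, because a document's referrer policy only applies to fetches initiated after the parser has processed the meta element. A meta tag also covers only the HTML documents these templates render, and repeating it in six files invites the copies drifting apart over time; a `Referrer-Policy: no-referrer` response header sent from the place that emits the cspheader value would apply to every response and keep the policy in one spot. The enclosing `<head>` element starts and ends outside the hunk.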