From 9c132cd839fd5e91da18e4a1e8ebef64fce605fb Mon Sep 17 00:00:00 2001 From: rugk Date: Sat, 6 Jan 2018 18:04:01 +0100 Subject: [PATCH 1/9] Disallow form-action in CSP to limit outgoing connections See https://github.com/PrivateBin/PrivateBin/issues/272 --- cfg/conf.sample.php | 2 +- lib/Configuration.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php index e693a32..db600d5 100644 --- a/cfg/conf.sample.php +++ b/cfg/conf.sample.php @@ -73,7 +73,7 @@ languageselection = false ; scripts or run your site behind certain DDoS-protection services. ; Check the documentation at https://content-security-policy.com/ ; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions. -; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups" +; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; form-action 'none'; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups" ; stay compatible with PrivateBin Alpha 0.19, less secure ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of diff --git a/lib/Configuration.php b/lib/Configuration.php index c7c8451..173ae21 100644 --- a/lib/Configuration.php +++ b/lib/Configuration.php @@ -54,7 +54,7 @@ class Configuration 'urlshortener' => '', 'qrcode' => true, 'icon' => 'identicon', - 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups', + 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src *; form-action \'none\'; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups', 'zerobincompatibility' => false, ), 'expire' => array( From c9b0398df004ba59ef5db5da34767790c9b032c8 Mon Sep 17 00:00:00 2001 From: Felix Breidenstein Date: Tue, 20 Feb 2018 10:58:07 +0100 Subject: [PATCH 2/9] Dockerfile: User && instead of ; We don't want to continue if any of the commands fails. && only executes the next command on exitocde 0. --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index b012134..535d826 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,10 +6,10 @@ RUN apt-get update && apt-get install -y \ libpng12-dev \ wget \ zip \ - unzip; \ + unzip && \ # We install and enable php-gd - docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/; \ - docker-php-ext-install -j$(nproc) gd; \ + docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ &&\ + docker-php-ext-install -j$(nproc) gd && \ # We enable Apache's mod_rewrite a2enmod rewrite From 460d7ec3eba1fd4314176da185cf47b551d91e98 Mon Sep 17 00:00:00 2001 From: Felix Breidenstein Date: Tue, 20 Feb 2018 10:59:04 +0100 Subject: [PATCH 3/9] Dockerfile: Be more specific about the path Without looking at the php:apache image, it is unclear what the destination of the COPY command is --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 535d826..4886a9e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,4 +14,4 @@ RUN apt-get update && apt-get install -y \ # We enable Apache's mod_rewrite a2enmod rewrite -COPY . . +COPY . /var/www/html From 82dc08e7e7e6ae3fc91fc9d2b0c8c0166b6eefa3 Mon Sep 17 00:00:00 2001 From: Felix Breidenstein Date: Tue, 20 Feb 2018 11:08:30 +0100 Subject: [PATCH 4/9] Dockerfile: Use correct libpng package for Debian Stretch --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4886a9e..3302beb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ FROM php:apache RUN apt-get update && apt-get install -y \ libfreetype6-dev \ libjpeg62-turbo-dev \ - libpng12-dev \ + libpng-dev \ wget \ zip \ unzip && \ From 43d48ae2df9ed4ed56b3861f442d73481d1fc713 Mon Sep 17 00:00:00 2001 From: Felix Breidenstein Date: Tue, 20 Feb 2018 11:11:12 +0100 Subject: [PATCH 5/9] Dockerfile: Remove empty line in RUN command This will throw errors in future Docker versions --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 3302beb..6e7e168 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,6 @@ RUN apt-get update && apt-get install -y \ # We install and enable php-gd docker-php-ext-configure gd --with-freetype-dir=/usr/include/ --with-jpeg-dir=/usr/include/ &&\ docker-php-ext-install -j$(nproc) gd && \ - # We enable Apache's mod_rewrite a2enmod rewrite From 8c19e869b75fce4d905c76d4d588fbf3cd64623b Mon Sep 17 00:00:00 2001 From: Felix Breidenstein Date: Tue, 20 Feb 2018 12:12:32 +0100 Subject: [PATCH 6/9] Dockerfile: Define data volume and entryscript The entryscript is needed to set correct permissions on the data directory. --- Dockerfile | 8 ++++++++ docker/entrypoint.sh | 5 +++++ 2 files changed, 13 insertions(+) create mode 100755 docker/entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 6e7e168..c7d45ba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,4 +13,12 @@ RUN apt-get update && apt-get install -y \ # We enable Apache's mod_rewrite a2enmod rewrite + +# Copy app content COPY . /var/www/html + +# Copy start script +COPY docker/entrypoint.sh / +VOLUME /var/www/html/data + +CMD /entrypoint.sh diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh new file mode 100755 index 0000000..6d2df63 --- /dev/null +++ b/docker/entrypoint.sh @@ -0,0 +1,5 @@ +#! /bin/sh + +chown -R www-data /var/www/html/data +rm -r /var/www/html/docker +apache2-foreground From d3c3cb0c1f6bdf73078f58e2f2a2c6cc4ddf8bd7 Mon Sep 17 00:00:00 2001 From: Felix Breidenstein Date: Tue, 20 Feb 2018 12:23:52 +0100 Subject: [PATCH 7/9] Dockerfile: Better handling of entrypoint.sh --- Dockerfile | 4 +++- docker/entrypoint.sh | 1 - 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index c7d45ba..7bc9e12 100644 --- a/Dockerfile +++ b/Dockerfile @@ -18,7 +18,9 @@ RUN apt-get update && apt-get install -y \ COPY . /var/www/html # Copy start script -COPY docker/entrypoint.sh / +RUN mv /var/www/html/docker/entrypoint.sh / && \ + rm -r /var/www/html/docker + VOLUME /var/www/html/data CMD /entrypoint.sh diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 6d2df63..124f2ea 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -1,5 +1,4 @@ #! /bin/sh chown -R www-data /var/www/html/data -rm -r /var/www/html/docker apache2-foreground From 5602e47c5f8cbb6bdf96ad428373666e49f40f49 Mon Sep 17 00:00:00 2001 From: Felix Breidenstein Date: Tue, 20 Feb 2018 12:32:02 +0100 Subject: [PATCH 8/9] Added docker-compose.yml --- docker-compose.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 docker-compose.yml diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..3143221 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,15 @@ +version: '3' + +services: + privatebin: + build: . + ports: + - "3000:80" + volumes: + - data:/var/www/html/data + # Optionally mount a custom config file + #- /srv/docker/privatebin/conf.php:/var/www/html/cfg/conf.php + +volumes: + data: + From 0687448d0aaffe097452ec9ef97cf12c5d68c1a9 Mon Sep 17 00:00:00 2001 From: rugk Date: Wed, 21 Feb 2018 22:51:31 +0100 Subject: [PATCH 9/9] Fix some issues from ESLint --- .eslintrc | 1 + .jshintrc | 39 ++++++++++++++++++++++----------------- js/privatebin.js | 23 ++++++++++++----------- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 5 files changed, 37 insertions(+), 30 deletions(-) diff --git a/.eslintrc b/.eslintrc index fb9e312..1f7106f 100644 --- a/.eslintrc +++ b/.eslintrc @@ -19,6 +19,7 @@ globals: it: false jsc: false jsdom: true + kjua: true # http://eslint.org/docs/rules/ rules: diff --git a/.jshintrc b/.jshintrc index 2eb6bce..fabd7e6 100644 --- a/.jshintrc +++ b/.jshintrc @@ -16,26 +16,31 @@ "nonew": true, "quotmark": "single", "singleGroups": true, - "strict": "global", + "strict": true, "undef": true, "unused": true, "jquery": true, + "browser": true, "predef": { - "after": true, - "before": true, - "cleanup": true, - "console": true, - "describe": false, - "document": true, - "fs": false, - "global": true, - "exports": true, - "it": false, - "jsc": false, - "jsdom": true, - "require": false, - "setTimeout": false, - "window": true + "after": true, + "before": true, + "cleanup": true, + "console": true, + "describe": false, + "document": true, + "fs": false, + "global": true, + "exports": true, + "it": false, + "jsc": false, + "jsdom": true, + "require": false, + "setTimeout": false, + "window": true + }, + "globals": { + "sjcl": true, + "DOMPurify": true, + "kjua": true } } - diff --git a/js/privatebin.js b/js/privatebin.js index 197ec58..a39c38a 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -28,6 +28,7 @@ sjcl.random.startCollectors(); // main application start, called when DOM is fully loaded jQuery(document).ready(function() { + 'use strict'; // run main controller $.PrivateBin.Controller.init(); }); @@ -331,7 +332,7 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) { var usesPlurals = $.isArray(args[0]); if (usesPlurals) { // use the first plural form as messageId, otherwise the singular - messageId = (args[0].length > 1 ? args[0][1] : args[0][0]); + messageId = args[0].length > 1 ? args[0][1] : args[0][0]; } else { messageId = args[0]; } @@ -415,16 +416,16 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) { case 'fr': case 'oc': case 'zh': - return (n > 1 ? 1 : 0); + return n > 1 ? 1 : 0; case 'pl': - return (n === 1 ? 0 : (n % 10 >= 2 && n %10 <=4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2)); + return n === 1 ? 0 : (n % 10 >= 2 && n %10 <=4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2); case 'ru': - return (n % 10 === 1 && n % 100 !== 11 ? 0 : (n % 10 >= 2 && n % 10 <= 4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2)); + return n % 10 === 1 && n % 100 !== 11 ? 0 : (n % 10 >= 2 && n % 10 <= 4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2); case 'sl': - return (n % 100 === 1 ? 1 : (n % 100 === 2 ? 2 : (n % 100 === 3 || n % 100 === 4 ? 3 : 0))); + return n % 100 === 1 ? 1 : (n % 100 === 2 ? 2 : (n % 100 === 3 || n % 100 === 4 ? 3 : 0)); // de, en, es, it, no, pt default: - return (n !== 1 ? 1 : 0); + return n !== 1 ? 1 : 0; } }; @@ -660,7 +661,7 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) { */ me.hasCipherData = function() { - return (me.getCipherData().length > 0); + return me.getCipherData().length > 0; }; /** @@ -831,7 +832,7 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) { var viewportTop = $(window).scrollTop(); var viewportBottom = viewportTop + $(window).height(); - return (elementTop > viewportTop && elementTop < viewportBottom); + return elementTop > viewportTop && elementTop < viewportBottom; }; /** @@ -1194,8 +1195,8 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) { */ function sendToShortener() { - window.location.href = $shortenButton.data('shortener') - + encodeURIComponent($pasteUrl.attr('href')); + window.location.href = $shortenButton.data('shortener') + + encodeURIComponent($pasteUrl.attr('href')); } /** @@ -2008,7 +2009,7 @@ jQuery.PrivateBin = (function($, sjcl, Base64, RawDeflate) { me.hasAttachment = function() { var link = $attachmentLink.prop('href'); - return (typeof link !== 'undefined' && link !== ''); + return typeof link !== 'undefined' && link !== ''; }; /** diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index c1e3a6e..f97437b 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -75,7 +75,7 @@ if ($MARKDOWN): - + diff --git a/tpl/page.php b/tpl/page.php index 5992336..370f5f9 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -54,7 +54,7 @@ if ($QRCODE): - +