From dd721c651b216fd334d985a5f282a079f37ab86d Mon Sep 17 00:00:00 2001 From: rugk Date: Sat, 11 Feb 2017 16:19:59 +0100 Subject: [PATCH 1/2] Update SRI hashes Fixes https://github.com/PrivateBin/PrivateBin/issues/181 --- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index 60c6727..4bf3ca1 100644 --- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -69,7 +69,7 @@ if ($MARKDOWN): - + diff --git a/tpl/page.php b/tpl/page.php index c92136f..4ae0b6a 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -47,7 +47,7 @@ if ($MARKDOWN): - + From db307c3a7770044c5e6e52d40188262797fdf1ce Mon Sep 17 00:00:00 2001 From: El RIDO Date: Wed, 22 Feb 2017 21:42:14 +0100 Subject: [PATCH 2/2] updated test cases and delete logic to properly implement documented API, thanks @r4sas #188 --- lib/PrivateBin.php | 28 ++++++++++++++++------------ tst/JsonApiTest.php | 3 +-- tst/PrivateBinTest.php | 2 +- 3 files changed, 18 insertions(+), 15 deletions(-) diff --git a/lib/PrivateBin.php b/lib/PrivateBin.php index e754016..fc69e57 100644 --- a/lib/PrivateBin.php +++ b/lib/PrivateBin.php 
@@ -334,19 +334,16 @@ class PrivateBin
 // accessing this property ensures that the paste would be
 // deleted if it has already expired
 $burnafterreading = $paste->isBurnafterreading();
- if ($deletetoken == 'burnafterreading') {
- if ($burnafterreading) {
- $paste->delete();
- $this->_return_message(0, $dataid);
- } else {
- $this->_return_message(1, 'Paste is not of burn-after-reading type.');
- }
+ if (
+ ($burnafterreading && $deletetoken == 'burnafterreading') ||
+ Filter::slowEquals($deletetoken, $paste->getDeleteToken())
+ ) {
+ // Paste exists and deletion token is valid: Delete the paste.
+ $paste->delete();
+ $this->_status = 'Paste was properly deleted.';
 } else {
- // Make sure the token is valid.
- if (Filter::slowEquals($deletetoken, $paste->getDeleteToken())) {
- // Paste exists and deletion token is valid: Delete the paste.
- $paste->delete();
- $this->_status = 'Paste was properly deleted.';
+ if (!$burnafterreading && $deletetoken == 'burnafterreading') {
+ $this->_error = 'Paste is not of burn-after-reading type.';
 } else {
 $this->_error = 'Wrong deletion token. Paste was not deleted.';
 }
@@ -357,6 +354,13 @@ class PrivateBin
 } catch (Exception $e) {
 $this->_error = $e->getMessage();
 }
+ if ($this->_request->isJsonApiCall()) {
+ if (strlen($this->_error)) {
+ $this->_return_message(1, $this->_error);
+ } else {
+ $this->_return_message(0, $dataid);
+ }
+ }
 }
 /**
diff --git a/tst/JsonApiTest.php b/tst/JsonApiTest.php
index 8579f01..5cf1360 100644
--- a/tst/JsonApiTest.php
+++ b/tst/JsonApiTest.php
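Review bot: Both new comparisons against the literal in the first lib/PrivateBin.php hunk use loose `==`; `$deletetoken` is assigned outside the hunk and looks request-derived, so `$deletetoken === 'burnafterreading'` would keep a non-string value from matching through type juggling on the branch that deletes without checking any secret. The kept comment `// Paste exists and deletion token is valid: Delete the paste.` no longer describes that branch, because a burn-after-reading paste is deleted on the literal alone; something like `// Delete when the token matches, or when a burn-after-reading paste is confirmed read via the literal 'burnafterreading'.` would be accurate. In the else branch `!$burnafterreading &&` is redundant, since the case where it is true and the literal matches was already taken above. The enclosing method starts and ends outside the hunk.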
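Review bot: The JSON branch added in the second lib/PrivateBin.php hunk returns `$this->_error` verbatim, and the catch directly above fills it with `$e->getMessage()`, so any exception text raised inside the try (which opens outside the hunk) is now sent to API clients. If the model or storage layer can throw messages carrying file paths or backend details, the API should answer with a generic message and log the original. `strlen($this->_error)` also relies on `_error` always being a string and on an implicit int-to-bool conversion; `if ($this->_error !== '')` states the intent directly, assuming the property is initialised to an empty string.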
@@ -147,10 +147,9 @@ class JsonApiTest extends PHPUnit_Framework_TestCase
 $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists before deleting data');
 $paste = $this->_model->read(Helper::getPasteId());
 $_POST = array(
- 'action' => 'delete',
+ 'pasteid' => Helper::getPasteId(),
 'deletetoken' => hash_hmac('sha256', Helper::getPasteId(), $paste->meta->salt),
 );
- $_SERVER['QUERY_STRING'] = Helper::getPasteId();
 $_SERVER['HTTP_X_REQUESTED_WITH'] = 'JSONHttpRequest';
 $_SERVER['REQUEST_METHOD'] = 'POST';
 ob_start();
diff --git a/tst/PrivateBinTest.php b/tst/PrivateBinTest.php
index 355b3f9..cebda5a 100644
--- a/tst/PrivateBinTest.php
+++ b/tst/PrivateBinTest.php
@@ -1047,7 +1047,7 @@ class PrivateBinTest extends PHPUnit_Framework_TestCase
 ob_end_clean();
 $response = json_decode($content, true);
 $this->assertEquals(1, $response['status'], 'outputs status');
- $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste successfully deleted');
+ $this->assertTrue($this->_model->exists(Helper::getPasteId()), 'paste exists after failing to delete data');
 }
 /**