2015-09-27 18:34:39 +00:00
|
|
|
<?php
|
|
|
|
/**
|
2016-07-11 09:58:15 +00:00
|
|
|
* PrivateBin
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* a zero-knowledge paste bin
|
|
|
|
*
|
2016-07-11 09:58:15 +00:00
|
|
|
* @link https://github.com/PrivateBin/PrivateBin
|
2015-09-27 18:34:39 +00:00
|
|
|
* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
|
2016-07-19 11:56:52 +00:00
|
|
|
* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
|
2024-05-13 17:18:30 +00:00
|
|
|
* @version 1.7.3
|
2015-09-27 18:34:39 +00:00
|
|
|
*/
|
2016-12-12 17:43:23 +00:00
|
|
|
|
2016-12-12 17:50:00 +00:00
|
|
|
namespace PrivateBin;
|
2016-07-21 15:09:48 +00:00
|
|
|
|
2022-12-12 19:46:47 +00:00
|
|
|
use Exception;
|
|
|
|
|
2015-09-27 18:34:39 +00:00
|
|
|
/**
|
2016-08-09 09:54:42 +00:00
|
|
|
* Request
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* parses request parameters and provides helper functions for routing
|
2016-08-15 14:45:47 +00:00
|
|
|
*/
|
2016-08-09 09:54:42 +00:00
|
|
|
class Request
|
2015-09-27 18:34:39 +00:00
|
|
|
{
|
2016-04-08 21:29:44 +00:00
|
|
|
/**
|
|
|
|
* MIME type for JSON
|
|
|
|
*
|
|
|
|
* @const string
|
|
|
|
*/
|
|
|
|
const MIME_JSON = 'application/json';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* MIME type for HTML
|
|
|
|
*
|
|
|
|
* @const string
|
|
|
|
*/
|
|
|
|
const MIME_HTML = 'text/html';
|
|
|
|
|
|
|
|
/**
|
|
|
|
* MIME type for XHTML
|
|
|
|
*
|
|
|
|
* @const string
|
|
|
|
*/
|
|
|
|
const MIME_XHTML = 'application/xhtml+xml';
|
|
|
|
|
2015-09-27 18:34:39 +00:00
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* Input stream to use for PUT parameter parsing
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @var string
|
|
|
|
*/
|
2015-10-11 16:50:48 +00:00
|
|
|
private static $_inputStream = 'php://input';
|
2015-09-27 18:34:39 +00:00
|
|
|
|
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* Operation to perform
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @var string
|
|
|
|
*/
|
|
|
|
private $_operation = 'view';
|
|
|
|
|
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* Request parameters
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @var array
|
|
|
|
*/
|
|
|
|
private $_params = array();
|
|
|
|
|
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* If we are in a JSON API context
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @var bool
|
|
|
|
*/
|
|
|
|
private $_isJsonApi = false;
|
|
|
|
|
2019-01-21 22:06:25 +00:00
|
|
|
/**
|
|
|
|
* Return the paste ID of the current paste.
|
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
private function getPasteId()
|
|
|
|
{
|
2019-01-21 22:19:41 +00:00
|
|
|
foreach ($_GET as $key => $value) {
|
2024-03-23 10:27:25 +00:00
|
|
|
// only return if value is empty and key is 16 hex chars
|
|
|
|
if (($value === '') && strlen($key) === 16 && ctype_xdigit($key)) {
|
|
|
|
return $key;
|
2019-01-21 23:12:02 +00:00
|
|
|
}
|
2019-01-21 22:19:41 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return 'invalid id';
|
2019-01-21 22:06:25 +00:00
|
|
|
}
|
|
|
|
|
2015-09-27 18:34:39 +00:00
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* Constructor
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
*/
|
|
|
|
public function __construct()
|
|
|
|
{
|
|
|
|
// decide if we are in JSON API or HTML context
|
2016-04-08 21:29:44 +00:00
|
|
|
$this->_isJsonApi = $this->_detectJsonRequest();
|
2015-09-27 18:34:39 +00:00
|
|
|
|
|
|
|
// parse parameters, depending on request type
|
2016-07-26 06:19:35 +00:00
|
|
|
switch (array_key_exists('REQUEST_METHOD', $_SERVER) ? $_SERVER['REQUEST_METHOD'] : 'GET') {
|
2015-10-11 19:22:00 +00:00
|
|
|
case 'DELETE':
|
2015-09-27 18:34:39 +00:00
|
|
|
case 'PUT':
|
|
|
|
case 'POST':
|
2021-06-13 08:44:26 +00:00
|
|
|
// it might be a creation or a deletion, the latter is detected below
|
|
|
|
$this->_operation = 'create';
|
2022-12-12 19:46:47 +00:00
|
|
|
try {
|
|
|
|
$this->_params = Json::decode(
|
|
|
|
file_get_contents(self::$_inputStream)
|
|
|
|
);
|
|
|
|
} catch (Exception $e) {
|
|
|
|
// ignore error, $this->_params will remain empty
|
|
|
|
}
|
2015-09-27 18:34:39 +00:00
|
|
|
break;
|
|
|
|
default:
|
2024-03-23 10:27:25 +00:00
|
|
|
$this->_params = filter_var_array($_GET, array(
|
|
|
|
'deletetoken' => FILTER_SANITIZE_SPECIAL_CHARS,
|
|
|
|
'jsonld' => FILTER_SANITIZE_SPECIAL_CHARS,
|
|
|
|
'link' => FILTER_SANITIZE_URL,
|
|
|
|
'pasteid' => FILTER_SANITIZE_SPECIAL_CHARS,
|
|
|
|
'shortenviayourls' => FILTER_SANITIZE_SPECIAL_CHARS,
|
|
|
|
), false);
|
2015-09-27 18:34:39 +00:00
|
|
|
}
|
2015-10-15 20:04:57 +00:00
|
|
|
if (
|
|
|
|
!array_key_exists('pasteid', $this->_params) &&
|
2015-10-18 12:37:58 +00:00
|
|
|
!array_key_exists('jsonld', $this->_params) &&
|
2022-10-23 06:10:56 +00:00
|
|
|
!array_key_exists('link', $this->_params) &&
|
2015-10-15 20:04:57 +00:00
|
|
|
array_key_exists('QUERY_STRING', $_SERVER) &&
|
|
|
|
!empty($_SERVER['QUERY_STRING'])
|
2016-07-26 06:19:35 +00:00
|
|
|
) {
|
2019-01-21 22:06:25 +00:00
|
|
|
$this->_params['pasteid'] = $this->getPasteId();
|
2015-10-11 19:22:00 +00:00
|
|
|
}
|
2015-09-27 18:34:39 +00:00
|
|
|
|
2015-10-11 19:22:00 +00:00
|
|
|
// prepare operation, depending on current parameters
|
2021-06-13 08:44:26 +00:00
|
|
|
if (array_key_exists('pasteid', $this->_params) && !empty($this->_params['pasteid'])) {
|
2016-07-26 06:19:35 +00:00
|
|
|
if (array_key_exists('deletetoken', $this->_params) && !empty($this->_params['deletetoken'])) {
|
2015-10-11 19:22:00 +00:00
|
|
|
$this->_operation = 'delete';
|
2021-06-13 09:16:29 +00:00
|
|
|
} elseif ($this->_operation != 'create') {
|
2015-10-11 19:22:00 +00:00
|
|
|
$this->_operation = 'read';
|
|
|
|
}
|
2016-07-26 06:19:35 +00:00
|
|
|
} elseif (array_key_exists('jsonld', $this->_params) && !empty($this->_params['jsonld'])) {
|
2015-10-18 12:37:58 +00:00
|
|
|
$this->_operation = 'jsonld';
|
2022-10-23 06:10:56 +00:00
|
|
|
} elseif (array_key_exists('link', $this->_params) && !empty($this->_params['link'])) {
|
2024-03-16 14:17:58 +00:00
|
|
|
if (strpos($this->getRequestUri(), '/shortenviayourls') !== false || array_key_exists('shortenviayourls', $this->_params)) {
|
2022-10-23 06:10:56 +00:00
|
|
|
$this->_operation = 'yourlsproxy';
|
|
|
|
}
|
2015-10-18 12:37:58 +00:00
|
|
|
}
|
2015-09-27 18:34:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* Get current operation
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
public function getOperation()
|
|
|
|
{
|
|
|
|
return $this->_operation;
|
|
|
|
}
|
|
|
|
|
2019-05-08 20:11:21 +00:00
|
|
|
/**
|
|
|
|
* Get data of paste or comment
|
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
public function getData()
|
|
|
|
{
|
|
|
|
$data = array(
|
2019-05-19 08:13:47 +00:00
|
|
|
'adata' => $this->getParam('adata'),
|
2019-05-08 20:11:21 +00:00
|
|
|
);
|
|
|
|
$required_keys = array('v', 'ct');
|
2019-05-19 08:13:47 +00:00
|
|
|
$meta = $this->getParam('meta');
|
2019-05-08 20:11:21 +00:00
|
|
|
if (empty($meta)) {
|
|
|
|
$required_keys[] = 'pasteid';
|
|
|
|
$required_keys[] = 'parentid';
|
|
|
|
} else {
|
2019-05-13 20:31:52 +00:00
|
|
|
$data['meta'] = $meta;
|
2019-05-08 20:11:21 +00:00
|
|
|
}
|
|
|
|
foreach ($required_keys as $key) {
|
2021-06-13 08:44:26 +00:00
|
|
|
$data[$key] = $this->getParam($key, $key == 'v' ? 1 : '');
|
2019-05-08 20:11:21 +00:00
|
|
|
}
|
|
|
|
// forcing a cast to int or float
|
|
|
|
$data['v'] = $data['v'] + 0;
|
|
|
|
return $data;
|
|
|
|
}
|
|
|
|
|
2015-09-27 18:34:39 +00:00
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* Get a request parameter
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @param string $param
|
2019-05-19 08:13:47 +00:00
|
|
|
* @param string $default
|
|
|
|
* @return string
|
2015-09-27 18:34:39 +00:00
|
|
|
*/
|
|
|
|
public function getParam($param, $default = '')
|
|
|
|
{
|
2018-01-06 09:27:58 +00:00
|
|
|
return array_key_exists($param, $this->_params) ?
|
|
|
|
$this->_params[$param] : $default;
|
|
|
|
}
|
|
|
|
|
2019-09-19 17:14:48 +00:00
|
|
|
/**
|
|
|
|
* Get host as requested by the client
|
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
public function getHost()
|
|
|
|
{
|
2024-03-23 10:27:25 +00:00
|
|
|
$host = array_key_exists('HTTP_HOST', $_SERVER) ? filter_var($_SERVER['HTTP_HOST'], FILTER_SANITIZE_URL) : '';
|
|
|
|
return empty($host) ? 'localhost' : $host;
|
2019-09-19 17:14:48 +00:00
|
|
|
}
|
|
|
|
|
2018-01-06 09:27:58 +00:00
|
|
|
/**
|
|
|
|
* Get request URI
|
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @return string
|
|
|
|
*/
|
|
|
|
public function getRequestUri()
|
|
|
|
{
|
2024-03-23 10:27:25 +00:00
|
|
|
$uri = array_key_exists('REQUEST_URI', $_SERVER) ? filter_var($_SERVER['REQUEST_URI'], FILTER_SANITIZE_URL) : '';
|
|
|
|
return empty($uri) ? '/' : $uri;
|
2015-09-27 18:34:39 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* If we are in a JSON API context
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
|
|
|
* @access public
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
public function isJsonApiCall()
|
|
|
|
{
|
|
|
|
return $this->_isJsonApi;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* Override the default input stream source, used for unit testing
|
2015-09-27 18:34:39 +00:00
|
|
|
*
|
2015-11-09 20:39:42 +00:00
|
|
|
* @param string $input
|
2015-09-27 18:34:39 +00:00
|
|
|
*/
|
2015-10-11 16:50:48 +00:00
|
|
|
public static function setInputStream($input)
|
2015-09-27 18:34:39 +00:00
|
|
|
{
|
2015-10-11 16:50:48 +00:00
|
|
|
self::$_inputStream = $input;
|
2015-09-27 18:34:39 +00:00
|
|
|
}
|
2016-04-08 21:29:44 +00:00
|
|
|
|
|
|
|
/**
|
2017-03-24 23:58:59 +00:00
|
|
|
* Detect the clients supported media type and decide if its a JSON API call or not
|
2016-04-08 21:29:44 +00:00
|
|
|
*
|
2016-07-19 11:56:52 +00:00
|
|
|
* Adapted from: https://stackoverflow.com/questions/3770513/detect-browser-language-in-php#3771447
|
2016-04-08 21:29:44 +00:00
|
|
|
*
|
|
|
|
* @access private
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
private function _detectJsonRequest()
|
|
|
|
{
|
|
|
|
$hasAcceptHeader = array_key_exists('HTTP_ACCEPT', $_SERVER);
|
2016-08-15 14:45:47 +00:00
|
|
|
$acceptHeader = $hasAcceptHeader ? $_SERVER['HTTP_ACCEPT'] : '';
|
2016-04-08 21:29:44 +00:00
|
|
|
|
|
|
|
// simple cases
|
|
|
|
if (
|
|
|
|
(array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) &&
|
|
|
|
$_SERVER['HTTP_X_REQUESTED_WITH'] == 'JSONHttpRequest') ||
|
|
|
|
($hasAcceptHeader &&
|
|
|
|
strpos($acceptHeader, self::MIME_JSON) !== false &&
|
|
|
|
strpos($acceptHeader, self::MIME_HTML) === false &&
|
|
|
|
strpos($acceptHeader, self::MIME_XHTML) === false)
|
2016-07-26 06:19:35 +00:00
|
|
|
) {
|
2016-04-08 21:29:44 +00:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// advanced case: media type negotiation
|
2016-07-26 06:19:35 +00:00
|
|
|
if ($hasAcceptHeader) {
|
2024-03-23 10:27:25 +00:00
|
|
|
$mediaTypes = array();
|
|
|
|
foreach (explode(',', trim($acceptHeader)) as $mediaTypeRange) {
|
2016-04-08 21:29:44 +00:00
|
|
|
if (preg_match(
|
|
|
|
'#(\*/\*|[a-z\-]+/[a-z\-+*]+(?:\s*;\s*[^q]\S*)*)(?:\s*;\s*q\s*=\s*(0(?:\.\d{0,3})|1(?:\.0{0,3})))?#',
|
|
|
|
trim($mediaTypeRange), $match
|
2016-07-26 06:19:35 +00:00
|
|
|
)) {
|
|
|
|
if (!isset($match[2])) {
|
2016-04-08 21:29:44 +00:00
|
|
|
$match[2] = '1.0';
|
2016-07-26 06:19:35 +00:00
|
|
|
} else {
|
2016-04-08 21:29:44 +00:00
|
|
|
$match[2] = (string) floatval($match[2]);
|
2024-03-23 10:27:25 +00:00
|
|
|
if ($match[2] === '0.0') {
|
|
|
|
continue;
|
|
|
|
}
|
2016-04-08 21:29:44 +00:00
|
|
|
}
|
2016-07-26 06:19:35 +00:00
|
|
|
if (!isset($mediaTypes[$match[2]])) {
|
2016-04-08 21:29:44 +00:00
|
|
|
$mediaTypes[$match[2]] = array();
|
|
|
|
}
|
|
|
|
$mediaTypes[$match[2]][] = strtolower($match[1]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
krsort($mediaTypes);
|
2016-07-26 06:19:35 +00:00
|
|
|
foreach ($mediaTypes as $acceptedQuality => $acceptedValues) {
|
|
|
|
foreach ($acceptedValues as $acceptedValue) {
|
2016-04-08 21:29:44 +00:00
|
|
|
if (
|
|
|
|
strpos($acceptedValue, self::MIME_HTML) === 0 ||
|
|
|
|
strpos($acceptedValue, self::MIME_XHTML) === 0
|
2016-07-26 06:19:35 +00:00
|
|
|
) {
|
2016-04-08 21:29:44 +00:00
|
|
|
return false;
|
2016-07-26 06:19:35 +00:00
|
|
|
} elseif (strpos($acceptedValue, self::MIME_JSON) === 0) {
|
2016-04-08 21:29:44 +00:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
2016-07-11 12:15:20 +00:00
|
|
|
}
|