Commit graph

439 commits

Author SHA1 Message Date
El RIDO
6c1f0dde0c
set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header 2022-03-13 18:11:13 +01:00
El RIDO
3e02818335
actually support the short CIDR notation 2022-02-28 16:24:06 +01:00
El RIDO
f83f80b5f6
Merge branch 'master' into stevenandres-master 2022-02-26 11:56:58 +01:00
El RIDO
f39934a104
Merge pull request #896 from Patriccollu/PB-in-Corsican
Adding Corsican as brand new locale
2022-02-26 11:52:43 +01:00
El RIDO
fe89161848
replace deprecated function calls 2022-02-26 07:18:59 +01:00
El RIDO
288cf3f005
Merge branch 'master' into stevenandres-master 2022-02-25 06:42:18 +01:00
Patriccollu
30c0d22468
Updating I18n.php to add Corsican as new locale 2022-02-24 20:05:19 +01:00
El RIDO
0e3a7196f9
set frame-ancestors to none
disables embedding the site in any frames, which can bypass some of the security mechanisms reg. cross site scripting
2022-02-20 15:21:47 +01:00
El RIDO
f987e96d4b
apply StyleCI recommendation 2022-02-20 12:25:55 +01:00
El RIDO
1034d4038e
unify IP-related logic into traffic limiter 2022-02-20 11:25:19 +01:00
El RIDO
190a35a53b
small unit test refactoring, comment wording 2022-02-20 09:30:41 +01:00
El RIDO
91041d8c59
simplify/unify naming & wording of the two types of IP lists for the traffic limiter 2022-02-20 09:09:20 +01:00
El RIDO
d764c03759
Merge branch 'master' of https://github.com/stevenandres/PrivateBin into stevenandres-master 2022-02-20 08:44:09 +01:00
El RIDO
a200f8875c
php warning in templates, fixes #875 2022-02-15 19:02:44 +01:00
El RIDO
8faf0501f4
improve Lojban support
- Crowdin has to use the 3 letter language code, since Lojban has no 2 letter code. Added support for this in the PHP backend and renamed the translation file.
- Lojban has no plural cases, updated the plural-formulas accordingly.
- Credited the change and documented it.
- Updated the SRI hashes.
2022-02-12 16:17:09 +01:00
El RIDO
29ffd25c18
apply suggestion of @r4sas 2022-01-30 21:42:24 +01:00
El RIDO
1d20eee169
readability 2022-01-26 05:28:29 +01:00
El RIDO
53c0e4976b
document what the U type stands for 2022-01-26 05:26:47 +01:00
El RIDO
0333777a37
remove duplicate CLOB sanitation 2022-01-25 05:59:22 +01:00
El RIDO
f4438a0103
inserting CLOB absolutely requires a length argument
Co-authored-by: Austin Huang <im@austinhuang.me>
2022-01-24 21:44:20 +01:00
El RIDO
55db9426b9
Throws ORA-00942: table or view does not exist otherwise
Co-authored-by: Austin Huang <im@austinhuang.me>
2022-01-24 21:43:48 +01:00
El RIDO
535f038daa
handle LIMIT in oci
Co-authored-by: Austin Huang <im@austinhuang.me>
2022-01-24 21:43:31 +01:00
El RIDO
0c4852c099
this fixes the comment display issue
Co-authored-by: Austin Huang <im@austinhuang.me>
2022-01-24 21:40:10 +01:00
El RIDO
b8e8755fb1
Basically it wants a non-empty catch statement
Co-authored-by: Austin Huang <im@austinhuang.me>
2022-01-24 21:36:18 +01:00
El RIDO
0b6af67b99
removed obsolete comment 2022-01-24 17:50:24 +01:00
El RIDO
56c54dd880
prefer switch statements for complex logic, all comparing the same variable 2022-01-24 17:48:27 +01:00
El RIDO
a8e1c33b54
stick to single convention of binding parameters 2022-01-24 17:26:09 +01:00
El RIDO
0cc2b67753
bindValue doesn't need the length 2022-01-23 21:45:22 +01:00
El RIDO
4f051fe5a5
revert regression 2022-01-23 21:31:40 +01:00
El RIDO
8d63921924
workaround bug in OCI PDO driver 2022-01-23 21:24:28 +01:00
El RIDO
0be55e05bf
use quoted identifiers, tell MySQL to expect ANSI SQL 2022-01-23 20:59:02 +01:00
El RIDO
b133c2e233
sanitize both single rows and multiple ones 2022-01-23 07:32:28 +01:00
El RIDO
b54308a77e
don't mangle non-arrays 2022-01-23 07:19:35 +01:00
El RIDO
47deaeb7ca
use the correct function 2022-01-23 07:11:36 +01:00
El RIDO
35ef64ff79
remove duplication, kudos @rugk 2022-01-22 22:11:49 +01:00
El RIDO
c725b4f0fe
handle 'IF NOT EXISTS' differently in OCI 2022-01-22 21:29:39 +01:00
El RIDO
2182cdd44f
generalize OCI handling of queries and results 2022-01-22 08:45:12 +01:00
Austin Huang
041ef7f7a5
Support OCI (Satisfy the CI) 2022-01-20 13:33:23 -05:00
Austin Huang
6a489d35ab
Support OCI (Create table) 2022-01-20 09:15:10 -05:00
Austin Huang
ee99952d90
Support OCI (Read/Write) 2022-01-17 20:06:26 -05:00
El RIDO
df2f5931cd
improve readability, kudos @rugk 2021-08-19 19:28:52 +02:00
El RIDO
ff3b668958
apply StyleCI recommendation 2021-08-19 11:04:31 +02:00
El RIDO
eb10d4d35e
be more flexible with configuration paths
1. only consider CONFIG_PATH environment variable, if non-empty
2. fall back to search in PATH (defined in index.php), if CONFIG_PATH doesn't contain a readable configuration file
2021-08-19 10:21:21 +02:00
El RIDO
1fd998f325
address Scrutinizer issues 2021-06-16 05:57:26 +02:00
El RIDO
9c09018e6e
address Scrutinizer issues 2021-06-16 05:50:41 +02:00
El RIDO
be164bb6a9
apply StyleCI recommendation 2021-06-16 05:43:18 +02:00
El RIDO
fd08d991fe
log errors storing persistence 2021-06-16 05:32:45 +02:00
El RIDO
3d9ba10fcb
more consistent AbstractData implementation 2021-06-16 05:19:45 +02:00
El RIDO
3327645fd4
updated doc blocks, comments, fixed indentations, moved some constant strings 2021-06-14 06:44:30 +02:00
Mark van Holsteijn
b4c75b541b
removed json encoding from get/setValue 2021-06-13 21:16:30 +02:00
El RIDO
9357f122b7
address Scrutinizer issues 2021-06-13 12:49:59 +02:00
El RIDO
d0248d55d3
address Scrutinizer issues 2021-06-13 12:43:18 +02:00
El RIDO
078c5785dd
fix unit tests on php < 7.3 2021-06-13 12:40:06 +02:00
El RIDO
68b097087d
apply StyleCI recommendation 2021-06-13 11:16:29 +02:00
El RIDO
f04043a399
address Scrutinizer issues 2021-06-13 11:02:53 +02:00
El RIDO
1f2dddd9d8
address Codacy issues 2021-06-13 10:53:01 +02:00
El RIDO
93135e0abf
improving code coverage 2021-06-13 10:44:26 +02:00
El RIDO
e294145a2b
ip-lib doesn't except on the matches interfaces 2021-06-13 08:26:05 +02:00
Mark van Holsteijn
1b88eef356
improved implementation of GoogleStorageBucket 2021-06-10 21:39:15 +02:00
El RIDO
5af069b4f0
Merge pull request #810 from binxio/persistence-into-data
added purgeValues function
2021-06-10 08:22:10 +02:00
Mark van Holsteijn
1232717334
added purgeValues to GCS 2021-06-09 22:27:34 +02:00
El RIDO
7b2f0ff302
apply StyleCI recommendation 2021-06-09 19:16:22 +02:00
El RIDO
a203e6322b
implementing key/value store of Persistance in Database storage 2021-06-09 07:47:40 +02:00
El RIDO
7901ec74a7
folding Persistance\ServerSalt into Data\Filesystem 2021-06-08 22:01:29 +02:00
El RIDO
b5a6ce323e
folding Persistance\TrafficLimiter into Data\Filesystem 2021-06-08 07:49:22 +02:00
El RIDO
3429d293d3
remove configurable dir for traffic & purge limiters 2021-06-08 06:37:27 +02:00
El RIDO
ae486d651b
folding Persistance\PurgeLimiter into Data\Filesystem 2021-06-07 21:53:42 +02:00
Mark van Holsteijn
55efc858b5
simplest implementation of kv support on gcs 2021-06-07 09:11:24 +02:00
El RIDO
7bdcc2ae15
conclude scaffolding of AbstractData key/value storage, missing implementation 2021-06-07 07:02:47 +02:00
El RIDO
1a7d0799c0
scaffolding interface for AbstractData key/value storage, folding Persistance\DataStore into Data\Filesystem 2021-06-07 06:53:15 +02:00
El RIDO
de8f40ac1a
kudos @StyleCI 2021-06-06 19:35:31 +02:00
El RIDO
c758eca0a4
removed automatic .ini configuration file migration, closes #808 2021-06-06 17:53:08 +02:00
El RIDO
2bc54caa07
fix never matched condition, kudos @ShiftLeftSecurity, found via #807 2021-06-05 10:33:01 +02:00
El RIDO
abb2b90e9b
make StyleCI happy 2021-06-05 05:52:13 +02:00
El RIDO
edb8e5e078
handle edge cases with file locking: file needs to exist before it can be locked, fixes #803 2021-06-05 05:48:17 +02:00
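The locking edge case in the commit above, shown as an added example (this is not PrivateBin's own code; the function name and the temp-file path are hypothetical). flock() needs an open handle, so a limiter or salt file that does not exist yet must be created first; opening with mode 'c+' does that without truncating content another process may already have written, and the rewrite happens while the lock is still held:

```php
<?php
declare(strict_types=1);

// Added example, not PrivateBin's code. withLockedFile() is a hypothetical helper.
function withLockedFile(string $path, callable $update): void
{
    // 'c+' creates the file if it is missing but does NOT truncate it (unlike 'w+'),
    // so an 'r+' open on a not-yet-existing file, or a race with another writer,
    // cannot leave us locking a handle that was never opened.
    $handle = fopen($path, 'c+');
    if ($handle === false) {
        throw new RuntimeException("cannot open $path");
    }
    try {
        // Advisory exclusive lock; blocks until other flock() holders release it.
        if (!flock($handle, LOCK_EX)) {
            throw new RuntimeException("cannot lock $path");
        }
        $current = stream_get_contents($handle);
        $new = $update($current === false ? '' : $current);
        // Rewrite in place while still holding the lock, then release it.
        rewind($handle);
        ftruncate($handle, 0);
        fwrite($handle, $new);
        fflush($handle);
        flock($handle, LOCK_UN);
    } finally {
        fclose($handle);
    }
}

// Constructed usage: a purge-limiter style timestamp file that may not exist yet.
$path = sys_get_temp_dir() . '/limiter-example.txt';
withLockedFile($path, fn (string $old): string => (string) time());
echo file_get_contents($path), PHP_EOL;
```

flock() is advisory: it only coordinates processes that also call flock() on the same file, so every reader and writer of the limiter files has to go through the same helper.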
Mark van Holsteijn
342270d6dd
added Google Cloud Storage support 2021-05-28 22:39:50 +02:00
El RIDO
b6460616ba
address Scrutinizer issues 2021-05-22 11:30:17 +02:00
El RIDO
91c8f9f23c
use namespaces 2021-05-22 11:02:54 +02:00
El RIDO
3dd01b1f70
testing IP exemption, handle corner cases found in testing 2021-05-22 10:59:47 +02:00
rodehoed
af5a14afc3
Optimized the canPass() functions 2021-05-19 09:01:45 +02:00
rodehoed
5812a6bb68
Optimized the canPass() functions 2021-05-19 08:47:35 +02:00
Rodehoed
502bb5fa15
Put the ip-matching function in a private function 2021-05-06 12:18:44 +02:00
Rodehoed
89bdc92451
Put the ip-matching function in a private function 2021-05-06 12:13:03 +02:00
LinQhost Managed hosting
63d6816c7c
Merge branch 'api-ip-exempt' of https://github.com/rodehoed/PrivateBin into api-ip-exempt 2021-05-05 08:43:32 +02:00
rodehoed
a806a6455e
QA 2021-05-04 11:20:24 +02:00
rodehoed
4296b43832
QA 2021-05-04 11:19:34 +02:00
rodehoed
c3ad4a4b4d
QA 2021-05-04 11:18:06 +02:00
rodehoed
805eb288d9
QA 2021-05-04 11:14:11 +02:00
rodehoed
b21efd8336
Code quality 2021-05-04 11:01:46 +02:00
LinQhost Managed hosting
7d82c82fd9
Make it possible to exempt ips from the rate-limiter 2021-05-04 10:29:25 +02:00
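The IP exemption for the rate limiter introduced here, together with the later commits on IP-exemption corner cases and on the short CIDR notation, as an added example. This is not PrivateBin's own code (the project delegates address matching to the mlocati/ip-lib library); function names, the short-notation rule ("10.1/16" meaning "10.1.0.0/16") and the sample lists are assumptions made for the illustration. It handles the corner cases a practitioner trips over: mixed IPv4/IPv6 lists, IPv4-mapped IPv6 client addresses, prefix lengths that are not byte-aligned, and garbage input:

```php
<?php
declare(strict_types=1);

// Added example, not PrivateBin's code. All helper names are hypothetical.

/** Pack an address; IPv4-mapped IPv6 (::ffff:a.b.c.d) is folded into 4 bytes. */
function packAddress(string $ip)
{
    $packed = @inet_pton(trim($ip));
    if ($packed === false) {
        return false;
    }
    if (strlen($packed) === 16 && substr($packed, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        return substr($packed, 12);
    }
    return $packed;
}

/** Parse "10.1/16", "10.1.0.0/16", "2001:db8::/32" or a bare address into [network, prefix]. */
function parseRange(string $entry): array
{
    $prefix  = null;
    $address = $entry;
    if (strpos($entry, '/') !== false) {
        [$address, $prefixText] = explode('/', $entry, 2);
        if (!ctype_digit($prefixText)) {
            throw new InvalidArgumentException("bad prefix length in '$entry'");
        }
        $prefix = (int) $prefixText;
    }
    // Assumed short IPv4 notation: "10.1" is read as "10.1.0.0".
    if (strpos($address, ':') === false && substr_count($address, '.') < 3) {
        $address = implode('.', array_pad(explode('.', $address), 4, '0'));
    }
    $network = packAddress($address);
    if ($network === false) {
        throw new InvalidArgumentException("invalid address in '$entry'");
    }
    $bits   = strlen($network) * 8;
    $prefix = $prefix ?? $bits;
    if ($prefix > $bits) {
        throw new InvalidArgumentException("prefix /$prefix exceeds $bits bits in '$entry'");
    }
    return [$network, $prefix];
}

/** True if $ip lies in $range; a v4 address never matches a v6 range or vice versa. */
function ipInRange(string $ip, string $range): bool
{
    [$network, $prefix] = parseRange($range);
    $packed = packAddress($ip);
    if ($packed === false || strlen($packed) !== strlen($network)) {
        return false;
    }
    // Compare whole bytes first, then the partial byte of a non-aligned prefix.
    $fullBytes = intdiv($prefix, 8);
    if (substr($packed, 0, $fullBytes) !== substr($network, 0, $fullBytes)) {
        return false;
    }
    $rest = $prefix % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($packed[$fullBytes]) & $mask) === (ord($network[$fullBytes]) & $mask);
}

function isExempt(string $ip, array $exemptList): bool
{
    foreach ($exemptList as $range) {
        if (ipInRange($ip, $range)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: a monitoring host, an office /16 in short form and a v6 block.
$exempt = ['203.0.113.7', '10.1/16', '2001:db8::/32'];
foreach (['203.0.113.7', '10.1.200.4', '10.2.0.1', '::ffff:10.1.0.9', '2001:db8:1::1', 'nonsense'] as $client) {
    printf("%-18s %s\n", $client, isExempt($client, $exempt) ? 'exempt' : 'rate-limited');
}
```

The address fed into isExempt() must be the one the web server actually saw (REMOTE_ADDR), or a forwarding header taken only from a proxy you control; an exemption keyed on a client-supplied X-Forwarded-For value is trivially bypassable.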
El RIDO
fcb6422663
re-adding CSP directive sandbox allow-forms, it is needed for the password input form to work on the JS side 2021-04-18 21:05:32 +02:00
rugk
3ca01024fd
feat: disallow form submission altogether
Following the tests and HTTP Observatory, I think we can disable forms altogether.

Fixes https://github.com/PrivateBin/PrivateBin/issues/778
2021-04-18 14:16:39 +02:00
rugk
5809a7cfa7
feat: add form-action CSP restriction
This follows a suggestion from HTTP Observatory:
> Restricts where <form> contents may be submitted by using form-action 'none', form-action 'self', or specific URIs

Fixes #778
2021-04-18 14:14:46 +02:00
El RIDO
9b893f09d7
Merge branch 'master' into floc 2021-04-17 08:35:21 +02:00
El RIDO
7b7a32c0a7
apply StyleCI recommendation 2021-04-17 08:20:08 +02:00
rugk
fd7d05e862
Add base URL as default CSP restriction
This follows an [HTTP Observatory recommendation](https://observatory.mozilla.org/analyze/privatebin.net):
> Restricts use of the <base> tag by using base-uri 'none', base-uri 'self', or specific origins.

Given we don't use that anywhere, this should be safe. (not tested practically though)
2021-04-16 22:04:28 +02:00
El RIDO
6f3bb25b09
disable Google FloC 2021-04-16 20:25:50 +02:00
El RIDO
1dc8b24665
transmit cookie only over HTTPS, fixes #472 2021-04-16 20:15:12 +02:00
El RIDO
9e6eb50ced
adding new security headers, fixes #765 2021-04-16 19:19:11 +02:00
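The response hardening described by this run of commits (new security headers, Secure cookie, FLoC opt-out, base-uri, form-action, sandbox allow-forms) and by the later frame-ancestors and CSP-as-meta-tag commits at the top of this page, as one added example. This is not PrivateBin's own code; the helper names and the exact directive list are illustrative, and PHP 7.4 or later is assumed for the arrow function and the setcookie() options array. The point a practitioner needs: the header is authoritative, the <meta> copy is only a fallback for a server that strips or rewrites the header, and browsers ignore frame-ancestors and sandbox when they arrive via <meta>, so those two protections exist only if the header survives:

```php
<?php
declare(strict_types=1);

// Added example, not PrivateBin's code. Helper names are hypothetical.

function buildCsp(): string
{
    $directives = [
        "default-src 'none'",
        "base-uri 'self'",          // no injected <base> redirecting relative URLs
        "form-action 'none'",       // the page never submits a form to a server
        "frame-ancestors 'none'",   // never embeddable, defeats clickjacking/UI redress
        "script-src 'self'",
        "style-src 'self'",
        "img-src 'self' data:",
        "connect-src 'self'",
        // allow-forms stays in the sandbox: form-action 'none' only blocks submission
        // to a server, while the client-side password prompt is still a <form>.
        "sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals",
    ];
    return implode('; ', $directives);
}

// Directives the browser ignores when the policy is delivered via <meta>.
const CSP_HEADER_ONLY = ['frame-ancestors', 'sandbox', 'report-uri'];

function cspForMetaTag(string $csp): string
{
    $kept = [];
    foreach (explode('; ', $csp) as $directive) {
        $name = strtok($directive, ' ');
        if (!in_array($name, CSP_HEADER_ONLY, true)) {
            $kept[] = $directive;
        }
    }
    return implode('; ', $kept);
}

function cspMetaTag(string $csp): string
{
    return '<meta http-equiv="Content-Security-Policy" content="'
        . htmlspecialchars(cspForMetaTag($csp), ENT_QUOTES, 'UTF-8') . '">';
}

function sendSecurityHeaders(string $csp): void
{
    header('Content-Security-Policy: ' . $csp);
    header('X-Frame-Options: deny');                   // browsers without frame-ancestors support
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: no-referrer');
    header('Permissions-Policy: interest-cohort=()');  // opt out of Google FLoC
}

function setSecureSessionCookie(string $name, string $value): bool
{
    // Secure: sent over HTTPS only; HttpOnly and SameSite limit script access and CSRF.
    return setcookie($name, $value, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {
    // From the CLI, show what the <meta> fallback would carry (header-only directives dropped).
    echo cspMetaTag(buildCsp()), PHP_EOL;
} else {
    sendSecurityHeaders(buildCsp());
}
```

Verify the deployed result from outside, not from the PHP source: fetch the page with curl -I and confirm the Content-Security-Policy header reaches the client intact, because a reverse proxy that drops or rewrites it silently removes frame-ancestors and sandbox no matter what the <meta> tag says.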
El RIDO
175d14224e
set plurals for and credit Estonian translation 2021-04-16 18:27:12 +02:00