Commit graph

162 commits

Author SHA1 Message Date
Sebastien SAUVAGE
43a439e7d0 Time attack protection on hmac comparison
This fixes issue 2.7 of https://defuse.ca/audits/zerobin.htm, and thus
(with commit a24212afda90ca3e4b4ff5ce30d2012709b58a28) also issue 2.8.

(cherry picked from commit 0b4db7ece313dd268e51fc47a0293a649927558a)

Conflicts:
	index.php
2015-08-15 23:44:03 +02:00
Sebastien SAUVAGE
daf5522b1e Potentiel security bug corrected
Bug reproduction: 1) paste texte containing html/javascript. 2) send 3)
clic "Raw text"  4) refresh: The html/javascript is interpreted instead
of just displayed.
Under some versions of Chrome, it happens without refreshing.
This bug was corrected.

(cherry picked from commit 4f8750bbddcb137213529875e45e3ace3be9a769)
2015-08-15 22:24:25 +02:00
Sebastien SAUVAGE
e7feca0e53 Stronger server salt
ZeroBin now generates a much stronger salt. This fixes issue #68
(mentioned in section 2.1 of https://defuse.ca/audits/zerobin.htm)

(cherry picked from commit a24212afda90ca3e4b4ff5ce30d2012709b58a28)

Conflicts:
	lib/serversalt.php
	lib/vizhash16x16.php
2015-08-15 22:18:57 +02:00
jeldrik
4f72f04eda Prevent inconstitent /data/trafic_limiter.php due to file read while writing
(cherry picked from commit 71a7f6adaea9a86a84fa8ebbcb9e5c506a785527)

Conflicts:
	index.php
2015-08-15 22:10:05 +02:00
Sébastien SAUVAGE
5b54ca34ad Update index.php
Removed ugly error message when paste identifier is invalid (eg. http://mydomain.com/zerobin?foo)
(cherry picked from commit 43fa904979a29e4c205b9f4f08e1c487555bbe1c)

Conflicts:
	index.php
2015-08-15 22:07:07 +02:00
Sebastien SAUVAGE
bc8b23d35e XSS flaw correction
With a client IE < 10 there was a XSS security flaw. Other browsers were
not affected.
Also corrected spacing display with IE<10.

(cherry picked from commit 28813cd82ae47e556b610da3c7302a6709e27431)

Conflicts:
	CHANGELOG.md
	index.php
	js/zerobin.js
	lib/vizhash16x16.php
2015-08-15 22:01:43 +02:00
Sebastien SAUVAGE
d9930978ba Make sure there is enough entropy.
This patch will improve key randomness by requiring the user to move the
mouse if there is not enough entropy.

(cherry picked from commit c6e98045aa833dff824f892eb3392744c03a59f7)
2015-08-15 21:52:14 +02:00
El RIDO
e646729b2d fixing regressions from cherrypicking 2015-08-15 21:39:08 +02:00
Sebastien SAUVAGE
5f87ea6843 ZeroBin 0.18
(cherry picked from commit 7a8cbee2f99cd74a50bce7e8df8130e2c477d903)

Conflicts:
	CHANGELOG.md
	index.php
	js/zerobin.js
	lib/vizhash16x16.php
2015-08-15 21:06:19 +02:00
Sebastien SAUVAGE
ecd2e067f8 replaceState() changed to pushState()
so that the "Back" button works after clicking on "Raw text".

(cherry picked from commit 47fae2b2467df2ab017102d82833cb380c286867)
2015-08-15 20:26:25 +02:00
Sebastien SAUVAGE
fdc87a7fcf Added "Raw text" button.
(cherry picked from commit 00cfcafc996c55afd069b665ad3875693e22d36d)

Conflicts:
	css/zerobin.css
	js/zerobin.js
	tpl/page.html
2015-08-15 20:25:46 +02:00
Sebastien SAUVAGE
09bebae286 Removed dead code.
(cherry picked from commit 87e17b36f9b2ec777c14257eb9c8efec0e7bd053)

Conflicts:
	css/zerobin.css
	js/zerobin.js
	tpl/page.html
2015-08-15 20:06:44 +02:00
Sebastien SAUVAGE
cff4d99f05 "Burn after reading" as a checkbox
"Burn after reading" option has been moved out of Expiration combo to a
separate checkbox.
Reason is: You can prevent a read-once paste to be available ad vitam
eternam on the net.

(cherry picked from commit 190b278402c086ebc4d1a78aae27d1e2666e3e7a)

Conflicts:
	css/zerobin.css
	index.php
	js/zerobin.js
	tpl/page.html
2015-08-15 19:01:03 +02:00
Sebastien SAUVAGE
1b95d6fff7 base64.js downgraded from 2.6 to 1.7
because otherwise it would have broken compatibility with data files.

(cherry picked from commit 75a27b6243b8cffa69f59c068dac61263574dc5b)
2015-08-15 18:39:47 +02:00
Sebastien SAUVAGE
8435b9ab3a Added version to js/css assets URLs.
(in order to prevent some abusive caches to serve an obsolete version of
these files when ZeroBin is upgraded.)

(cherry picked from commit 889eba47962771c612692d1d8028258804605563)

Conflicts:
	tpl/page.html
2015-08-15 18:37:51 +02:00
Sebastien SAUVAGE
c7c5dd6f4e Removed unused icon.
(cherry picked from commit afb3844920803a8c9c3e941482456f118b6c78ad)
2015-08-15 18:34:36 +02:00
Sebastien SAUVAGE
eccd4a816a base64.js updated to 2.6
From https://github.com/dankogai/js-base64

(cherry picked from commit 7e5c36ed5b7fc67ba919973834e015ce92b5708b)
2015-08-15 18:33:58 +02:00
El RIDO
ad70051323 reviewed unit tests, fixing line endings, added more tests 2015-08-15 18:32:31 +02:00
Sebastien SAUVAGE
7db76d8d71 Updated json checking.
- adapted to SJCL changed
- added entropy checking (from
f2ee2e8ba2)

(cherry picked from commit 57e6274c64e2c99c754b63586af6b34c374fbc2b)

Conflicts:
	index.php
2015-08-15 18:16:55 +02:00
Sebastien SAUVAGE
315c45ed0c Auto-select paste URL
When creating a paste, we auto-select the resulting URL so that the user
only has to press CTRL+C to copy the link.
So you basically click "SEND" then press CTRL+C.

(cherry picked from commit 3feb4641c7892eeeaff2fe61c6e153919687b9c6)

Conflicts:
	css/zerobin.css
2015-08-15 16:56:11 +02:00
El RIDO
134d22c958 small unit testing improvements, removing never accessed code 2015-08-15 16:37:44 +02:00
ic0nic
c918a9fe2e Incorrect structure
The structure for robots.txt is incorrect for some/most search engines.
2013-11-01 01:22:16 +01:00
Mihail Fedorov
3b3a841be6 Included .htaccess and .htapasswd for safety. 2013-11-01 01:20:59 +01:00
Sebastien SAUVAGE
72f5361a77 Changelog markdown correction (again). 2013-11-01 01:16:57 +01:00
Sebastien SAUVAGE
54a24f104c Readme and changes update. 2013-11-01 01:16:37 +01:00
Simon Rupf
badf459390 split common persistance logic into abstract class 2013-11-01 01:15:58 +01:00
Sebastien SAUVAGE
5b253cf77c ZeroBin 0.17
* added deletion link.
* small refactoring.
* improved regex checks.
* larger server alt on installation.
2013-11-01 01:15:14 +01:00
Sébastien SAUVAGE
6c7de8aca8 Libs upgrade
* Upgraded jQuery to 1.9.1
* Upgraded SJCL to Git version 2013-02-22
2013-10-31 22:59:01 +01:00
Sébastien SAUVAGE
c26c4a8bec arbitrary JSON file disclosure correction
The following securit issue has been fixed:
https://github.com/sebsauvage/ZeroBin/issues/30
2013-10-31 22:53:22 +01:00
Steeve
d850f343e5 Update README.md 2013-10-31 22:45:02 +01:00
Sean McGregor
956b82b825 added functions for placing many parameters in the anchor string 2013-10-31 22:42:20 +01:00
Frédérik Paradis
7cb345001a Change URL on clone 2013-10-31 22:41:30 +01:00
Simon Rupf
d247bff897 syntax highlighting can now be turned off, template can be changed in
configuration
2013-10-31 22:24:40 +01:00
Simon Rupf
630e16c4a0 Added more configuration options, based on patch by Uli Köhler 2013-10-30 23:54:42 +01:00
El RIDO
b19e4d4689 Merge pull request #5 from ic0nic/patch-1
Allow discovery
2013-03-21 14:10:30 -07:00
ic0nic
50d4fb9bf3 Allow discovery
To allow search engines to at least find the website.
2013-01-29 19:33:31 +00:00
Simon Rupf
8582dd0d35 Merge branch 'master' of git@github.com:elrido/ZeroBin.git 2012-09-08 19:56:47 +02:00
Simon Rupf
51008d3e68 added test for entropy of cypher text - closes #3 2012-09-08 19:54:24 +02:00
Simon Rupf
0079c73a84 added test for entropy of cypher text 2012-09-08 19:52:44 +02:00
Simon Rupf
2b69a862ec moved updated sjcl into place 2012-09-08 16:34:34 +02:00
Simon Rupf
8b21a4ae41 Merge branch 'master' of /home/elrido/Projekte/SJCL 2012-09-08 16:15:21 +02:00
Simon Rupf
6f4758839b cleanup repository before import 2012-09-08 16:13:48 +02:00
Simon Rupf
2470871e70 add robots meta tag, in case we are not installed in the root
folder of a domain or subdomain. fixes #2
2012-09-08 13:24:39 +02:00
Simon Rupf
2d4f155064 had to revert to HTML5 instead of XHTML5 because of compatibility
problem with code prettifier, fixed some display bugs
2012-08-28 23:28:41 +02:00
Simon Rupf
907538875b removed leftovers from submodule uglifyjs, added credits file,
cleaned up CSS, changed template to output clean XHTML 5,
added unit tests for 60% of the code, found a few bugs by doing
that and fixed them
2012-08-26 00:49:11 +02:00
Greg Knaddison
f37303d858 For server-load and privacy reasons, disallow robots. 2012-08-10 18:21:26 +02:00
Simon Rupf
f1e5769f03 removed submodule uglifyjs - i don't think it improves performance that much
and also the whole trust of zerobin rests in the JS code, so some people
might feel safer if the can read a servers JS files.
2012-08-10 18:18:50 +02:00
Mike Hamburg
da0c687131 fix exception when mouse crosses 0 2012-07-25 22:27:31 -07:00
Mike Hamburg
7c426619c8 remake 2012-07-24 22:00:52 -07:00
bitwiseshiftleft
45d99e5dd9 Merge pull request #60 from Sc00bz/master
sjcl.random.addEntropy() and sjcl.random._loadTimeCollector() are broken
2012-07-24 21:59:20 -07:00