Issues in Controller.php (master) - Issues in master - PrivateBin/PrivateBin - Measure and Improve Code Quality continuously with Scrutinizer

Issues (12)

lib/Controller.php (1 issue)

Labels

Bug 1

Severity

Minor 1

El RIDO 1

<?php
/**
 * PrivateBin
 *
 * a zero-knowledge paste bin
 *
 * @link      https://github.com/PrivateBin/PrivateBin
 * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
 * @license   https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
 */

namespace PrivateBin;

use Exception;
use PrivateBin\Persistence\ServerSalt;
use PrivateBin\Persistence\TrafficLimiter;

/**
 * Controller
 *
 * Puts it all together.
 */
class Controller
{
    /**
     * version
     *
     * @const string
     */
    const VERSION = '1.7.3';

    /**
     * minimal required PHP version
     *
     * @const string
     */
    const MIN_PHP_VERSION = '7.3.0';

    /**
     * show the same error message if the paste expired or does not exist
     *
     * @const string
     */
    const GENERIC_ERROR = 'Paste does not exist, has expired or has been deleted.';

    /**
     * configuration
     *
     * @access private
     * @var    Configuration
     */
    private $_conf;

    /**
     * error message
     *
     * @access private
     * @var    string
     */
    private $_error = '';

    /**
     * status message
     *
     * @access private
     * @var    string
     */
    private $_status = '';

    /**
     * JSON message
     *
     * @access private
     * @var    string
     */
    private $_json = '';

    /**
     * Factory of instance models
     *
     * @access private
     * @var    model
     */
    private $_model;

    /**
     * request
     *
     * @access private
     * @var    request
     */
    private $_request;

    /**
     * URL base
     *
     * @access private
     * @var    string
     */
    private $_urlBase;

    /**
     * constructor
     *
     * initializes and runs PrivateBin
     *
     * @access public
     * @throws Exception
     */
    public function __construct()
    {
        if (version_compare(PHP_VERSION, self::MIN_PHP_VERSION) < 0) {
            error_log(I18n::_('%s requires php %s or above to work. Sorry.', I18n::_('PrivateBin'), self::MIN_PHP_VERSION));
            return;
        }
        if (strlen(PATH) < 0 && substr(PATH, -1) !== DIRECTORY_SEPARATOR) {
            error_log(I18n::_('%s requires the PATH to end in a "%s". Please update the PATH in your index.php.', I18n::_('PrivateBin'), DIRECTORY_SEPARATOR));
            return;
        }

        // load config from ini file, initialize required classes
        $this->_init();

        switch ($this->_request->getOperation()) {
            case 'create':
                $this->_create();
                break;
            case 'delete':
                $this->_delete(
                    $this->_request->getParam('pasteid'),
                    $this->_request->getParam('deletetoken')
                );
                break;
            case 'read':
                $this->_read($this->_request->getParam('pasteid'));
                break;
            case 'jsonld':
                $this->_jsonld($this->_request->getParam('jsonld'));
                return;
            case 'yourlsproxy':
                $this->_yourlsproxy($this->_request->getParam('link'));
                break;
        }

        $this->_setCacheHeaders();

        // output JSON or HTML
        if ($this->_request->isJsonApiCall()) {
            header('Content-type: ' . Request::MIME_JSON);
            header('Access-Control-Allow-Origin: *');
            header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
            header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');
            header('X-Uncompressed-Content-Length: ' . strlen($this->_json));
            header('Access-Control-Expose-Headers: X-Uncompressed-Content-Length');
            echo $this->_json;
        } else {
            $this->_view();
        }
    }

    /**
     * initialize PrivateBin
     *
     * @access private
     * @throws Exception
     */
    private function _init()
    {
        $this->_conf    = new Configuration;
        $this->_model   = new Model($this->_conf);
        $this->_request = new Request;
        $this->_urlBase = $this->_request->getRequestUri();

        // set default language
        $lang = $this->_conf->getKey('languagedefault');
        I18n::setLanguageFallback($lang);
        // force default language, if language selection is disabled and a default is set
        if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) {
            $_COOKIE['lang'] = $lang;
            setcookie('lang', $lang, array('SameSite' => 'Lax', 'Secure' => true));
        }
    }

    /**
     * Turn off browser caching
     *
     * @access private
     */
    private function _setCacheHeaders()
    {
        // set headers to disable caching
        $time = gmdate('D, d M Y H:i:s \G\M\T');
        header('Cache-Control: no-store, no-cache, no-transform, must-revalidate');
        header('Pragma: no-cache');
        header('Expires: ' . $time);
        header('Last-Modified: ' . $time);
        header('Vary: Accept');
    }

    /**
     * Store new paste or comment
     *
     * POST contains one or both:
     * data = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
     * attachment = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
     *
     * All optional data will go to meta information:
     * expire (optional) = expiration delay (never,5min,10min,1hour,1day,1week,1month,1year,burn) (default:never)
     * formatter (optional) = format to display the paste as (plaintext,syntaxhighlighting,markdown) (default:syntaxhighlighting)
     * burnafterreading (optional) = if this paste may only viewed once ? (0/1) (default:0)
     * opendiscusssion (optional) = is the discussion allowed on this paste ? (0/1) (default:0)
     * attachmentname = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
     * nickname (optional) = in discussion, encoded FormatV2 encrypted text nickname of author of comment (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
     * parentid (optional) = in discussion, which comment this comment replies to.
     * pasteid (optional) = in discussion, which paste this comment belongs to.
     *
     * @access private
     * @return string
     */
    private function _create()
    {
        // Ensure last paste from visitors IP address was more than configured amount of seconds ago.
        ServerSalt::setStore($this->_model->getStore());
        TrafficLimiter::setConfiguration($this->_conf);
        TrafficLimiter::setStore($this->_model->getStore());
        try {
            TrafficLimiter::canPass();
        } catch (Exception $e) {
            $this->_return_message(1, $e->getMessage());
            return;
        }

        $data      = $this->_request->getData();
        $isComment = array_key_exists('pasteid', $data) &&
            !empty($data['pasteid']) &&
            array_key_exists('parentid', $data) &&
            !empty($data['parentid']);
        if (!FormatV2::isValid($data, $isComment)) {
            $this->_return_message(1, I18n::_('Invalid data.'));
            return;
        }
        $sizelimit = $this->_conf->getKey('sizelimit');
        // Ensure content is not too big.
        if (strlen($data['ct']) > $sizelimit) {
            $this->_return_message(
                1,
                I18n::_(
                    'Paste is limited to %s of encrypted data.',
                    Filter::formatHumanReadableSize($sizelimit)
                )
            );
            return;
        }

        // The user posts a comment.
        if ($isComment) {
            $paste = $this->_model->getPaste($data['pasteid']);
            if ($paste->exists()) {
                try {
                    $comment = $paste->getComment($data['parentid']);
                    $comment->setData($data);
                    $comment->store();
                } catch (Exception $e) {
                    $this->_return_message(1, $e->getMessage());
                    return;
                }
                $this->_return_message(0, $comment->getId());
            } else {
                $this->_return_message(1, I18n::_('Invalid data.'));
            }
        }
        // The user posts a standard paste.
        else {
            try {
                $this->_model->purge();
            } catch (Exception $e) {
                error_log('Error purging pastes: ' . $e->getMessage() . PHP_EOL .
                    'Use the administration scripts statistics to find ' .
                    'damaged paste IDs and either delete them or restore them ' .
                    'from backup.');
            }
            $paste = $this->_model->getPaste();
            try {
                $paste->setData($data);
                $paste->store();
            } catch (Exception $e) {
                return $this->_return_message(1, $e->getMessage());
class A
{
    function getObject()
    {
        return null;
    }

}

$a = new A();
if ($a->getObject()) {
            }
            $this->_return_message(0, $paste->getId(), array('deletetoken' => $paste->getDeleteToken()));
        }
    }

    /**
     * Delete an existing paste
     *
     * @access private
     * @param  string $dataid
     * @param  string $deletetoken
     */
    private function _delete($dataid, $deletetoken)
    {
        try {
            $paste = $this->_model->getPaste($dataid);
            if ($paste->exists()) {
                // accessing this method ensures that the paste would be
                // deleted if it has already expired
                $paste->get();
                if (hash_equals($paste->getDeleteToken(), $deletetoken)) {
                    // Paste exists and deletion token is valid: Delete the paste.
                    $paste->delete();
                    $this->_status = 'Paste was properly deleted.';
                } else {
                    $this->_error = 'Wrong deletion token. Paste was not deleted.';
                }
            } else {
                $this->_error = self::GENERIC_ERROR;
            }
        } catch (Exception $e) {
            $this->_error = $e->getMessage();
        }
        if ($this->_request->isJsonApiCall()) {
            if (empty($this->_error)) {
                $this->_return_message(0, $dataid);
            } else {
                $this->_return_message(1, $this->_error);
            }
        }
    }

    /**
     * Read an existing paste or comment, only allowed via a JSON API call
     *
     * @access private
     * @param  string $dataid
     */
    private function _read($dataid)
    {
        if (!$this->_request->isJsonApiCall()) {
            return;
        }

        try {
            $paste = $this->_model->getPaste($dataid);
            if ($paste->exists()) {
                $data = $paste->get();
                if (array_key_exists('salt', $data['meta'])) {
                    unset($data['meta']['salt']);
                }
                $this->_return_message(0, $dataid, (array) $data);
            } else {
                $this->_return_message(1, self::GENERIC_ERROR);
            }
        } catch (Exception $e) {
            $this->_return_message(1, $e->getMessage());
        }
    }

    /**
     * Display frontend.
     *
     * @access private
     */
    private function _view()
    {
        header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
        header('Cross-Origin-Resource-Policy: same-origin');
        header('Cross-Origin-Embedder-Policy: require-corp');
        // disabled, because it prevents links from a paste to the same site to
        // be opened. Didn't work with `same-origin-allow-popups` either.
        // See issue https://github.com/PrivateBin/PrivateBin/issues/970 for details.
        // header('Cross-Origin-Opener-Policy: same-origin');
        header('Permissions-Policy: browsing-topics=()');
        header('Referrer-Policy: no-referrer');
        header('X-Content-Type-Options: nosniff');
        header('X-Frame-Options: deny');
        header('X-XSS-Protection: 1; mode=block');

        // label all the expiration options
        $expire = array();
        foreach ($this->_conf->getSection('expire_options') as $time => $seconds) {
            $expire[$time] = ($seconds == 0) ? I18n::_(ucfirst($time)) : Filter::formatHumanReadableTime($time);
        }

        // translate all the formatter options
        $formatters = array_map('PrivateBin\\I18n::_', $this->_conf->getSection('formatter_options'));

        // set language cookie if that functionality was enabled
        $languageselection = '';
        if ($this->_conf->getKey('languageselection')) {
            $languageselection = I18n::getLanguage();
            setcookie('lang', $languageselection, array('SameSite' => 'Lax', 'Secure' => true));
        }

        // strip policies that are unsupported in meta tag
        $metacspheader = str_replace(
            array(
                'frame-ancestors \'none\'; ',
                '; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
            ),
            '',
            $this->_conf->getKey('cspheader')
        );

        $page = new View;
        $page->assign('CSPHEADER', $metacspheader);
        $page->assign('ERROR', I18n::_($this->_error));
        $page->assign('NAME', $this->_conf->getKey('name'));
        if ($this->_request->getOperation() === 'yourlsproxy') {
            $page->assign('SHORTURL', $this->_status);
            $page->draw('yourlsproxy');
            return;
        }
        $page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
        $page->assign('STATUS', I18n::_($this->_status));
        $page->assign('VERSION', self::VERSION);
        $page->assign('DISCUSSION', $this->_conf->getKey('discussion'));
        $page->assign('OPENDISCUSSION', $this->_conf->getKey('opendiscussion'));
        $page->assign('MARKDOWN', array_key_exists('markdown', $formatters));
        $page->assign('SYNTAXHIGHLIGHTING', array_key_exists('syntaxhighlighting', $formatters));
        $page->assign('SYNTAXHIGHLIGHTINGTHEME', $this->_conf->getKey('syntaxhighlightingtheme'));
        $page->assign('FORMATTER', $formatters);
        $page->assign('FORMATTERDEFAULT', $this->_conf->getKey('defaultformatter'));
        $page->assign('INFO', I18n::_(str_replace("'", '"', $this->_conf->getKey('info'))));
        $page->assign('NOTICE', I18n::_($this->_conf->getKey('notice')));
        $page->assign('BURNAFTERREADINGSELECTED', $this->_conf->getKey('burnafterreadingselected'));
        $page->assign('PASSWORD', $this->_conf->getKey('password'));
        $page->assign('FILEUPLOAD', $this->_conf->getKey('fileupload'));
        $page->assign('ZEROBINCOMPATIBILITY', $this->_conf->getKey('zerobincompatibility'));
        $page->assign('LANGUAGESELECTION', $languageselection);
        $page->assign('LANGUAGES', I18n::getLanguageLabels(I18n::getAvailableLanguages()));
        $page->assign('EXPIRE', $expire);
        $page->assign('EXPIREDEFAULT', $this->_conf->getKey('default', 'expire'));
        $page->assign('URLSHORTENER', $this->_conf->getKey('urlshortener'));
        $page->assign('QRCODE', $this->_conf->getKey('qrcode'));
        $page->assign('EMAIL', $this->_conf->getKey('email'));
        $page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
        $page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
        $page->assign('COMPRESSION', $this->_conf->getKey('compression'));
        $page->draw($this->_conf->getKey('template'));
    }

    /**
     * outputs requested JSON-LD context
     *
     * @access private
     * @param string $type
     */
    private function _jsonld($type)
    {
        if (!in_array($type, array(
            'comment',
            'commentmeta',
            'paste',
            'pastemeta',
            'types',
        ))) {
            $type = '';
        }
        $content = '{}';
        $file    = PUBLIC_PATH . DIRECTORY_SEPARATOR . 'js' . DIRECTORY_SEPARATOR . $type . '.jsonld';
        if (is_readable($file)) {
            $content = str_replace(
                '?jsonld=',
                $this->_urlBase . '?jsonld=',
                file_get_contents($file)
            );
        }
        if ($type === 'types') {
            $content = str_replace(
                implode('", "', array_keys($this->_conf->getDefaults()['expire_options'])),
                implode('", "', array_keys($this->_conf->getSection('expire_options'))),
                $content
            );
        }

        header('Content-type: application/ld+json');
        header('Access-Control-Allow-Origin: *');
        header('Access-Control-Allow-Methods: GET');
        echo $content;
    }

    /**
     * proxies link to YOURLS, updates status or error with response
     *
     * @access private
     * @param string $link
     */
    private function _yourlsproxy($link)
    {
        $yourls = new YourlsProxy($this->_conf, $link);
        if ($yourls->isError()) {
            $this->_error = $yourls->getError();
        } else {
            $this->_status = $yourls->getUrl();
        }
    }

    /**
     * prepares JSON encoded status message
     *
     * @access private
     * @param  int $status
     * @param  string $message
     * @param  array $other
     */
    private function _return_message($status, $message, $other = array())
    {
        $result = array('status' => $status);
        if ($status) {
            $result['message'] = I18n::_($message);
        } else {
            $result['id']  = $message;
            $result['url'] = $this->_urlBase . '?' . $message;
        }
        $result += $other;
        $this->_json = Json::encode($result);
    }
}


1		<?php
2		/**
3		* PrivateBin
4		*
5		* a zero-knowledge paste bin
6		*
7		* @link https://github.com/PrivateBin/PrivateBin
8		* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
9		* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
10		*/
11
12		namespace PrivateBin;
13
14		use Exception;
15		use PrivateBin\Persistence\ServerSalt;
16		use PrivateBin\Persistence\TrafficLimiter;
17
18		/**
19		* Controller
20		*
21		* Puts it all together.
22		*/
23		class Controller
24		{
25		/**
26		* version
27		*
28		* @const string
29		*/
30		const VERSION = '1.7.3';
31
32		/**
33		* minimal required PHP version
34		*
35		* @const string
36		*/
37		const MIN_PHP_VERSION = '7.3.0';
38
39		/**
40		* show the same error message if the paste expired or does not exist
41		*
42		* @const string
43		*/
44		const GENERIC_ERROR = 'Paste does not exist, has expired or has been deleted.';
45
46		/**
47		* configuration
48		*
49		* @access private
50		* @var Configuration
51		*/
52		private $_conf;
53
54		/**
55		* error message
56		*
57		* @access private
58		* @var string
59		*/
60		private $_error = '';
61
62		/**
63		* status message
64		*
65		* @access private
66		* @var string
67		*/
68		private $_status = '';
69
70		/**
71		* JSON message
72		*
73		* @access private
74		* @var string
75		*/
76		private $_json = '';
77
78		/**
79		* Factory of instance models
80		*
81		* @access private
82		* @var model
83		*/
84		private $_model;
85
86		/**
87		* request
88		*
89		* @access private
90		* @var request
91		*/
92		private $_request;
93
94		/**
95		* URL base
96		*
97		* @access private
98		* @var string
99		*/
100		private $_urlBase;
101
102		/**
103		* constructor
104		*
105		* initializes and runs PrivateBin
106		*
107		* @access public
108		* @throws Exception
109		*/
110	126	public function __construct()
111		{
112	126	if (version_compare(PHP_VERSION, self::MIN_PHP_VERSION) < 0) {
113		error_log(I18n::_('%s requires php %s or above to work. Sorry.', I18n::_('PrivateBin'), self::MIN_PHP_VERSION));
114		return;
115		}
116	126	if (strlen(PATH) < 0 && substr(PATH, -1) !== DIRECTORY_SEPARATOR) {
117		error_log(I18n::_('%s requires the PATH to end in a "%s". Please update the PATH in your index.php.', I18n::_('PrivateBin'), DIRECTORY_SEPARATOR));
118		return;
119		}
120
121		// load config from ini file, initialize required classes
122	126	$this->_init();
123
124	123	switch ($this->_request->getOperation()) {
125	123	case 'create':
126	56	$this->_create();
127	56	break;
128	67	case 'delete':
129	23	$this->_delete(
130	23	$this->_request->getParam('pasteid'),
131	23	$this->_request->getParam('deletetoken')
132	23	);
133	23	break;
134	44	case 'read':
135	25	$this->_read($this->_request->getParam('pasteid'));
136	25	break;
137	19	case 'jsonld':
138	6	$this->_jsonld($this->_request->getParam('jsonld'));
139	6	return;
140	13	case 'yourlsproxy':
141	4	$this->_yourlsproxy($this->_request->getParam('link'));
142	4	break;
143		}
144
145	117	$this->_setCacheHeaders();
146
147		// output JSON or HTML
148	117	if ($this->_request->isJsonApiCall()) {
149	83	header('Content-type: ' . Request::MIME_JSON);
150	83	header('Access-Control-Allow-Origin: *');
151	83	header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
152	83	header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');
153	83	header('X-Uncompressed-Content-Length: ' . strlen($this->_json));
154	83	header('Access-Control-Expose-Headers: X-Uncompressed-Content-Length');
155	83	echo $this->_json;
156		} else {
157	34	$this->_view();
158		}
159		}
160
161		/**
162		* initialize PrivateBin
163		*
164		* @access private
165		* @throws Exception
166		*/
167	126	private function _init()
168		{
169	126	$this->_conf = new Configuration;
170	123	$this->_model = new Model($this->_conf);
171	123	$this->_request = new Request;
172	123	$this->_urlBase = $this->_request->getRequestUri();
173
174		// set default language
175	123	$lang = $this->_conf->getKey('languagedefault');
176	123	I18n::setLanguageFallback($lang);
177		// force default language, if language selection is disabled and a default is set
178	123	if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) {
179	3	$_COOKIE['lang'] = $lang;
180	3	setcookie('lang', $lang, array('SameSite' => 'Lax', 'Secure' => true));
181		}
182		}
183
184		/**
185		* Turn off browser caching
186		*
187		* @access private
188		*/
189	117	private function _setCacheHeaders()
190		{
191		// set headers to disable caching
192	117	$time = gmdate('D, d M Y H:i:s \G\M\T');
193	117	header('Cache-Control: no-store, no-cache, no-transform, must-revalidate');
194	117	header('Pragma: no-cache');
195	117	header('Expires: ' . $time);
196	117	header('Last-Modified: ' . $time);
197	117	header('Vary: Accept');
198		}
199
200		/**
201		* Store new paste or comment
202		*
203		* POST contains one or both:
204		* data = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
205		* attachment = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
206		*
207		* All optional data will go to meta information:
208		* expire (optional) = expiration delay (never,5min,10min,1hour,1day,1week,1month,1year,burn) (default:never)
209		* formatter (optional) = format to display the paste as (plaintext,syntaxhighlighting,markdown) (default:syntaxhighlighting)
210		* burnafterreading (optional) = if this paste may only viewed once ? (0/1) (default:0)
211		* opendiscusssion (optional) = is the discussion allowed on this paste ? (0/1) (default:0)
212		* attachmentname = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
213		* nickname (optional) = in discussion, encoded FormatV2 encrypted text nickname of author of comment (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
214		* parentid (optional) = in discussion, which comment this comment replies to.
215		* pasteid (optional) = in discussion, which paste this comment belongs to.
216		*
217		* @access private
218		* @return string
219		*/
220	56	private function _create()
221		{
222		// Ensure last paste from visitors IP address was more than configured amount of seconds ago.
223	56	ServerSalt::setStore($this->_model->getStore());
224	56	TrafficLimiter::setConfiguration($this->_conf);
225	56	TrafficLimiter::setStore($this->_model->getStore());
226		try {
227	56	TrafficLimiter::canPass();
228	3	} catch (Exception $e) {
229	3	$this->_return_message(1, $e->getMessage());
230	3	return;
231		}
232
233	56	$data = $this->_request->getData();
234	56	$isComment = array_key_exists('pasteid', $data) &&
235	56	!empty($data['pasteid']) &&
236	56	array_key_exists('parentid', $data) &&
237	56	!empty($data['parentid']);
238	56	if (!FormatV2::isValid($data, $isComment)) {
239	6	$this->_return_message(1, I18n::_('Invalid data.'));
240	6	return;
241		}
242	50	$sizelimit = $this->_conf->getKey('sizelimit');
243		// Ensure content is not too big.
244	50	if (strlen($data['ct']) > $sizelimit) {
245	3	$this->_return_message(
246	3	1,
247	3	I18n::_(
248	3	'Paste is limited to %s of encrypted data.',
249	3	Filter::formatHumanReadableSize($sizelimit)
250	3	)
251	3	);
252	3	return;
253		}
254
255		// The user posts a comment.
256	47	if ($isComment) {
257	15	$paste = $this->_model->getPaste($data['pasteid']);
258	15	if ($paste->exists()) {
259		try {
260	12	$comment = $paste->getComment($data['parentid']);
261	9	$comment->setData($data);
262	9	$comment->store();
263	9	} catch (Exception $e) {
264	9	$this->_return_message(1, $e->getMessage());
265	9	return;
266		}
267	3	$this->_return_message(0, $comment->getId());
268		} else {
269	6	$this->_return_message(1, I18n::_('Invalid data.'));
270		}
271		}
272		// The user posts a standard paste.
273		else {
274		try {
275	32	$this->_model->purge();
276		} catch (Exception $e) {
277		error_log('Error purging pastes: ' . $e->getMessage() . PHP_EOL .
278		'Use the administration scripts statistics to find ' .
279		'damaged paste IDs and either delete them or restore them ' .
280		'from backup.');
281		}
282	32	$paste = $this->_model->getPaste();
283		try {
284	32	$paste->setData($data);
285	26	$paste->store();
286	9	} catch (Exception $e) {
287	9	return $this->_return_message(1, $e->getMessage());
		0 ignored issues – show Bug introduced 2018-07-29 14:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this Are you sure the usage of `$this->_return_message(1, $e->getMessage())` targeting `PrivateBin\Controller::_return_message()` seems to always return null. This check looks for function or method calls that always return null and whose return value is used. class A { function getObject() { return null; } } $a = new A(); if ($a->getObject()) { The method `getObject()` can return nothing but null, so it makes no sense to use the return value. The reason is most likely that a function or method is imcomplete or has been reduced for debug purposes. Loading history...
288		}
289	23	$this->_return_message(0, $paste->getId(), array('deletetoken' => $paste->getDeleteToken()));
290		}
291		}
292
293		/**
294		* Delete an existing paste
295		*
296		* @access private
297		* @param string $dataid
298		* @param string $deletetoken
299		*/
300	23	private function _delete($dataid, $deletetoken)
301		{
302		try {
303	23	$paste = $this->_model->getPaste($dataid);
304	20	if ($paste->exists()) {
305		// accessing this method ensures that the paste would be
306		// deleted if it has already expired
307	17	$paste->get();
308	14	if (hash_equals($paste->getDeleteToken(), $deletetoken)) {
309		// Paste exists and deletion token is valid: Delete the paste.
310	8	$paste->delete();
311	8	$this->_status = 'Paste was properly deleted.';
312		} else {
313	14	$this->_error = 'Wrong deletion token. Paste was not deleted.';
314		}
315		} else {
316	17	$this->_error = self::GENERIC_ERROR;
317		}
318	6	} catch (Exception $e) {
319	6	$this->_error = $e->getMessage();
320		}
321	23	if ($this->_request->isJsonApiCall()) {
322	5	if (empty($this->_error)) {
323	2	$this->_return_message(0, $dataid);
324		} else {
325	3	$this->_return_message(1, $this->_error);
326		}
327		}
328		}
329
330		/**
331		* Read an existing paste or comment, only allowed via a JSON API call
332		*
333		* @access private
334		* @param string $dataid
335		*/
336	25	private function _read($dataid)
337		{
338	25	if (!$this->_request->isJsonApiCall()) {
339	3	return;
340		}
341
342		try {
343	22	$paste = $this->_model->getPaste($dataid);
344	19	if ($paste->exists()) {
345	16	$data = $paste->get();
346	13	if (array_key_exists('salt', $data['meta'])) {
347	13	unset($data['meta']['salt']);
348		}
349	13	$this->_return_message(0, $dataid, (array) $data);
350		} else {
351	16	$this->_return_message(1, self::GENERIC_ERROR);
352		}
353	6	} catch (Exception $e) {
354	6	$this->_return_message(1, $e->getMessage());
355		}
356		}
357
358		/**
359		* Display frontend.
360		*
361		* @access private
362		*/
363	34	private function _view()
364		{
365	34	header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
366	34	header('Cross-Origin-Resource-Policy: same-origin');
367	34	header('Cross-Origin-Embedder-Policy: require-corp');
368		// disabled, because it prevents links from a paste to the same site to
369		// be opened. Didn't work with `same-origin-allow-popups` either.
370		// See issue https://github.com/PrivateBin/PrivateBin/issues/970 for details.
371		// header('Cross-Origin-Opener-Policy: same-origin');
372	34	header('Permissions-Policy: browsing-topics=()');
373	34	header('Referrer-Policy: no-referrer');
374	34	header('X-Content-Type-Options: nosniff');
375	34	header('X-Frame-Options: deny');
376	34	header('X-XSS-Protection: 1; mode=block');
377
378		// label all the expiration options
379	34	$expire = array();
380	34	foreach ($this->_conf->getSection('expire_options') as $time => $seconds) {
381	34	$expire[$time] = ($seconds == 0) ? I18n::_(ucfirst($time)) : Filter::formatHumanReadableTime($time);
382		}
383
384		// translate all the formatter options
385	34	$formatters = array_map('PrivateBin\\I18n::_', $this->_conf->getSection('formatter_options'));
386
387		// set language cookie if that functionality was enabled
388	34	$languageselection = '';
389	34	if ($this->_conf->getKey('languageselection')) {
390	3	$languageselection = I18n::getLanguage();
391	3	setcookie('lang', $languageselection, array('SameSite' => 'Lax', 'Secure' => true));
392		}
393
394		// strip policies that are unsupported in meta tag
395	34	$metacspheader = str_replace(
396	34	array(
397	34	'frame-ancestors \'none\'; ',
398	34	'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
399	34	),
400	34	'',
401	34	$this->_conf->getKey('cspheader')
402	34	);
403
404	34	$page = new View;
405	34	$page->assign('CSPHEADER', $metacspheader);
406	34	$page->assign('ERROR', I18n::_($this->_error));
407	34	$page->assign('NAME', $this->_conf->getKey('name'));
408	34	if ($this->_request->getOperation() === 'yourlsproxy') {
409	4	$page->assign('SHORTURL', $this->_status);
410	4	$page->draw('yourlsproxy');
411	4	return;
412		}
413	30	$page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
414	30	$page->assign('STATUS', I18n::_($this->_status));
415	30	$page->assign('VERSION', self::VERSION);
416	30	$page->assign('DISCUSSION', $this->_conf->getKey('discussion'));
417	30	$page->assign('OPENDISCUSSION', $this->_conf->getKey('opendiscussion'));
418	30	$page->assign('MARKDOWN', array_key_exists('markdown', $formatters));
419	30	$page->assign('SYNTAXHIGHLIGHTING', array_key_exists('syntaxhighlighting', $formatters));
420	30	$page->assign('SYNTAXHIGHLIGHTINGTHEME', $this->_conf->getKey('syntaxhighlightingtheme'));
421	30	$page->assign('FORMATTER', $formatters);
422	30	$page->assign('FORMATTERDEFAULT', $this->_conf->getKey('defaultformatter'));
423	30	$page->assign('INFO', I18n::_(str_replace("'", '"', $this->_conf->getKey('info'))));
424	30	$page->assign('NOTICE', I18n::_($this->_conf->getKey('notice')));
425	30	$page->assign('BURNAFTERREADINGSELECTED', $this->_conf->getKey('burnafterreadingselected'));
426	30	$page->assign('PASSWORD', $this->_conf->getKey('password'));
427	30	$page->assign('FILEUPLOAD', $this->_conf->getKey('fileupload'));
428	30	$page->assign('ZEROBINCOMPATIBILITY', $this->_conf->getKey('zerobincompatibility'));
429	30	$page->assign('LANGUAGESELECTION', $languageselection);
430	30	$page->assign('LANGUAGES', I18n::getLanguageLabels(I18n::getAvailableLanguages()));
431	30	$page->assign('EXPIRE', $expire);
432	30	$page->assign('EXPIREDEFAULT', $this->_conf->getKey('default', 'expire'));
433	30	$page->assign('URLSHORTENER', $this->_conf->getKey('urlshortener'));
434	30	$page->assign('QRCODE', $this->_conf->getKey('qrcode'));
435	30	$page->assign('EMAIL', $this->_conf->getKey('email'));
436	30	$page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
437	30	$page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
438	30	$page->assign('COMPRESSION', $this->_conf->getKey('compression'));
439	30	$page->draw($this->_conf->getKey('template'));
440		}
441
442		/**
443		* outputs requested JSON-LD context
444		*
445		* @access private
446		* @param string $type
447		*/
448	6	private function _jsonld($type)
449		{
450	6	if (!in_array($type, array(
451	6	'comment',
452	6	'commentmeta',
453	6	'paste',
454	6	'pastemeta',
455	6	'types',
456	6	))) {
457	1	$type = '';
458		}
459	6	$content = '{}';
460	6	$file = PUBLIC_PATH . DIRECTORY_SEPARATOR . 'js' . DIRECTORY_SEPARATOR . $type . '.jsonld';
461	6	if (is_readable($file)) {
462	5	$content = str_replace(
463	5	'?jsonld=',
464	5	$this->_urlBase . '?jsonld=',
465	5	file_get_contents($file)
466	5	);
467		}
468	6	if ($type === 'types') {
469	1	$content = str_replace(
470	1	implode('", "', array_keys($this->_conf->getDefaults()['expire_options'])),
471	1	implode('", "', array_keys($this->_conf->getSection('expire_options'))),
472	1	$content
473	1	);
474		}
475
476	6	header('Content-type: application/ld+json');
477	6	header('Access-Control-Allow-Origin: *');
478	6	header('Access-Control-Allow-Methods: GET');
479	6	echo $content;
480		}
481
482		/**
483		* proxies link to YOURLS, updates status or error with response
484		*
485		* @access private
486		* @param string $link
487		*/
488	4	private function _yourlsproxy($link)
489		{
490	4	$yourls = new YourlsProxy($this->_conf, $link);
491	4	if ($yourls->isError()) {
492	1	$this->_error = $yourls->getError();
493		} else {
494	3	$this->_status = $yourls->getUrl();
495		}
496		}
497
498		/**
499		* prepares JSON encoded status message
500		*
501		* @access private
502		* @param int $status
503		* @param string $message
504		* @param array $other
505		*/
506	83	private function _return_message($status, $message, $other = array())
507		{
508	83	$result = array('status' => $status);
509	83	if ($status) {
510	45	$result['message'] = I18n::_($message);
511		} else {
512	41	$result['id'] = $message;
513	41	$result['url'] = $this->_urlBase . '?' . $message;
514		}
515	83	$result += $other;
516	83	$this->_json = Json::encode($result);
517		}
518		}
519

PrivateBin / PrivateBin

Issues (12)

lib/Controller.php (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like