Code Coverage for /lib/Controller.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	62.50% covered (warning)	62.50%	5 / 8	CRAP	97.19% covered (success)	97.19%	173 / 178
Controller	0.00% covered (danger)	0.00%	0 / 1	62.50% covered (warning)	62.50%	5 / 8	46	97.19% covered (success)	97.19%	173 / 178
__construct				0.00% covered (danger)	0.00%	0 / 1	9.03	92.86% covered (success)	92.86%	26 / 28
_init				100.00% covered (success)	100.00%	1 / 1	3	100.00% covered (success)	100.00%	11 / 11
_create				0.00% covered (danger)	0.00%	0 / 1	11	95.24% covered (success)	95.24%	40 / 42
_delete				100.00% covered (success)	100.00%	1 / 1	6	100.00% covered (success)	100.00%	15 / 15
_read				0.00% covered (danger)	0.00%	0 / 1	5.01	91.67% covered (success)	91.67%	11 / 12
_view				100.00% covered (success)	100.00%	1 / 1	4	100.00% covered (success)	100.00%	47 / 47
_jsonld				100.00% covered (success)	100.00%	1 / 1	6	100.00% covered (success)	100.00%	15 / 15
_return_message				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	8 / 8

1	<?php
2	/**
3	* PrivateBin
4	*
5	* a zero-knowledge paste bin
6	*
7	* @link https://github.com/PrivateBin/PrivateBin
8	* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
9	* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
10	* @version 1.3.4
11	*/
12
13	namespace PrivateBin;
14
15	use Exception;
16	use PrivateBin\Persistence\ServerSalt;
17	use PrivateBin\Persistence\TrafficLimiter;
18
19	/**
20	* Controller
21	*
22	* Puts it all together.
23	*/
24	class Controller
25	{
26	/**
27	* version
28	*
29	* @const string
30	*/
31	const VERSION = '1.3.4';
32
33	/**
34	* minimal required PHP version
35	*
36	* @const string
37	*/
38	const MIN_PHP_VERSION = '5.6.0';
39
40	/**
41	* show the same error message if the paste expired or does not exist
42	*
43	* @const string
44	*/
45	const GENERIC_ERROR = 'Paste does not exist, has expired or has been deleted.';
46
47	/**
48	* configuration
49	*
50	* @access private
51	* @var Configuration
52	*/
53	private $_conf;
54
55	/**
56	* error message
57	*
58	* @access private
59	* @var string
60	*/
61	private $_error = '';
62
63	/**
64	* status message
65	*
66	* @access private
67	* @var string
68	*/
69	private $_status = '';
70
71	/**
72	* JSON message
73	*
74	* @access private
75	* @var string
76	*/
77	private $_json = '';
78
79	/**
80	* Factory of instance models
81	*
82	* @access private
83	* @var model
84	*/
85	private $_model;
86
87	/**
88	* request
89	*
90	* @access private
91	* @var request
92	*/
93	private $_request;
94
95	/**
96	* URL base
97	*
98	* @access private
99	* @var string
100	*/
101	private $_urlBase;
102
103	/**
104	* constructor
105	*
106	* initializes and runs PrivateBin
107	*
108	* @access public
109	* @throws Exception
110	*/
111	public function __construct()
112	{
113	if (version_compare(PHP_VERSION, self::MIN_PHP_VERSION) < 0) {
114	throw new Exception(I18n::_('%s requires php %s or above to work. Sorry.', I18n::_('PrivateBin'), self::MIN_PHP_VERSION), 1);
115	}
116	if (strlen(PATH) < 0 && substr(PATH, -1) !== DIRECTORY_SEPARATOR) {
117	throw new Exception(I18n::_('%s requires the PATH to end in a "%s". Please update the PATH in your index.php.', I18n::_('PrivateBin'), DIRECTORY_SEPARATOR), 5);
118	}
119
120	// load config from ini file, initialize required classes
121	$this->_init();
122
123	switch ($this->_request->getOperation()) {
124	case 'create':
125	$this->_create();
126	break;
127	case 'delete':
128	$this->_delete(
129	$this->_request->getParam('pasteid'),
130	$this->_request->getParam('deletetoken')
131	);
132	break;
133	case 'read':
134	$this->_read($this->_request->getParam('pasteid'));
135	break;
136	case 'jsonld':
137	$this->_jsonld($this->_request->getParam('jsonld'));
138	return;
139	}
140
141	// output JSON or HTML
142	if ($this->_request->isJsonApiCall()) {
143	header('Content-type: ' . Request::MIME_JSON);
144	header('Access-Control-Allow-Origin: *');
145	header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
146	header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');
147	echo $this->_json;
148	} else {
149	$this->_view();
150	}
151	}
152
153	/**
154	* initialize PrivateBin
155	*
156	* @access private
157	* @throws Exception
158	*/
159	private function _init()
160	{
161	$this->_conf = new Configuration;
162	$this->_model = new Model($this->_conf);
163	$this->_request = new Request;
164	$this->_urlBase = $this->_request->getRequestUri();
165	ServerSalt::setPath($this->_conf->getKey('dir', 'traffic'));
166
167	// set default language
168	$lang = $this->_conf->getKey('languagedefault');
169	I18n::setLanguageFallback($lang);
170	// force default language, if language selection is disabled and a default is set
171	if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) {
172	$_COOKIE['lang'] = $lang;
173	setcookie('lang', $lang);
174	}
175	}
176
177	/**
178	* Store new paste or comment
179	*
180	* POST contains one or both:
181	* data = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
182	* attachment = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
183	*
184	* All optional data will go to meta information:
185	* expire (optional) = expiration delay (never,5min,10min,1hour,1day,1week,1month,1year,burn) (default:never)
186	* formatter (optional) = format to display the paste as (plaintext,syntaxhighlighting,markdown) (default:syntaxhighlighting)
187	* burnafterreading (optional) = if this paste may only viewed once ? (0/1) (default:0)
188	* opendiscusssion (optional) = is the discussion allowed on this paste ? (0/1) (default:0)
189	* attachmentname = json encoded FormatV2 encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
190	* nickname (optional) = in discussion, encoded FormatV2 encrypted text nickname of author of comment (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
191	* parentid (optional) = in discussion, which comment this comment replies to.
192	* pasteid (optional) = in discussion, which paste this comment belongs to.
193	*
194	* @access private
195	* @return string
196	*/
197	private function _create()
198	{
199	// Ensure last paste from visitors IP address was more than configured amount of seconds ago.
200	TrafficLimiter::setConfiguration($this->_conf);
201	if (!TrafficLimiter::canPass()) {
202	$this->_return_message(
203	1, I18n::_(
204	'Please wait %d seconds between each post.',
205	$this->_conf->getKey('limit', 'traffic')
206	)
207	);
208	return;
209	}
210
211	$data = $this->_request->getData();
212	$isComment = array_key_exists('pasteid', $data) &&
213	!empty($data['pasteid']) &&
214	array_key_exists('parentid', $data) &&
215	!empty($data['parentid']);
216	if (!FormatV2::isValid($data, $isComment)) {
217	$this->_return_message(1, I18n::_('Invalid data.'));
218	return;
219	}
220	$sizelimit = $this->_conf->getKey('sizelimit');
221	// Ensure content is not too big.
222	if (strlen($data['ct']) > $sizelimit) {
223	$this->_return_message(
224	1,
225	I18n::_(
226	'Paste is limited to %s of encrypted data.',
227	Filter::formatHumanReadableSize($sizelimit)
228	)
229	);
230	return;
231	}
232
233	// The user posts a comment.
234	if ($isComment) {
235	$paste = $this->_model->getPaste($data['pasteid']);
236	if ($paste->exists()) {
237	try {
238	$comment = $paste->getComment($data['parentid']);
239	$comment->setData($data);
240	$comment->store();
241	} catch (Exception $e) {
242	$this->_return_message(1, $e->getMessage());
243	return;
244	}
245	$this->_return_message(0, $comment->getId());
246	} else {
247	$this->_return_message(1, I18n::_('Invalid data.'));
248	}
249	}
250	// The user posts a standard paste.
251	else {
252	$this->_model->purge();
253	$paste = $this->_model->getPaste();
254	try {
255	$paste->setData($data);
256	$paste->store();
257	} catch (Exception $e) {
258	return $this->_return_message(1, $e->getMessage());
259	}
260	$this->_return_message(0, $paste->getId(), array('deletetoken' => $paste->getDeleteToken()));
261	}
262	}
263
264	/**
265	* Delete an existing paste
266	*
267	* @access private
268	* @param string $dataid
269	* @param string $deletetoken
270	*/
271	private function _delete($dataid, $deletetoken)
272	{
273	try {
274	$paste = $this->_model->getPaste($dataid);
275	if ($paste->exists()) {
276	// accessing this method ensures that the paste would be
277	// deleted if it has already expired
278	$paste->get();
279	if (hash_equals($paste->getDeleteToken(), $deletetoken)) {
280	// Paste exists and deletion token is valid: Delete the paste.
281	$paste->delete();
282	$this->_status = 'Paste was properly deleted.';
283	} else {
284	$this->_error = 'Wrong deletion token. Paste was not deleted.';
285	}
286	} else {
287	$this->_error = self::GENERIC_ERROR;
288	}
289	} catch (Exception $e) {
290	$this->_error = $e->getMessage();
291	}
292	if ($this->_request->isJsonApiCall()) {
293	if (strlen($this->_error)) {
294	$this->_return_message(1, $this->_error);
295	} else {
296	$this->_return_message(0, $dataid);
297	}
298	}
299	}
300
301	/**
302	* Read an existing paste or comment, only allowed via a JSON API call
303	*
304	* @access private
305	* @param string $dataid
306	*/
307	private function _read($dataid)
308	{
309	if (!$this->_request->isJsonApiCall()) {
310	return;
311	}
312
313	try {
314	$paste = $this->_model->getPaste($dataid);
315	if ($paste->exists()) {
316	$data = $paste->get();
317	if (array_key_exists('salt', $data['meta'])) {
318	unset($data['meta']['salt']);
319	}
320	$this->_return_message(0, $dataid, (array) $data);
321	} else {
322	$this->_return_message(1, self::GENERIC_ERROR);
323	}
324	} catch (Exception $e) {
325	$this->_return_message(1, $e->getMessage());
326	}
327	}
328
329	/**
330	* Display frontend.
331	*
332	* @access private
333	*/
334	private function _view()
335	{
336	// set headers to disable caching
337	$time = gmdate('D, d M Y H:i:s \G\M\T');
338	header('Cache-Control: no-store, no-cache, no-transform, must-revalidate');
339	header('Pragma: no-cache');
340	header('Expires: ' . $time);
341	header('Last-Modified: ' . $time);
342	header('Vary: Accept');
343	header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
344	header('Referrer-Policy: no-referrer');
345	header('X-Xss-Protection: 1; mode=block');
346	header('X-Frame-Options: DENY');
347	header('X-Content-Type-Options: nosniff');
348
349	// label all the expiration options
350	$expire = array();
351	foreach ($this->_conf->getSection('expire_options') as $time => $seconds) {
352	$expire[$time] = ($seconds == 0) ? I18n::_(ucfirst($time)) : Filter::formatHumanReadableTime($time);
353	}
354
355	// translate all the formatter options
356	$formatters = array_map('PrivateBin\\I18n::_', $this->_conf->getSection('formatter_options'));
357
358	// set language cookie if that functionality was enabled
359	$languageselection = '';
360	if ($this->_conf->getKey('languageselection')) {
361	$languageselection = I18n::getLanguage();
362	setcookie('lang', $languageselection);
363	}
364
365	$page = new View;
366	$page->assign('NAME', $this->_conf->getKey('name'));
367	$page->assign('ERROR', I18n::_($this->_error));
368	$page->assign('STATUS', I18n::_($this->_status));
369	$page->assign('VERSION', self::VERSION);
370	$page->assign('DISCUSSION', $this->_conf->getKey('discussion'));
371	$page->assign('OPENDISCUSSION', $this->_conf->getKey('opendiscussion'));
372	$page->assign('MARKDOWN', array_key_exists('markdown', $formatters));
373	$page->assign('SYNTAXHIGHLIGHTING', array_key_exists('syntaxhighlighting', $formatters));
374	$page->assign('SYNTAXHIGHLIGHTINGTHEME', $this->_conf->getKey('syntaxhighlightingtheme'));
375	$page->assign('FORMATTER', $formatters);
376	$page->assign('FORMATTERDEFAULT', $this->_conf->getKey('defaultformatter'));
377	$page->assign('NOTICE', I18n::_($this->_conf->getKey('notice')));
378	$page->assign('BURNAFTERREADINGSELECTED', $this->_conf->getKey('burnafterreadingselected'));
379	$page->assign('PASSWORD', $this->_conf->getKey('password'));
380	$page->assign('FILEUPLOAD', $this->_conf->getKey('fileupload'));
381	$page->assign('ZEROBINCOMPATIBILITY', $this->_conf->getKey('zerobincompatibility'));
382	$page->assign('LANGUAGESELECTION', $languageselection);
383	$page->assign('LANGUAGES', I18n::getLanguageLabels(I18n::getAvailableLanguages()));
384	$page->assign('EXPIRE', $expire);
385	$page->assign('EXPIREDEFAULT', $this->_conf->getKey('default', 'expire'));
386	$page->assign('URLSHORTENER', $this->_conf->getKey('urlshortener'));
387	$page->assign('QRCODE', $this->_conf->getKey('qrcode'));
388	$page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
389	$page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
390	$page->assign('COMPRESSION', $this->_conf->getKey('compression'));
391	$page->draw($this->_conf->getKey('template'));
392	}
393
394	/**
395	* outputs requested JSON-LD context
396	*
397	* @access private
398	* @param string $type
399	*/
400	private function _jsonld($type)
401	{
402	if (
403	$type !== 'paste' && $type !== 'comment' &&
404	$type !== 'pastemeta' && $type !== 'commentmeta'
405	) {
406	$type = '';
407	}
408	$content = '{}';
409	$file = PUBLIC_PATH . DIRECTORY_SEPARATOR . 'js' . DIRECTORY_SEPARATOR . $type . '.jsonld';
410	if (is_readable($file)) {
411	$content = str_replace(
412	'?jsonld=',
413	$this->_urlBase . '?jsonld=',
414	file_get_contents($file)
415	);
416	}
417
418	header('Content-type: application/ld+json');
419	header('Access-Control-Allow-Origin: *');
420	header('Access-Control-Allow-Methods: GET');
421	echo $content;
422	}
423
424	/**
425	* prepares JSON encoded status message
426	*
427	* @access private
428	* @param int $status
429	* @param string $message
430	* @param array $other
431	*/
432	private function _return_message($status, $message, $other = array())
433	{
434	$result = array('status' => $status);
435	if ($status) {
436	$result['message'] = I18n::_($message);
437	} else {
438	$result['id'] = $message;
439	$result['url'] = $this->_urlBase . '?' . $message;
440	}
441	$result += $other;
442	$this->_json = Json::encode($result);
443	}
444	}