Code Coverage for /lib/Controller.php

	Code Coverage
	Classes and Traits			Functions and Methods				Lines
Total	0.00% covered (danger)	0.00%	0 / 1	75.00% covered (warning)	75.00%	6 / 8	CRAP	98.44% covered (success)	98.44%	189 / 192
Controller	0.00% covered (danger)	0.00%	0 / 1	75.00% covered (warning)	75.00%	6 / 8	56	98.44% covered (success)	98.44%	189 / 192
__construct				0.00% covered (danger)	0.00%	0 / 1	9.03	92.86% covered (success)	92.86%	26 / 28
_init				100.00% covered (success)	100.00%	1 / 1	3	100.00% covered (success)	100.00%	11 / 11
_create				100.00% covered (success)	100.00%	1 / 1	17	100.00% covered (success)	100.00%	57 / 57
_delete				100.00% covered (success)	100.00%	1 / 1	10	100.00% covered (success)	100.00%	18 / 18
_read				0.00% covered (danger)	0.00%	0 / 1	5.01	91.67% covered (success)	91.67%	11 / 12
_view				100.00% covered (success)	100.00%	1 / 1	4	100.00% covered (success)	100.00%	43 / 43
_jsonld				100.00% covered (success)	100.00%	1 / 1	6	100.00% covered (success)	100.00%	15 / 15
_return_message				100.00% covered (success)	100.00%	1 / 1	2	100.00% covered (success)	100.00%	8 / 8

1	<?php
2	/**
3	* PrivateBin
4	*
5	* a zero-knowledge paste bin
6	*
7	* @link https://github.com/PrivateBin/PrivateBin
8	* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
9	* @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
10	* @version 1.2.1
11	*/
12
13	namespace PrivateBin;
14
15	use Exception;
16	use PrivateBin\Persistence\ServerSalt;
17	use PrivateBin\Persistence\TrafficLimiter;
18
19	/**
20	* Controller
21	*
22	* Puts it all together.
23	*/
24	class Controller
25	{
26	/**
27	* version
28	*
29	* @const string
30	*/
31	const VERSION = '1.2.1';
32
33	/**
34	* minimal required PHP version
35	*
36	* @const string
37	*/
38	const MIN_PHP_VERSION = '5.4.0';
39
40	/**
41	* show the same error message if the paste expired or does not exist
42	*
43	* @const string
44	*/
45	const GENERIC_ERROR = 'Paste does not exist, has expired or has been deleted.';
46
47	/**
48	* configuration
49	*
50	* @access private
51	* @var Configuration
52	*/
53	private $_conf;
54
55	/**
56	* error message
57	*
58	* @access private
59	* @var string
60	*/
61	private $_error = '';
62
63	/**
64	* status message
65	*
66	* @access private
67	* @var string
68	*/
69	private $_status = '';
70
71	/**
72	* JSON message
73	*
74	* @access private
75	* @var string
76	*/
77	private $_json = '';
78
79	/**
80	* Factory of instance models
81	*
82	* @access private
83	* @var model
84	*/
85	private $_model;
86
87	/**
88	* request
89	*
90	* @access private
91	* @var request
92	*/
93	private $_request;
94
95	/**
96	* URL base
97	*
98	* @access private
99	* @var string
100	*/
101	private $_urlBase;
102
103	/**
104	* constructor
105	*
106	* initializes and runs PrivateBin
107	*
108	* @access public
109	* @throws Exception
110	*/
111	public function __construct()
112	{
113	if (version_compare(PHP_VERSION, self::MIN_PHP_VERSION) < 0) {
114	throw new Exception(I18n::_('%s requires php %s or above to work. Sorry.', I18n::_('PrivateBin'), self::MIN_PHP_VERSION), 1);
115	}
116	if (strlen(PATH) < 0 && substr(PATH, -1) !== DIRECTORY_SEPARATOR) {
117	throw new Exception(I18n::_('%s requires the PATH to end in a "%s". Please update the PATH in your index.php.', I18n::_('PrivateBin'), DIRECTORY_SEPARATOR), 5);
118	}
119
120	// load config from ini file, initialize required classes
121	$this->_init();
122
123	switch ($this->_request->getOperation()) {
124	case 'create':
125	$this->_create();
126	break;
127	case 'delete':
128	$this->_delete(
129	$this->_request->getParam('pasteid'),
130	$this->_request->getParam('deletetoken')
131	);
132	break;
133	case 'read':
134	$this->_read($this->_request->getParam('pasteid'));
135	break;
136	case 'jsonld':
137	$this->_jsonld($this->_request->getParam('jsonld'));
138	return;
139	}
140
141	// output JSON or HTML
142	if ($this->_request->isJsonApiCall()) {
143	header('Content-type: ' . Request::MIME_JSON);
144	header('Access-Control-Allow-Origin: *');
145	header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE');
146	header('Access-Control-Allow-Headers: X-Requested-With, Content-Type');
147	echo $this->_json;
148	} else {
149	$this->_view();
150	}
151	}
152
153	/**
154	* initialize PrivateBin
155	*
156	* @access private
157	*/
158	private function _init()
159	{
160	$this->_conf = new Configuration;
161	$this->_model = new Model($this->_conf);
162	$this->_request = new Request;
163	$this->_urlBase = $this->_request->getRequestUri();
164	ServerSalt::setPath($this->_conf->getKey('dir', 'traffic'));
165
166	// set default language
167	$lang = $this->_conf->getKey('languagedefault');
168	I18n::setLanguageFallback($lang);
169	// force default language, if language selection is disabled and a default is set
170	if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) {
171	$_COOKIE['lang'] = $lang;
172	setcookie('lang', $lang);
173	}
174	}
175
176	/**
177	* Store new paste or comment
178	*
179	* POST contains one or both:
180	* data = json encoded SJCL encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
181	* attachment = json encoded SJCL encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
182	*
183	* All optional data will go to meta information:
184	* expire (optional) = expiration delay (never,5min,10min,1hour,1day,1week,1month,1year,burn) (default:never)
185	* formatter (optional) = format to display the paste as (plaintext,syntaxhighlighting,markdown) (default:syntaxhighlighting)
186	* burnafterreading (optional) = if this paste may only viewed once ? (0/1) (default:0)
187	* opendiscusssion (optional) = is the discussion allowed on this paste ? (0/1) (default:0)
188	* attachmentname = json encoded SJCL encrypted text (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
189	* nickname (optional) = in discussion, encoded SJCL encrypted text nickname of author of comment (containing keys: iv,v,iter,ks,ts,mode,adata,cipher,salt,ct)
190	* parentid (optional) = in discussion, which comment this comment replies to.
191	* pasteid (optional) = in discussion, which paste this comment belongs to.
192	*
193	* @access private
194	* @return string
195	*/
196	private function _create()
197	{
198	// Ensure last paste from visitors IP address was more than configured amount of seconds ago.
199	TrafficLimiter::setConfiguration($this->_conf);
200	if (!TrafficLimiter::canPass()) {
201	return $this->_return_message(
202	1, I18n::_(
203	'Please wait %d seconds between each post.',
204	$this->_conf->getKey('limit', 'traffic')
205	)
206	);
207	}
208
209	$data = $this->_request->getParam('data');
210	$attachment = $this->_request->getParam('attachment');
211	$attachmentname = $this->_request->getParam('attachmentname');
212
213	// Ensure content is not too big.
214	$sizelimit = $this->_conf->getKey('sizelimit');
215	if (
216	strlen($data) + strlen($attachment) + strlen($attachmentname) > $sizelimit
217	) {
218	return $this->_return_message(
219	1,
220	I18n::_(
221	'Paste is limited to %s of encrypted data.',
222	Filter::formatHumanReadableSize($sizelimit)
223	)
224	);
225	}
226
227	// Ensure attachment did not get lost due to webserver limits or Suhosin
228	if (strlen($attachmentname) > 0 && strlen($attachment) == 0) {
229	return $this->_return_message(1, 'Attachment missing in data received by server. Please check your webserver or suhosin configuration for maximum POST parameter limitations.');
230	}
231
232	// The user posts a comment.
233	$pasteid = $this->_request->getParam('pasteid');
234	$parentid = $this->_request->getParam('parentid');
235	if (!empty($pasteid) && !empty($parentid)) {
236	$paste = $this->_model->getPaste($pasteid);
237	if ($paste->exists()) {
238	try {
239	$comment = $paste->getComment($parentid);
240
241	$nickname = $this->_request->getParam('nickname');
242	if (!empty($nickname)) {
243	$comment->setNickname($nickname);
244	}
245
246	$comment->setData($data);
247	$comment->store();
248	} catch (Exception $e) {
249	return $this->_return_message(1, $e->getMessage());
250	}
251	$this->_return_message(0, $comment->getId());
252	} else {
253	$this->_return_message(1, 'Invalid data.');
254	}
255	}
256	// The user posts a standard paste.
257	else {
258	$this->_model->purge();
259	$paste = $this->_model->getPaste();
260	try {
261	$paste->setData($data);
262
263	if (!empty($attachment)) {
264	$paste->setAttachment($attachment);
265	if (!empty($attachmentname)) {
266	$paste->setAttachmentName($attachmentname);
267	}
268	}
269
270	$expire = $this->_request->getParam('expire');
271	if (!empty($expire)) {
272	$paste->setExpiration($expire);
273	}
274
275	$burnafterreading = $this->_request->getParam('burnafterreading');
276	if (!empty($burnafterreading)) {
277	$paste->setBurnafterreading($burnafterreading);
278	}
279
280	$opendiscussion = $this->_request->getParam('opendiscussion');
281	if (!empty($opendiscussion)) {
282	$paste->setOpendiscussion($opendiscussion);
283	}
284
285	$formatter = $this->_request->getParam('formatter');
286	if (!empty($formatter)) {
287	$paste->setFormatter($formatter);
288	}
289
290	$paste->store();
291	} catch (Exception $e) {
292	return $this->_return_message(1, $e->getMessage());
293	}
294	$this->_return_message(0, $paste->getId(), array('deletetoken' => $paste->getDeleteToken()));
295	}
296	}
297
298	/**
299	* Delete an existing paste
300	*
301	* @access private
302	* @param string $dataid
303	* @param string $deletetoken
304	*/
305	private function _delete($dataid, $deletetoken)
306	{
307	try {
308	$paste = $this->_model->getPaste($dataid);
309	if ($paste->exists()) {
310	// accessing this property ensures that the paste would be
311	// deleted if it has already expired
312	$burnafterreading = $paste->isBurnafterreading();
313	if (
314	($burnafterreading && $deletetoken == 'burnafterreading') \|\| // either we burn-after it has been read //@TODO: not needed anymore now?
315	Filter::slowEquals($deletetoken, $paste->getDeleteToken()) // or we manually delete it with this secret token
316	) {
317	// Paste exists and deletion token (if required) is valid: Delete the paste.
318	$paste->delete();
319	$this->_status = 'Paste was properly deleted.';
320	} else {
321	if (!$burnafterreading && $deletetoken == 'burnafterreading') {
322	$this->_error = 'Paste is not of burn-after-reading type.';
323	} else {
324	$this->_error = 'Wrong deletion token. Paste was not deleted.';
325	}
326	}
327	} else {
328	$this->_error = self::GENERIC_ERROR;
329	}
330	} catch (Exception $e) {
331	$this->_error = $e->getMessage();
332	}
333	if ($this->_request->isJsonApiCall()) {
334	if (strlen($this->_error)) {
335	$this->_return_message(1, $this->_error);
336	} else {
337	$this->_return_message(0, $dataid);
338	}
339	}
340	}
341
342	/**
343	* Read an existing paste or comment, only allowed via a JSON API call
344	*
345	* @access private
346	* @param string $dataid
347	*/
348	private function _read($dataid)
349	{
350	if (!$this->_request->isJsonApiCall()) {
351	return;
352	}
353
354	try {
355	$paste = $this->_model->getPaste($dataid);
356	if ($paste->exists()) {
357	$data = $paste->get();
358	if (property_exists($data->meta, 'salt')) {
359	unset($data->meta->salt);
360	}
361	$this->_return_message(0, $dataid, (array) $data);
362	} else {
363	$this->_return_message(1, self::GENERIC_ERROR);
364	}
365	} catch (Exception $e) {
366	$this->_return_message(1, $e->getMessage());
367	}
368	}
369
370	/**
371	* Display frontend.
372	*
373	* @access private
374	*/
375	private function _view()
376	{
377	// set headers to disable caching
378	$time = gmdate('D, d M Y H:i:s \G\M\T');
379	header('Cache-Control: no-store, no-cache, no-transform, must-revalidate');
380	header('Pragma: no-cache');
381	header('Expires: ' . $time);
382	header('Last-Modified: ' . $time);
383	header('Vary: Accept');
384	header('Content-Security-Policy: ' . $this->_conf->getKey('cspheader'));
385	header('X-Xss-Protection: 1; mode=block');
386	header('X-Frame-Options: DENY');
387	header('X-Content-Type-Options: nosniff');
388
389	// label all the expiration options
390	$expire = array();
391	foreach ($this->_conf->getSection('expire_options') as $time => $seconds) {
392	$expire[$time] = ($seconds == 0) ? I18n::_(ucfirst($time)) : Filter::formatHumanReadableTime($time);
393	}
394
395	// translate all the formatter options
396	$formatters = array_map('PrivateBin\\I18n::_', $this->_conf->getSection('formatter_options'));
397
398	// set language cookie if that functionality was enabled
399	$languageselection = '';
400	if ($this->_conf->getKey('languageselection')) {
401	$languageselection = I18n::getLanguage();
402	setcookie('lang', $languageselection);
403	}
404
405	$page = new View;
406	$page->assign('NAME', $this->_conf->getKey('name'));
407	$page->assign('ERROR', I18n::_($this->_error));
408	$page->assign('STATUS', I18n::_($this->_status));
409	$page->assign('VERSION', self::VERSION);
410	$page->assign('DISCUSSION', $this->_conf->getKey('discussion'));
411	$page->assign('OPENDISCUSSION', $this->_conf->getKey('opendiscussion'));
412	$page->assign('MARKDOWN', array_key_exists('markdown', $formatters));
413	$page->assign('SYNTAXHIGHLIGHTING', array_key_exists('syntaxhighlighting', $formatters));
414	$page->assign('SYNTAXHIGHLIGHTINGTHEME', $this->_conf->getKey('syntaxhighlightingtheme'));
415	$page->assign('FORMATTER', $formatters);
416	$page->assign('FORMATTERDEFAULT', $this->_conf->getKey('defaultformatter'));
417	$page->assign('NOTICE', I18n::_($this->_conf->getKey('notice')));
418	$page->assign('BURNAFTERREADINGSELECTED', $this->_conf->getKey('burnafterreadingselected'));
419	$page->assign('PASSWORD', $this->_conf->getKey('password'));
420	$page->assign('FILEUPLOAD', $this->_conf->getKey('fileupload'));
421	$page->assign('ZEROBINCOMPATIBILITY', $this->_conf->getKey('zerobincompatibility'));
422	$page->assign('LANGUAGESELECTION', $languageselection);
423	$page->assign('LANGUAGES', I18n::getLanguageLabels(I18n::getAvailableLanguages()));
424	$page->assign('EXPIRE', $expire);
425	$page->assign('EXPIREDEFAULT', $this->_conf->getKey('default', 'expire'));
426	$page->assign('URLSHORTENER', $this->_conf->getKey('urlshortener'));
427	$page->assign('QRCODE', $this->_conf->getKey('qrcode'));
428	$page->draw($this->_conf->getKey('template'));
429	}
430
431	/**
432	* outputs requested JSON-LD context
433	*
434	* @access private
435	* @param string $type
436	*/
437	private function _jsonld($type)
438	{
439	if (
440	$type !== 'paste' && $type !== 'comment' &&
441	$type !== 'pastemeta' && $type !== 'commentmeta'
442	) {
443	$type = '';
444	}
445	$content = '{}';
446	$file = PUBLIC_PATH . DIRECTORY_SEPARATOR . 'js' . DIRECTORY_SEPARATOR . $type . '.jsonld';
447	if (is_readable($file)) {
448	$content = str_replace(
449	'?jsonld=',
450	$this->_urlBase . '?jsonld=',
451	file_get_contents($file)
452	);
453	}
454
455	header('Content-type: application/ld+json');
456	header('Access-Control-Allow-Origin: *');
457	header('Access-Control-Allow-Methods: GET');
458	echo $content;
459	}
460
461	/**
462	* prepares JSON encoded status message
463	*
464	* @access private
465	* @param int $status
466	* @param string $message
467	* @param array $other
468	*/
469	private function _return_message($status, $message, $other = array())
470	{
471	$result = array('status' => $status);
472	if ($status) {
473	$result['message'] = I18n::_($message);
474	} else {
475	$result['id'] = $message;
476	$result['url'] = $this->_urlBase . '?' . $message;
477	}
478	$result += $other;
479	$this->_json = json_encode($result);
480	}
481	}