
This release addresses two issues: arbitrary PHP file inclusion when template switching is enabled, and missing sanitization of file names when files with malicious names are dragged and dropped into PrivateBin.

These have been mitigated in PrivateBin 2.0.3, so we strongly urge users to update.
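To illustrate the kind of server-side check that closes the first issue, here is an added example of resolving a user-selected template name safely. It is not PrivateBin's own code; the template directory layout (`<dir>/<name>.php`), the function name, the fallback name `default`, and reading the selection from a cookie are all assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Resolve a user-chosen template name to a file inside the template
 * directory, falling back to the configured default. Added example, not
 * PrivateBin's code; the "<dir>/<name>.php" layout is an assumption.
 */
function resolveTemplate(string $requested, string $templateDir, string $default): string
{
    // 1. Accept only a plain identifier: no slashes, dots, NUL bytes or
    //    other characters that could steer the include path elsewhere.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $requested)) {
        $requested = $default;
    }

    // 2. Build the allow-list from the directory itself and accept only
    //    names that are actually present, never a name the client made up.
    $allowed = [];
    foreach (glob($templateDir . '/*.php') ?: [] as $path) {
        $allowed[] = basename($path, '.php');
    }
    if (!in_array($requested, $allowed, true)) {
        $requested = $default;
    }

    // 3. Defence in depth: after symlink and ".." resolution the chosen
    //    file must still lie inside the template directory.
    $base = realpath($templateDir);
    $file = realpath($templateDir . '/' . $requested . '.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('template directory misconfigured');
    }
    return $file;
}

// Usage (assumed: the selection arrives in a cookie named "template"):
// $tpl = resolveTemplate($_COOKIE['template'] ?? '', __DIR__ . '/tpl', 'default');
// include $tpl;
```

The three steps are deliberately redundant: the allow-list alone stops the inclusion, while the identifier check and the `realpath` containment test keep a misconfigured or symlinked template directory from re-opening the hole.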

More details of the vulnerabilities, mitigation etc. can be found in the vulnerability reports.

Changes since v2.0.2

  • FIXED: Prevent arbitrary PHP file inclusion when enabling template switching
  • FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
  • FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)

Help wanted & greatly appreciated

Apart from the large tasks that require deeper insight and time, there are also smaller issues where help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long-term maintainers among our frequent issue helpers.

What can we offer you in return for your help?

  • We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the community's quality standards, gets merged and makes it into a release.
  • Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.
  • PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming than larger projects.
  • We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.
  • You don't have to be proficient in multiple programming languages; there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.
  • It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.

If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the discussion area or reach us via email.
