Skip to content
This repository has been archived by the owner on Nov 11, 2023. It is now read-only.

Commit

Permalink
burn after reading messages are only deleted after callback by JS when
Browse files Browse the repository at this point in the history
successfully decrypted, resolves #11
  • Loading branch information
elrido committed Aug 31, 2015
1 parent 9fdbba7 commit 802a0b2
Show file tree
Hide file tree
Showing 3 changed files with 94 additions and 22 deletions.
13 changes: 8 additions & 5 deletions js/zerobin.js
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,10 @@ function displayMessages(key, comments) {
// Display paste expiration.
if (comments[0].meta.expire_date) $('#remainingtime').removeClass('foryoureyesonly').text('This document will expire in '+secondsToHuman(comments[0].meta.remaining_time)+'.').removeClass('hidden');
if (comments[0].meta.burnafterreading) {
$.get(scriptLocation() + "?pasteid=" + pasteID() + '&deletetoken=burnafterreading', 'json')
.fail(function() {
showError('Could not delete the paste, it was not stored in burn after reading mode.');
});
$('#remainingtime').addClass('foryoureyesonly').text('FOR YOUR EYES ONLY. Don\'t close this window, this message can\'t be displayed again.').removeClass('hidden');
$('#clonebutton').addClass('hidden'); // Discourage cloning (as it can't really be prevented).
}
Expand Down Expand Up @@ -382,11 +386,7 @@ function send_data() {
burnafterreading: $('#burnafterreading').is(':checked') ? 1 : 0,
opendiscussion: $('#opendiscussion').is(':checked') ? 1 : 0
};
$.post(scriptLocation(), data_to_send, 'json')
.error(function() {
showError('Data could not be sent (serveur error or not responding).');
})
.success(function(data) {
$.post(scriptLocation(), data_to_send, function(data) {
if (data.status == 0) {
stateExistingPaste();
var url = scriptLocation() + "?" + data.id + '#' + randomkey;
Expand All @@ -412,6 +412,9 @@ function send_data() {
else {
showError('Could not create paste.');
}
}, 'json')
.fail(function() {
showError('Data could not be sent (server error or not responding).');
});
}

Expand Down
65 changes: 48 additions & 17 deletions lib/zerobin.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,13 @@ class zerobin
*/
const VERSION = 'Alpha 0.19';

/**
* show the same error message if the paste expired or does not exist
*
* @const string
*/
const GENERIC_ERROR = 'Paste does not exist, has expired or has been deleted.';

/**
* configuration array
*
Expand Down Expand Up @@ -99,7 +106,11 @@ public function __construct()
// delete an existing paste
elseif (!empty($_GET['deletetoken']) && !empty($_GET['pasteid']))
{
$this->_delete($_GET['pasteid'], $_GET['deletetoken']);
$result = $this->_delete($_GET['pasteid'], $_GET['deletetoken']);
if (strlen($result)) {
echo $result;
return;
}
}
// display an existing paste
elseif (!empty($_SERVER['QUERY_STRING']))
Expand Down Expand Up @@ -355,35 +366,64 @@ private function _create($data)
* @access private
* @param string $dataid
* @param string $deletetoken
* @return void
* @return string
*/
private function _delete($dataid, $deletetoken)
{
// Is this a valid paste identifier?
if (!filter::is_valid_paste_id($dataid))
{
$this->_error = 'Invalid paste ID.';
return;
return '';
}

// Check that paste exists.
if (!$this->_model()->exists($dataid))
{
$this->_error = 'Paste does not exist, has expired or has been deleted.';
return;
$this->_error = self::GENERIC_ERROR;
return '';
}

// Get the paste itself.
$paste = $this->_model()->read($dataid);

// See if paste has expired.
if (
isset($paste->meta->expire_date) &&
$paste->meta->expire_date < time()
)
{
// Delete the paste
$this->_model()->delete($dataid);
$this->_error = self::GENERIC_ERROR;
}

if ($deletetoken == 'burnafterreading') {
header('Content-type: application/json');
if (
isset($paste->meta->burnafterreading) &&
$paste->meta->burnafterreading
)
{
// Delete the paste
$this->_model()->delete($dataid);
return $this->_return_message(0, 'Paste was properly deleted.');
}
return $this->_return_message(1, 'Paste is not of burn-after-reading type.');
}

// Make sure token is valid.
serversalt::setPath($this->_conf['traffic']['dir']);
if (!filter::slow_equals($deletetoken, hash_hmac('sha1', $dataid, serversalt::get())))
{
$this->_error = 'Wrong deletion token. Paste was not deleted.';
return;
return '';
}

// Paste exists and deletion token is valid: Delete the paste.
$this->_model()->delete($dataid);
$this->_status = 'Paste was properly deleted.';
return '';
}

/**
Expand All @@ -402,9 +442,6 @@ private function _read($dataid)
return;
}

// show the same error message if the paste expired or does not exist
$genericError = 'Paste does not exist, has expired or has been deleted.';

// Check that paste exists.
if ($this->_model()->exists($dataid))
{
Expand All @@ -419,7 +456,7 @@ private function _read($dataid)
{
// Delete the paste
$this->_model()->delete($dataid);
$this->_error = $genericError;
$this->_error = self::GENERIC_ERROR;
}
// If no error, return the paste.
else
Expand All @@ -444,17 +481,11 @@ private function _read($dataid)
);
}
$this->_data = json_encode($messages);

// If the paste was meant to be read only once, delete it.
if (
property_exists($paste->meta, 'burnafterreading') &&
$paste->meta->burnafterreading
) $this->_model()->delete($dataid);
}
}
else
{
$this->_error = $genericError;
$this->_error = self::GENERIC_ERROR;
}
}

Expand Down
38 changes: 38 additions & 0 deletions tst/zerobin.php
Original file line number Diff line number Diff line change
Expand Up @@ -527,4 +527,42 @@ public function testDeleteInvalidToken()
);
$this->assertTrue($this->_model->exists(self::$pasteid), 'paste exists after failing to delete data');
}

/**
* @runInSeparateProcess
*/
public function testDeleteBurnAfterReading()
{
$this->reset();
$burnPaste = self::$paste;
$burnPaste['meta']['burnafterreading'] = true;
$this->_model->create(self::$pasteid, $burnPaste);
$this->assertTrue($this->_model->exists(self::$pasteid), 'paste exists before deleting data');
$_GET['pasteid'] = self::$pasteid;
$_GET['deletetoken'] = 'burnafterreading';
ob_start();
new zerobin;
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(0, $response['status'], 'outputs status');
$this->assertFalse($this->_model->exists(self::$pasteid), 'paste successfully deleted');
}

/**
* @runInSeparateProcess
*/
public function testDeleteInvalidBurnAfterReading()
{
$this->reset();
$this->_model->create(self::$pasteid, self::$paste);
$this->assertTrue($this->_model->exists(self::$pasteid), 'paste exists before deleting data');
$_GET['pasteid'] = self::$pasteid;
$_GET['deletetoken'] = 'burnafterreading';
ob_start();
new zerobin;
$content = ob_get_contents();
$response = json_decode($content, true);
$this->assertEquals(1, $response['status'], 'outputs status');
$this->assertTrue($this->_model->exists(self::$pasteid), 'paste successfully deleted');
}
}

0 comments on commit 802a0b2

Please sign in to comment.