diff --git a/conf/app.src b/conf/app.src index 5f9e014..a9d2c32 100644 --- a/conf/app.src +++ b/conf/app.src @@ -4,3 +4,4 @@ SOURCE_SUM_PRG=sha256sum SOURCE_FORMAT=tar.gz SOURCE_IN_SUBDIR=true SOURCE_FILENAME= +SOURCE_EXTRACT=true diff --git a/conf/nginx.conf b/conf/nginx.conf index af017c4..d9fdc4e 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -6,6 +6,9 @@ location __PATH__/ { index index.php; + # Common parameter to increase upload size limit in conjunction with dedicated php-fpm file + #client_max_body_size 50M; + try_files $uri $uri/ index.php; location ~ [^/]\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 37344f6..b4c2372 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -419,8 +419,8 @@ chdir = __FINALPATH__ ;php_admin_value[memory_limit] = 32M ; Common values to change to increase file upload limit -php_admin_value[upload_max_filesize] = 30M -php_admin_value[post_max_size] = 30M +php_admin_value[upload_max_filesize] = 50M +php_admin_value[post_max_size] = 50M ; php_admin_flag[mail.add_x_header] = Off ; Other common parameters diff --git a/doc/DESCRIPTION.md b/doc/DESCRIPTION.md index 050689a..4d0a7a2 100644 --- a/doc/DESCRIPTION.md +++ b/doc/DESCRIPTION.md @@ -1 +1,5 @@ Minimalist pastebin where the server has zero knowledge of pasted data + +Data is encrypted/decrypted in the browser using 256bit AES in Galois Counter mode. + +This is a fork of ZeroBin, originally developed by Sébastien Sauvage. It was refactored to allow easier and cleaner extensions and has now much more features than the original. It is however still fully compatible to the original ZeroBin 0.19 data storage scheme. Therefore such installations can be upgraded to this fork without loosing any data. diff --git a/doc/DESCRIPTION_fr.md b/doc/DESCRIPTION_fr.md index d9aa879..b7cbe6b 100644 --- a/doc/DESCRIPTION_fr.md +++ b/doc/DESCRIPTION_fr.md @@ -1 +1,5 @@ Pastebin minimaliste où le serveur n'a aucune connaissance des données copiées + +Les données sont chiffrées et déchiffrées dans le navigateur en utilisant la technologie AES 256bits en mode Galois Counter (GCM). + +Ce projet est un fork de ZeroBin, développé à l'origine par Sébastien Sauvage. Il a été ré-écrit pour accepter plus facilement des extensions en rajoutant plus de fonctionnalités. Il reste cependant compatible avec le schéma original de stockage des données Zerobin 0.19. Ainsi toutes les installations peuvent être mises à jour vers ce projet, sans perte de données. diff --git a/doc/DISCLAIMER.md b/doc/DISCLAIMER.md index 04dad56..239536a 100755 --- a/doc/DISCLAIMER.md +++ b/doc/DISCLAIMER.md @@ -1,10 +1,6 @@ ## Additional information -Data is encrypted/decrypted in the browser using 256bit AES in Galois Counter mode. - -This is a fork of ZeroBin, originally developed by Sébastien Sauvage. It was refactored to allow easier and cleaner extensions and has now much more features than the original. It is however still fully compatible to the original ZeroBin 0.19 data storage scheme. Therefore such installations can be upgraded to this fork without loosing any data. - -In the [update documentation](https://github.com/PrivateBin/PrivateBin/wiki/Configuration#zerobincompatibility) of ParsteBin, it is specified that: +In the [update documentation](https://github.com/PrivateBin/PrivateBin/wiki/Configuration#zerobincompatibility) of PrivateBin, it is specified that: For full compatibility with ZeroBin and to be able to decrypt old pastes, you would enable this option. However this is not recommend for new installations as it weakens the security of your PrivateBin instance. diff --git a/doc/DISCLAIMER_fr.md b/doc/DISCLAIMER_fr.md index 829bc77..230205f 100755 --- a/doc/DISCLAIMER_fr.md +++ b/doc/DISCLAIMER_fr.md @@ -1,9 +1,5 @@ ## Informations additionnelles -Les données sont chiffrées et déchiffrées dans le navigateur en utilisant la technologie AES 256bits en mode Galois Counter (GCM). - -Ce projet est un fork de ZeroBin, développé à l'origine par Sébastien Sauvage. Il a été ré-écrit pour accepter plus facilement des extensions en rajoutant plus de fonctionnalités. Il reste cependant compatible avec le schéma original de stockage des données Zerobin 0.19. Ainsi toutes les installations peuvent être mises à jour vers ce projet, sans perte de données. - Dans la [documentation de mise à jour](https://github.com/PrivateBin/PrivateBin/wiki/Configuration#zerobincompatibility) de PrivateBin, il est précisé que : Pour une compatibilité complète avec Zerobin et le déchiffrement de tous les vieux "paste", vous devriez activer cette option. Cependant, ce n'est pas recommandé pour les nouvelles installations car cela affaiblit la sécurité de votre instance PrivateBin. diff --git a/scripts/change_url b/scripts/change_url index e69e0b0..f7a7f11 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -24,14 +24,11 @@ app=$YNH_APP_INSTANCE_NAME #================================================= # LOAD SETTINGS #================================================= -ynh_script_progression --message="Loading installation settings..." +ynh_script_progression --message="Loading installation settings..." --weight=1 # Needed for helper "ynh_add_nginx_config" final_path=$(ynh_app_setting_get --app=$app --key=final_path) -# Add settings here as needed by your application -is_public=$(ynh_app_setting_get --app=$app --key=is_public) - #================================================= # BACKUP BEFORE CHANGE URL THEN ACTIVE TRAP #================================================= @@ -96,32 +93,12 @@ then ynh_store_file_checksum --file="/etc/nginx/conf.d/$new_domain.d/$app.conf" fi -#================================================= -# SPECIFIC MODIFICATIONS -#================================================= -# UPDATE SSOWAT -#================================================= -ynh_script_progression --message="Reconfiguring permissions..." - -if [ $is_public -eq 0 ] -then - # If the app is private, viewing images stays publicly accessible. - if [ "$new_path" == "/" ]; then - # If the path is /, clear it to prevent any error with the regex. - new_path="" - fi - # Modify the domain to be used in a regex - domain_regex=$(echo "$new_domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$new_path/$" - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$new_path/.*$" -fi - #================================================= # GENERIC FINALISATION #================================================= # RELOAD NGINX #================================================= -ynh_script_progression --message="Reloading NGINX web server..." +ynh_script_progression --message="Reloading NGINX web server..." --weight=1 ynh_systemd_action --service_name=nginx --action=reload diff --git a/scripts/install b/scripts/install index b59ec42..2dfdbd3 100644 --- a/scripts/install +++ b/scripts/install @@ -76,6 +76,7 @@ ynh_script_progression --message="Configuring PHP-FPM..." --weight=2 # Create a dedicated PHP-FPM config ynh_add_fpm_config +phpversion=$(ynh_app_setting_get --app=$app --key=phpversion) #================================================= # NGINX CONFIGURATION @@ -98,12 +99,6 @@ then # Everyone can access the app. # The "main" permission is automatically created before the install script. ynh_permission_update --permission="main" --add="visitors" -else - # If the app is private, viewing paste stays publicly accessible. - # Modify the domain to be used in a regex - domain_regex=$(echo "$domain" | sed 's@-@.@g') - ynh_app_setting_set --app=$app --key=protected_regex --value="$domain_regex$path_url/$" - ynh_app_setting_set --app=$app --key=unprotected_regex --value="$domain_regex$path_url/.*$" fi #================================================= diff --git a/scripts/restore b/scripts/restore index 43bfbed..bfa9784 100644 --- a/scripts/restore +++ b/scripts/restore @@ -54,19 +54,21 @@ ynh_script_progression --message="Restoring the app main directory..." --weight= ynh_restore_file --origin_path="$final_path" -chown -R $app:root $final_path/{data,tmp} +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" #================================================= # RESTORE THE PHP-FPM CONFIGURATION #================================================= -ynh_script_progression --message="Restoring the PHP-FPM configuration..." +ynh_script_progression --message="Restoring the PHP-FPM configuration..." --weight=1 ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf" #================================================= # RESTORE THE NGINX CONFIGURATION #================================================= -ynh_script_progression --message="Restoring the NGINX web server configuration..." +ynh_script_progression --message="Restoring the NGINX web server configuration..." --weight=1 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" diff --git a/scripts/upgrade b/scripts/upgrade index 6689f6b..7036b61 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -31,12 +31,12 @@ upgrade_type=$(ynh_check_app_version_changed) #================================================= # BACKUP BEFORE UPGRADE THEN ACTIVE TRAP #================================================= -ynh_script_progression --message="Backing up PrivateBin before upgrading (may take a while)..." --weight=3 +ynh_script_progression --message="Backing up the app before upgrading (may take a while)..." --weight=3 # Backup the current version of the app ynh_backup_before_upgrade ynh_clean_setup () { - # restore it if the upgrade fails + # Restore it if the upgrade fails ynh_restore_upgradebackup } # Exit if an error occurs during the execution of the script @@ -82,6 +82,10 @@ then ynh_setup_source --dest_dir="$final_path" fi +chmod 750 "$final_path" +chmod -R o-rwx "$final_path" +chown -R $app:www-data "$final_path" + #================================================= # PHP-FPM CONFIGURATION #================================================= @@ -98,21 +102,6 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." - # Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# SECURE FILES AND DIRECTORIES -#================================================= - -# Set permissions to app files -chown -R root: $final_path -# Files owned by user specific can just read -find $final_path -type f | xargs chmod 644 -find $final_path -type d | xargs chmod 755 - -# except for data and tmp subdir, where the user must have write permissions -mkdir -p $final_path/{data,tmp} -chown -R $app:root $final_path/{data,tmp} -chmod 700 $final_path/{data,tmp} - #================================================= # GENERIC FINALIZATION #=================================================