incrementing version

Fix arbitrary PHP file inclusion when enabling template switching

CHANGELOG.md

@@ -1,5 +1,10 @@
 # PrivateBin version history
 
+## 2.0.3 (not yet released)
+* FIXED: Prevent arbitrary PHP file inclusion when enabling template switching
+* FIXED: Malicious filename can be used for self-XSS / HTML injection locally for users
+* FIXED: Unable to create a new paste from the cloned one when a JSON file attached (#1585)
+
 ## 2.0.2 (2025-10-28)
 * CHANGED: Upgrading libraries to: DOMpurify 3.3.0
 * CHANGED: Refactored jQuery DOM element creation into plain JavaScript
@@ -42,7 +47,7 @@
 * FIXED: Page template scripts loading order (#1579)
 
 ## 1.7.7 (2025-06-28)
-* ADDED: Switching templates using the web ui (#1501)
+* ADDED: Switching templates using the web UI (#1501)
 * ADDED: Show file name and size on download page (#603)
 * CHANGED: Passing large data structures by reference to reduce memory consumption (#858)
 * CHANGED: Removed use of ctype functions and polyfill library for ctype

Makefile

@@ -1,7 +1,7 @@
 .PHONY: all coverage coverage-js coverage-php doc doc-js doc-php increment sign test test-js test-php help
 
-CURRENT_VERSION = 2.0.2
-VERSION ?= 2.0.2
+CURRENT_VERSION = 2.0.3
+VERSION ?= 2.0.3
 VERSION_FILES = README.md SECURITY.md doc/Installation.md js/package.json lib/Controller.php Makefile
 REGEX_CURRENT_VERSION := $(shell echo $(CURRENT_VERSION) | sed "s/\./\\\./g")
 REGEX_VERSION := $(shell echo $(VERSION) | sed "s/\./\\\./g")

README.md

@@ -1,6 +1,6 @@
 # [![PrivateBin](https://cdn.rawgit.com/PrivateBin/assets/master/images/preview/logoSmall.png)](https://privatebin.info/)
 
-*Current version: 2.0.2*
+*Current version: 2.0.3*
 
 **PrivateBin** is a minimalist, open source online
 [pastebin](https://en.wikipedia.org/wiki/Pastebin)

SECURITY.md

@@ -4,8 +4,8 @@
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 2.0.2   | :heavy_check_mark: |
-| < 2.0.2 | :x:                |
+| 2.0.3   | :heavy_check_mark: |
+| < 2.0.3 | :x:                |
 
 ## Reporting a Vulnerability
 

cfg/conf.sample.php

@@ -280,7 +280,7 @@ dir = PATH "data"
 ;   "urlshortener" needs to point to the base URL of your PrivateBin
 ;   instance with "?shortenviashlink&link=" appended. For example:
 ;   urlshortener = "${basepath}?shortenviashlink&link="
-;   This URL will in turn call YOURLS on the server side, using the URL from
+;   This URL will in turn call Shlink on the server side, using the URL from
 ;   "apiurl" and the API Key from the "apikey" parameters below.
 ; apiurl = "https://shlink.example.com/rest/v3/short-urls"
 ; apikey = "your_api_key"

doc/Installation.md

@@ -203,7 +203,7 @@ CREATE INDEX parent ON prefix_comment(pasteid);
 CREATE TABLE prefix_config (
     id CHAR(16) NOT NULL, value TEXT, PRIMARY KEY (id)
 );
-INSERT INTO prefix_config VALUES('VERSION', '2.0.2');
+INSERT INTO prefix_config VALUES('VERSION', '2.0.3');
 ```
 
 In **PostgreSQL**, the `data`, `attachment`, `nickname` and `vizhash` columns

i18n/fi.json

@@ -210,13 +210,13 @@
     "Encrypted note on %s": "Salattu viesti %sissä",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Vieraile tässä linkissä nähdäksesi viestin. URL:n antaminen kenellekään antaa heidänkin päästä katsomaan viestiä.",
     "URL shortener may expose your decrypt key in URL.": "URL-lyhentäjä voi paljastaa purkuavaimesi URL:ssä.",
-    "URL shortener is enabled by default.": "URL shortener is enabled by default.",
+    "URL shortener is enabled by default.": "URL-lyhennys on oletuksena käytössä.",
     "Save document": "Tallenna asiakirja",
     "Your IP is not authorized to create documents.": "IP:llesi ei ole annettu oikeutta luoda pasteja.",
     "Trying to shorten a URL that isn't pointing at our instance.": "Yritetään lyhentää URL-osoite, joka ei osoita meidän instanssiiin.",
     "Proxy error: Proxy URL is empty. This can be a configuration issue, like wrong or missing config keys.": "Virhe kutsuttaessa YOURLS. Luultavasti asetusongelma kuten väärä tai puuttuuva \"apiurl\" tai \"signature\".",
     "Proxy error: Error parsing proxy response. This can be a configuration issue, like wrong or missing config keys.": "Virhe jäsennettäessä YOURLS-vastausta.",
-    "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.": "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.",
+    "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.": "Välityspalvelinvirhe: Virheellinen vastaus. Tämä voi olla asetusongelma, kuten väärä tai puuttuva asetus, tai väliaikainen katkos.",
     "This secret message can only be displayed once. Would you like to see it now?": "Tämä salainen viesti voidaan näyttää vain kerran. Haluatko nähdä sen nyt?",
     "Yes, see it": "Kyllä, näet sen",
     "Dark Mode": "Tumma tila",
@@ -229,7 +229,7 @@
     "Link copied to clipboard": "Linkki kopioitu leikepöydälle",
     "Document text": "Liitä teksti",
     "Tabulator key serves as character (Hit <kbd>Ctrl</kbd>+<kbd>m</kbd> or <kbd>Esc</kbd> to toggle)": "Tabulaattori toimii merkkinä (Paina <kbd>Ctrl</kbd>+<kbd>m</kbd> tai <kbd>Esc</kbd> vaihtaaksesi)",
-    "Show password": "Show password",
-    "Hide password": "Hide password",
+    "Show password": "Näytä salasana",
+    "Hide password": "Piilota salasana",
     "Theme": "Teema"
 }

i18n/hu.json

@@ -1,10 +1,10 @@
 {
     "PrivateBin": "PrivateBin",
-    "%s is a minimalist, open source online pastebin where the server has zero knowledge of stored data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "A %s egy minimalista, nyílt forráskódú adattároló szoftver, ahol a szerver semmilyen információt nem tárol a feltett adatról. Azt ugyanis a %sböngésződ%s segítségével titkosítja és oldja fel 256 bit hosszú titkosítási kulcsú AES-t használva.",
+    "%s is a minimalist, open source online pastebin where the server has zero knowledge of stored data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "A %s minimalista, nyílt forráskódú adattároló szoftver, ahol a szerver semmilyen információt nem tárol a rábízott adatról. Azt ugyanis a %sböngésződ%s segítségével titkosítja és oldja fel 256 bit hosszú titkosítási kulcsú AES-t használva.",
     "More information on the <a href=\"https://privatebin.info/\">project page</a>.": "További információt a <a href=\"https://privatebin.info/\">projekt oldalán</a> találsz.",
     "Because ignorance is bliss": "A titok egyfajta hatalom.",
     "Document does not exist, has expired or has been deleted.": "A bejegyzés nem létezik, lejárt vagy törölve lett.",
-    "%s requires php %s or above to work. Sorry.": "Bocs, de a %s működéséhez %s vagy ezt meghaladó verziójú php-s környezet szükséges.",
+    "%s requires php %s or above to work. Sorry.": "Sajnáljuk, de a %s működéséhez %s vagy ezt meghaladó verziójú php-s környezet szükséges.",
     "%s requires configuration section [%s] to be present in configuration file.": "A %s megfelelő működéséhez a konfigurációs fájlban a [%s] résznek léteznie kell.",
     "Please wait %d seconds between each post.": [
         "Kérlek várj %d másodpercet két beküldés között.",
@@ -92,7 +92,7 @@
         "%d év"
     ],
     "Never": "Soha",
-    "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.": "Megjegyzés: ez egy teszt szolgáltatás, az adatok bármikor törlődhetnek. Ha visszaélsz vele, kiscicák bánhatják! :)",
+    "Note: This is a test service: Data may be deleted anytime. Kittens will die if you abuse this service.": "Megjegyzés: ezen szolgáltatás egy teszt, az adatok bármikor törlődhetnek. Ha visszaélsz vele, kiscicák bánhatják.",
     "This document will expire in %d seconds.": [
         "Ez a bejegyzés %d másodperc múlva megsemmisül.",
         "Ez a bejegyzés %d másodperc múlva megsemmisül.",
@@ -142,7 +142,7 @@
     "Anonymous": "Névtelen",
     "Avatar generated from IP address": "Avatar (az IP cím alapján generáljuk)",
     "Add comment": "Hozzászólok",
-    "Optional nickname…": "Becenév (már ha meg akarod adni)",
+    "Optional nickname…": "Becenév (amennyiben meg akarod adni)",
     "Post comment": "Beküld",
     "Sending comment…": "Beküldés alatt...",
     "Comment posted.": "A hozzászólás beküldve.",
@@ -154,7 +154,7 @@
     "Your document is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit <kbd>Ctrl</kbd>+<kbd>c</kbd> to copy)</span>": "A bejegyzésed a <a id=\"pasteurl\" href=\"%s\">%s</a> címen elérhető. <span id=\"copyhint\"> <kbd>Ctrl</kbd>+<kbd>c</kbd>-vel tudod vágólapra másolni.</span>",
     "Delete data": "Adat törlése",
     "Could not create document: %s": "Nem tudtuk létrehozni a bejegyzést: %s",
-    "Cannot decrypt document: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Nem tudjuk visszafejteni a bejegyzést: a dekódoláshoz szükséges kulcs hiányzik a címből. Talán URL rövidítőt használtál ami kivágta azt belőle?",
+    "Cannot decrypt document: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Nem tudjuk visszafejteni a bejegyzést: a dekódoláshoz szükséges kulcs hiányzik a címből. Talán URL rövidítőt használtál, amely azt kivágta belőle?",
     "B": "B",
     "kB": "kB",
     "MB": "MB",
@@ -190,13 +190,13 @@
     "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.": "Abban az esetben, ha ez az üzenet mindig látható lenne, látogass el a <a href=\"%s\">Gyakran Ismételt Kérdések szekcióba a megoldásához</a>.",
     "+++ no document text +++": "+++ nincs beillesztett szöveg +++",
     "Could not get document data: %s": "Az adat megszerzése nem sikerült: %s",
-    "QR code": "QR kód",
-    "This website is using an insecure HTTP connection! Please use it only for testing.": "Ez a weboldal nem biztonságos HTTP kapcsolatot használ! Emiatt csak teszt célokra ajánljuk.",
+    "QR code": "QR-kód",
+    "This website is using an insecure HTTP connection! Please use it only for testing.": "Ez a weboldal nem biztonságos (HTTP) kapcsolatot használ! Emiatt csak teszt céljára ajánljuk.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.": "További információ <a href=\"%s\">ebben a GyIK bejegyzésben</a> található (angolul).",
     "Your browser may require an HTTPS connection to support the WebCrypto API. Try <a href=\"%s\">switching to HTTPS</a>.": "A WebCrypto API használatához a böngésződ számára esetleg HTTPS kapcsolat szükséges. Ezért próbálj meg <a href=\"%s\">HTTPS-re váltani</a>.",
-    "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.": "A böngésződ nem támogatja a WebAssemblyt, ami a zlib tömörítéshez kell. Létre tudsz hozni tömörítetlen dokumentumokat, de tömörítetteket nem tudsz olvasni.",
-    "waiting on user to provide a password": "Várakozás a felhasználóra jelszó megadása okán",
-    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.": "Nem lehetett visszafejteni az adatot. Rossz jelszót ütöttél be? Ismételd meg a fent található gombbal.",
+    "Your browser doesn't support WebAssembly, used for zlib compression. You can create uncompressed documents, but can't read compressed ones.": "A böngésződ nem támogatja a WebAssemblyt, amely zlib-tömörítéshez szükséges. Létrehozhatsz tömörítetlen bejegyzést, de tömörítetteket nem tudsz elolvasni.",
+    "waiting on user to provide a password": "Várakozás jelszó megadására",
+    "Could not decrypt data. Did you enter a wrong password? Retry with the button at the top.": "Nem sikerült visszafejteni az adatot. Rossz jelszót ütöttél be? Ismételd meg a fentebbi gombbal.",
     "Retry": "Újrapróbálkozás",
     "Showing raw text…": "Nyers szöveg mutatása…",
     "Notice:": "Megjegyzés:",
@@ -209,27 +209,27 @@
     "Close": "Bezárás",
     "Encrypted note on %s": "Titkosított jegyzet a %s",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Látogasd meg ezt a hivatkozást a bejegyzés megtekintéséhez. Ha mások számára is megadod ezt a linket, azzal hozzáférnek ők is.",
-    "URL shortener may expose your decrypt key in URL.": "URL shortener may expose your decrypt key in URL.",
-    "URL shortener is enabled by default.": "URL shortener is enabled by default.",
-    "Save document": "Save document",
+    "URL shortener may expose your decrypt key in URL.": "Az URL-rövidítő kiszolgáltathatja dekódolókulcsod.",
+    "URL shortener is enabled by default.": "Az URL-rövidítő alapértelmezetten engedélyezett.",
+    "Save document": "Bejegyzés mentése",
     "Your IP is not authorized to create documents.": "Your IP is not authorized to create documents.",
     "Trying to shorten a URL that isn't pointing at our instance.": "Trying to shorten a URL that isn't pointing at our instance.",
     "Proxy error: Proxy URL is empty. This can be a configuration issue, like wrong or missing config keys.": "Proxy error: Proxy URL is empty. This can be a configuration issue, like wrong or missing config keys.",
     "Proxy error: Error parsing proxy response. This can be a configuration issue, like wrong or missing config keys.": "Proxy error: Error parsing proxy response. This can be a configuration issue, like wrong or missing config keys.",
     "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.": "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.",
-    "This secret message can only be displayed once. Would you like to see it now?": "This secret message can only be displayed once. Would you like to see it now?",
-    "Yes, see it": "Yes, see it",
+    "This secret message can only be displayed once. Would you like to see it now?": "Ez az üzenet csak egyszer jeleníthető meg. Szeretnéd megnézni?",
+    "Yes, see it": "Igen",
     "Dark Mode": "Sötét mód",
-    "Error compressing document, due to missing WebAssembly support.": "Error compressing document, due to missing WebAssembly support.",
+    "Error compressing document, due to missing WebAssembly support.": "WebAssembly-támogatás hiánya miatt nem tömöríthetjük a dokumentumot.",
     "Error decompressing document, your browser does not support WebAssembly. Please use another browser to view this document.": "Error decompressing document, your browser does not support WebAssembly. Please use another browser to view this document.",
-    "Start over": "Start over",
-    "Document copied to clipboard": "Document copied to clipboard",
-    "To copy document press on the copy button or use the clipboard shortcut <kbd>Ctrl</kbd>+<kbd>c</kbd>/<kbd>Cmd</kbd>+<kbd>c</kbd>": "To copy document press on the copy button or use the clipboard shortcut <kbd>Ctrl</kbd>+<kbd>c</kbd>/<kbd>Cmd</kbd>+<kbd>c</kbd>",
-    "Copy link": "Copy link",
-    "Link copied to clipboard": "Link copied to clipboard",
-    "Document text": "Document text",
-    "Tabulator key serves as character (Hit <kbd>Ctrl</kbd>+<kbd>m</kbd> or <kbd>Esc</kbd> to toggle)": "Tabulator key serves as character (Hit <kbd>Ctrl</kbd>+<kbd>m</kbd> or <kbd>Esc</kbd> to toggle)",
-    "Show password": "Show password",
-    "Hide password": "Hide password",
-    "Theme": "Theme"
+    "Start over": "Újrakezdés",
+    "Document copied to clipboard": "Bejegyzés másolva",
+    "To copy document press on the copy button or use the clipboard shortcut <kbd>Ctrl</kbd>+<kbd>c</kbd>/<kbd>Cmd</kbd>+<kbd>c</kbd>": "Másoláshoz használd a <kbd>Ctrl</kbd>+<kbd>c</kbd>/<kbd>Cmd</kbd>+<kbd>c</kbd> billentyűkombinációt",
+    "Copy link": "Link másolása",
+    "Link copied to clipboard": "Link másolva",
+    "Document text": "Bejegyzés szövege",
+    "Tabulator key serves as character (Hit <kbd>Ctrl</kbd>+<kbd>m</kbd> or <kbd>Esc</kbd> to toggle)": "A tabulátor karakternek használható (nyomd le a <kbd>Ctrl</kbd>+<kbd>m</kbd> vagy az <kbd>Esc</kbd> to billentyűket ennek megszüntetéséhez).",
+    "Show password": "Jelszó megjelenítése",
+    "Hide password": "Jelszó elrejtése",
+    "Theme": "Téma"
 }

i18n/lt.json

@@ -3,7 +3,7 @@
     "%s is a minimalist, open source online pastebin where the server has zero knowledge of stored data. Data is encrypted/decrypted %sin the browser%s using 256 bits AES.": "%s yra minimalistinis, atvirojo kodo internetinis įdėjimų dėklas, kurį naudojant, serveris nieko nenutuokia apie įdėtus duomenis. Duomenys yra šifruojami/iššifruojami %snaršyklėje%s naudojant 256 bitų AES.",
     "More information on the <a href=\"https://privatebin.info/\">project page</a>.": "Daugiau informacijos rasite <a href=\"https://privatebin.info/\">projekto puslapyje</a>.",
     "Because ignorance is bliss": "Nes nežinojimas yra palaima",
-    "Document does not exist, has expired or has been deleted.": "Įdėjimo nėra, jis nebegalioja arba buvo ištrintas.",
+    "Document does not exist, has expired or has been deleted.": "Dokumento nėra, jis nebegalioja arba buvo ištrintas.",
     "%s requires php %s or above to work. Sorry.": "%s savo darbui reikalauja php %s arba naujesnės versijos. Apgailestaujame.",
     "%s requires configuration section [%s] to be present in configuration file.": "%s reikalauja, kad konfigūracijos faile būtų [%s] konfigūracijos sekcija.",
     "Please wait %d seconds between each post.": [
@@ -14,15 +14,15 @@
         "Tarp kiekvieno įrašo palaukite %d sekundžių.",
         "Tarp kiekvieno įrašo palaukite %d sekundžių."
     ],
-    "Document is limited to %s of encrypted data.": "Įdėjimas yra apribotas iki %s šifruotų duomenų.",
+    "Document is limited to %s of encrypted data.": "Dokumentas yra apribotas iki %s šifruotų duomenų.",
     "Invalid data.": "Neteisingi duomenys.",
     "You are unlucky. Try again.": "Jums nesiseka. Bandykite dar kartą.",
     "Error saving comment. Sorry.": "Klaida įrašant komentarą. Apgailestaujame.",
-    "Error saving document. Sorry.": "Klaida įrašant įdėjimą. Apgailestaujame.",
-    "Invalid document ID.": "Neteisingas įdėjimo ID.",
-    "Document is not of burn-after-reading type.": "Įdėjimo tipas nėra „Perskaičius sudeginti“.",
-    "Wrong deletion token. Document was not deleted.": "Neteisingas ištrynimo prieigos raktas. Įdėjimas nebuvo ištrintas.",
-    "Document was properly deleted.": "Įdėjimas buvo tinkamai ištrintas.",
+    "Error saving document. Sorry.": "Klaida įrašant dokumentą. Apgailestaujame.",
+    "Invalid document ID.": "Neteisingas dokumento ID.",
+    "Document is not of burn-after-reading type.": "Dokumento tipas nėra „Perskaičius sudeginti“.",
+    "Wrong deletion token. Document was not deleted.": "Neteisingas ištrynimo prieigos raktas. Dokumentas nebuvo ištrintas.",
+    "Document was properly deleted.": "Dokumentas buvo tinkamai ištrintas.",
     "JavaScript is required for %s to work. Sorry for the inconvenience.": "%s darbui reikalinga JavaScript. Atsiprašome už nepatogumus.",
     "%s requires a modern browser to work.": "%s savo darbui reikalauja šiuolaikinės naršyklės.",
     "New": "Naujas",
@@ -133,9 +133,9 @@
         "Šis dokumentas nustos galioti po %d mėnesių.",
         "Šis dokumentas nustos galioti po %d mėnesių."
     ],
-    "Please enter the password for this document:": "Įveskite šio įdėjimo slaptažodį:",
+    "Please enter the password for this document:": "Įveskite šio dokumento slaptažodį:",
     "Could not decrypt data (Wrong key?)": "Nepavyko iššifruoti duomenų (Neteisingas raktas?)",
-    "Could not delete the document, it was not stored in burn after reading mode.": "Nepavyko ištrinti įdėjimo, jis nebuvo saugomas „Perskaičius sudeginti“ veiksenoje.",
+    "Could not delete the document, it was not stored in burn after reading mode.": "Nepavyko ištrinti dokumento, jis nebuvo saugomas „Perskaičius sudeginti“ veiksenoje.",
     "FOR YOUR EYES ONLY. Don't close this window, this message can't be displayed again.": "SKIRTA TIK JŪSŲ AKIMS. Neužverkite šio lango, šis pranešimas negalės būti rodomas dar kartą.",
     "Could not decrypt comment; Wrong key?": "Nepavyko iššifruoti komentaro; Neteisingas raktas?",
     "Reply": "Atsakyti",
@@ -150,11 +150,11 @@
     "unknown status": "nežinoma būsena",
     "server error or not responding": "serverio klaida arba jis neatsako",
     "Could not post comment: %s": "Nepavyko paskelbti komentaro: %s",
-    "Sending document…": "Siunčiamas įdėjimas…",
-    "Your document is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit <kbd>Ctrl</kbd>+<kbd>c</kbd> to copy)</span>": "Jūsų įdėjimas yra <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Paspauskite <kbd>Vald</kbd>+<kbd>c</kbd> norėdami nukopijuoti)</span>",
+    "Sending document…": "Siunčiamas dokumentas…",
+    "Your document is <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Hit <kbd>Ctrl</kbd>+<kbd>c</kbd> to copy)</span>": "Jūsų dokumentas yra <a id=\"pasteurl\" href=\"%s\">%s</a> <span id=\"copyhint\">(Paspauskite <kbd>Ctrl</kbd>+<kbd>c</kbd> norėdami nukopijuoti)</span>",
     "Delete data": "Ištrinti duomenis",
-    "Could not create document: %s": "Nepavyko sukurti įdėjimo: %s",
-    "Cannot decrypt document: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Nepavyksta iššifruoti įdėjimo: URL adrese trūksta iššifravimo rakto (Ar naudojote peradresavimo ar URL trumpinimo įrankį, kuris pašalina URL dalį?)",
+    "Could not create document: %s": "Nepavyko sukurti dokumento: %s",
+    "Cannot decrypt document: Decryption key missing in URL (Did you use a redirector or an URL shortener which strips part of the URL?)": "Nepavyksta iššifruoti dokumento: URL adrese trūksta iššifravimo rakto (Ar naudojote peradresavimo ar URL trumpinimo įrankį, kuris pašalina URL dalį?)",
     "B": "B",
     "kB": "kB",
     "MB": "MB",
@@ -170,7 +170,7 @@
     "Markdown": "„Markdown“",
     "Download attachment": "Atsisiųsti priedą",
     "Cloned: '%s'": "Dubliuota: „%s“",
-    "The cloned file '%s' was attached to this document.": "Dubliuotas failas „%s“ buvo pridėtas į šį įdėjimą.",
+    "The cloned file '%s' was attached to this document.": "Dubliuotas failas „%s“ buvo pridėtas į šį dokumentą.",
     "Attach a file": "Pridėti failą",
     "alternatively drag & drop a file or paste an image from the clipboard": "arba kitaip - tempkite failą arba įdėkite paveikslą iš iškarpinės",
     "File too large, to display a preview. Please download the attachment.": "Failas per didelis, kad būtų rodoma peržiūra. Atsisiųskite priedą.",
@@ -185,11 +185,11 @@
     "Decrypt": "Iššifruoti",
     "Enter password": "Įveskite slaptažodį",
     "Loading…": "Įkeliama…",
-    "Decrypting document…": "Iššifruojamas įdėjimas…",
-    "Preparing new document…": "Ruošiamas naujas įdėjimas…",
+    "Decrypting document…": "Iššifruojamas dokumentas…",
+    "Preparing new document…": "Ruošiamas naujas dokumentas…",
     "In case this message never disappears please have a look at <a href=\"%s\">this FAQ for information to troubleshoot</a>.": "Jeigu šis pranešimas niekada nedingsta, pasižiūrėkite <a href=\"%s\">šį DUK skyrių, kuriame yra informacija apie nesklandumų šalinimą</a>.",
-    "+++ no document text +++": "+++ nėra įdėjimo teksto +++",
-    "Could not get document data: %s": "Nepavyko gauti įdėjimo duomenų: %s",
+    "+++ no document text +++": "+++ nėra dokumento teksto +++",
+    "Could not get document data: %s": "Nepavyko gauti dokumento duomenų: %s",
     "QR code": "QR kodas",
     "This website is using an insecure HTTP connection! Please use it only for testing.": "Ši internetinė svetainė naudoja nesaugų HTTP ryšį! Naudokite ją tik bandymams.",
     "For more information <a href=\"%s\">see this FAQ entry</a>.": "Išsamesnei informacijai, <a href=\"%s\">žiūrėkite šį DUK įrašą</a>.",
@@ -210,26 +210,26 @@
     "Encrypted note on %s": "Šifruoti užrašai ties %s",
     "Visit this link to see the note. Giving the URL to anyone allows them to access the note, too.": "Norėdami matyti užrašus, aplankykite šį tinklalapį. Pasidalinus šiuo URL adresu su kitais žmonėmis, jiems taip pat bus leidžiama prieiga prie šių užrašų.",
     "URL shortener may expose your decrypt key in URL.": "URL trumpinimo įrankis gali atskleisti URL adrese jūsų iššifravimo raktą.",
-    "URL shortener is enabled by default.": "URL shortener is enabled by default.",
-    "Save document": "Įrašyti įdėjimą",
-    "Your IP is not authorized to create documents.": "Jūsų IP adresas neturi įgaliojimų kurti įdėjimų.",
+    "URL shortener is enabled by default.": "URL trumpinimo įrankis pagal numatymą įjungtas.",
+    "Save document": "Įrašyti dokumentą",
+    "Your IP is not authorized to create documents.": "Jūsų IP adresas neturi įgaliojimų kurti dokumentus.",
     "Trying to shorten a URL that isn't pointing at our instance.": "Bandoma sutrumpinti URL adresą, kuris nenurodo į mūsų egzempliorių.",
-    "Proxy error: Proxy URL is empty. This can be a configuration issue, like wrong or missing config keys.": "Klaida iškviečiant YOURLS. Tikriausiai, konfigūracijos klaida, pavyzdžiui, neteisingi „apiurl“ ar „signature“, arba jų nėra.",
-    "Proxy error: Error parsing proxy response. This can be a configuration issue, like wrong or missing config keys.": "Klaida nagrinėjant YOURLS atsaką.",
-    "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.": "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.",
+    "Proxy error: Proxy URL is empty. This can be a configuration issue, like wrong or missing config keys.": "Įgaliotojo serverio klaida: Įgaliotojo serverio URL yra tuščias. Tai gali būti konfigūracijos sukelta problema, pavyzdžiui, neteisingi arba trūkstami konfigūracijos raktai.",
+    "Proxy error: Error parsing proxy response. This can be a configuration issue, like wrong or missing config keys.": "Įgaliotojo serverio klaida: Klaida nagrinėjant įgaliotojo serverio atsaką. Tai gali būti konfigūracijos sukelta problema, pavyzdžiui, neteisingi arba trūkstami konfigūracijos raktai.",
+    "Proxy error: Bad response. This can be a configuration issue, like wrong or missing config keys or a temporary outage.": "Įgaliotojo serverio klaida: Blogas atsakas. Tai gali būti konfigūracijos sukelta problema, pavyzdžiui, neteisingi arba trūkstami konfigūracijos raktai, arba laikinas avarinis atjungimas.",
     "This secret message can only be displayed once. Would you like to see it now?": "Ši slapta žinutė gali būti parodyta tik vieną kartą. Ar norėtumėte ją dabar pamatyti?",
     "Yes, see it": "Taip, pamatyti",
     "Dark Mode": "Tamsi veiksena",
-    "Error compressing document, due to missing WebAssembly support.": "Klaida glaudinant įdėjimą, nes trūksta WebAssembly palaikymo.",
-    "Error decompressing document, your browser does not support WebAssembly. Please use another browser to view this document.": "Klaida išglaudinant įdėjimą, jūsų naršyklė nepalaiko WebAssembly. Norėdami peržiūrėti šį įdėjimą, naudokite kitą naršyklę.",
-    "Start over": "Start over",
-    "Document copied to clipboard": "Document copied to clipboard",
-    "To copy document press on the copy button or use the clipboard shortcut <kbd>Ctrl</kbd>+<kbd>c</kbd>/<kbd>Cmd</kbd>+<kbd>c</kbd>": "To copy document press on the copy button or use the clipboard shortcut <kbd>Ctrl</kbd>+<kbd>c</kbd>/<kbd>Cmd</kbd>+<kbd>c</kbd>",
-    "Copy link": "Copy link",
-    "Link copied to clipboard": "Link copied to clipboard",
-    "Document text": "Document text",
-    "Tabulator key serves as character (Hit <kbd>Ctrl</kbd>+<kbd>m</kbd> or <kbd>Esc</kbd> to toggle)": "Tabulator key serves as character (Hit <kbd>Ctrl</kbd>+<kbd>m</kbd> or <kbd>Esc</kbd> to toggle)",
-    "Show password": "Show password",
-    "Hide password": "Hide password",
-    "Theme": "Theme"
+    "Error compressing document, due to missing WebAssembly support.": "Klaida glaudinant dokumentą, nes trūksta „WebAssembly“ palaikymo.",
+    "Error decompressing document, your browser does not support WebAssembly. Please use another browser to view this document.": "Klaida išglaudinant dokumentą, jūsų naršyklė nepalaiko „WebAssembly“. Norėdami peržiūrėti šį dokumentą, naudokite kitą naršyklę.",
+    "Start over": "Pradėti iš naujo",
+    "Document copied to clipboard": "Dokumentas nukopijuotas į iškarpinę",
+    "To copy document press on the copy button or use the clipboard shortcut <kbd>Ctrl</kbd>+<kbd>c</kbd>/<kbd>Cmd</kbd>+<kbd>c</kbd>": "Norėdami nukopijuoti dokumentą paspauskite kopijavimo mygtuką arba naudokite iškarpinės sparčiuosius klavišus <kbd>Ctrl</kbd>+<kbd>c</kbd>/<kbd>Cmd</kbd>+<kbd>c</kbd>",
+    "Copy link": "Kopijuoti nuorodą",
+    "Link copied to clipboard": "Nuoroda nukopijuota į iškarpinę",
+    "Document text": "Dokumento tekstas",
+    "Tabulator key serves as character (Hit <kbd>Ctrl</kbd>+<kbd>m</kbd> or <kbd>Esc</kbd> to toggle)": "Tabuliatoriaus klavišas tarnauja kaip simbolis (Paspauskite <kbd>Ctrl</kbd>+<kbd>m</kbd> arba <kbd>Esc</kbd> norėdami perjungti)",
+    "Show password": "Rodyti slaptažodį",
+    "Hide password": "Slėpti slaptažodį",
+    "Theme": "Apipavidalinimas"
 }

js/package.json

@@ -1,6 +1,6 @@
 {
   "name": "privatebin",
-  "version": "2.0.2",
+  "version": "2.0.3",
   "description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of stored data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode (GCM).",
   "main": "privatebin.js",
   "directories": {

js/privatebin.js

@@ -3086,10 +3086,15 @@ jQuery.PrivateBin = (function($) {
          * @name AttachmentViewer.printDragAndDropFileNames
          * @private
          * @function
-         * @param {array} fileNames
+         * @param {string[]} fileNames
          */
         function printDragAndDropFileNames(fileNames) {
-            $dragAndDropFileNames.html(fileNames.join('<br>'));
+            $dragAndDropFileNames.empty();
+            fileNames.forEach(fileName => {
+                const name = document.createTextNode(fileName);
+                $dragAndDropFileNames[0].appendChild(name);
+                $dragAndDropFileNames[0].appendChild(document.createElement('br'));
+            });
         }
 
         /**
@@ -5214,22 +5219,23 @@ jQuery.PrivateBin = (function($) {
                 cipherMessage['attachment'] = attachments.map(attachment => attachment[0]);
                 cipherMessage['attachment_name'] = attachments.map(attachment => attachment[1]);
 
-                cipherMessage['attachment'] = await Promise.all(cipherMessage['attachment'].map(async (attachment) => {
+                cipherMessage['attachment'] = await Promise.all(cipherMessage['attachment'].map(async (attachment, i) => {
                     // we need to retrieve data from blob if browser already parsed it in memory
                     if (typeof attachment === 'string' && attachment.startsWith('blob:')) {
                         Alert.showStatus(
                             [
                                 'Retrieving cloned file \'%s\' from memory...',
-                                attachment[1]
+                                cipherMessage['attachment_name'][i]
                             ],
                             'copy'
                         );
                         try {
                             const blobData = await $.ajax({
                                 type: 'GET',
-                                url: `${attachment}`,
+                                url: attachment,
                                 processData: false,
                                 timeout: 10000,
+                                dataType: 'binary',
                                 xhrFields: {
                                     withCredentials: false,
                                     responseType: 'blob'

lib/Configuration.php

@@ -121,7 +121,7 @@ class Configuration
             'js/kjua-0.10.0.js'      => 'sha512-BYj4xggowR7QD150VLSTRlzH62YPfhpIM+b/1EUEr7RQpdWAGKulxWnOvjFx1FUlba4m6ihpNYuQab51H6XlYg==',
             'js/legacy.js'           => 'sha512-rGXYUpIqbFoHAgBXZ0UlJBdNAIMOC9EQ67MG0X46D5uRB8LvwzgKirbSQRGdYfk8I2jsUcm+tvHXYboUnC6DUg==',
             'js/prettify.js'         => 'sha512-puO0Ogy++IoA2Pb9IjSxV1n4+kQkKXYAEUtVzfZpQepyDPyXk8hokiYDS7ybMogYlyyEIwMLpZqVhCkARQWLMg==',
-            'js/privatebin.js'       => 'sha512-C9Mc6qgEHhaMKC+VzN7Hp8C77HVm8cD5N/AMlP6qkaYj/QLZ0HdtYfOMWrXNn9i83MbqkRD//DnM7bHHEixzIg==',
+            'js/privatebin.js'       => 'sha512-ZwoUDxBdEE+zNoGqr9o7X7CJYS4JStEeNvcOnhz69YVbXjiibNoYSY7i3vc6MLI3M/K1K6sIUmSFm8sjoUdF5Q==',
             'js/purify-3.3.0.js'     => 'sha512-lsHD5zxs4lu/NDzaaibe27Vd2t7Cy9JQ3qDHUvDfb4oZvKoWDNEhwUY+4bT3R68cGgpgCYp8U1x2ifeVxqurdQ==',
             'js/showdown-2.1.0.js'   => 'sha512-WYXZgkTR0u/Y9SVIA4nTTOih0kXMEd8RRV6MLFdL6YU8ymhR528NLlYQt1nlJQbYz4EW+ZsS0fx1awhiQJme1Q==',
             'js/zlib-1.3.1-1.js'     => 'sha512-5bU9IIP4PgBrOKLZvGWJD4kgfQrkTz8Z3Iqeu058mbQzW3mCumOU6M3UVbVZU9rrVoVwaW4cZK8U8h5xjF88eQ==',

lib/Controller.php

@@ -30,7 +30,7 @@ class Controller
      *
      * @const string
      */
-    const VERSION = '2.0.2';
+    const VERSION = '2.0.3';
 
     /**
      * minimal required PHP version
@@ -216,13 +216,17 @@ class Controller
     {
         $templates = $this->_conf->getKey('availabletemplates');
         $template  = $this->_conf->getKey('template');
+        if (!in_array($template, $templates, true)) {
+            $templates[] = $template;
+        }
         TemplateSwitcher::setAvailableTemplates($templates);
         TemplateSwitcher::setTemplateFallback($template);
 
-        // force default template, if template selection is disabled and a default is set
-        if (!$this->_conf->getKey('templateselection') && !empty($template)) {
-            $_COOKIE['template'] = $template;
-            setcookie('template', $template, array('SameSite' => 'Lax', 'Secure' => true));
+        // force default template, if template selection is disabled
+        if (!$this->_conf->getKey('templateselection') && array_key_exists('template', $_COOKIE)) {
+            unset($_COOKIE['template']); // ensure value is not re-used in template switcher
+            $expiredInAllTimezones = time() - 86400;
+            setcookie('template', '', array('expires' => $expiredInAllTimezones, 'SameSite' => 'Lax', 'Secure' => true));
         }
     }
 

lib/TemplateSwitcher.php

@@ -59,16 +59,13 @@ class TemplateSwitcher
     {
         if (self::isTemplateAvailable($template)) {
             self::$_templateFallback = $template;
-
-            if (!in_array($template, self::getAvailableTemplates())) {
-                // Add custom template to the available templates list
-                self::$_availableTemplates[] = $template;
-            }
+        } else {
+            error_log('failed to set "' . $template . '" as a fallback, it needs to be added to the list of `availabletemplates` in the configuration file');
         }
     }
 
     /**
-     * get currently loaded template
+     * get user selected template or fallback
      *
      * @access public
      * @static
@@ -76,8 +73,13 @@ class TemplateSwitcher
      */
     public static function getTemplate(): string
     {
-        $selectedTemplate = self::getSelectedByUserTemplate();
-        return $selectedTemplate ?? self::$_templateFallback;
+        if (array_key_exists('template', $_COOKIE)) {
+            $template = basename($_COOKIE['template']);
+            if (self::isTemplateAvailable($template)) {
+                return $template;
+            }
+        }
+        return self::$_templateFallback;
     }
 
     /**
@@ -101,32 +103,10 @@ class TemplateSwitcher
      */
     public static function isTemplateAvailable(string $template): bool
     {
-        $available = in_array($template, self::getAvailableTemplates());
-
-        if (!$available && !View::isBootstrapTemplate($template)) {
-            $path      = View::getTemplateFilePath($template);
-            $available = file_exists($path);
+        if (in_array($template, self::getAvailableTemplates(), true)) {
+            return true;
         }
-
-        return $available;
-    }
-
-    /**
-     * get the template selected by user
-     *
-     * @access private
-     * @static
-     * @return string|null
-     */
-    private static function getSelectedByUserTemplate(): ?string
-    {
-        $selectedTemplate    = null;
-        $templateCookieValue = $_COOKIE['template'] ?? '';
-
-        if (self::isTemplateAvailable($templateCookieValue)) {
-            $selectedTemplate = $templateCookieValue;
-        }
-
-        return $selectedTemplate;
+        error_log('template "' . $template . '" is not in the list of `availabletemplates` in the configuration file');
+        return false;
     }
 }

lib/View.php

@@ -49,39 +49,19 @@ class View
      */
     public function draw($template)
     {
-        $path = self::getTemplateFilePath($template);
-        if (!file_exists($path)) {
-            throw new Exception('Template ' . $template . ' not found!', 80);
+        $dir  = PATH . 'tpl' . DIRECTORY_SEPARATOR;
+        $file = substr($template, 0, 10) === 'bootstrap-' ? 'bootstrap' : $template;
+        $path = $dir . $file . '.php';
+        if (!is_file($path)) {
+            throw new Exception('Template ' . $template . ' not found in file ' . $path . '!', 80);
+        }
+        if (!in_array($path, glob($dir . '*.php', GLOB_NOSORT | GLOB_ERR), true)) {
+            throw new Exception('Template ' . $file . '.php not found in ' . $dir . '!', 81);
         }
         extract($this->_variables);
         include $path;
     }
 
-    /**
-     * Get template file path
-     *
-     * @access public
-     * @param  string $template
-     * @return string
-     */
-    public static function getTemplateFilePath(string $template): string
-    {
-        $file = self::isBootstrapTemplate($template) ? 'bootstrap' : $template;
-        return PATH . 'tpl' . DIRECTORY_SEPARATOR . $file . '.php';
-    }
-
-    /**
-     * Is the template a variation of the bootstrap template
-     *
-     * @access public
-     * @param  string $template
-     * @return bool
-     */
-    public static function isBootstrapTemplate(string $template): bool
-    {
-        return substr($template, 0, 10) === 'bootstrap-';
-    }
-
     /**
      * echo script tag incl. SRI hash for given script file
      *

tst/Bootstrap.php

@@ -6,7 +6,9 @@ use Google\Cloud\Storage\Bucket;
 use Google\Cloud\Storage\Connection\ConnectionInterface;
 use Google\Cloud\Storage\StorageClient;
 use Google\Cloud\Storage\StorageObject;
+use PrivateBin\Configuration;
 use PrivateBin\Persistence\ServerSalt;
+use PrivateBin\TemplateSwitcher;
 
 error_reporting(E_ALL | E_STRICT);
 
@@ -26,6 +28,7 @@ if (!defined('CONF_SAMPLE')) {
 
 require PATH . 'vendor/autoload.php';
 Helper::updateSubresourceIntegrity();
+TemplateSwitcher::setAvailableTemplates(Configuration::getDefaults()['main']['availabletemplates']);
 
 /**
  * Class Helper provides unit tests pastes and comments of various formats

tst/TemplateSwitcherTest.php

@@ -41,6 +41,7 @@ class TemplateSwitcherTest extends TestCase
         $defaultTemplateFallback = 'bootstrap5';
         $customTemplate          = 'bootstrap-dark';
         $customWrongTemplate     = 'bootstrap-wrong';
+        $escapeTemplateDirectory = '../index';
 
         TemplateSwitcher::setTemplateFallback($defaultTemplateFallback);
 
@@ -49,6 +50,9 @@ class TemplateSwitcherTest extends TestCase
 
         $_COOKIE['template'] = $customTemplate;
         $this->assertEquals($customTemplate, TemplateSwitcher::getTemplate(), 'Custom template');
+
+        $_COOKIE['template'] = $escapeTemplateDirectory;
+        $this->assertEquals($defaultTemplateFallback, TemplateSwitcher::getTemplate(), 'Fallback on escaping template directory');
     }
 
     public function testGetAvailableTemplates()

tst/ViewTest.php

@@ -142,19 +142,11 @@ class ViewTest extends TestCase
         $test->draw('123456789 does not exist!');
     }
 
-    public function testTemplateFilePath()
+    public function testInvalidTemplate()
     {
-        $template     = 'bootstrap';
-        $templatePath = PATH . 'tpl' . DIRECTORY_SEPARATOR . $template . '.php';
-        $path         = View::getTemplateFilePath($template);
-        $this->assertEquals($templatePath, $path, 'Template file path');
-    }
-
-    public function testIsBootstrapTemplate()
-    {
-        $bootstrapTemplate    = 'bootstrap-dark';
-        $nonBootstrapTemplate = 'bootstrap5';
-        $this->assertTrue(View::isBootstrapTemplate($bootstrapTemplate), 'Is bootstrap template');
-        $this->assertFalse(View::isBootstrapTemplate($nonBootstrapTemplate), 'Is not bootstrap template');
+        $test = new View;
+        $this->expectException(Exception::class);
+        $this->expectExceptionCode(81);
+        $test->draw('../index');
     }
 }