Closed pgrungi closed 2 years ago
Thank you for reaching out. I'm very happy to hear that you enjoy using FlashPaper!
You are correct about newline and other control characters being counted against the input length limit. I ran a small test here to show the character count of the file you provided, vs one that I generated with no control characters:
$ wc -c flashpaper-test-input-long.txt
298998 flashpaper-test-input-long.txt
$ for i in {1..10240}; do printf "x" >> no_control_chars.txt; done
$ wc -c no_control_chars.txt
10240 no_control_chars.txt
As you can see in this example, the file you attached in your post has 298,998 characters in it. The max_secret_length
setting is a resource limitation so that visitors can not exhaust your server resources by making a gigantic secret POST. Knowing that, removing control characters (like newlines, spaces, tabs, etc) from the character count would defeat the intended purpose of that setting.
In regards to the error_secret_too_long
variable not being used: Good catch! I opened #63 to get that corrected.
I just re-read your post again and realize that I missed the point you were making in your second item. Let me take a look into that and see why the client-side input validation and the strlen()
function are behaving differently.
Awesome. Thank you!
First, I wanted to say thanks - this is a great little project. Being able to encrypt a message both via a simple web page and via a simple curl command is very handy.
I recently changed my
max_secret_length
in/settings.php
to 10240. When I went to test it by pasting a giant blob of text into FlashPaper, I noticed a couple things:strlen
comparison in line 70 of/index.php
?if ( strlen($_POST['secret']) > $settings['max_secret_length'] ) { throw new exception("Input length too long"); }
error_secret_too_long
in/settings.php
, it doesn't seem to be referenced anywhere, e.g. in the exception message above.In case it matters, the server environment is: FlashPaper release 2.0.0 PHP 7.4.28 Apache 2.4.6 Red Hat Enterprise Linux 7.9 on x86_64
The client environment for the test above was: Windows 10 on x86_64 Chrome 102.0.5005.115 and Firefox Nightly 103.0a1 ... so maybe some Windows line ending or UTF character encoding shenanigans are at play?
flashpaper-test-input-long.txt