search

ptpb / pb

pb is a formerly-lightweight pastebin and url shortener
Other
549 stars 52 forks source link

Behaviour when re-creating a paste after sunset #217

Closed kwaaak closed 6 years ago

kwaaak commented 6 years ago
  1. Create a paste with a specified sunset time
  2. This time passes and the paste is deleted
  3. Exactly the same thing is pasted again, resulting in the same link
  4. Paste is not accessible because it stays deleted

The paste should probably be re-created with the new sunset time

buhman commented 6 years ago

I agree, the current behavior is borderline invalid.

Fixed in https://github.com/ptpb/pb/pull/218; also updates tests to measure this new behavior.

buhman commented 6 years ago

Minimum reproduction of the new behavior looks something like this:

# curl -F c=@- http://localhost:10002/ -F sunset=1 <<< asdf12342 
date: 2018-05-22T05:37:02.248643+00:00
digest: 5831a13b9427a65bab12f9688923da4e27d2e722
long: AFgxoTuUJ6ZbqxL5aIkj2k4n0uci
short: 0uci
size: 10
status: created
sunset: 2018-05-22T05:37:03.246537+00:00
url: http://localhost:10002/0uci
uuid: 448b9d54-d090-4c3b-bbcf-ead94c060833
# sleep 1                                                        
# curl -F c=@- http://localhost:10002/ -F sunset=1 <<< asdf12342
date: 2018-05-22T05:37:08.337401+00:00
digest: 5831a13b9427a65bab12f9688923da4e27d2e722
long: AFgxoTuUJ6ZbqxL5aIkj2k4n0uci
short: 0uci
size: 10
status: created
sunset: 2018-05-22T05:37:09.335082+00:00
url: http://localhost:10002/0uci
uuid: 53d4c5f1-c4cf-4cb6-8fba-8bcbdb1b427f
# curl -F c=@- http://localhost:10002/ -F sunset=10 <<< asdf12342
date: 2018-05-22T05:37:15.188436+00:00
digest: 5831a13b9427a65bab12f9688923da4e27d2e722
long: AFgxoTuUJ6ZbqxL5aIkj2k4n0uci
short: 0uci
size: 10
status: created
sunset: 2018-05-22T05:37:25.183167+00:00
url: http://localhost:10002/0uci
uuid: 0a74fba4-c61e-434b-bd2e-17d63d035068
# sleep 1                                                        
# curl -F c=@- http://localhost:10002/ -F sunset=10 <<< asdf12342
status: label already exists.

This also replaces the previous concept of an expired response with what will now be a not found response.

buhman commented 6 years ago

deployed.

buhman commented 6 years ago

The old behavior was:

# curl -F c=@- https://ptpb.pw/ -F sunset=1 <<< asdf123423
date: 2018-05-22T06:11:11.417000+00:00
digest: 777d0146c2b6a114a425c42200b368c385808f3f
long: AHd9AUbCtqEUpCXEIgCzaMOFgI8_
short: gI8_
size: 11
status: already exists
sunset: 2018-05-22T06:11:12.409000+00:00
url: https://ptpb.pw/gI8_
# sleep 1
# curl -F c=@- https://ptpb.pw/ -F sunset=1 <<< asdf123423
date: 2018-05-22T06:11:11.417000+00:00
digest: 777d0146c2b6a114a425c42200b368c385808f3f
long: AHd9AUbCtqEUpCXEIgCzaMOFgI8_
short: gI8_
size: 11
status: already exists
sunset: 2018-05-22T06:11:12.409000+00:00
url: https://ptpb.pw/gI8_

In this particular example, 2018-05-22T06:11:11.417000+00:00 had long passed, but POST did not evaluate this.

One might heavy-handedly classify this as a mild information leakage bug (paste should be deleted, but is instead reported as already existing), and I might agree, except that , you would have to know the paste content ahead of time, and as a result the only data you wouldn't possibly already know is the creation date.

BurhanDanger commented 5 years ago

@HalosGhost I'm facing this issue in pbpst. any fix ?

HalosGhost commented 5 years ago

Please open an issue on the pbpst issue tracker so I can make sure it stays on my to-do list! I will try to take a look at it this weekend.

buhman commented 5 years ago

I'm facing this issue in pbpst

In what way?

The issue described here should be totally nonexistent now.

BurhanDanger commented 5 years ago

@buhman, my bad. Check issue posted in pbpst