Merge pull request #75 from cese/master

sebsauvage · sebsauvage · commit 8cae64d6eab9 · 2014-02-06T22:58:23.000+01:00
Fix security issue (arbitrary file unlink)
diff --git a/index.php b/index.php
@@ -321,6 +321,10 @@ function processPasteDelete($pasteid,$deletetoken)
             return array('','Paste does not exist, has expired or has been deleted.','');
         }
     }
+    else
+    {
+        return array('','Invalid data','');
+    }
 
     if (!slow_equals($deletetoken, hash_hmac('sha1', $pasteid , getServerSalt()))) // Make sure token is valid.
     {

Original file line number	Diff line number	Diff line change
`@@ -321,6 +321,10 @@ function processPasteDelete($pasteid,$deletetoken)`
`321`	`321`	`return array('','Paste does not exist, has expired or has been deleted.','');`
`322`	`322`	`}`
`323`	`323`	`}`
	`324`	`+ else`
	`325`	`+ {`
	`326`	`+ return array('','Invalid data','');`
	`327`	`+ }`
`324`	`328`
`325`	`329`	`if (!slow_equals($deletetoken, hash_hmac('sha1', $pasteid , getServerSalt()))) // Make sure token is valid.`
`326`	`330`	`{`