Privatebin: Change link URLS

Created on 18 Nov 2016  路  6Comments  路  Source: PrivateBin/PrivateBin

Hello,

I would like to know if it's actually possible to change generated links URLs, for example :

pastebin url : http://server.com/paste
link url : http://server.com/paste/links/fnfhhafaififijafjiazjifajf

The aim is prevent some users to have access to link generation using htaccess and apache configuration.

Thank You !

question

All 6 comments

You can set up a second URL that uses the same database as long as both run on the same server or use the same database backend. Using the database would then also allow you to set up different users for both URLs so that only one can write to the database. But the link generation would not be automatic and it sounds like a quite complex setup.

As per the API docs I would rather suggest that you use a single URL, but set up a webserver configuration that restricts anonymous access to your index.php (the only entry point for both storing and retrieving pastes) to GET requests only, as the paste creation involves a PUT or POST request.

This will also prevent paste deletion with the link or the "burn after reading" pastes. The latter might be allowed if you can set up a rule not restricting access for POST requests that include the GET parameter "deletetoken=burnafterreading".

Possibly these instructions in the Apache doc might help you do that.

Thank You for your advices elrido. I tried not restricting access for POST requests that include the GET parameter "deletetoken=burnafterreading" (in htaccess).

This is not working :

SetEnvIf QUERY_STRING "deletetoken=burnafterreading" burn

AuthType Basic
AuthName "My Protected Area"
AuthUserFile /path/to/htpasswd/file

<Limit PUT POST>
        Allow from env=burn
        Require valid-user
</Limit>

The only value i'm able to catch in the header is the Content-Length, it's not a very good trick, but it's working :

SetEnvIf Content-Length 28 burn

AuthType Basic
AuthName "My Protected Area"
AuthUserFile /path/to/htpasswd/file

<Limit PUT POST>
        Allow from env=burn
        Require valid-user
</Limit>

I'm not really familiar with all these things. I Think i can't catch the content of the query itself because it's not visible in the URL.

We found a workaround based on IP filtering, using nginx :

If the remote adress is not our public IP and if the requested url is smaller than 2 caracters, the user is redirected to another page
(this avoid access to URLs like http://privatebin.domain.com/ and http://privatebin.domain.com/?)

If the remote adress is not our public IP and if the requested url contain "//", the user is redirected to another page
(this avoid access to URLs like http://privatebin.domain.com// or http://privatebin.domain.com///////)

So the external user can only see shared links and cannot submit links himself

set $tmp 0;

if ($remote_addr !~ "<OUR IP>"){
    set $tmp 10;
}

if ($request_uri ~ "^.{0,2}$"){
    set $tmp "${tmp}1";
}

if ($request_uri ~ .*//.*){
    set $tmp "${tmp}2";
}

if ($tmp ~ (101|102|1012)) {
    return 301 <SOME WEBSITE>;
}

Not sure it's the best practices, and match all cases but this did the trick.

Has anyone done this with a htaccess file?

Apache >= 2.4
auth only for POST method

enable module mod_allowmethods

vhost.conf (Location / or /whatever)

<Location /privatebin>
    Require method GET OPTIONS
    Require valid-user
</Location>

.htaccess

AuthUserFile /path_to/.htpasswd
AuthName "POST PASS"
AuthType Basic
Was this page helpful?
0 / 5 - 0 ratings