PrivateBin

A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted and decrypted in the browser using 256-bit AES.


PrivateBin - Release v1.7.4 - Prevent bypassing YOURLS proxy URL filter

Published by github-actions[bot] 3 months ago

  • CHANGED: Saving markdown pastes uses .md extension instead of .txt (#1293)
  • CHANGED: Enable strict type checking in PHP (#1350)
  • CHANGED: Various tweaks of the bootstrap5 template, suggested by the community
  • FIXED: Reset password input field on creation of new paste (#1194)
  • FIXED: Allow database schema upgrade to skip versions (#1343)
  • FIXED: bootstrap5 dark mode toggle unset on dark browser preference (#1340)
  • FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs

This release addresses an issue with the YOURLS proxy's filter, which allowed shortening URLs other than those of the configured PrivateBin instance. This issue only affects instances that use the YOURLS URL-shortener proxy. More details on this issue can be found in the security advisory.
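As an added illustration of the allow-list check such a proxy needs (example code written for this page, not PrivateBin's own filter; the instance base URL and the sample inputs are constructed), the following compares the parsed components of the requested URL against the configured instance URL instead of matching on string prefixes:

```python
from urllib.parse import urlsplit

# Hypothetical instance base URL. In a real deployment this comes from the
# server-side configuration, never from the request being filtered.
INSTANCE_BASE_URL = "https://paste.example.org/"


def is_self_url(candidate: str, base_url: str = INSTANCE_BASE_URL) -> bool:
    """Return True only if `candidate` points at this PrivateBin instance.

    Scheme, host, port and path prefix are compared on the parsed components.
    A plain `candidate.startswith(base_url)` or `base_url in candidate` test is
    not enough: the base URL may appear inside another URL's query string, and
    a lookalike host can share a prefix with the real one.
    """
    try:
        base = urlsplit(base_url)
        cand = urlsplit(candidate)
        base_port, cand_port = base.port, cand.port  # raises ValueError on a bad port
    except ValueError:
        return False

    # Only the instance's own scheme is acceptable (no http:// for an https:// instance).
    if cand.scheme.lower() != base.scheme.lower():
        return False
    # .hostname is lower-cased and has userinfo and port stripped by urlsplit;
    # refuse any userinfo outright, it has no business in a paste URL.
    if not cand.hostname or cand.hostname != (base.hostname or ""):
        return False
    if cand.username is not None or cand.password is not None:
        return False
    # Explicit non-default ports must match exactly (None == None for defaults).
    if cand_port != base_port:
        return False
    # The path must stay below the instance's base path, e.g. "/" or "/bin/".
    base_path = base.path if base.path.endswith("/") else base.path + "/"
    cand_path = cand.path or "/"
    return cand_path == base_path.rstrip("/") or cand_path.startswith(base_path)


# Constructed sample inputs: (url, should_be_accepted)
SAMPLES = [
    ("https://paste.example.org/?abc123#key", True),
    ("https://PASTE.example.org/index.php?abc123", True),          # host is case-insensitive
    ("http://paste.example.org/?abc123", False),                    # wrong scheme
    ("https://paste.example.org:8443/?abc123", False),              # wrong port
    ("https://paste.example.org.other.example/?abc123", False),     # lookalike host
    ("https://other.example/?u=https://paste.example.org/", False), # base URL only in the query
    ("https://paste.example.org@other.example/?abc123", False),     # userinfo in front of another host
    ("paste.example.org/?abc123", False),                           # no scheme at all
]


def mismatches(samples=SAMPLES):
    """Return the sample URLs whose classification differs from the expectation."""
    return [url for url, expected in samples if is_self_url(url) != expected]


if __name__ == "__main__":
    for url, expected in SAMPLES:
        print(f"{'accept' if is_self_url(url) else 'reject':6}  {url}")
    print("mismatches:", mismatches())
```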

PrivateBin - Release v1.7.3 - Fixing expiration selection

Published by github-actions[bot] 5 months ago

  • CHANGED: Various tweaks of the bootstrap5 template, suggested by the community
  • CHANGED: Upgrading libraries to: DOMpurify 3.1.3
  • FIXED: Selected expiration not being applied, when using bootstrap template (#1309)

PrivateBin - Release v1.7.2 - Adding new template and configuration options

Published by github-actions[bot] 6 months ago

  • ADDED: Allow use of shortenviayourls in query parameters (#1267)
  • ADDED: Input sanitization to some not yet filtered query and server parameters
  • ADDED: Optional Bootstrap CSS 5.3.3 based template, use configuration template = "bootstrap5" to switch to it (#728)
  • CHANGED: "Send" button now labeled "Create" (#946)
  • CHANGED: Drop some PHP < 5.6 fallbacks, minimum version is PHP 7.3 as of release 1.6.0
  • CHANGED: Set lang cookie with lax SameSite property
  • CHANGED: Upgrading libraries to: DOMpurify 3.1.2 (#1299) & jQuery 3.7.1
  • CHANGED: create attribute is no longer returned in API for pastes & can be disabled for comments using discussiondatedisplay as well (#1290)
  • FIXED: Add cache control headers also to API calls (#1263)
  • FIXED: Shortened paste URL does not appear in email (#606)

Note regarding the new "bootstrap5" template: if you want the button icons (SVG) to display, you have to relax the CSP rule slightly and change default-src from 'none' to 'self'. Configure it as follows:

template = "bootstrap5"
cspheader = "default-src 'self'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"

The new theme comes in only one flavour, but it includes a dark-mode switch and attempts to detect the browser's current preference.

We don't yet enable this new template by default. Please report any issues you find with it or submit pull requests with your improvements. Should no major issues get detected, we intend to make it the new default later this year and eventually deprecate and remove the old bootstrap 3 templates, as well as the page (classic ZeroBin) one. We would appreciate additional templates being submitted and shared with the community, so there is more variety to choose from.

PrivateBin - Release v1.7.1 - Fixes zlib 1.3.1 wasm file reference

Published by github-actions[bot] 8 months ago

  • FIXED: zlib 1.3.1 wasm file reference

PrivateBin - Release v1.7.0 - Ask for confirmation, before loading burn after reading pastes

Published by github-actions[bot] 8 months ago

  • ADDED: Translations for Romanian
  • ADDED: Detect and report on damaged pastes (#1218)
  • CHANGED: Ask for confirmation, before loading burn after reading pastes (#1237)
  • CHANGED: Focus on password input in modal dialog
  • CHANGED: Upgrading libraries to: DOMpurify 3.0.8 & zlib 1.3.1
  • FIXED: Support more types of valid URLs for shorteners, incl. IDN ones (#1224)
  • FIXED: Email timezone buttons overlapping in some languages (#1039)
  • FIXED: Changing language mangles URL (#1191)
  • FIXED: Needless reload when visiting default URL

PrivateBin - Release v1.6.2 - Fixing language selection & SRI mismatch

Published by github-actions[bot] 10 months ago

  • FIXED: English not selectable when languageselection enabled (#1208)
  • FIXED: SRI mismatch due to cached file having changed (#1207)

PrivateBin - Release v1.6.1 - Adding right-to-left writing support for Arabic & Hebrew

Published by github-actions[bot] 11 months ago

  • ADDED: Right-To-Left (RTL) support for Arabic & Hebrew (#1174)
  • CHANGED: Upgrading libraries to: DOMpurify 3.0.6

PrivateBin - Release v1.6.0 - Adding new translations and dropping support for PHP < 7.3

Published by elrido about 1 year ago

This release adds translations for Japanese & Arabic and increases the minimal required PHP version to 7.3.

In addition to the two new translations for the Japanese & Arabic languages, the Email-button is now a configurable option, but still enabled by default.

The minimum supported PHP version is now 7.3, due to having upgraded the PHP unit test framework, which no longer supports older PHP releases. This simplifies our development (we no longer need to maintain a parallel branch that ensured PHP 8 compatibility) and lets us drop a library that provided a cryptographically secure random function to PHP 5.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer container images, one using the nginx web server with php-fpm and one using the NGINX Unit application server, that include the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.5.2

  • ADDED: Translations for Japanese & Arabic
  • ADDED: Configuration option to disable Email button (#1164)
  • CHANGED: Minimum required PHP version is 7.3, due to upgrading PHPunit (#707)
  • CHANGED: Removed PHP 5 polyfill for random_bytes()

PrivateBin - Release v1.5.2 - S3 storage improvements & library updates

Published by elrido over 1 year ago

This release contains an improvement for the S3 storage & updates several libraries.

This patch release allows the AWS SDK to use default credential provider chain when using the S3 storage backend, exposes the used JSON-LD types in the API, addresses PHP 8.2 deprecation warnings and includes several updated libraries, including some security fixes.

When using the S3 storage backend, you can now pass the S3 credentials in ways other than the PrivateBin configuration file. If the credentials are not set in the configuration, the AWS SDK uses its default credential provider chain, which looks for credentials in a number of places automatically, including environment variables and instance roles. For details, see the SDK's documentation on the default credential provider chain.

The updated DOMpurify & jQuery libraries contain security fixes. While we are not aware of these being exploitable in PrivateBin, for example to bypass the DOMpurify filtering of user-provided paste contents and inject malicious code that is displayed to visitors, upgrading prevents them from becoming an issue.

Finally, the administration script introduced in the last release used a form of string interpolation that was deprecated in PHP 8.2, causing it to emit warning messages when run on that PHP version. It was the only area that needed changes for PHP 8.2; our container images have already been using PHP 8.2 for a few months without any issues.

Benefits of switching to the new release

We recommend upgrading all instances, due to the security fixes in the included DOMpurify & jQuery libraries.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer container images, one using the nginx web server with php-fpm and one using the NGINX Unit application server, that include the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.5.1

  • ADDED: Allow AWS SDK to use default credential provider chain for S3Storage (#1070)
  • CHANGED: Upgrading libraries to: DOMpurify 3.0.4 & jQuery 3.7.0
  • FIXED: Addressed PHP 8.2 deprecation warnings (#1092)
  • FIXED: Expose types JSON-LD incl. configured expiration dates (#1045)

Help wanted & greatly appreciated

Apart from the large tasks that require deeper insight and time, there are also smaller issues where help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.

What can we offer you in return for your help?

  • We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfills the community's quality standards, gets merged and makes it into a release.
  • Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.
  • PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming than larger projects.
  • We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.
  • You don't have to be proficient in multiple programming languages, there are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.
  • It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.

If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the discussion area or reach us via email.

Plans for future releases

The next minor release will focus on user interface improvements.

PrivateBin - Release v1.5.1 - Filesystem purge lookup change & administration script

Published by elrido almost 2 years ago

This release reverts a filesystem purge lookup change and adds a script for administrative tasks.

This patch release partially reverts a change to the filesystem backend's purge lookup, adds a script for administrative tasks, catches JSON errors when malformed pastes get uploaded and includes updated libraries for GCS and S3 backends.

Release 1.5.0 contained a simplification of the filesystem backend's purge logic, which could lead to very resource intensive purge cycles on instances with a large storage footprint. This release retains the glob pattern, but re-adds the limited and randomized lookup. The limit gives up searching after 10 times the purge batch size and the randomization prevents re-opening the same non-expired pastes over and over. Without these mechanisms, once all expired pastes have been purged, every further purge reads all pastes from disk without finding anything, which wastes time and resources.
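To make the cost argument concrete, here is a small simulation (added for this page, not PrivateBin's code; the paste listing, expiry values and batch size are constructed) of a naive purge that opens every paste versus the limited, randomized lookup described above:

```python
import random

NOW = 1_700_000_000  # constructed "current time" (Unix timestamp)

# Constructed storage listing: paste id -> expiry timestamp, 0 meaning "never
# expires". Every tenth paste is already expired. Not real PrivateBin data.
PASTES = {f"paste{i:03d}": (NOW - 1 if i % 10 == 0 else 0) for i in range(200)}


def is_expired(expires, now):
    return 0 < expires <= now


def purge_naive(pastes, now):
    """Open every paste and delete the expired ones.

    Returns (reads, deleted_ids). Once no expired pastes remain, every call still
    costs one read per stored paste, which is the problem described for 1.5.0.
    """
    reads, deleted = 0, []
    for pid, expires in list(pastes.items()):
        reads += 1
        if is_expired(expires, now):
            deleted.append(pid)
            del pastes[pid]
    return reads, deleted


def purge_limited(pastes, now, batch_size, limit_factor=10, seed=None):
    """Limited, randomized lookup in the spirit of the 1.5.1 filesystem backend.

    Candidates are visited in random order so repeated cycles do not keep
    reopening the same unexpired pastes, and the search gives up after
    limit_factor * batch_size reads or once batch_size pastes were deleted.
    Returns (reads, deleted_ids).
    """
    rng = random.Random(seed)
    candidates = list(pastes)  # stands in for the glob over the storage directory
    rng.shuffle(candidates)
    limit = limit_factor * batch_size
    reads, deleted = 0, []
    for pid in candidates:
        if reads >= limit or len(deleted) >= batch_size:
            break
        reads += 1
        if is_expired(pastes[pid], now):
            deleted.append(pid)
            del pastes[pid]
    return reads, deleted


def steady_state_reads(n_pastes, batch_size):
    """Reads per purge cycle on an instance holding n_pastes live (unexpired) pastes.

    Returns (naive_reads, limited_reads): the naive purge scales with the storage
    footprint, the limited one is capped at 10 * batch_size.
    """
    live = {f"live{i:05d}": 0 for i in range(n_pastes)}
    naive_reads, _ = purge_naive(dict(live), NOW)
    limited_reads, _ = purge_limited(dict(live), NOW, batch_size, seed=0)
    return naive_reads, limited_reads


if __name__ == "__main__":
    store = dict(PASTES)
    print("naive:  ", purge_naive(store, NOW)[0], "reads")
    store = dict(PASTES)
    print("limited:", purge_limited(store, NOW, batch_size=10, seed=1)[0], "reads")
    print("steady state (5000 live pastes, batch 10):", steady_state_reads(5000, 10))
```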

PrivateBin now ships another script to help with administrative tasks. The new script, called administration, helps with deleting pastes, removing empty directories (when using the filesystem backend), purging all expired pastes at once and gathering statistics on an instance.

Deleting pastes is relatively easy to do manually with the filesystem and database backends, but more difficult on GCS or S3 storage. The new tool works the same, regardless of backend, letting server administrators delete pastes by ID.

When using the filesystem backend, the purge does not remove empty directories, as they can be reused by new pastes with IDs starting with the same first 2 bytes. These empty directories can now be removed, if desired.

The administration script can also run a full purge cycle. Instances can disable the automatic purge on paste/comment creation in their configuration and instead use a cron job to run full purges on a schedule. A full purge can also be run before a backup, to avoid archiving expired data.

Finally, the script can be used to gather and display statistical information. This includes the total number of pastes the instance hosts, as well as how many of these are expired, of the burn-after-reading type, include discussions and what formatting they use (plain text, source code or markdown).

The release includes smaller improvements to catch a JSON parsing exception when malformed pastes get uploaded to the API, and updates the suggested library versions for the GCS and S3 storage backends. We had received reports that the S3 library shipped with 1.5.0 emitted deprecation warnings on PHP 8.1.

Benefits of switching to the new release

We recommend upgrading 1.5.0 instances that use the (default) filesystem storage backend, as well as instances using S3 storage and PHP > 8.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.5.0

  • ADDED: script for administrative tasks: deleting pastes (#274), removing empty directories (#277), purging expired pastes (#276) & statistics (#319)
  • FIXED: Revert Filesystem purge to limited and randomized lookup (#1030)
  • FIXED: Catch JSON decode errors when invalid data gets sent to the API (#1030)
  • FIXED: Support sorting v1 format in mixed version comments in Filesystem backend (#1030)

Help wanted & greatly appreciated

Apart from the large tasks that require deeper insight and time, there are also smaller issues where help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.

If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools that should get you started. For any questions, you can also chat with the maintainers in the discussion area.

Plans for future releases

The next regular release will focus on user interface improvements.

This release adds an S3 storage backend, a storage migration script, and new translations.

This minor release adds support for Simple Storage Service (S3), a storage migration script, adds four new languages to the translations and includes updated libraries.

The new S3 storage backend can be used with Ceph, Amazon Web Services or other S3 providers. A migration script is also provided, which can migrate existing instances from one storage backend to another, including between two backends of the same type but with different configurations (i.e. from one directory to another or from one database to another).

The release includes several smaller improvements to the MariaDB and MySQL support. It reverts to CREATE INDEX without IF NOT EXISTS clauses (introduced in 1.4.0) which are not supported in MySQL. It also avoids requiring the SUPER privilege for the sql_mode added in 1.4.0. Indexes now also make use of the table prefix, to support multiple instances sharing a single database.

Jdenticons were added as a fourth option for comment icons, in addition to identicons, vizhash and none. They have a different style and do not require the PHP GD module to be generated. They are larger in size than identicons, a bit smaller than vizhash and slower to generate than either.

If you use the YOURLS URL shortener with a signature and would like to keep that signature hidden, as of this release you can use a server-side integration via a proxy, which stores the signature only in the server configuration.

Benefits of switching to the new release

We recommend upgrading 1.4.x instances using the MariaDB backend, and any instance that wants to make use of the new features or translations.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.4.0

  • ADDED: script for data storage backend migrations (#1012)
  • ADDED: Translations for Turkish, Slovak, Greek and Thai
  • ADDED: S3 Storage backend (#994)
  • ADDED: Jdenticons as an option for comment icons (#793)
  • CHANGED: Avoid SUPER privilege for setting the sql_mode for MariaDB/MySQL (#919)
  • CHANGED: Upgrading libraries to: DOMpurify 2.4.6, jQuery 3.6.1, Showdown 2.1.0 & zlib 1.2.13
  • FIXED: Revert to CREATE INDEX without IF NOT EXISTS clauses, to support MySQL (#943)
  • FIXED: Apply table prefix to indexes as well, to support multiple instances sharing a single database (#943)
  • FIXED: YOURLS integration via new proxy, storing signature in configuration (#725)

Help wanted & greatly appreciated

Apart from the large tasks that require deeper insight and time, there are also smaller issues where help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.

If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools that should get you started. For any questions, you can also chat with the maintainers in the discussion area.

Plans for future releases

The next regular release will focus on user interface improvements.

This release improves the safety of the SVG attachment preview, adds Google Cloud Storage and Oracle database support, and new translations.

This minor release addresses a security issue with the SVG attachment preview, adds support for Google Cloud Storage (GCS) and Oracle databases, adds four new languages to the translations and includes updated libraries.

The storage system was reworked as part of the new Google Cloud Storage class. When not using the default file storage, the server salt and the purge and traffic limiter items are now stored in the selected storage backend. It is now possible to run PrivateBin with the database or GCS backend without any write access to the data directory; automatic migrations run the first time any of these items are accessed and found to still be present in the filesystem.

Benefits of switching to the new release

We recommend upgrading 1.3.x instances to get the fixes for the resolved security issues. At the very minimum, please update the CSP headers in your configuration file to our currently recommended settings. You can check the headers of your instance via our new instance check service.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.3.5

  • ADDED: Translations for Corsican, Estonian, Finnish and Lojban
  • ADDED: new HTTP headers improving security (#765)
  • ADDED: Download button for paste text (#774)
  • ADDED: Opt-out of federated learning of cohorts (FLoC) (#776)
  • ADDED: Configuration option to exempt IPs from the rate-limiter (#787)
  • ADDED: Google Cloud Storage backend support (#795)
  • ADDED: Oracle database support (#868)
  • ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
  • ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
  • ADDED: Sanitize SVG preview, preventing script execution in instance context
  • CHANGED: Language selection cookie only transmitted over HTTPS (#472)
  • CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21, Showdown 2.0.3 & zlib 1.2.12
  • CHANGED: Removed automatic .ini configuration file migration (#808)
  • CHANGED: Removed configurable dir for traffic & purge limiters (#419)
  • CHANGED: Server salt, traffic and purge limiter now stored in the storage backend (#419)
  • CHANGED: Drop support for attachment download in IE
  • FIXED: Error when attachments are disabled, but paste with attachment gets displayed

Help wanted & greatly appreciated

Apart from the large tasks that require deeper insight and time, there are also smaller issues where help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.

If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools that should get you started.

Plans for future releases

The next regular release will focus on user interface improvements.

PrivateBin - Release v1.3.5 - Fixing several smaller issues, adding new translations

Published by elrido over 3 years ago

This bug fix release addresses a number of smaller issues and regressions, adds four new translations and includes updated libraries. Links in pastes now open in a new browser tab or window by default. The project information text and link are now a configuration option.

Benefits of switching to the new release

We recommend upgrading 1.3.x instances to address these issues.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

If you have enabled the fileupload setting and use a custom cspheader, please consider adding allow-downloads to the sandbox property. This lets users of Google Chrome version 83 or higher download attachments; inline display of images, media or PDF files was not affected by this change in Chrome's sandbox behaviour.

Changes since version 1.3.4

  • ADDED: Translation for Hebrew, Lithuanian, Indonesian and Catalan
  • ADDED: Make the project info configurable (#681)
  • CHANGED: Upgrading libraries to: DOMpurify 2.2.7, kjua 0.9.0 & random_compat 2.0.18
  • CHANGED: Open all links in new window (#630)
  • FIXED: PDF display in Firefox (#630)
  • FIXED: Allow pasting into password input dialog (#630)
  • FIXED: Display of expiration date in email (#630)
  • FIXED: Allow display of durations in weeks (#630)
  • FIXED: Avoid exposing burn-after-reading messages from cache (#630)
  • FIXED: Only display the dropzone when it should (#630)
  • FIXED: Detect delete token properly (#630)
  • FIXED: Sanitize output from Helper.urls2links() (#630)
  • FIXED: Avoid recreation of existing pasteurl element when calling URL shortener (#630)
  • FIXED: Downloads in Chrome >= 83 (#634)
  • FIXED: Display of empty files (#663)
  • FIXED: Improve OpenGraph attributes (#651)
  • FIXED: Reset to configured burn-after-reading, discussion and expiration settings (#682)
  • FIXED: Italic segment of project information (#756)

More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.5 release announcements.

This bug fix release resolves further HTML entity encoding issues, the use of custom expiration options in the email function and pasting into the password dialog on pastes with attachments, and also updates the identicon library to 2.0.0, which increases the minimum required PHP version to 5.6.

Benefits of switching to the new release

We recommend upgrading 1.3.x instances to address these issues.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.3.3

  • CHANGED: Minimum required PHP version is 5.6, due to a change in the identicon library and to use PHP's native hash_equals()
  • CHANGED: Upgrading libraries to: identicon 2.0.0
  • FIXED: Support custom expiration options in email function (#586)
  • FIXED: Regression with encoding of HTML entities (#588)
  • FIXED: Unable to paste password on paste with attachment (#565 & #595)

More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.4 release announcements.

PrivateBin - Release v1.3.3 - Fixing HTML entity double encoding issues introduced in 1.3.2

Published by elrido over 4 years ago

This release fixes HTML entity double encoding issues introduced in version 1.3.2 of PrivateBin.

In our efforts in releases 1.3.2 and 1.2.2 to prevent unencoded strings from causing XSS issues down the line, some strings had their HTML entities encoded twice. This caused display glitches and also prevented URLs in paste texts from being converted into links.

This bug fix release resolves these encoding issues, expands the XSS protection to the server side templating, adds some missing translation strings for the mailing feature (in 1.3.3 only) and updates the DOMpurify library to 2.0.8.
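The failure mode described above, shown as an added example (written in Python for this page; it is not PrivateBin's client code, and the sample paste text is constructed): the rendering pipeline escapes once and then converts URLs to links, while a second escaping pass both turns the anchor markup into visible text and doubles the ampersands. The last function is a cheap regression check for rendered output.

```python
import html
import re

# Matches http(s) URLs in text that was already HTML-escaped once. Such text
# contains no raw '<', '>' or '"', so stopping at whitespace is enough for this
# demonstration (a production linkifier would also stop at trailing entities).
URL_RE = re.compile(r"https?://[^\s]+")


def escape_once(text: str) -> str:
    """Escape &, <, >, " and ' exactly once. This is the only place entity
    encoding should happen on the way from paste text to the DOM."""
    return html.escape(text, quote=True)


def urls_to_links(escaped_text: str) -> str:
    """Wrap URLs in anchors. Must run on text that is escaped exactly once:
    a '&' in a query string then reads '&amp;', which is the correct form
    inside an attribute value and inside element text."""
    return URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', escaped_text)


def render(paste_text: str) -> str:
    """Correct pipeline: escape once, then linkify, then hand the HTML to the DOM."""
    return urls_to_links(escape_once(paste_text))


def render_double_encoded(paste_text: str) -> str:
    """Regression pattern: a second escaping pass after linkifying. The anchor's
    own markup becomes visible text and '&amp;' becomes '&amp;amp;'."""
    return escape_once(urls_to_links(escape_once(paste_text)))


# An entity whose leading ampersand was escaped a second time.
DOUBLE_ENCODED_RE = re.compile(r"&amp;(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);")


def has_double_encoding(rendered_html: str) -> bool:
    """Detect the symptom in rendered output, usable as a regression test."""
    return DOUBLE_ENCODED_RE.search(rendered_html) is not None


# Constructed paste text containing a URL with a query string and some markup.
SAMPLE = "see https://example.org/?a=1&b=2 and <b>not bold</b>"

if __name__ == "__main__":
    print("correct:       ", render(SAMPLE))
    print("double encoded:", render_double_encoded(SAMPLE))
    print("regression check flags the second one:", has_double_encoding(render_double_encoded(SAMPLE)))
```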

Benefits of switching to the new release

We recommend upgrading 1.3, 1.3.1, 1.3.2, 1.2, 1.2.1 and 1.2.2 instances to address these issues.

We do offer a backport of these fixes for the 1.2.x versions of PrivateBin. You may choose to use version 1.2.3 over 1.3.3, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.3.2

  • CHANGED: Upgrading libraries to: DOMpurify 2.0.8
  • CHANGED: Several translations got updated with missing messages
  • CHANGED: Introduce HTML entity encoding on server side (#581)
  • FIXED: HTML entity double encoding issues introduced in 1.3.2 (#560)

More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.3 & 1.2.3 release announcements.

PrivateBin - Release v1.2.3 - Fixing HTML entity double encoding issues introduced in 1.2.2

Published by elrido over 4 years ago

This release fixes HTML entity double encoding issues introduced in version 1.2.2 of PrivateBin.

In our efforts in releases 1.3.2 and 1.2.2 to prevent unencoded strings from causing XSS issues down the line, some strings had their HTML entities encoded twice. This caused display glitches and also prevented URLs in paste texts from being converted into links.

This bug fix release resolves these encoding issues, expands the XSS protection to the server side templating and updates the DOMpurify library to 2.0.8.

Benefits of switching to the new release

We recommend upgrading 1.2, 1.2.1 and 1.2.2 instances to address these issues.

We do offer a backport of these fixes for the 1.2.x versions of PrivateBin. You may choose to use version 1.2.3 over 1.3.3, if you do need to support legacy browsers with incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.2.2

  • CHANGED: Upgrading libraries to: DOMpurify 2.0.8
  • CHANGED: Introduce HTML entity encoding on server side (#581)
  • FIXED: HTML entity double encoding issues introduced in 1.3.2 (#560)

More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.3 & 1.2.3 release announcements.

This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.

On 25th of December 2019, an issue was discovered and fixed, which allowed the user provided attachment file name to inject HTML under certain conditions, leading to a persistent Cross-site scripting (XSS) vulnerability. This release includes an improved solution, which addresses the issue on a broader scope, avoiding this to reoccur in other areas of the code in the future.

Further details on this issue and its implications can be found in our report on the vulnerability. It also describes methods to check whether your browser is currently affected by the issue. If it is, please consider updating your browser.

Benefits of switching to the new release

We recommend upgrading 1.3, 1.3.1, 1.2 and 1.2.1 instances to address this issue, even if the instance doesn't have fileuploads enabled and uses the recommended CSP header to mitigate XSS attacks.

Due to the seriousness of the issue, we also offer a backport of the fix for the 1.2.1 version of PrivateBin, which also includes updated JavaScript libraries. You may choose that version over 1.3.2 if you need to support legacy browsers with an incomplete or missing Webcrypto API, like IE, non-Chromium based Edge or some ESR releases.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.3.1

  • ADDED: Translation for Ukrainian (#533)
  • ADDED: Option to send a mail with the link, when creating a paste (#398)
  • ADDED: Add support for CONFIG_PATH environment variable (#552)
  • CHANGED: Upgrading libraries to: base-x 3.0.7, DOMpurify 2.0.7 & Showdown 1.9.1
  • FIXED: HTML injection via unescaped attachment filename (#554)
  • FIXED: Password disabling option (#527)

More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.2 & 1.2.2 release announcements.

This release fixes a persistent XSS vulnerability in filenames of attached files in PrivateBin.

On 25th of December 2019, an issue was discovered and fixed, which allowed the user provided attachment file name to inject HTML under certain conditions, leading to a persistent Cross-site scripting (XSS) vulnerability. This release includes an improved solution, which addresses the issue on a broader scope, avoiding this to reoccur in other areas of the code in the future.

Further details on this issue and its implications can be found in our report on the vulnerability. It also describes methods to check whether your browser is currently affected by the issue. If it is, please consider updating your browser.

Benefits of switching to the new release

We recommend upgrading 1.3, 1.3.1, 1.2 and 1.2.1 instances to address this issue, even if the instance doesn't have file uploads enabled and uses the recommended CSP header to mitigate XSS attacks.

Due to the seriousness of the issue, we do offer a backport of the fix for the 1.2.1 version of PrivateBin, which also includes updated JavaScript libraries. You may choose to use that version over 1.3.2 if you need to support legacy browsers with an incomplete or missing WebCrypto API, like IE, non-Chromium based Edge or some ESR releases.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

Changes since version 1.2.1

  • CHANGED: Upgrading libraries to: bootstrap 3.4.1, DOMpurify 2.0.7, jQuery 3.4.1, kjua 0.6.0, Showdown 1.9.1 & SJCL 1.0.8
  • FIXED: HTML injection via unescaped attachment filename (#554)

More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.2 & 1.2.2 release announcements.

PrivateBin - Release v1.3.1 - Improve error messages for unsupported browsers

Published by elrido about 5 years ago

This release improves the display of appropriate errors for unsupported browsers/configurations.

Since the release of version 1.3 only two months ago, we received reports of a surprising number of corner cases with certain browser versions and protocols in which the new release didn't work while 1.2.1 still did. The release addresses most of these, or at least aims to provide a meaningful error message with hints on what the user may do to avoid them (switching to HTTPS, using a different browser or accepting limited functionality).

We have also been provided with a Bulgarian translation and several improvements to the bootstrap template, cloning pastes and the drag & drop file upload. The URL shortener now also supports JSON APIs and the default size limit was increased to 10 MiB.

Before the 1.3 release we had tested mainly in Firefox and Chrome, but none of the core developers had easy access to Windows based browsers (Edge, IE) or Mac (Safari). We also missed that Chrome disables the WebCrypto API, used in 1.3 to replace the SJCL cryptographic library, when the site is accessed via HTTP. It didn't do this in our local testing environments, as Chrome considers localhost a secure context even when it is not accessed via HTTPS. Other quirks discovered were issues when accessing PrivateBin via the Tor and I2P networks. The Tor Browser disables WebAssembly due to security concerns, which prevented these clients from creating or reading pastes.

To facilitate testing of such quirks and to have access to more browser versions, we applied for a sponsored BrowserStack account. This helped us improve the browser feature detection. In particular, the following cases are now covered:

  • When a modern browser has WebAssembly disabled (e.g. for security reasons), it displays a warning but can still create and read uncompressed pastes, just not open compressed ones.
  • Browsers lacking the WebCrypto API on an HTTP site are advised to switch to HTTPS (requires support by the server).
  • Browsers lacking WebCrypto API, async or ES6 support get an error requesting to switch to a modern browser.
  • Internet Explorer remains unsupported, but now gets an appropriate error requesting to switch to a modern browser.

Benefits of switching to the new release

We recommend upgrading 1.3 instances to improve support for Chrome and to give older browsers more appropriate error messages.

Update procedure

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root.

The default size limit was increased from 2 to 10 MiB. If you didn't configure a custom size, you may have to adjust your PHP and web server settings to be able to use the new limit to its full extent.

If you use the MySQL database backend and don't allow the PrivateBin database user to ALTER TABLE, you have to manually change one column's type and UPDATE the database version (replace "prefix_" with your own table prefix, if used):

ALTER TABLE prefix_paste MODIFY COLUMN data MEDIUMBLOB;
UPDATE prefix_config SET value = "1.3.1" WHERE id = "VERSION";

PostgreSQL and SQLite don't require this change.

Changes since version 1.3

  • ADDED: Translation for Bulgarian (#455)
  • CHANGED: Improved mobile UI - obscured send button and hard to click shortener button (#477)
  • CHANGED: Enhanced URL shortener integration (#479)
  • CHANGED: Improved file upload drag & drop UI (#317)
  • CHANGED: Increased default size limit from 2 to 10 MiB, switch data from BLOB to MEDIUMBLOB in MySQL (#458)
  • CHANGED: Upgrading libraries to: DOMpurify 2.0.1
  • FIXED: Enabling browsers without WASM to create pastes and read uncompressed ones (#454)
  • FIXED: Cloning related issues (#489, #491, #493, #494)
  • FIXED: Enable file operation only when editing (#497)
  • FIXED: Clicking 'New' on a previously submitted paste does not blank address bar (#354)
  • FIXED: Clear address bar when create new paste from existing paste (#479)
  • FIXED: Discussion section not hiding when new/clone paste is clicked on (#484)
  • FIXED: Showdown.js error when posting svg qrcode (#485)
  • FIXED: Failed to handle the case where user cancelled attachment selection properly (#487)
  • FIXED: Displaying the appropriate errors in older browsers (#508)

More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3.1 release announcements.

This release switches the used encryption and compression libraries and addresses several problems with mangled URLs and pastes.

We fixed several issues in this release. We now tell Chrome not to send the whole page, including the decrypted text, to its translation service. Thanks to the use of blob instead of data URIs, Chrome can now deal with attachments larger than 2 MiB. The raw text mode escapes HTML correctly again (a regression introduced in 1.2). PrivateBin can now handle URLs mangled by Facebook.

A Czech translation has been added since the last release.

We threat-modeled the application in preparation for the changes to the API, JSON format and encryption.

The main change of this release was the switch from the SJCL and rawdeflate JavaScript libraries to the browser integrated WebCrypto API and the zlib C library (via WebAssembly), as well as various modernizations of our use of JavaScript. We still fully support reading older pastes and comments, but newly generated pastes use a different, more efficient and flexible format. Some of these changes led to us dropping support for Internet Explorer, and we suggest using Edge instead if no other modern browser is available (see Appendix A in the release announcements).

The change to the WebCrypto API means that the cryptographic functions are now handled by the browser's integrated libraries instead of code that has to be transferred from the web server to the client. While this can't prevent a malicious party from injecting logic to extract the key or decrypted contents, it does increase the trust users can have in the cryptographic functionality of PrivateBin, and it speeds up both the initial page load and the en-/decryption itself.

Over the years we encountered several cases where the deflate implementation used in the rawdeflate JavaScript library produced results that couldn't be decompressed by itself or by other deflate implementations. While the latter mainly affected third-party CLI clients, the former led to pastes that couldn't be read even by PrivateBin itself. We had initially planned to use the pako JavaScript library, but during implementation of the new format we found that the zlib C library, used in most other languages for deflate support, can be used in JavaScript as well via compilation into WebAssembly. This is a very stable library with no currently known bugs, and it even performs better than pako.

Server operators now have an additional configuration option that lets them disable compression. While compression before encryption drastically reduces the size of most text, source code and markdown pastes and of text comments, it slows down the creation of pastes unnecessarily and without gain when file upload is enabled and an instance is mostly used to share already compressed files (office documents, PNG or JPG images, etc.). Furthermore, some security-minded administrators may wish to disable compression to avoid the potential risk that shorter, compressed pastes make brute-forcing keys easier.

As usual we have also upgraded all used libraries to their latest releases. The identicon library now requires PHP 5.5, so this is the new minimum required PHP version.

Finally, the newly introduced JSON format and API were taken as an opportunity to implement some otherwise breaking changes, like the use of base58 instead of base64 for encoding the key in the URL hash, which addresses the Outlook mail client stripping trailing equal signs from URLs. The number of iterations in the PBKDF2 key derivation was increased from 10k to 100k to make brute-forcing the password of a paste more costly. The server now uses Fowler–Noll–Vo checksums instead of MD5 to generate unique paste IDs.

Benefits of switching to the new release

Due to some rather annoying bugs in the raw paste view and with URLs mangled by Facebook and Outlook, we recommend an upgrade for instances that are more widely used. While most users never encountered cases where pastes got mangled by the deflate compression, users who frequently upload office documents and certain source code or compiler outputs would trigger this rather reliably. There are also several improvements that increase the security of the encryption.

Update procedure

Two new configuration options, compression and httpwarning, were introduced.

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web server's document root. Note that the latest Docker containers use different user IDs than the older ones, so you will have to change the ownership of the attached data volume.

If you do have to use the new release on a PHP 5.4 environment, you can attempt to change the icon option to vizhash or none and decrease the MIN_PHP_VERSION in the lib/Controller.php file.

Changes since version 1.2.1

  • ADDED: Translation for Czech (#424)
  • ADDED: Threat modeled the application (#177)
  • ADDED: Made compression configurable (#38)
  • CHANGED: Minimum required PHP version is 5.5, due to a change in the identicon library
  • CHANGED: Minimum required browser versions are Firefox 54, Chrome 57, Opera 44, Safari 11, Edge 16, due to use of WebCrypto API, async/await, ES6 & WebAssembly features - all Internet Explorer versions are incompatible
  • CHANGED: JSON and encryption formats were changed to replace SJCL library by browser integrated WebCrypto API (#28, #74)
  • CHANGED: Replaced rawdeflate.js with zlib.wasm to resolve decompression failures and gain compatibility with standard deflate implementations (#193, #260, #328, #434, #440)
  • CHANGED: Increase PBKDF2 iterations to 100k (#350)
  • CHANGED: Replaced last use of MD5 with Fowler–Noll–Vo checksum which produces the exact length we need for the paste ID (#49)
  • CHANGED: Simplified some PHP code & renamed PrivateBin class into Controller, to make MVC pattern use more obvious (#342)
  • CHANGED: Upgrading libraries to: identicon 1.2.0, random_compat 2.0.18, jQuery 3.4.1, Showdown 1.9.0, DOMpurify 1.0.11 & kjua 0.6.0
  • FIXED: Prevent Chrome from sending content of paste to Google for translation (#378)
  • FIXED: To support attachments larger than 2 MiB in newer Chrome versions, we switched to blob instead of data URIs (#432)
  • FIXED: Since Outlook strips trailing equal signs in links, the key in URL hash is now base58 encoded, instead of base64 (#377)
  • FIXED: Facebook started injecting tracking parameters into shared URLs, which led to inaccessible pastes (#396)
  • FIXED: Properly escaped HTML in raw text mode (#358)
  • FIXED: Made download links better readable in the dark bootstrap theme (#364)
  • FIXED: Allow Letsencrypt bot to access on apache servers (#413)

More details about the plans for future releases and on how you can help the project achieve them, can be found in the PrivateBin version 1.3 release announcements.