the1024club
/
the1024.club
mirror of https://github.com/the1024club/the1024.club.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fixed issues with base64 length limit.

This commit is contained in:
deepend 2025-09-16 10:05:07 -06:00
parent f8f07abc2c
commit 32fd5afc65
6 changed files with 312 additions and 243 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
composer.json
View File

@ -1,5 +1,6 @@
{ {
"require": { "require": {
"paragonie/sodium_compat": "^2.1" "paragonie/sodium_compat": "^2.1",
} "ext-curl": "*"
} }
}

521
index.php
View File

@ -1,237 +1,286 @@
<?php <?php
// Load dependencies // Load dependencies
require 'vendor/autoload.php'; require 'vendor/autoload.php';
use ParagonIE\Sodium\CryptoSign; use ParagonIE\Sodium\CryptoSign;
// Enable or disable debugging/logging // Enable or disable debugging/logging
$debug = isset($_GET['debug']) ? (bool)$_GET['debug'] : true; $debug = isset($_GET['debug']) ? (bool)$_GET['debug'] : true;
if ($debug) { if ($debug) {
error_reporting(E_ALL); error_reporting(E_ALL);
ini_set('display_errors', 1); ini_set('display_errors', 1);
} else { } else {
error_reporting(0); error_reporting(0);
ini_set('display_errors', 0); ini_set('display_errors', 0);
} }
// Database setup function // Database setup function
function initializeDatabase($db) { function initializeDatabase($db) {
$query = " $query = "
CREATE TABLE IF NOT EXISTS storage ( CREATE TABLE IF NOT EXISTS storage (
pubkey_hash CHAR(64) PRIMARY KEY, pubkey_hash CHAR(64) PRIMARY KEY,
data TEXT NOT NULL, data TEXT NOT NULL,
mime_type VARCHAR(50) NOT NULL, mime_type VARCHAR(50) NOT NULL,
public_key BLOB NOT NULL public_key BLOB NOT NULL
)"; )";
$db->exec($query); $db->exec($query);
// Check if the 'public_key' column already exists; if not, add it. // Check if the 'public_key' column already exists; if not, add it.
$columns = $db->query("PRAGMA table_info(storage)")->fetchAll(PDO::FETCH_ASSOC); $columns = $db->query("PRAGMA table_info(storage)")->fetchAll(PDO::FETCH_ASSOC);
$hasPublicKeyColumn = false; $hasPublicKeyColumn = false;
foreach ($columns as $column) { foreach ($columns as $column) {
if ($column['name'] === 'public_key') { if ($column['name'] === 'public_key') {
$hasPublicKeyColumn = true; $hasPublicKeyColumn = true;
break; break;
} }
} }
if (!$hasPublicKeyColumn) { if (!$hasPublicKeyColumn) {
$db->exec("ALTER TABLE storage ADD COLUMN public_key BLOB NOT NULL"); $db->exec("ALTER TABLE storage ADD COLUMN public_key BLOB NOT NULL");
} }
} }
// Initialize SQLite and auto-create the database and table if they don't exist // Initialize SQLite and auto-create the database and table if they don't exist
$db = new PDO('sqlite:/home/retrodig/1024clubdb/storage.db'); $db = new PDO('sqlite:/home/retrodig/1024clubdb/storage.db');
initializeDatabase($db); initializeDatabase($db);
// Helper function to respond with JSON // Helper function to respond with JSON
function respond($status, $message, $data = []) { function respond($status, $message, $data = []) {
http_response_code($status); http_response_code($status);
echo json_encode(['message' => $message, 'data' => $data]); echo json_encode(['message' => $message, 'data' => $data]);
exit; exit;
} }
// Enhance Base64 decoding to handle both raw and URL-safe inputs
function safeBase64Decode($input) {
// First, attempt a direct Base64 decode
$decoded = base64_decode($input, true); /**
if ($decoded !== false && strlen($decoded) === 32) { * Try to decode a Base64 or URL-safe Base64 string (or data: URI).
return $decoded; * Returns decoded bytes on success, or false on failure.
} */
function maybeDecodeBase64($input) {
// If the direct decode fails, attempt a URL-safe decode if ($input === null) return false;
$urlSafeInput = str_replace(['-', '_'], ['+', '/'], $input); $trim = preg_replace('/\s+/', '', $input);
return base64_decode($urlSafeInput, true); if (stripos($trim, 'data:') === 0 && ($pos = stripos($trim, ';base64,')) !== false) {
} $payload = substr($trim, $pos + 8);
} else {
// Handle Base64 encoding safely $payload = $trim;
function safeBase64Encode($input) { }
return str_replace(['+', '/'], ['-', '_'], base64_encode($input)); $payload = strtr($payload, '-_', '+/');
} $pad = strlen($payload) % 4;
if ($pad) { $payload .= str_repeat('=', 4 - $pad); }
// Check if 'action' is set in the query parameters before proceeding $decoded = base64_decode($payload, true);
if (isset($_GET['action'])) { if ($decoded === false) { return false; }
// Create or get storage space based on pubkey hash
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_GET['action'] === 'create') { // Heuristic to reduce false positives: compare normalized encoding or check for binary-ish data
$pubkey = $_POST['pubkey'] ?? null; $re = rtrim(strtr(base64_encode($decoded), '+/', '-_'), '=');
$pa = rtrim(str_replace('=', '', $payload), '=');
if (!$pubkey) { if ($re !== $pa) {
respond(400, "Missing public key"); $nonPrintable = preg_match_all('/[^\x09\x0A\x0D\x20-\x7E]/', $decoded);
} if ($nonPrintable < max(1, (int)(strlen($decoded) * 0.1))) {
return false;
// Decode the public key, try both raw and URL-safe Base64 decodings }
$decodedPubkey = safeBase64Decode($pubkey); }
if ($decodedPubkey === false || strlen($decodedPubkey) !== 32) { return $decoded;
respond(400, "Invalid public key"); }
}
// Enhance Base64 decoding to handle both raw and URL-safe inputs
$pubkey_hash = bin2hex(sodium_crypto_generichash($decodedPubkey)); function safeBase64Decode($input) {
// First, attempt a direct Base64 decode
$stmt = $db->prepare("SELECT * FROM storage WHERE pubkey_hash = :pubkey_hash"); $decoded = base64_decode($input, true);
$stmt->execute([':pubkey_hash' => $pubkey_hash]); if ($decoded !== false && strlen($decoded) === 32) {
$existing = $stmt->fetch(PDO::FETCH_ASSOC); return $decoded;
}
if ($existing) {
respond(200, "Space already exists", ['pubkey_hash' => $pubkey_hash]); // If the direct decode fails, attempt a URL-safe decode
} $urlSafeInput = str_replace(['-', '_'], ['+', '/'], $input);
return base64_decode($urlSafeInput, true);
$stmt = $db->prepare("INSERT INTO storage (pubkey_hash, data, mime_type, public_key) VALUES (:pubkey_hash, '', 'text/plain', :public_key)"); }
$stmt->execute([':pubkey_hash' => $pubkey_hash, ':public_key' => $decodedPubkey]);
// Handle Base64 encoding safely
respond(201, "Space created", ['pubkey_hash' => $pubkey_hash]); function safeBase64Encode($input) {
} return str_replace(['+', '/'], ['-', '_'], base64_encode($input));
}
// Retrieve stored data using the public key or public key hash
if ($_SERVER['REQUEST_METHOD'] === 'GET' && $_GET['action'] === 'retrieve') { // Check if 'action' is set in the query parameters before proceeding
$pubkey = $_GET['pubkey'] ?? null; if (isset($_GET['action'])) {
$pubkey_hash = $_GET['pubkey_hash'] ?? null; // Create or get storage space based on pubkey hash
if ($_SERVER['REQUEST_METHOD'] === 'POST' && $_GET['action'] === 'create') {
if ($pubkey) { $pubkey = $_POST['pubkey'] ?? null;
// Replace spaces with '+' to account for unencoded URLs
$pubkey = str_replace(' ', '+', $pubkey); if (!$pubkey) {
respond(400, "Missing public key");
// Attempt to decode public key (try both standard and URL-safe Base64) }
$decodedPubkey = safeBase64Decode($pubkey);
// Decode the public key, try both raw and URL-safe Base64 decodings
if ($decodedPubkey === false || strlen($decodedPubkey) !== 32) { $decodedPubkey = safeBase64Decode($pubkey);
respond(400, "Failed to decode public key: " . htmlspecialchars($pubkey)); if ($decodedPubkey === false || strlen($decodedPubkey) !== 32) {
} respond(400, "Invalid public key");
}
// Hash the decoded public key
$pubkey_hash = bin2hex(sodium_crypto_generichash($decodedPubkey)); $pubkey_hash = bin2hex(sodium_crypto_generichash($decodedPubkey));
} elseif ($pubkey_hash) { $stmt = $db->prepare("SELECT * FROM storage WHERE pubkey_hash = :pubkey_hash");
// Validate the provided public key hash (must be 64 characters long, hex format) $stmt->execute([':pubkey_hash' => $pubkey_hash]);
if (!ctype_xdigit($pubkey_hash) || strlen($pubkey_hash) !== 64) { $existing = $stmt->fetch(PDO::FETCH_ASSOC);
respond(400, "Invalid public key hash: " . htmlspecialchars($pubkey_hash));
} if ($existing) {
respond(200, "Space already exists", ['pubkey_hash' => $pubkey_hash]);
} else { }
respond(400, "Missing public key or public key hash");
} $stmt = $db->prepare("INSERT INTO storage (pubkey_hash, data, mime_type, public_key) VALUES (:pubkey_hash, '', 'text/plain', :public_key)");
$stmt->execute([':pubkey_hash' => $pubkey_hash, ':public_key' => $decodedPubkey]);
// Retrieve data by public key hash
$stmt = $db->prepare("SELECT * FROM storage WHERE pubkey_hash = :pubkey_hash"); respond(201, "Space created", ['pubkey_hash' => $pubkey_hash]);
$stmt->execute([':pubkey_hash' => $pubkey_hash]); }
$result = $stmt->fetch(PDO::FETCH_ASSOC);
// Retrieve stored data using the public key or public key hash
if (!$result) { if ($_SERVER['REQUEST_METHOD'] === 'GET' && $_GET['action'] === 'retrieve') {
respond(404, "No data found for this public key"); $pubkey = $_GET['pubkey'] ?? null;
} $pubkey_hash = $_GET['pubkey_hash'] ?? null;
// Set the correct MIME type and output the data without encoding if ($pubkey) {
header('Content-Type: ' . $result['mime_type']); // Replace spaces with '+' to account for unencoded URLs
echo $result['data']; $pubkey = str_replace(' ', '+', $pubkey);
exit;
} // Attempt to decode public key (try both standard and URL-safe Base64)
$decodedPubkey = safeBase64Decode($pubkey);
// Update stored data with a signed transaction
if ($_SERVER['REQUEST_METHOD'] === 'PUT' && $_GET['action'] === 'update') { if ($decodedPubkey === false || strlen($decodedPubkey) !== 32) {
parse_str(file_get_contents("php://input"), $_PUT); respond(400, "Failed to decode public key: " . htmlspecialchars($pubkey));
}
$pubkey = $_PUT['pubkey'] ?? null;
$signature = $_PUT['signature'] ?? null; // Hash the decoded public key
$data = $_PUT['data'] ?? null; $pubkey_hash = bin2hex(sodium_crypto_generichash($decodedPubkey));
$mime_type = $_PUT['mime_type'] ?? 'text/plain';
} elseif ($pubkey_hash) {
if (!$pubkey || !$signature || !$data) { // Validate the provided public key hash (must be 64 characters long, hex format)
respond(400, "Invalid input: missing public key, signature, or data"); if (!ctype_xdigit($pubkey_hash) || strlen($pubkey_hash) !== 64) {
} respond(400, "Invalid public key hash: " . htmlspecialchars($pubkey_hash));
}
// Decode base64-encoded public key and signature using safe base64 decoding
$decodedPubkey = safeBase64Decode($pubkey); } else {
$decodedSignature = safeBase64Decode($signature); respond(400, "Missing public key or public key hash");
}
if ($decodedPubkey === false || strlen($decodedPubkey) !== 32) {
respond(400, "Invalid public key"); // Retrieve data by public key hash
} $stmt = $db->prepare("SELECT * FROM storage WHERE pubkey_hash = :pubkey_hash");
$stmt->execute([':pubkey_hash' => $pubkey_hash]);
if ($decodedSignature === false) { $result = $stmt->fetch(PDO::FETCH_ASSOC);
respond(400, "Invalid signature: not valid base64");
} if (!$result) {
respond(404, "No data found for this public key");
$pubkey_hash = bin2hex(sodium_crypto_generichash($decodedPubkey)); }
if (!sodium_crypto_sign_verify_detached($decodedSignature, $data, $decodedPubkey)) { // Set the correct MIME type and output the data without encoding
respond(400, "Invalid signature"); header('Content-Type: ' . $result['mime_type']);
} echo $result['data'];
exit;
$stmt = $db->prepare("SELECT * FROM storage WHERE pubkey_hash = :pubkey_hash"); }
$stmt->execute([':pubkey_hash' => $pubkey_hash]);
if (!$stmt->fetch(PDO::FETCH_ASSOC)) { // Update stored data with a signed transaction
respond(404, "Space not found"); if ($_SERVER['REQUEST_METHOD'] === 'PUT' && $_GET['action'] === 'update') {
} parse_str(file_get_contents("php://input"), $_PUT);
if (strlen($data) > 1024) { $pubkey = $_PUT['pubkey'] ?? null;
respond(400, "Data exceeds 1k size limit"); $signature = $_PUT['signature'] ?? null;
} $data = $_PUT['data'] ?? null;
$mime_type = $_PUT['mime_type'] ?? 'text/plain';
$stmt = $db->prepare("UPDATE storage SET data = :data, mime_type = :mime_type WHERE pubkey_hash = :pubkey_hash");
$stmt->execute([':data' => $data, ':mime_type' => $mime_type, ':pubkey_hash' => $pubkey_hash]); if (!$pubkey || !$signature || !$data) {
respond(400, "Invalid input: missing public key, signature, or data");
respond(200, "Storage updated"); }
}
// Decode base64-encoded public key and signature using safe base64 decoding
// Handle deletion (not in spec, but helpful) $decodedPubkey = safeBase64Decode($pubkey);
if ($_SERVER['REQUEST_METHOD'] === 'DELETE' && $_GET['action'] === 'delete') { $decodedSignature = safeBase64Decode($signature);
$pubkey = $_POST['pubkey'] ?? null;
$signature = $_POST['signature'] ?? null; if ($decodedPubkey === false || strlen($decodedPubkey) !== 32) {
respond(400, "Invalid public key");
if (!$pubkey || !$signature) { }
respond(400, "Invalid input: missing public key or signature");
} if ($decodedSignature === false) {
respond(400, "Invalid signature: not valid base64");
// Decode base64-encoded public key and signature using safe base64 decoding }
$decodedPubkey = safeBase64Decode($pubkey);
$decodedSignature = safeBase64Decode($signature); $pubkey_hash = bin2hex(sodium_crypto_generichash($decodedPubkey));
if ($decodedPubkey === false || strlen($decodedPubkey) !== 32) {
respond(400, "Invalid public key"); // If data looks like base64 (or data:...;base64,...) decode it for size check and storage.
} $decodedData = maybeDecodeBase64($data);
$isBase64Payload = ($decodedData !== false);
if ($decodedSignature === false) {
respond(400, "Invalid signature: not valid base64"); // Verify signature. First try verifying exactly what we received (backwards compatibility).
} $sigOk = sodium_crypto_sign_verify_detached($decodedSignature, $data, $decodedPubkey);
$pubkey_hash = bin2hex(sodium_crypto_generichash($decodedPubkey)); // If that fails and it looked like base64, also try verifying the decoded bytes (clients that sign raw bytes).
if (!$sigOk && $isBase64Payload) {
if (!CryptoSign::verify_detached($decodedSignature, $pubkey_hash, $decodedPubkey)) { $sigOk = sodium_crypto_sign_verify_detached($decodedSignature, $decodedData, $decodedPubkey);
respond(400, "Invalid signature"); }
} if (!$sigOk) {
respond(403, "Invalid signature");
$stmt = $db->prepare("DELETE FROM storage WHERE pubkey_hash = :pubkey_hash"); }
$stmt->execute([':pubkey_hash' => $pubkey_hash]);
// Enforce 1k limit against decoded bytes when base64 was used; otherwise against the raw payload.
respond(200, "Storage deleted"); $dataForLimit = $isBase64Payload ? $decodedData : $data;
} if (strlen($dataForLimit) > 1024) {
} else { respond(400, "Data exceeds 1k size limit");
// If no action is specified, show the contents of main.php }
if (file_exists('main.php')) {
include 'main.php'; // Choose what we store: decoded bytes when base64 was used (so retrieval returns raw), otherwise raw text.
} else { $dataToStore = $isBase64Payload ? $decodedData : $data;
respond(400, "No action specified and main.php not found"); // Normalize MIME type for common images if a data URI was provided.
} if ($isBase64Payload && isset($_PUT['mime_type']) && stripos($_PUT['mime_type'], 'image/') === 0) {
} $mime_type = $_PUT['mime_type'];
}
// Persist
$stmt = $db->prepare("UPDATE storage SET data = :data, mime_type = :mime_type WHERE pubkey_hash = :pubkey_hash");
$stmt->execute([':data' => $dataToStore, ':mime_type' => $mime_type, ':pubkey_hash' => $pubkey_hash]);
respond(200, "Storage updated");
}
// Handle deletion (not in spec, but helpful)
if ($_SERVER['REQUEST_METHOD'] === 'DELETE' && $_GET['action'] === 'delete') {
$pubkey = $_POST['pubkey'] ?? null;
$signature = $_POST['signature'] ?? null;
if (!$pubkey || !$signature) {
respond(400, "Invalid input: missing public key or signature");
}
// Decode base64-encoded public key and signature using safe base64 decoding
$decodedPubkey = safeBase64Decode($pubkey);
$decodedSignature = safeBase64Decode($signature);
if ($decodedPubkey === false || strlen($decodedPubkey) !== 32) {
respond(400, "Invalid public key");
}
if ($decodedSignature === false) {
respond(400, "Invalid signature: not valid base64");
}
$pubkey_hash = bin2hex(sodium_crypto_generichash($decodedPubkey));
if (!CryptoSign::verify_detached($decodedSignature, $pubkey_hash, $decodedPubkey)) {
respond(400, "Invalid signature");
}
$stmt = $db->prepare("DELETE FROM storage WHERE pubkey_hash = :pubkey_hash");
$stmt->execute([':pubkey_hash' => $pubkey_hash]);
respond(200, "Storage deleted");
}
} else {
// If no action is specified, show the contents of main.php
if (file_exists('main.php')) {
include 'main.php';
} else {
respond(400, "No action specified and main.php not found");
}
}
?> ?>

5
main.php
View File

@ -16,7 +16,8 @@
<nav> <nav>
<ul> <ul>
<li><a href="/">Home</a></li> <li><a href="https://github.com/the1024club/the1024.club" target="_blank">Source Code</a></li>
</ul> </ul>
</nav> </nav>
@ -168,7 +169,7 @@ php 1kb_client.php retrieve public_key.pem
<footer> <footer>
<p class="license-title">The MIT License (MIT)</p> <p class="license-title">The MIT License (MIT)</p>
<p class="license-copyright">©2020 The 1024 Club Developers (see AUTHORS.txt)</p> <p class="license-copyright">©2024 The 1024 Club Developers <a href="https://github.com/the1024club/the1024.club" target="_blank">Source Code</a></p>
<p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p> <p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
<p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p> <p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
<p>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p> <p>THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>

BIN
utils.zip Normal file
View File

Binary file not shown.

2
utils/1kb_client.php
View File

@ -141,4 +141,4 @@ elseif ($operation === 'retrieve') {
else { else {
showUsage(); showUsage();
} }
?> ?>

18
utils/verify_keys.php Normal file
View File

@ -0,0 +1,18 @@
<?php
// Load Sodium extension
require __DIR__ . '/../vendor/autoload.php'; // Adjust the path to the autoload file
// Base64 decode the public and private keys
$publicKey = base64_decode('0HCO9Tm3JvvbK+J93PStb4/23HSxEZS9WUrWSjmLIz4=');
$privateKey = base64_decode('s1cAUQfbxa6Q8lJxn90N6aKER17Ng9tD/gHpX+8x6drQcI71Obcm+9sr4n3c9K1vj/bcdLERlL1ZStZKOYsjPg==');
// Derive the public key from the private key to check if they match
$derivedPublicKey = sodium_crypto_sign_publickey_from_secretkey($privateKey);
// Compare the derived public key with the provided public key
if (hash_equals($publicKey, $derivedPublicKey)) {
echo "The public and private key pair match!" . PHP_EOL;
} else {
echo "The public and private key pair do NOT match!" . PHP_EOL;
}
?>