Date Sunday, 22. July 2018 Tags PrivateBin / Release

This release adds QR code generation, inline display of video, audio, PDF and new translations to PrivateBin and a large refactoring of the JavaScript code.

A new button lets you generate a QR code of your newly created pastes URL. This allows for easy transfer of a pasted data from one mobile device to another.

When the optional file upload is enabled, uploaded videos, audio files and PDFs are displayed inline, like we did with images, as long as the visitors browser supports it. By default the file and paste upload is limited to a 2 MiB size.

Translations for Spanish, Occitan, Norwegian, Portuguese, Dutch and Hungarian have also been added since the last release.

The main change of this release, and the reason it took us so long since doing the last one, was the large refactoring and cleanup of the JavaScript logic of PrivateBin. The refactoring itself was done in early 2017. In parallel we introced mocha and JSverify running on nodeJS as a property based unit testing framework for the logic (à la QuickCheck). Many months were spent to cover more and more pieces of the logic.

In the end we covered all of the modular parts of the logic (879 of 1273 lines of code for a 69% code coverage), including the encryption wrapper functions for backward compatibility with older paste formats. The UI related parts of the code proved difficult to test, partly because in nodeJS the browsers document object model (DOM) is emulated using the JSdom library, the lack of an actual view port being present (so no scrolling, for example) and also due the event driven nature which contradicts the modular approach of unit testing. For many UI interfaces, large parts of the DOM has to be present, since emitting a single click event may trigger changes in many different parts of the UI. This is a shortcoming of the current structure of the UI logic, which we may need to improve further.

Still, the unit testing found many regressions and some issues that have been in the code for a long time without having been reported. It lays the necessary ground work for the future changes, especially the major changes planned for the encryption format.

Benefits of switching to the new release

Apart from the new QR code feature many new translations were added. All used libraries were upgraded, too. While no security issues were reported for any of these, they address some bugs that didn't affect us directly or improve compatibility with the latests browsers and PHP releases.

Update procedure

A new configuration option name was introduced for those admins that like to replace the "PrivateBin" moniker in the template with their own site name.

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We now also offer a Docker container that includes the recommended secure setup with the non-essential files and data outside of the web servers document root. We also started providing additional tools in Docker containers.

Changes since version 1.1.1

ADDED: Translations for Spanish, Occitan, Norwegian, Portuguese, Dutch and Hungarian

ADDED: Option in configuration to change the default "PrivateBin" title of the site

ADDED: Added display of video, audio & PDF, drag & drop, preview of attachments (#182)

ADDED: QR code generation (#169)

ADDED: Introduced DOMpurify library to sanitize generated HTML before display (#183)

CHANGED: Force JSON request for getting paste data & password retry (#216)

CHANGED: Minimum required PHP version is 5.4 (#186)

CHANGED: Shipped .htaccess files were updated for Apache 2.4 (#192)

CHANGED: Cleanup of bootstrap template variants and moved icons to img directory

directory CHANGED: Removed option to hide clone button on expiring pastes, since this requires reading the paste for rendering the template, which leaks information on the pastes state

CHANGED: Upgrading libraries to: SJCL 1.0.7, jQuery 3.3.1, Base64 2.4.5, Showdown 1.8.6, DOMpurify 1.0.5 & Prettify 453bd5f

CHANGED: Refactored JavaScript code, making it modular with private and public functions, making it much easier to maintain (#178)

FIXED: To counteract regressions introduced by the refactoring, we finally introduced property based unit testing for the JavaScript code, this caught several regressions, but also some very old bugs not found so far (#32)

Help wanted & greatly appreciated

Over the last months we often had issues to motivate ourselves to move on with the rather tedious refactoring and unit testing. As an open source project every contribution small or large is greatly appreciated. Especially all the new languages that got added show the core team that this project is used and how far it already got spread.

Apart from the large tasks that require deeper insight and time, there are also smaller issues were help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long term maintainers among our frequent issue helpers.

If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools that should get you started.

Plans for future releases

In the next major release we plan to change the paste format. This includes introducing a new version identifier, support for different encryption schemes, ideally including the browsers internal cryptography instead of the JavaScript SJCL one, switch to a correct deflate compression implementation to ensure cross-language compatibility and generally review to paste format for improvements. Of course we will keep supporting both the original ZeroBin and current formats, so that upgrades remain possible without data loss. Thanks to the JavaScript unit testing introduced with this release, the backwards compatibility gets accounted for.

We also already have quite a few user interface improvements flagged for the release after that. We want to concentrate on the paste format first, to be able build on top of it. But we would of course not say no to any earlier pull requests for any of these.

All in all, with this tedious behind the scenes cleanup finally done, we now plan to return to a more frequent release cycle and wish you all,

Good night, and good luck.