url-safe Base64 encoding publication on github

CHANGELOG.md

@@ -1,3 +1,14 @@
+# 0.7b0 (2016-09-08)
+
+* version bump for url-safe Base64 encoding publication on github
+
+# 0.6b1 (2016-09-07)
+
+* implemented so-called url-safe Base64 encoding of secrets to reduce URL-encoding junk
+* checked backward-compatibility with previous standard URL-encoded URLs
+* improved line-break handling in GPG message unstripping
+* tested url-safe Base64 encoding feature within chroot environment
+
 # 0.6b0 (2016-09-02)
 
 * version bump for increased readability publication on github

actions/share.php

@@ -18,7 +18,7 @@ function share_secret($secret) {
 
           if (null !== $stripped_secret) {
             # return the secret sharing URL
-            $result = htmlentities(SECRET_SHARING_URL.urlencode($stripped_secret));
+            $result = htmlentities(SECRET_SHARING_URL.urlencode(url_base64_encode($stripped_secret)));
           }
         }
       } else {

index.php

@@ -1,6 +1,6 @@
 <?php
 
-  # Shared-Secrets v0.6b0
+  # Shared-Secrets v0.7b0
   #
   # Copyright (c) 2016, SysEleven GmbH
   # All rights reserved.
@@ -61,9 +61,14 @@
     $uri = substr($uri, 1);
   }
   # handle URL-encoded URIs
-  if (false !== strpos($uri, BASE64_MARKER)) {
+  if (false !== strpos($uri, URL_ENCODE_MARKER)) {
     $uri = urldecode($uri);
   }
+  # handle URL-Base64-encoded URIs
+  if ((false !== strpos($uri, URL_BASE64_MARKER_A)) ||
+      (false !== strpos($uri, URL_BASE64_MARKER_B))) {
+    $uri = url_base64_decode($uri);
+  }
   define("SECRET_URI", $uri);
 
   # prepare action name, show read page by default

libs/shared-secrets.def.php

@@ -4,11 +4,14 @@
   if (!defined("SYS11_SECRETS")) { die(""); }
 
   # define GPG message parts
-  define("GPG_MESSAGE_COMMENT",        "Comment:");
-  define("GPG_MESSAGE_LINE_LENGTH",    64);
-  define("GPG_MESSAGE_LINE_SEPARATOR", "\n");
-  define("GPG_MESSAGE_PREFIX",         "-----BEGIN PGP MESSAGE-----");
-  define("GPG_MESSAGE_SUFFIX",         "-----END PGP MESSAGE-----");
+  define("GPG_MESSAGE_COMMENT",         "Comment:");
+  define("GPG_MESSAGE_COMMENT_DUMMY",   "Dummy");
+  define("GPG_MESSAGE_LINE_LENGTH",     64);
+  define("GPG_MESSAGE_LINE_SEPARATOR",  "\n");
+  define("GPG_MESSAGE_PARTS_MARKER",    "=");
+  define("GPG_MESSAGE_VALUE_SEPARATOR", " ");
+  define("GPG_MESSAGE_PREFIX",          "-----BEGIN PGP MESSAGE-----");
+  define("GPG_MESSAGE_SUFFIX",          "-----END PGP MESSAGE-----");
 
   # define stream buffer size
   define("STREAM_BUFFER", 1024);
@@ -24,8 +27,14 @@
   define("SHARE_PAGE_NAME",   "share");
 
   # define parameter name
-  define("BASE64_MARKER",  "%");
-  define("MAX_PARAM_SIZE", 512);
-  define("PARAM_NAME",     "secret");
+  define("BASE64_MARKER_A",     "+");
+  define("BASE64_MARKER_B",     "/");
+  define("MAX_PARAM_SIZE",      512);
+  define("PARAM_NAME",          "secret");
+  define("URL_BASE64_MARKER_A", "-");
+  define("URL_BASE64_MARKER_B", "_");
+  define("URL_ENCODE_MARKER",   "%");
+
+  # define 
 
 ?>

libs/shared-secrets.exec.php

@@ -3,6 +3,36 @@
   # prevent direct access
   if (!defined("SYS11_SECRETS")) { die(""); }
 
+  ########## URL-ENCODING FUNCTIONS ##########
+
+  function url_base64_decode($url_base64_content) {
+    $result = null;
+
+    if (is_string($url_base64_content)) {
+      $result = str_replace(URL_BASE64_MARKER_B,
+                            BASE64_MARKER_B,
+                            str_replace(URL_BASE64_MARKER_A, 
+                                        BASE64_MARKER_A,
+                                        $url_base64_content));
+    }
+
+    return $result;
+  }
+
+  function url_base64_encode($base64_content) {
+    $result = null;
+
+    if (is_string($base64_content)) {
+      $result = str_replace(BASE64_MARKER_B,
+                            URL_BASE64_MARKER_B,
+                            str_replace(BASE64_MARKER_A,
+                                        URL_BASE64_MARKER_A,
+                                        $base64_content));
+    }
+
+    return $result;
+  }
+
   ########## SYSTEM FUNCTIONS ##########
 
   # calls $command, prints $stdin to its standard input and reads
@@ -142,23 +172,23 @@ function unstrip_message($content) {
       $left  = null;
       $right = null;
 
-      # search for double equation to fix line breaks
-      $double_equation = strrpos($content, "==");
-      if (false !== $double_equation) {
-        $left  = substr($content, 0, $double_equation+1);
-        $right = substr($content, $double_equation+1, strlen($content)-$double_equation-1);
+      # search for equation sign from the end to fix line breaks
+      $equation_pos = strrpos($content, GPG_MESSAGE_PARTS_MARKER);
+      if (false !== $equation_pos) {
+        $left  = substr($content, 0, $equation_pos);
+        $right = substr($content, $equation_pos);
       } else {
         $left  = $content;
         $right = null;
       }
 
-      $result = GPG_MESSAGE_PREFIX."\n".
-                GPG_MESSAGE_COMMENT." Dummy\n".
-                "\n".
-                trim(chunk_split($left, GPG_MESSAGE_LINE_LENGTH, "\n"))."\n";
+      $result = GPG_MESSAGE_PREFIX.GPG_MESSAGE_LINE_SEPARATOR.
+                GPG_MESSAGE_COMMENT.GPG_MESSAGE_VALUE_SEPARATOR.GPG_MESSAGE_COMMENT_DUMMY.GPG_MESSAGE_LINE_SEPARATOR.
+                GPG_MESSAGE_LINE_SEPARATOR.
+                trim(chunk_split($left, GPG_MESSAGE_LINE_LENGTH, GPG_MESSAGE_LINE_SEPARATOR)).GPG_MESSAGE_LINE_SEPARATOR;
 
       if (null !== $right) {
-        $result .= $right."\n";
+        $result .= $right.GPG_MESSAGE_LINE_SEPARATOR;
       }
 
       $result .= GPG_MESSAGE_SUFFIX;

pages/read/get.php

@@ -26,7 +26,7 @@
   <h1>Read a Secret:</h1>
   <p><pre id="secret"><?php print(htmlentities(SECRET_URI)); ?></pre></p>
 
-  <form role="form" action="/<?php print(htmlentities(urlencode(SECRET_URI))); ?>" method="post">
+  <form role="form" action="/<?php print(htmlentities(urlencode(url_base64_encode(SECRET_URI)))); ?>" method="post">
     <button type="submit" class="btn btn-default pull-right" id="read-secret-btn" name="read-secret-btn">Read the Secret!</button>
   </form>