The above line references the variable $json, which is not defined. I believe it should be replaced with false. This results in the following warning being logged:

PHP message: PHP Warning:  Undefined variable $json in /var/www/html/index.php on line 27

I'd love a way to set a docker container variable to change the color of certain elements, or possibly even to add a logo somewhere on the page. I'd love to use this for work to request password data from clients.

Right now we are using a branded version of onetimesecret with our primary color, a favicon, and our logo, but it doesn't play very nice on a mobile phone.

If I could replicate our use case for that and set this up instead, I think that would be easier/better for us, but we'd want it branded and to have our logo in it.

Or perhaps we could just embed this via an iFrame on on our website instead?

PS - How can we edit the templates via Docker install?

Is it possible to start the container with docker-compose on ARM?

Testing it I get this error:
ERROR: no matching manifest for linux/arm64/v8 in the manifest list entries

It would be nice if we could customize the style and some basic settings with a YAML configuration file or something similar.

Some of the details I'd like to customize:

• Automatically redirect to HTTPS
• Page <title>
• Add a simple announcement message
• Stylesheet (e.g. load theme.css to customize look and feel)

Doing it this way makes software updates (without losing settings) easier.

Hi,

Thanks for this app!

I would like to know if it was possible to translate all the "bloc" of template + credentials and credit card?

Thanks in advance :)

Hello! Is there any way to get a secret from a POST request without the entire HTML page? I just want to be able to make a request and get the URL to send somewhere else.

I'm using the request curl -s -X POST -d "secret=<secret>&submit=" https://<flashpaper>/ and it returns the full view_code.php webpage.

I'm pretty sure this is where it is requested: https://github.com/AndrewPaglusch/FlashPaper/blob/master/index.php#L19-L23

Am I missing something? Or should I just fork and add the ability to add a parameter like json?

Use Case

We use FlashPaper when requesting sensitive information from clients. Even though we provide simple, stey-by-step instructions for how to use FlashPaper, many of our clients still don't send us the URLs to decrypt their messages.

As much as this is a people problem, instead of a technical problem, I'd love if it could be addressed.

Possible Solution

Allow us to enable automatically sending URLs to an email address of our choice. It could use the PHP mail() function to keep it simple or PHPMailer if something more robust is needed. This feature be disabled by default unless manually enabled in settings.php for extra security.

settings.php:

'email_secure_url' => '[email protected]',

First, I wanted to say thanks - this is a great little project. Being able to encrypt a message both via a simple web page and via a simple curl command is very handy.

I recently changed my max_secret_length in /settings.php to 10240. When I went to test it by pasting a giant blob of text into FlashPaper, I noticed a couple things:

1. The input box limits me to the first 10240 characters of pasted text, as expected. That's good.
2. Pressing the "encrypt" button afterward results in a generic "Input length too long" message. Maybe newline characters are being counted differently between the text input box validation and the strlen comparison in line 70 of /index.php?
   if ( strlen($_POST['secret']) > $settings['max_secret_length'] ) { throw new exception("Input length too long"); }
3. Although you can customize error_secret_too_long in /settings.php, it doesn't seem to be referenced anywhere, e.g. in the exception message above.

In case it matters, the server environment is:
FlashPaper release 2.0.0
PHP 7.4.28
Apache 2.4.6
Red Hat Enterprise Linux 7.9 on x86_64

The client environment for the test above was:
Windows 10 on x86_64
Chrome 102.0.5005.115 and Firefox Nightly 103.0a1
... so maybe some Windows line ending or UTF character encoding shenanigans are at play?

flashpaper-test-input-long.txt

Hey there!

I'd like to report a security issue but cannot find contact instructions on your repository.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

I think the copy could provide a more self-explanatory user experience.

Create New

• Self-Destructing Message → Create A New Self-Destructing Message
• Submit → Encrypt Message

Self-Destructing URL

• Needs some language to explain what to do next. It's not obvious to an end-user that the URL isn't automatically shared with the host.: e.g. “Share this URL via email, chat or other messaging service. It will self-destruct after being viewed once.”

I'm running the application in a docker container and had no issues getting it to work via reverse proxy, but the links that are being generated are using the hostname and mapped port instead of the full domain. So for example, the site is https://website.com/flashpaper but the URL is http://hostname:8989/?k=abcdef...

I am not seeing any information on how to configure the software to use a specific server or domain name for the generated URLs. Is this currently implemented?

Just a very small new feature: add autofocus in textarea in html/submit_secret.php just like so:

<textarea autofocus class="form-control"...

Would be a good idea to put the latest version of FlashPaper at https://flashpaper.io/

Adding an ampersand in the secret variable when using the nostyle=true argument to generate links will break the resulting message.

For example:

Request
curl -s -X POST -d "nostyle=true&secret=1&2&3&4&5" http://password.paglusch.com

Will return:
http://password.paglusch.com/?k=OeLX-jHAm-Wc6ijRMvScfoYFG1p9mr2dwSTSPafRoss$

Which is recovered incorrectly:
curl -s -X POST -d "nostyle=true" http://password.paglusch.com/?k=OeLX-jHAm-Wc6ijRMvScfoYFG1p9mr2dwSTSPafRoss$ 1

Requiring incoming data in the secret argument to be Base64 encoded beforehand may solve this. The "/" character, which is occasionally returned by Base64 encoding, may also cause problems. This will have to be tested.

I'd recommend adding a constant header and footer with a dynamic body. Not too complicated for a simple secret sharing app and not too simple for a potential secret management system.

Cheers!

Hi mate,

Firstly, really love your work - it's much appreciated.

When trying to update to your latest release, I'm hitting a snag trying to pull it - getting an error message:
no matching manifest for linux/amd64 in the manifest list entries

I can see that you have arm64 mentioned in the repo, but that's it - is there something I'm missing here?

Thanks!
Dave

can anyone share the proper installation process with nginx, I am trying to create a Dockerfile for it?

I installed Flashpaper on my homelab server and it comes up locally, however when I add it to my Cloudflare zero trust tunnel 'http' with :8080 and path /flashpaper (and without) I hear a tiny electronic laughter as it doesn't come up. It seems to be redirecting to http from my public hostname sub-domain link. Any help would be most grateful as I love the program

I thought everything was working (since it generated the link, etc) however when I tried to test by opening the link I'm consistently getting this error page. Sorry I failed to actually test it. Any ideas other than OE (operator error)?

Greetings from reddit :)

I added a Copy button in 2 pages (view_code and view_secret) in case you are interested.

First, in html/view_code.php, doesn't make sense to have a textarea for a URL so here it is in input text:
<input type="text" readonly class="form-control" name="secret" style="resize: vertical;" value="<?php echo $message ?>" />

html/header.html

<script>
function copyText() {
     var textToCopy = document.getElementById("copy");
     textToCopy.select();
     document.execCommand("copy");
}
</script>

html/view_secret.php

<div class="col">
<button class="btn btn-primary" type="button" onclick="copyText()">Copy</button>
</div>

Also, you need to add id="copy" in the textarea

html/view_code.php

<div class="col">
<button class="btn btn-primary" type="button" onclick="copyText()">Copy</button>
</div>

Would be a nice feature with multi-languages like with gettext. Code would automatically detects the browser language and translate the text accordingly.

Now that we have the ability to submit secrets via JSON payloads, we should be
able to also decrypt a secret via a JSON payload.

My thought is to send a payload of something like this:

{
	"key": "abcdefg1234567890",
	"message": "Foobar"
}

Hi, thanks for your awesome software, with the new update there is now dark mode. Can there be two logos one for dark mode and one for light mode?

What are the limits for input length? I've run in to the following error multiple times.

Input length too long

Can a counter (e.g. 2456/10000 characters) be added so we know when we're close to the limitation? The <textarea> could also be given a maxlength.

Hello,
thank you for this lightweight and very useful software.
I'm running it on Windows 2016 with IIS and PHP 7.x and it works perfectly so having Linux as a requirement should not be necessary.
Regards,

Red.

Now that Docker is a supported install method, we need to add some documentation on how to do that.

As this app is supposed to be exposed to the world it makes sense to make it as secure as possible. So is it possible to run it with a read-only filesystem (docker run — read-only)? By default, it fails.

Hi sorry, if this has been answered, how can I set the valid URL that I want to return? Im running nginx with proxy outside the docker, and the site works just fine, but when the URL is generated its giving me an http://127.0.0.1:8080 (which is the nginx proxy listener). Is there a setting to put the URL I want in? I tested with full url=false which didnt seem to have any effect, and also tried setting some nginx settings like proxy host and such. Not sure if there is a setting to force set the URL or if this is an nginx proxy issue.

"As with most new distro versions, it also updates lots of core components, including a swath of current programming languages, and a choice of GNOME 42, KDE 5.24, or Xfce 4.16. This version also drops Python 2 and PHP 7."

https://www.theregister.com/2022/05/26/alpine_linux_316_released/

php8 is available.

https://pkgs.alpinelinux.org/packages?name=php8&branch=v3.16

Fixes #66

@AndrewPaglusch i have this error on Synology NAS.
Is a php extension non enabled on synology?

Thanks