Fix plaintext POST pastes rendering without encryption key

2026-03-26 21:27:52 +00:00 · 2026-03-26 21:27:52 +00:00 · 89a7c33adb
parent 14be14e437
commit 89a7c33adb
2 changed files with 21 additions and 5 deletions
--- a/app.py
+++ b/app.py
@ -4,7 +4,7 @@ import re
 import sqlite3
 import uuid
 import datetime
-from flask import Flask, render_template, request, jsonify, abort
+from flask import Flask, render_template, request, jsonify, abort, Response

 # ── Load configuration ────────────────────────────────────────────────────────

@ -162,9 +162,20 @@ def view_paste(paste_id):
@app.route('/<paste_id>/raw')
 def view_paste_raw(paste_id):
    paste = _get_paste_or_abort(paste_id)
+    stored = paste['encrypted_data']
+
+    # Plaintext pastes are stored as a JSON object; return the content directly.
+    if not re.match(r'^[A-Za-z0-9_-]+:[A-Za-z0-9_-]+$', stored):
+        try:
+            data = json.loads(stored)
+            return Response(data.get('content', ''), mimetype='text/plain; charset=utf-8')
+        except (json.JSONDecodeError, TypeError):
+            pass
+
+    # Encrypted paste — return the raw ciphertext blob for API consumers.
    return jsonify({
        'id':             paste['id'],
-        'encrypted_data': paste['encrypted_data'],
+        'encrypted_data': stored,
        'created_at':     paste['created_at'],
        'expires_at':     paste['expires_at'],
        'views':          paste['views'],
--- a/templates/view.html
+++ b/templates/view.html
@ -27,7 +27,6 @@
 {% block scripts %}
 <script>
 let _decryptedPaste = null;
-const E2E = {{ cfg.features.encrypt_pastes | tojson }};

 (async function () {
    let rawPayload;
@ -38,7 +37,12 @@ const E2E = {{ cfg.features.encrypt_pastes | tojson }};
        return;
    }

-    if (E2E) {
+    // Detect format from the data itself, not from the config flag.
+    // Encrypted pastes are stored as "base64url:base64url"; plaintext pastes
+    // are stored as a JSON object string.
+    const isEncrypted = typeof rawPayload === 'string' && /^[A-Za-z0-9_-]+:[A-Za-z0-9_-]+$/.test(rawPayload);
+
+    if (isEncrypted) {
        const keyBase64 = window.location.hash.slice(1);
        if (!keyBase64) {
            showError('No Key', 'The decryption key is missing from the URL. Use the full link including the # part.');
@ -53,8 +57,9 @@ const E2E = {{ cfg.features.encrypt_pastes | tojson }};
            return;
        }
    } else {
+        // Plaintext paste — rawPayload is already the parsed JSON object.
        try {
-            _decryptedPaste = JSON.parse(rawPayload);
+            _decryptedPaste = typeof rawPayload === 'object' ? rawPayload : JSON.parse(rawPayload);
        } catch (e) {
            showError('Bad Data', 'Could not parse paste data.');
            return;