
Releases: PrivateBin/PrivateBin

Release v2.0.0 - Changes configuration defaults & template

28 Jul 07:48
2.0.0
6003f52

This release changes configuration defaults including switching the template and removing legacy features.

The most notable change is the switch of the default template to bootstrap5. We also switched to using the Jdenticons library by default for the comment creator icons, as it doesn't require the GD library. The user interface now displays data sizes with SI prefixes instead of binary ones, to be more consistent with the sizes displayed in current operating systems (i.e. 1024 bytes will now be displayed as 1.02 kB instead of 1.00 kiB), and refers to "documents" instead of "pastes".

The page template and compatibility with pre-v1.3 pastes, including ZeroBin ones, were removed. The v2 paste format, which is still in use, was introduced in release 1.3 in July 2019. This allows dropping further unused database columns, as those were artifacts of the v1 pastes and are no longer used with the v2 ones.

Update procedure

The minimum required PHP version was increased from 7.3 to 7.4.

If you have created your own cfg/conf.php file, please check the following entries and update them accordingly:

  • section [main], key template: If set to page replace this with bootstrap5 or one of the bootstrap variants (see cfg/conf.sample.php).
  • section [main], key icon: If commented and you prefer the look of the blocky identicon over triangular jdenticon, uncomment the value and set it back to identicon.
  • section [model], key class: If set to privatebin_data replace this with Filesystem and if set to privatebin_db or zerobin_db replace this with Database.
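An added example (not part of the PrivateBin release notes or code base) that audits a custom cfg/conf.php for the three entries listed above. The function names and the sample configuration are constructed for illustration, and the parser is a minimal INI reader, not PHP's own.

```python
import re

# Replacements for the removed model class names, per the update procedure.
LEGACY_MODEL_CLASSES = {"privatebin_data": "Filesystem",
                        "privatebin_db": "Database",
                        "zerobin_db": "Database"}

def parse_conf(text):
    """Minimal INI reader for cfg/conf.php: returns {(section, key): value}."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or commented-out entry
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[(section, key.strip())] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return one finding per entry that needs attention before upgrading to 2.0.0."""
    conf, findings = parse_conf(text), []
    if conf.get(("main", "template")) == "page":
        findings.append("[main] template = page was removed: use bootstrap5 or a bootstrap variant")
    if ("main", "icon") not in conf:
        findings.append("[main] icon is unset: default is now jdenticon, set identicon to keep the old look")
    cls = conf.get(("model", "class"))
    if cls in LEGACY_MODEL_CLASSES:
        findings.append(f"[model] class = {cls} was removed: use {LEGACY_MODEL_CLASSES[cls]}")
    return findings

# Constructed sample of an old custom configuration (not from a real instance).
SAMPLE = """\
;<?php http_response_code(403); /*
[main]
template = "page"
; icon = "identicon"
[model]
class = zerobin_db
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```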

If you are using the Database model class and your database user is not privileged to perform schema changes, you have to manually drop the postdate, opendiscussion, burnafterreading, attachment and attachmentname columns of the paste table and the nickname column from the comment table. If you are using SQLite before 3.35.0, which doesn't support dropping columns, you must initialize a new empty database file and either manually migrate the data or start from scratch.
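An added example (not PrivateBin's own migration code) that lists which of the columns named above are still present in an SQLite database and whether the linked SQLite library can drop them. The simplified schema is constructed for the demonstration, and the `prefix` parameter is an assumption for instances whose table names carry a prefix.

```python
import sqlite3

# Columns the v2.0.0 update procedure says to drop, per table.
LEGACY_COLUMNS = {
    "paste": ["postdate", "opendiscussion", "burnafterreading",
              "attachment", "attachmentname"],
    "comment": ["nickname"],
}

def sqlite_supports_drop_column():
    """ALTER TABLE ... DROP COLUMN needs SQLite 3.35.0 or later."""
    return sqlite3.sqlite_version_info >= (3, 35, 0)

def pending_drops(conn, prefix=""):
    """Return the ALTER statements still needed for this database."""
    statements = []
    for table, columns in LEGACY_COLUMNS.items():
        name = prefix + table
        # Identifiers cannot be bound as parameters; names come from the
        # constant above plus the operator-supplied prefix.
        present = {row[1] for row in conn.execute(f'PRAGMA table_info("{name}")')}
        for column in columns:
            if column in present:
                statements.append(f'ALTER TABLE "{name}" DROP COLUMN "{column}";')
    return statements

def constructed_db():
    """In-memory database with a constructed schema (not PrivateBin's real DDL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE paste (dataid TEXT, data TEXT, expiredate INT, "
                 "postdate INT, opendiscussion INT, burnafterreading INT, "
                 "meta TEXT, attachment TEXT, attachmentname TEXT)")
    conn.execute("CREATE TABLE comment (dataid TEXT, pasteid TEXT, data TEXT, "
                 "nickname TEXT, postdate INT)")
    return conn

if __name__ == "__main__":
    print("SQLite", sqlite3.sqlite_version,
          "supports DROP COLUMN:", sqlite_supports_drop_column())
    for statement in pending_drops(constructed_db()):
        print(statement)
```

Only the six columns named in the update procedure are reported; the constructed `comment.postdate` column is left alone because the procedure lists `postdate` for the paste table only.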

As usual, you can download the archive for a manual upgrade and can find more details in the installation instructions.

We also offer container images, one using the nginx web server with php-fpm and one using the nginx unit application server, that include the recommended secure setup with the non-essential files and data outside of the web server's document root.

Optionally, you can use two new features of the bin/administration script to check whether any v1 pastes still exist on your instance, using the --statistics flag, and then delete them using the --delete-v1 flag:

$ bin/administration --help
Usage:
  administration [--delete <document id> | --delete-all | --delete-v1 |
                  --empty-dirs | --help | --list-ids | --purge | --statistics]

Options:
[...]
  --delete-v1       deletes all unsupported v1 documents
[...]
  -s, --statistics  reads all stored documents and reports statistics
$ bin/administration --statistics
[... check for lines starting with "Unsupported v1 document " and the conclusion showing any "Legacy v1" ...]
$ bin/administration --delete-v1

Changes since version 1.7.8

  • ADDED: Error logging in database and filesystem backend (#1554)
  • ADDED: Statistics on v1 pastes in administration script and option to delete them
  • CHANGED: Removed page template (#265)
  • CHANGED: Removed support for ZeroBin & v1 pastes - since release 1.3 the v2 format is used (#551)
  • CHANGED: Removed use of base64 & rawinflate libraries (#551)
  • CHANGED: Removed support for privatebin_data, privatebin_db & zerobin_db model class configurations, must be replaced with Filesystem or Database in cfg/conf.php, if still present
  • CHANGED: Removed unused columns in database schema of tables paste & comment
  • CHANGED: Jdenticons are now used as the default icons
  • CHANGED: Upgrading libraries to: base-x 5.0.1, bootstrap 5.3.7, jdenticon 2.0.0 & kjua 0.10.0
  • CHANGED: Minimum required PHP version is 7.4, due to a change in the jdenticon library
  • CHANGED: Set bootstrap5 template as default for PrivateBin (#1572)
  • CHANGED: Switched from binary bytes to SI-units (#1565)
  • CHANGED: Replaced the term "paste" with the more generic "document" (#397)
  • FIXED: Name mismatches in attached files (#1584)
  • FIXED: Unable to paste attachments from clipboard (#1589)
  • FIXED: Configuration combinations test errors

Help wanted & greatly appreciated

Apart from the large tasks that require deeper insight and time, there are also smaller issues where help is wanted, topics open to debate and of course many languages that still remain to be translated. We are also still looking for additional long-term maintainers among our frequent issue helpers.

What can we offer you in return for your help?

  • We can offer you our mentorship, if this is your first time participating as a maintainer of an open source software project. We can guide you through submitting your first pull requests and work with you to ensure your change fulfils the community's quality standards, gets merged and makes it into a release.
  • Your work gets publicly credited. This can help you build up a resume, showing off your growing skill set, in programming as well as your soft skills.
  • PrivateBin is a smaller project. If you'd like to learn how to participate and contribute in an open source git project, this should be less overwhelming than larger projects.
  • We do have a decent unit test code coverage, so it is an environment forgiving of mistakes. You may still introduce logical flaws or issues in new features, not yet covered in the tests, but you can rely on the tests preventing any regressions in other areas.
  • You don't have to be proficient in multiple programming languages. There are a lot of things to improve within either the JavaScript or PHP areas that don't need you to understand the other side, beyond their shared API.
  • It can be an opportunity to learn about continuous integration tools to automate tasks like tests, security scans, etc.

If you are interested in helping with any of these points, we have prepared a development guide including design goals, code structure and tools to get you started. For any questions, you can chat with the maintainers in the discussion area or reach us via email.

Release v1.7.8 - bugfixes for attachment display & page template

30 Jun 09:00
1.7.8
d5cd674
  • FIXED: Duplicate attachment for every comment (#1577)
  • FIXED: Attachments with empty file names (#1577)
  • FIXED: Page template scripts loading order (#1579)

Release v1.7.7 - Adds upload of multiple files, switching templates via UI & cleanup

28 Jun 19:57
1.7.7
20e30b6
  • ADDED: Switching templates using the web ui (#1501)
  • ADDED: Show file name and size on download page (#603)
  • CHANGED: Passing large data structures by reference to reduce memory consumption (#858)
  • CHANGED: Removed use of ctype functions and polyfill library for ctype
  • CHANGED: Upgrading libraries to: DOMpurify 3.2.6, ip-lib 1.20.0
  • CHANGED: Support for multiple file uploads (#1060)
  • CHANGED: Documented CSP change necessary to allow PDF attachment preview (#1552)
  • FIXED: Hide Reply button in the discussions once clicked to avoid losing the text input (#1508)
  • FIXED: Bump zlib library suffix, ensuring cache refresh for WASM streaming change
  • FIXED: Handle undefined globals in file based persisted values (#1544)

Release v1.7.6 - Several quality-of-life UI improvements

01 Feb 09:50
1.7.6
473baf8
  • ADDED: Ability to copy the paste by clicking the copy icon button or using the keyboard shortcut ctrl+c/cmd+c (#1390 & #12)
  • CHANGED: Allow toggling tab-key-support using [Ctrl]+[m] or [Esc] in textarea for keyboard navigation (#1386)
  • CHANGED: Switched to WASM streaming and replaced unsafe-eval with wasm-unsafe-eval CSP declaration (#1464), requires webserver to have application/wasm MIME type configured.
  • CHANGED: Replaced usage of strpos with str_starts_with & str_contains (#1373)
  • CHANGED: Added polyfill libraries for ctype, str_starts_with & str_contains functions (#1476)
  • CHANGED: Turned paste delete link into a button (#266)
  • CHANGED: Upgrading libraries to: DOMpurify 3.2.4, cloud-storage 1.45.0, aws-sdk-php 3.336.2
  • CHANGED: bootstrap5 template UI improvements
  • FIXED: Redirect to the home page after changing the language (#92)

Release v1.7.5 - Fixing strict type related failures

16 Nov 07:24
1.7.5
1a434b0
  • ADDED: Allow non persistent SQL connections, if configured (#1394)
  • ADDED: Show a button (that redirects to the basepath URL) inside the alert after a paste is deleted
  • CHANGED: Tweaked page footer of the bootstrap5 template (#1392)
  • CHANGED: Simpler PostgreSQL table lookup query (#1361)
  • CHANGED: SRI hashes are now configurable, no longer hardcoded in templates (#1365)
  • CHANGED: Upgrading libraries to: DOMpurify 3.1.7, ip-lib 1.18.1, cloud-storage 1.43.0, aws-sdk-php 3.325.0
  • FIXED: Numeric array keys being cast to integer causing failures under strict type checking (#1435)

Release v1.7.4 - Prevent bypassing YOURLS proxy URL filter

09 Jul 18:45
1.7.4
031bcef
  • CHANGED: Saving markdown pastes uses .md extension instead of .txt (#1293)
  • CHANGED: Enable strict type checking in PHP (#1350)
  • CHANGED: Various tweaks of the bootstrap5 template, suggested by the community
  • FIXED: Reset password input field on creation of new paste (#1194)
  • FIXED: Allow database schema upgrade to skip versions (#1343)
  • FIXED: bootstrap5 dark mode toggle unset on dark browser preference (#1340)
  • FIXED: Prevent bypassing YOURLS proxy URL filter, allowing to shorten non-self URLs

This release addresses an issue with the YOURLS proxy's filter that allowed it to shorten URLs other than those of the configured PrivateBin instance. This issue only affects instances that use the YOURLS URL-shortener proxy. More details on this issue can be found in the security advisory.

Release v1.7.3 - Fixing expiration selection

13 May 17:30
1.7.3
22419cd
  • CHANGED: Various tweaks of the bootstrap5 template, suggested by the community
  • CHANGED: Upgrading libraries to: DOMpurify 3.1.3
  • FIXED: Selected expiration not being applied, when using bootstrap template (#1309)

Release v1.7.2 - Adding new template and configuration options

05 May 19:12
1.7.2
da8b6a2

Important: Please don't update to this release, it contains a critical bug! See #1309 for details.


  • ADDED: Allow use of shortenviayourls in query parameters (#1267)
  • ADDED: Input sanitation to some not yet filtered query and server parameters
  • ADDED: Optional Bootstrap CSS 5.3.3 based template, use configuration template = "bootstrap5" to switch to it (#728)
  • CHANGED: "Send" button now labeled "Create" (#946)
  • CHANGED: Drop some PHP < 5.6 fallbacks, minimum version is PHP 7.3 as of release 1.6.0
  • CHANGED: Set lang cookie with lax SameSite property
  • CHANGED: Upgrading libraries to: DOMpurify 3.1.2 (#1299) & jQuery 3.7.1
  • CHANGED: create attribute is no longer returned in API for pastes & can be disabled for comments using discussiondatedisplay as well (#1290)
  • FIXED: Add cache control headers also to API calls (#1263)
  • FIXED: Shortened paste URL does not appear in email (#606)

Note regarding the new "bootstrap5" template: if you want the button icons (SVG) to display, you have to relax the CSP rule slightly and change default-src from 'none' to 'self'. You configure it as follows:

template = "bootstrap5"
cspheader = "default-src 'self'; base-uri 'self'; form-action 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval'; style-src 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
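An added example (not PrivateBin code) for operators who copied the cspheader above into cfg/conf.php: it parses the policy, narrows 'unsafe-eval' to 'wasm-unsafe-eval' as release 1.7.6 on this page did, and notes when default-src is still 'none'. The function names `parse_csp` and `modernise` are hypothetical.

```python
def parse_csp(header):
    """Split a CSP header into {directive: [source tokens]}, keeping order."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; keep the first.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def modernise(header):
    """Return (new_header, notes) with 'unsafe-eval' narrowed to 'wasm-unsafe-eval'."""
    policy, notes = parse_csp(header), []
    for directive in ("script-src", "default-src"):
        sources = policy.get(directive, [])
        if "'unsafe-eval'" in sources:
            policy[directive] = ["'wasm-unsafe-eval'" if s == "'unsafe-eval'" else s
                                 for s in sources]
            notes.append(f"{directive}: 'unsafe-eval' -> 'wasm-unsafe-eval'")
    if policy.get("default-src") == ["'none'"]:
        notes.append("default-src 'none': bootstrap5 button icons (SVG) will not display")
    new_header = "; ".join(" ".join([d] + s) for d, s in policy.items())
    return new_header, notes

# The cspheader value from the v1.7.2 note above.
V172_HEADER = ("default-src 'self'; base-uri 'self'; form-action 'none'; "
               "manifest-src 'self'; connect-src * blob:; "
               "script-src 'self' 'unsafe-eval'; style-src 'self'; "
               "font-src 'self'; frame-ancestors 'none'; "
               "img-src 'self' data: blob:; media-src blob:; object-src blob:; "
               "sandbox allow-same-origin allow-scripts allow-forms "
               "allow-popups allow-modals allow-downloads")

if __name__ == "__main__":
    header, notes = modernise(V172_HEADER)
    print("\n".join(notes))
    print('cspheader = "' + header + '"')
```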

The new theme comes in only one flavour, but does include a dark-mode switch and attempts detecting the currently set browser preference.

We don't yet enable this new template by default. Please report any issues you find with it or submit pull requests with your improvements. Should no major issues get detected, we intend to make it the new default later this year and eventually deprecate and remove the old bootstrap 3 templates, as well as the page (classic ZeroBin) one. It would be appreciated if additional templates were submitted and shared with the community, so we get some more variety to choose from.

Release v1.7.1 - Fixes zlib 1.3.1 wasm file reference

11 Feb 14:33
1.7.1
aad975a
  • FIXED: zlib 1.3.1 wasm file reference

Release v1.7.0 - Ask for confirmation, before loading burn after reading pastes

11 Feb 13:22
1.7.0
a3ee624
  • ADDED: Translations for Romanian
  • ADDED: Detect and report on damaged pastes (#1218)
  • CHANGED: Ask for confirmation, before loading burn after reading pastes (#1237)
  • CHANGED: Focus on password input in modal dialog
  • CHANGED: Upgrading libraries to: DOMpurify 3.0.8 & zlib 1.3.1
  • FIXED: Support more types of valid URLs for shorteners, incl. IDN ones (#1224)
  • FIXED: Email timezone buttons overlapping in some languages (#1039)
  • FIXED: Changing language mangles URL (#1191)
  • FIXED: Needless reload when visiting default URL