wellicht
oh well
itsjustme
Good afternoon
dr|z3d
hi itsjustme
itsjustme
how are you dr|z3d? :)
dr|z3d
not bad, thanks, you?
itsjustme
I'm doing alright
dr|z3d
good to hear
dr|z3d
any motivation to do more cake?
itsjustme
yeah maybe. What do you think is a nice feature to have now?
dr|z3d
well, next feature, probably thumbnails for image files?
itsjustme
hmmm
dr|z3d
and better detection of filetype so you only present a view option where applicable.
dr|z3d
currently, all files have both view and download options.
itsjustme
just based on mime type?
dr|z3d
sure, mimetype should be sufficient.
itsjustme
oh right I was moving stuff to the database
itsjustme
for settings and such
dr|z3d
for view file, can we display the contents of something like zip file I wonder?
itsjustme
I'd say not safely. One of the reasons I'm hesitant to do the thumbnails
dr|z3d
so you can't create a thumbnail at upload time and then encrypt that too?
itsjustme
Right now the server doesn't process the files at all
itsjustme
The parsing is what I'm concerned about
dr|z3d
you think there could be a hostile payload in a jpeg, for example?
itsjustme
absolutely
itsjustme
The risk is lower than opening a zip file though
itsjustme
imo
term99
i think a thumbnail can be abused unless you burn it after 1 view
itsjustme
I'm aware of how to prevent it and with the current setup of the script it shouldn't be exploitable but it does add a lot to the attack surface
term99
wb not_bob
not_bob
Greetings. Can't stay. Need to deal with other things.
term99
roger, have a good day!
not_bob
But, one of my random "Checking messages" things.
itsjustme
term99: what is your opinion on thumbnails? good idea?
term99
once viewed, burn, else could be used for tmp cp storage for small files, people get their jollies off on anything
term99
well you delete after the first view anyways or x views
term99
personally I'm not a fan, download at your own time, view on your own time, don't need prying eyes when you just want to grab and go
term99
there, that's my answer
itsjustme
I can encrypt a thumbnail separately like I do with the normal file
itsjustme
it would be generated at the time of upload
dr|z3d
term99: you'd only see the thumbnail if you have the url for the upload.
dr|z3d
and that includes the site admin.
term99
can you make a hidden !important css of the img, so if they view link, thumbnail has a check option if checked then show box or something like that but not by default
term99
sounds like there's a plan already :)
dr|z3d
currently, the most likely use case is that the uploader gives the recipient a direct link to the file.
dr|z3d
what I'm suggesting is that the uploader could, optionally, give the user a link to the file info page instead, with a thumbnail embedded.
itsjustme
I kinda feel like it should be an admin option with a warning
itsjustme
off by default though
dr|z3d
sure, that's an option. and doing some pre-processing of the file to determine if it's got any malicious payload attached wouldn't hurt, either.
term99
could also run suricata on your localhost to scan http traffic, it has a great scanner and it could just kill the conn if it finds something halting the upload
dr|z3d
lol
dr|z3d
that's a different ball game altogether.
dr|z3d
cake itself should be self-contained, aside from required php libs.
term99
what's wrong with IDS/IPS layer tho?
dr|z3d
nothing per se, except the overhead.
itsjustme
yeah I want to keep it simple
dr|z3d
but you definitely don't want that as a dependency.
term99
oh no, you could stack it without even touching cake
term99
anyways understandable
dr|z3d
definitely want to mitigate this threat, itsjustme, given the thumbnails would likely be generated with gd, no? github.com/dlegs/php-jpeg-injector
itsjustme
yeah that one shouldn't be an issue
itsjustme
but I don't want to open the door to an unknown vulnerability either
dr|z3d
indeed not.
dr|z3d
gobiasinfosec.blog/2019/12/24/file-upload-attacks-php-reverse-shell also worth reviewing.