IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#saltr
/2022/03/07
wellicht oh well
itsjustme Good afternoon
dr|z3d hi itsjustme
itsjustme how are you dr|z3d? :)
dr|z3d not bad, thanks, you?
itsjustme I'm doing alright
dr|z3d good to hear
dr|z3d any motivation to do more cake?
itsjustme yeah maybe. What do you think is a nice feature to have now?
dr|z3d well, next feature, probably thumbnails for image files?
dr|z3d and better detection of filetype so you only present a view option where applicable.
dr|z3d currently, all files have both view and download options.
itsjustme just based on mime type?
dr|z3d sure, mimetype should be sufficient.
itsjustme oh right I was moving stuff to the database
itsjustme for settings and such
dr|z3d for view file, can we display the contents of something like zip file I wonder?
itsjustme I'd say not safely. One of the reasons I'm hesitant to do the thumbnails
dr|z3d so you can't create a thumbnail at upload time and then encrypt that too?
itsjustme Right now the server doesn't process the files at all
itsjustme The parsing is what I'm concerned about
dr|z3d you think there could be a hostile payload in a jpeg, for example?
itsjustme absolutely
itsjustme The risk is lower than opening a zip file though
term99 i think a thumbnail can be abused unless you burn it after 1 view
itsjustme I'm aware of how to prevent it and with the current setup of the script it shouldn't be exploitable but it does add a lot to the attach surface
term99 wb not_bob
not_bob Gtreetings. Can't stay. Need to deal with other things.
term99 roger, have a good day!
not_bob But, one of my random "Checking messages" thigns.
itsjustme term99: what is your opinion on thumbnails? good idea?
term99 once viewed, burn, else could be used for tmp cp storage for small files, people get their jollies off on anything
term99 well you delete after the first view anyways or x views
term99 personally im not a fan, download at your own time, view on your own time, don't need prying eyes when you just want to grab and go
term99 there thats my answer
itsjustme I can encrypt a thumnail seperatly like I do with the normal file
itsjustme it would be generated at the time of upload
dr|z3d term99: you'd only see the thumbnail if you have the url for the upload.
dr|z3d and that includes the site admin.
term99 can you make a hidden !important css of the img, so if they view link, thumbnail has a check option if checked then show box or something like that but not by default
term99 sounds like there's a plan already :)
dr|z3d currently, the most likely use case is that the uploader gives the recipient a direct link to the file.
dr|z3d what I'm suggesting is that the uploader could, optionally, give the user a link to the file info page instead, with a thumbnail embedded.
itsjustme I kinda feel like it should be an admin option with a warning
itsjustme defaultly off though
dr|z3d sure, that's an option. and doing some pre-processing of the file to determine if it's got any malicious payload attached wouldn't hurt, either.
term99 could also run suricata on your localhost to scan http traffic, it has a great scanner and it could just kill the conn if it finds something halting the upload
dr|z3d that's a different ball game altogether.
dr|z3d cake itself should be self-contained, aside from required php libs.
term99 whats wrong with IDS/IPS layer tho?
dr|z3d nothing per se, except the overhead.
itsjustme yeah I want to keep it simple
dr|z3d but you definitely don't want that as a dependency.
term99 oh no, you could stack it without even touching cake
term99 anyways understandable
dr|z3d definitely want to mitigate this threat, itsjustme, given the thumbnails would likely be generated with gd, no? github.com/dlegs/php-jpeg-injector
itsjustme yeah that one shouldn't be an issue
itsjustme but I don't want to open the door to an unknown vulnerability either
dr|z3d indeed not.