[IMG]http://i.imgur.com/9P8la.png[/IMG]
I just finished rewriting and redesigning the frontend for this. It's supposed to be a simple, ad-free, fairly open file uploading service. Don't ask me about our business model, we've got it under control. I decided to go with flash for a couple of reasons: inconsistencies and limits with the file input element, and clipboard limits imposed by both the browser and Adobe. I just skipped the bullshit and, I believe, made the best of the situation.
I invite you to try it out, provide some feedback on the usability/design of both the front and backend, make suggestions and heck, go ahead and try to break it.
I've also had reports of wacky behaviour with the progress bar, but was unable to reproduce it - is that happening to you?
[URL]http://up.dafk.net/[/URL]
For the curious, dafk.net is written in PHP (I'm more of a python guy, but dafk is made of micro-applications that didn't warrant the complications of deploying a python framework on a shared server, under Apache), with a very simple homegrown framework. It runs on Site5 servers, and gets around 80,000 hits per month. We've seen a very steady increase in the last 15 days, with as much as a 200% increase over a 24-hour period.
Information on the API can be found in the [B]info[/B] page. Enjoy!
That looked really nice with the progress bar and everything; the transitions are smooth, it just looks awesome.
Everything looks neat, keep up the good work.
Also: [url]http://room.dafk.net[/url]
I'll just leave this here.
This would be good, except for the fact that you are incorporating old and unfunny memes.
[QUOTE=:awesome:;25407549]This would be good, except for the fact that you are incorporating old and unfunny memes.[/QUOTE]
That rickroll thing?
That single-handedly pays for our fairly expensive servers.
[editline]15th October 2010[/editline]
Small update, not sure why I didn't do this earlier. [b]Upload percentage is displayed in the title bar.[/b] Looks great when you're uploading a large file with various tabs open.
I love how smooth it is.
Very nice. I notice you're using Flash for the uploader interface, which might explain in part why it's so very smooth. I'm sure something similar could be achieved without flash, but still, it looks pretty nice and works well. Good job.
Very nice, I love having a smooth percent bar :D
[QUOTE=BrettJay;25410093]Very nice. I notice you're using Flash for the uploader interface, which might explain in part why it's so very smooth. I'm sure something similar could be achieved without flash, but still, it looks pretty nice and works well. Good job.[/QUOTE]
It can certainly be done without flash, but there's so many inconsistencies and limits it's ridiculous, and the hacks just start to pile up and slowly make the whole thing very ugly.
File extension restrictions?
[QUOTE=rampageturke;25415670]File extension restrictions?[/QUOTE]
We have a blacklist of about 20/30 file extensions that seriously needs some pruning. I'm still torn between flat-out disallowing certain types (.php, .html, etc.) or forcing them to be downloaded. It's something I've got little experience with, and I'm not aware of possible exploits that may come from it (can the forced download be ignored by the client and, say, a .php file be run on the server?).
There's also a few extensions there that don't really make sense to be blocked, such as .exe files, and I'll be removing them from the blacklist later today.
Why bother blocking any file types at all?
That's just a general pain in the ass for the user.
[QUOTE=StinkyJoe;25415696]We have a blacklist of about 20/30 file extensions that seriously needs some pruning. I'm still torn between flat-out disallowing certain types (.php, .html, etc.) or forcing them to be downloaded. It's something I've got little experience with, and I'm not aware of possible exploits that may come from it (can the forced download be ignored by the client and, say, a .php file be run on the server?)[/QUOTE]
If you make sure the files have the right permissions (chmod to be world-readable, with the executable bit disabled), you shouldn't have any problems with people running CGI scripts. You can prevent PHP running in your upload dir in [url=http://stackoverflow.com/questions/1271899/disable-php-in-directory-including-all-sub-directories-with-htaccess/1272068#1272068]Apache with this[/url], [url=http://redmine.lighttpd.net/wiki/1/TutorialLighttpdAndPHP]in Lighttpd with this[/url] (scroll down to the bottom, 'Per directory PHP config') and nginx... well, nginx has a way too :v:
You could also try setting the mimetype of PHP scripts in your upload dir to be text/plain or something, I don't know if that will stop them being executed though.
[URL]http://up.dafk.net/files/fff94/index.stm[/URL]
[editline]15th October 2010[/editline]
Nevermind, the browser doesn't think it's an SHTML file.
[editline]15th October 2010[/editline]
Only works in IE:
[URL]http://up.dafk.net/files/fff94/thisisthefiletypenooneremembers.mht[/URL]
[url]http://up.dafk.net/files/fff94/index.mht[/url]
[QUOTE=supersnail11;25421616][URL]http://up.dafk.net/files/fff94/index.stm[/URL]
[editline]15th October 2010[/editline]
Nevermind, the browser doesn't think it's an SHTML file.
[editline]15th October 2010[/editline]
Only works in IE:
[URL]http://up.dafk.net/files/fff94/thisisthefiletypenooneremembers.mht[/URL]
[url]http://up.dafk.net/files/fff94/index.mht[/url][/QUOTE]
Oopsie. Noted, will be blocked soon, thanks for the heads up!
[QUOTE=StinkyJoe;25415696]There's also a few extensions there that don't really make sense to be blocked, such as .exe files, and I'll be removing them from the blacklist later today.[/QUOTE]
In rare cases some botnet owners or malware distributors need a host for their .exe(s) to either do installs for other botnet owners (infected computers download new .exe via cmd from current botnet owner) or for some sort of drive-by, like a java embedded drive-by that requires a URL to the .exe to be downloaded onto a victim's computer. To my knowledge not a lot of file hosting sites that offer direct downloading to free users allow .exe uploads (and only direct would work for the situation I've explained above) - however, if a guy does need a host for an exe and built a botnet, he can probably root a box or two and just throw the .exe on there, but hey if dafk is like "yo host your exe's here fuckers!" then I don't see why someone would waste their time elsewhere. But like I said, this is fairly rare for an upload host even though it happens every day (but perhaps if dafk became popular and the hacking community became aware, dafk might end up hosting some naughty stuff).
[QUOTE=SauceHelmet;25423031]In rare cases some botnet owners or malware distributors need a host for their .exe(s) to either do installs for other botnet owners (infected computers download new .exe via cmd from current botnet owner) or for some sort of drive-by, like a java embedded drive-by that requires a URL to the .exe to be downloaded onto a victim's computer. To my knowledge not a lot of file hosting sites that offer direct downloading to free users allow .exe uploads (and only direct would work for the situation I've explained above) - however, if a guy does need a host for an exe and built a botnet, he can probably root a box or two and just throw the .exe on there, but hey if dafk is like "yo host your exe's here fuckers!" then I don't see why someone would waste their time elsewhere. But like I said, this is fairly rare for an upload host even though it happens every day (but perhaps if dafk became popular and the hacking community became aware, dafk might end up hosting some naughty stuff).[/QUOTE]
You better not be getting stoned again tonight. So yeah, if you want to host a .exe on dafk, .rar it first.
That settles it.
[QUOTE=StinkyJoe;25423181]You better not be getting stoned again tonight. So yeah, if you want to host a .exe on dafk, .rar it first.
That settles it.[/QUOTE]
Wasn't trying to steer you in a different direction, feel free to allow exes if you want, and I get stoned every night, and why aren't you on Steam or MSN? Also, the progress bar is broken for me on some file types, like ".r00" (or any .r##); however, I just uploaded a .nfo and the progress bar worked perfectly. Not sure what's going on.
edit: nfo seems to be the only file where the progress bar worked, probably because it's so small the progress bar just jumped to 100% immediately... but at least it was full width and didn't stop 1/4th the way.
Because helmets, thousands of them! I'll be there in a couple of hours, going to watch a movie and get something to eat.
Added .mht to the blacklist, thanks once again, [B][URL="http://www.facepunch.com/member.php?174990-supersnail11"]supersnail11[/URL][/B].
Once again, [I]why[/I] are you blacklisting?
Just force the mimetype.
[QUOTE=X'Trapolis;25424458]Once again, [I]why[/I] are you blacklisting?
Just force the mimetype.[/QUOTE]
Mimetype is no better than extension as it can be faked. The only thing he could use is pattern recognition. PHP has some functions that enable you to look at the binary file and determine what it is and as far as I know, you can't bypass it. It uses signatures to identify the file types and returns a VALID mimetype that you can guarantee is 100% accurate. If this is what you meant then you're right on the money (or perhaps you should clarify what you mean, such as using application/force-download or whatever). Or he could whitelist mimetypes he wishes to allow but that can be quite limiting on which file types get to be uploaded, as there are ones such as .rns, .cpr, etc that are completely safe to have hosted. What I'm unsure about is unknown mimetypes, perhaps they're interpreted as generic and downloaded like an octet-stream. I guess I just don't trust mimetypes unless they're verified, don't want users taking x.php and renaming it to x.jpg, etc.
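An added example (not dafk.net's code) of the signature-based check SauceHelmet describes: PHP's finfo classifies an upload by its leading bytes, so an x.php renamed to x.jpg is still reported as PHP source. The directory, file names and the stored-name scheme are assumptions; libmagic only looks at the start of the file, so a file with a genuine image header followed by script text is reported as an image, which is why the stored name carries no user-chosen extension and why PHP should still be disabled in the upload directory at the web server, as the thread's links describe.

```php
<?php
// Added example, not dafk.net's code. Detect the real type of an upload with
// finfo and reject server-side script, regardless of the extension supplied.
declare(strict_types=1);

// Extensions the web server might hand to an interpreter; never stored under these.
const SERVER_SIDE_EXTENSIONS = ['php', 'phtml', 'php3', 'php5', 'phar', 'shtml', 'stm', 'cgi', 'pl'];
// Signature types libmagic reports for script source we do not want on disk at all.
const SCRIPT_MIMES = ['text/x-php', 'text/x-perl', 'text/x-shellscript'];

/**
 * Returns [detected mime, random stored name] for a temp upload, or throws.
 * The original name is only consulted for its extension; it never reaches disk.
 */
function classify_upload(string $tmpPath, string $originalName): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);            // e.g. "image/gif", "text/x-php"
    if ($detected === false) {
        $detected = 'application/octet-stream';    // no known signature: opaque bytes
    }
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (in_array($detected, SCRIPT_MIMES, true) || in_array($ext, SERVER_SIDE_EXTENSIONS, true)) {
        throw new RuntimeException("rejected: detected $detected, extension .$ext");
    }
    // Random name with no extension, so nothing in the upload dir matches a handler by name.
    return [$detected, bin2hex(random_bytes(8))];
}

// --- constructed sample uploads (not real files from the site) ---
$dir = sys_get_temp_dir() . '/upload-example';
@mkdir($dir);
file_put_contents("$dir/a.jpg", "<?php echo 'hi'; ?>\n");                 // PHP renamed to .jpg
file_put_contents("$dir/b.gif", "GIF89a\x01\x00\x01\x00\x00\x00\x00;");    // tiny real GIF
foreach (['a.jpg', 'b.gif'] as $name) {
    try {
        [$mime, $stored] = classify_upload("$dir/$name", $name);
        echo "$name -> $mime, stored as $stored\n";
    } catch (RuntimeException $e) {
        echo "$name {$e->getMessage()}\n";
    }
}
```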
[url]http://up.dafk.net/files/73afb/Cicada_molting_animated.gif[/url]
5MB File, if anyone wants any speed tests or anything.
I love your choice of flash, but the overall design is a little too simple for my taste.
I personally love something like imgkk had, with lots of features and gadgets thrown at you, that you don't even need 99% of the time.
Things such as image resizing would definitely be a plus.
[QUOTE=StinkyJoe;25415696]We have a blacklist of about 20/30 file extensions that seriously needs some pruning. I'm still torn between flat-out disallowing certain types (.php, .html, etc.) or forcing them to be downloaded. It's something I've got little experience with, and I'm not aware of possible exploits that may come from it (can the forced download be ignored by the client and, say, a .php file be run on the server?).
There's also a few extensions there that don't really make sense to be blocked, such as .exe files, and I'll be removing them from the blacklist later today.[/QUOTE]
You could, using .htaccess, serve all .html and .php files as text documents and force them to be downloaded, without executing any malicious code.
The issue is that if .htaccess is, for any reason, disabled, the site would be vulnerable.
[b]Edit:[/b] Nice avatar, by the way.
clicking the box takes me to meatspin lol what
[QUOTE=SauceHelmet;25426684]Mimetype is no better than extension as it can be faked. The only thing he could use is pattern recognition. PHP has some functions that enable you to look at the binary file and determine what it is and as far as I know, you can't bypass it. It uses signatures to identify the file types and returns a VALID mimetype that you can guarantee is 100% accurate. If this is what you meant then you're right on the money (or perhaps you should clarify what you mean, such as using application/force-download or whatever). Or he could whitelist mimetypes he wishes to allow but that can be quite limiting on which file types get to be uploaded, as there are ones such as .rns, .cpr, etc that are completely safe to have hosted. What I'm unsure about is unknown mimetypes, perhaps they're interpreted as generic and downloaded like an octet-stream. I guess I just don't trust mimetypes unless they're verified, don't want users taking x.php and renaming it to x.jpg, etc.[/QUOTE]
Here's what I do:
When a file is uploaded, I look at the mimetype the browser sends and stick it in the database along with the file. If no mimetype is specified, I set application/x-octet-stream.
Then when I'm serving up the file, I do this:
[code]
Response.ContentType = f.Mimetype.Contains("text/") ? "text/plain" : f.Mimetype;
[/code]
[QUOTE=X'Trapolis;25429703]Here's what I do:
When a file is uploaded, I look at the mimetype the browser sends and stick it in the database along with the file. If no mimetype is specified, I set application/x-octet-stream.
Then when I'm serving up the file, I do this:
[code]
Response.ContentType = f.Mimetype.Contains("text/") ? "text/plain" : f.Mimetype;
[/code][/QUOTE]
And the point of doing so is?
[QUOTE=itsbth;25429979]And the point of doing so is?[/QUOTE]
To allow any file to be uploaded and to respect the mimetype the client provides without opening an XSS hole.
What XSS hole?
[QUOTE=itsbth;25430014]What XSS hole?[/QUOTE]
If someone can upload an HTML file that has a script in it, that script will still be able to access any sensitive cookies your site has set (eg. auth cookies), as it's on the same domain.
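An added example, not dafk.net's or X'Trapolis's code, of the serve-time rule just discussed: anything a browser would render as a document on the site's origin goes out as plain text with a forced download, so an uploaded HTML file cannot run script against the site's cookies. It goes beyond the thread's Contains("text/") check by also catching XML, SVG and JavaScript types, which browsers render or execute too, and by adding nosniff so the browser cannot sniff a .html or .mht back into a document. The header list is returned rather than sent so it can be inspected; the file record fields are assumptions.

```php
<?php
// Added example, not dafk.net's code. Choose response headers for a stored upload
// so browser-rendered content never executes on our origin.
declare(strict_types=1);

// Types a browser would render as a document (and run scripts in) on our origin.
const ACTIVE_CONTENT = [
    'text/html', 'application/xhtml+xml', 'image/svg+xml', 'text/xml',
    'application/xml', 'application/javascript', 'text/javascript',
];

/** Returns the headers to send for one file; $mime is the value stored at upload. */
function download_headers(string $mime, string $displayName): array
{
    $mime = strtolower(trim(explode(';', $mime)[0]));   // drop charset and parameters
    $disposition = 'inline';
    if (in_array($mime, ACTIVE_CONTENT, true)) {
        $mime = 'text/plain';                            // show the source, never render it
        $disposition = 'attachment';
    } elseif (strncmp($mime, 'text/', 5) === 0) {
        $mime = 'text/plain';                            // the thread's text/* rule
    } elseif (!preg_match('#^[a-z0-9.+-]+/[a-z0-9.+-]+$#', $mime)) {
        $mime = 'application/octet-stream';              // missing or malformed: opaque download
        $disposition = 'attachment';
    }
    // Keep the user-chosen name out of header syntax.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $displayName);
    return [
        "Content-Type: $mime",
        "Content-Disposition: $disposition; filename=\"$safeName\"",
        'X-Content-Type-Options: nosniff',                // no sniffing text/plain into HTML
        'Content-Security-Policy: sandbox',               // if rendered anyway: no script, opaque origin
    ];
}

// --- constructed stored records, not real dafk.net uploads ---
foreach (['text/html', 'image/gif', 'image/svg+xml', 'text/x-csrc; charset=utf-8', ''] as $m) {
    echo ($m === '' ? '(none)' : $m) . "\n  " . implode("\n  ", download_headers($m, 'index.mht')) . "\n";
}
```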