from 0807@lemmy.world to selfhosted@lemmy.world on 18 Jun 18:28
https://lemmy.world/post/48333988
I run 0807, a small self-hosted file host. Drop a file, get a short link, and choose when it disappears.
What it does:
- No account, no ads, no trackers
- Auto-delete by time (1 hour up to 30 days, or never) or after a set number of downloads
- Optional password protection on files and on text notes
- Files up to 20 GB, with 16 TB of storage behind it
- Reachable over Tor through an onion service
- Text notes with the same self-destruct and password options
- A few file types are blocked for safety (exe, bat, scripts, and similar)
PS: there is no end-to-end encryption, and that is deliberate. The server can read what is stored.
I want to be able to take illegal uploads down when they get reported, CSAM in particular.
End-to-end encryption would make the server blind to its own contents, which is great for privacy but would also stop me from acting on those reports.
If you need real secrecy, encrypt the file before you upload it. The password option is there for casual privacy (not as protection from me or from whoever might get into the server.)
The code is open, and I host it the same way I host the files, on my own server instead of HERE .
You can read it, propose a change, or open an issue there, no account needed
Happy to answer questions about the setup or take feedback.
#selfhosted
threaded - newest
Is the name of the service a reference to anything?
What happens if you run out of space because of too many uploads that are set to never expire?
(Also it’s neat! Thanks!)
Hello, yes, the name refers to the webtoon (08/07). It’s an anthology of horror stories. www.webtoons.com/en/canvas/0807/list?title_no=848…
As for the stored files whose retention period is set to never they do indeed remain online I monitor their status rather than letting them accumulate unchecked.
There is a configurable storage limit and once it’s reached, the server blocks any new uploads instead of silently deleting or overwriting existing files.
There’s also an (optional cleanup feature) for files that haven’t been used in a long time, which I can enable if I ever run out of space.
With 16 TB, I have plenty of leeway and since I manage the server myself I can add disks or sort through the files manually if necessary. No files without an expiration date are automatically deleted.
And thanks I’m glad you like it :)
Do you mitigate potential abuse where someone deliberately tries to upload as much as they can as fast as possible?
Introducing my totally real image called calc.jpg that is totally not a pe file with a different extension! Anyway, prepare to have your file hoster be used to host malware payloads
I was thinking surely it doesn’t just look at the extension and instead uses the mime type at the backend… After looking for a minute (on mobile) I think thats what it does.
You read it right, BLOCKED_EXT is just an extension list and renaming walks straight past it. But that list was never the malware check, it only stops someone uploading payload.exe
Mime sniffing wouldn’t have caught it either, since that value rides along in the request and a renamed upload just lies about it.
The actual defense is ClamAV, same file if you grep clamScan and CLAMAV_SCAN, and it reads what’s inside the file instead of the name. I tried the calc.jpg trick for real, an EICAR test renamed to calc.jpg sent as image/jpeg, and the upload came back refused.
Clamav is woefully behind on definitions, just be aware of that.
you can install updated filters for it, though. Just check out fangfrisch.
Linux systems don’t rely on extensions to tell a file’s type afaik
never underestimate how fucked up the internet can be, and how quickly they can ruin things.
For filehosts probably at least 90% of all uploads are illegal if you ask a copyright lawyer. 🥴 But that’s mostly just people sharing culture.
Of course damn CSAM is a different (and actual) kind of issue and plain awful to deal with. If I remember correctly some organisation from the US provides a free list of checksums of known crap that’s circulating to automatically check media file signatures against, I think that’s the first thing I’d look for to have some baseline defense against those disgusting fucks. Or (depending on your jurisdiction) even be compatible with the law for public hosting services.
Better use Tor & a trustworthy search engine when looking for infos how to implement such an upload filter, I wouldn’t trust automated systems from Google to not misinterpret your intention with these topics.
I’d say that’s the most accurate comment. In life (and even more so on the Internet), people tend to destroy more than they create.
The Internet is a good thing, given all it offers us, but unfortunately there are downsides (a lot of weirdos, for example)
Hey, hey, hey! Welcome back @0807.! You’ve made some changes, polished it up a bit, made it selfhostable. Awesome! I could see this being used ‘inhouse’. I’m wouldn’t be comfortable exposing this to the general public tho, for obvious reasons. The internet can be a very beneficial tool, but at the same time be a filthy, rotten, cespool. I’d rather not get dirty. I have bookmarked the source files at src.0807.st, and dropped it in my projects folder. Thanks again for sharing your project.
Hi, first of all, thanks for the kind comment, @irmadlad
Yes, you probably saw my old post (which was incomplete) and which I ended up deleting. I’ve been able to add quite a few useful things to the project, and I’ll continue to maintain it and upload updates to the subdomain (src.0807.st)
And of course, I’ll always advise people to run this locally to minimize risk :)
That’s totally awesome dude. Is this your first project or maybe your first project you’ve released?
Thank you for making this!
Do you keep in touch with the other folks who run cool filehosts? The only other one i know like this is catbox, but it is a similar vibe.
Hi, first of all thanks for the nice comment.
And yes, I’m in touch with some people who run file-hosting services, and they’ve helped me a lot.
Catbox is a good file-hosting service, but unfortunately it doesn’t support files larger than 200MB