Again, I'm a big fan so far of the project. I'm definitely gonna work on it for a little and try and get it to a point where I feel comfortable releasing it to my site, adding and changing stuff to my own liking. Have you run into any issues with having the original file names saved? Definitely a situation where you'd want to escape the name just for safety. Mainly I was wondering if you chose hashed file names for a compatibility/security reason or out of design choice. Have you considered having an "instances" section in the readme.md, able to show public instances running this software? (If people make a pull request to have their website/instance added anyway) - just a quick thought/question, I've seen it done with LibreY and I liked the concept personally. What's your preferred method of contact if you don't mind? I'd enjoy discussing certain ideas/questions as they come up in a non-public space, if you're up for it. Twitter, Discord, WhatsApp?

For the hashing, it is there so the same file can be uploaded more than once, because I am generating a new file id for each upload. I might look for a better method to handle this. For other contact channels you can try me on Discord: fariscode.

That makes sense. I'm thinking of having the file saved as a hashed version, but saving the filename in plaintext in the database to show/download as. I also came up with this, but it doesn't seem ideal for me, just functional
At the moment I'm looking into just having hash_id as the file name on disk, as that would not allow duplicate files (for the same user) to exist, and would allow file_name to be the actual file name without the issue you brought up.

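The scheme discussed in the two posts above (opaque name on disk, original name in a file_name column, escaping only at output), as an added example that is not code from this thread or from the project. It assumes a PDO connection, an uploads directory, and a files table with user_id, hash_id and file_name columns.

```php
<?php
// Added example, not code from the project discussed in this thread.
// Assumes a PDO connection, an upload directory, and a `files` table with
// columns user_id, hash_id and file_name (the column the thread proposes).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads'; // assumed location

function storeUpload(PDO $pdo, int $userId, array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // The on-disk name is the content hash: opaque, never built from user
    // input, and identical content maps to a single on-disk file.
    $hashId = hash_file('sha256', $file['tmp_name']);
    // Keep only the base name so "../x" style names cannot leave the directory.
    $original = mb_substr(basename($file['name']), 0, 255);
    $dest = UPLOAD_DIR . '/' . $hashId;
    if (!file_exists($dest) && !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move upload');
    }
    // file_name is stored as given; escaping happens at output, not at storage.
    $stmt = $pdo->prepare('INSERT INTO files (user_id, hash_id, file_name) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $hashId, $original]);
    return $hashId;
}

// my_files.php style listing: escape when rendering the name into HTML.
function displayName(string $fileName): string
{
    return htmlspecialchars($fileName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// download.php style handler: resolve by hash id only, sanitise the header value.
function sendDownload(PDO $pdo, string $hashId): void
{
    if (!preg_match('/^[a-f0-9]{64}$/', $hashId)) { http_response_code(404); return; }
    $stmt = $pdo->prepare('SELECT file_name FROM files WHERE hash_id = ? LIMIT 1');
    $stmt->execute([$hashId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { http_response_code(404); return; }
    // Replace anything outside a conservative set so the header stays well-formed.
    $safeName = preg_replace('/[^A-Za-z0-9._\- ]/', '_', $row['file_name']) ?: 'download';
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    readfile(UPLOAD_DIR . '/' . $hashId);
}
```

Because several rows can point at one on-disk file, a delete must unlink the file only when no other row still references that hash_id.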
What're your thoughts on implementing this
MIME/File Extension Protection is optional, change via admin dashboard (allows users to change theme without being signed in)
And for now, I think I'm probably just going to privately work on my instance until I'm done. It's a headache to try and work with GitHub, keeping my local changes up to date with my repository; the fact that I cannot make pull requests with specific commits but only the entire branch of changes is also frustrating.
I'd also have to suggest, in installLogic.php, adding something to either move or delete install.php once installation is done. Probably moving the file, renaming it to have random characters suffixed, would suffice.
On download.php, you could change the existing method of saving the qrcode to the DB to -- suggestion (I may work on this myself):
To-Do (on my end):
Currently, if I upload a file like
The filter.json is to prevent that, but I'm going down an alternative route that allows uploading of any file type without security concern.

Solution: (Sorry these aren't packaged into a nice commit for you!) This does not cover the database changes; a column with the name file_name needs to exist within the files table. This is also potentially crude. I'm okay with it the way it is, but you may want to pretty it up a bit in your own way before implementing, or change it to your style (e.g. all that I've added isn't within a class construct yet or anything). I'll probably develop this further, but I was excited to share. This isn't the latest version of changes on my end; this is rather meant to be a guide as to how you can implement such a concept. Do with it what you will!
UploadHandler.php
Upload.php (inside the phpfileuploading package)
upload_file.php
download.php
downloadLogic.php (at the end)
myFilesLogic.php
my_files.php
admin/session.php
admin/logic/homeLogic.php
admin/index.php
admin/files/logic/viewLogic.php
admin/files/view.php
Add these functions (I made a new file called utils.php in 'src' and included it in session.php under init.php):
dl.php
Now, why have the URL encrypted, you might ask?
To fix the download count (it always stays null), in dl.php add (below session.php)
downloadLogic.php, remove
I'm pretty happy to have also made the download count functional! Before, downloads always stayed at NULL; now they increment with every download. (A workaround is to remove file_id from the GET params, but that's not a huge cause for concern, I hope.) Alternatively, keep your existing method but at least fix addDownload (UploadHandler.php), change

Another suggestion: less storage used in the database, which is essential for big operations. To be able to remove qrcode/directlink/deletelink/editlink in getJSON():
In my_files.php
In download.php
editFilesLogic.php
qrcode/directlink/deletelink/editlink are not used anywhere else in the project to my knowledge.
Issues to fix: Downloadlink/deletelink temporarily stays until I fix the JavaScript aspect, which requires it!

Yet another suggestion: Move this snippet to before

Issue: admin/users/actions/new.php
instead of
Also, I don't know if you'd be interested, but I've implemented it in my own instance. This function prioritizes Argon2ID over bcrypt when it's available. It dynamically calculates memory, cost, and threads based on the current system's available resources. Overall, it's fairly good. Give me your thoughts if you can. https://github.com/dehlirious/php_argon2id/blob/main/argon2id.php Here's how it operates:
The function's adaptability makes it a solid choice for secure password hashing, providing scalability and robustness for a wide range of application scenarios.
What's left to do (maybe): On signin, run password_needs_rehash. Technically speaking, having it in the function above is pointless, but I added it regardless. The correct way would be, on each signin, to run password_needs_rehash to determine if the stored hashed password needs to be rehashed, then rehash if necessary. I'll make a function for this later. If you wanted to implement it, you'd have to modify

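The flow the post above describes (prefer Argon2id when PHP has it, fall back to bcrypt, and on sign-in run password_needs_rehash and upgrade the stored hash), as an added illustration that is neither the linked argon2id.php nor the project's own code. The cost parameters are assumed fixed baselines; the linked helper derives them from system resources instead.

```php
<?php
// Added illustration, not the linked argon2id.php and not the project's code.
// Prefers Argon2id when this PHP build provides it, falls back to bcrypt, and
// shows the sign-in path that upgrades a stored hash via password_needs_rehash.
declare(strict_types=1);

// Assumed fixed baselines; the linked helper derives these from system resources.
function passwordAlgo(): array
{
    if (defined('PASSWORD_ARGON2ID')) {
        return [PASSWORD_ARGON2ID, ['memory_cost' => 65536, 'time_cost' => 4, 'threads' => 1]];
    }
    return [PASSWORD_BCRYPT, ['cost' => 12]];
}

function hashPassword(string $plain): string
{
    [$algo, $opts] = passwordAlgo();
    return password_hash($plain, $algo, $opts);
}

// Verifies the password and returns a replacement hash when the stored one
// was made with an older algorithm or weaker parameters, null otherwise.
// The sign-in logic persists a non-null result to the users table.
function verifyAndMaybeRehash(string $plain, string $storedHash): ?string
{
    if (!password_verify($plain, $storedHash)) {
        throw new RuntimeException('Invalid credentials');
    }
    [$algo, $opts] = passwordAlgo();
    return password_needs_rehash($storedHash, $algo, $opts) ? hashPassword($plain) : null;
}

// Constructed walk-through: an account hashed with bcrypt at a low cost before
// the policy changed is upgraded transparently on its next successful sign-in.
$legacy   = password_hash('correct horse battery', PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = verifyAndMaybeRehash('correct horse battery', $legacy);
if ($upgraded !== null) {
    // Store $upgraded in place of $legacy; the new hash still verifies.
    var_dump(password_verify('correct horse battery', $upgraded));
    var_dump(password_get_info($upgraded)['algoName']);
}
```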
So, I've set SMTP settings for Gmail,
No errors at all, so I made a modification in Mailer.php, adding
error_log($th->getMessage());
after
catch (Exception $th) {
in sendMessage
"PHP message: SMTP Error: Could not authenticate"
-> weird. This issue is on my end, not the code's end, but I want to point out:
This was all while reportabuse.php is showing
Your report has been submitted successfully
So, log errors in some form + why not display if there was "an internal server error" that prevented the email from sending?
There are no errors if SMTP is completely disabled either, so it's something to think about.
Apparently the issue I was having with authentication is due to this, switching to something like this worked just fine. Sorry for jumping
Also there was an issue I fixed here where the "Add Page" (manage pages) button was not functional due to there being no
element set (even though was set). Why don't any default 'translations' exist for about/privacy/terms?
It would be kinda nice (but unnecessary ultimately) to be able to add 'allowed' file extensions beyond editing
vendor/farisc0de/phpfileuploading/src/filter.json
I know of the functionality inside /src/Upload.php but I haven't narrowed it down to find the exact piece yet.
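The behaviour the post above asks for (log the transport failure server-side and show the user that the report was not sent instead of a success message), as an added example that is not the project's Mailer.php or reportabuse.php. $transport is an assumed callable that throws on SMTP failure, standing in for whatever mail library the project uses.

```php
<?php
// Added example, not the project's Mailer.php. $transport is an assumed
// callable that throws on SMTP failure, standing in for a mail library's send().
declare(strict_types=1);

final class Mailer
{
    /** @var callable(string,string,string):void */
    private $transport;

    public function __construct(callable $transport)
    {
        $this->transport = $transport;
    }

    // Returns true on success. On failure the cause is logged server-side
    // (never the SMTP credentials) and false is returned to the caller.
    public function sendMessage(string $to, string $subject, string $body): bool
    {
        try {
            ($this->transport)($to, $subject, $body);
            return true;
        } catch (Throwable $th) {
            error_log(sprintf('Mailer::sendMessage to %s failed: %s', $to, $th->getMessage()));
            return false;
        }
    }
}

// reportabuse.php style caller: branch on the result rather than assuming success.
function submitReport(Mailer $mailer, string $adminEmail, string $report): string
{
    if ($mailer->sendMessage($adminEmail, 'Abuse report', $report)) {
        return 'Your report has been submitted successfully';
    }
    // Generic message for the user; the SMTP detail stays in the server log.
    return 'An internal server error prevented your report from being sent. Please try again later.';
}

// Constructed transport that fails the way a misconfigured SMTP login would.
$failing = function (string $to, string $subject, string $body): void {
    throw new RuntimeException('SMTP Error: Could not authenticate');
};
echo submitReport(new Mailer($failing), 'admin@example.com', 'constructed report text'), PHP_EOL;
```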