- hey /tech/ I wrote new imageboard software over the past week, can you try and hack into it to find security vulnerabilities and shit
- http://nanochanxv2lxnqi.onion
- ___________________________________
- I forgot to mention that it doesn't have any javascript
- ___________________________________
- It does need the referer header and cookies, but only if you're logged in as moderator and using the mod tools. Normal users don't need cookies or referer.
- Honestly I don't know why the fuck 8chan even needs the referer to post, it's super easy to implement posting without referer.
- ___________________________________
- Here's the source code if anyone wants it for some reason. ~1800 lines of lua.
- The image processing code is absolute shit
- https://files.catbox.moe/wy7nu1.lua
- ___________________________________
- eh, it's fine, I didn't have any problems with it (and it's better than PHP at least). Speed is ok, I used a bot to post as fast as possible (accessing from localhost to eliminate tor latency) and I could manage about 20 posts per second or thereabouts.
- The main problem I have is the image processing code. It takes around 5 seconds to process an 8 MiB file (which is the current limit that I've set), because I couldn't find a proper image library which wasn't outdated as fuck (as a result I had to use external imagemagick to make thumbnails).
- ___________________________________
- it's not, fucking retard, works perfectly fine for me on the hidden service
- ___________________________________
- it was possible, but I've fixed it now, thanks for pointing it out
- regardless, I made a board owner account (board owner of /test/)
- username: xss
- password: 123456
- ___________________________________
- not the worst piece of spaghetti I've written...
- any recommendations on how to do it better?
- ___________________________________
- I know, it's horrible (but only really noticeable with files above 2mb). I'm working on optimizing that shit, I have a fairly good idea of which functions are taking a long time. The problem is basically that copying 8mb of data around is bad for performance, so I have to minimize that.
- ___________________________________
- everything is good - apart from image processing, which is total shit.
- I've located the problem, hopefully image uploading will be much better by tomorrow (and then I can raise the filesize limit to 16 or 32 MiB).
- ___________________________________
- OP here. I'm thinking of using haserl (CGI wrapper) in my script instead of doing all the CGI parsing/conversion manually. What do you think of it? I think that it would help me reduce the amount of code, and also potentially make everything faster because haserl handles the image uploads for me in a "proper" way as opposed to the retarded method that I'm using at the moment.
- Any issues with haserl?
- https://manpages.ubuntu.com/manpages/xenial/man1/haserl.1.html
- ___________________________________
- perl is gay
- after I've perfected the lua version, I might try and re-implement nanochan in C for shits and giggles
- ___________________________________
- How am I supposed to store a single value not attached to a table? Is there even a way to do that?
- ___________________________________
- in a fucking sqlite database, nigger
- I can't go around creating billions of little text files for all the little variables that I need to store
- ___________________________________
- hey I got an idea
- what about making the global table just be a name/value table, with the name storing a string such as "Announcement" and value storing the actual announcement itself, that way if I wanted to create more global settings it would be easy
- then just SELECT Value FROM GlobalConfig WHERE Name = 'Announcement' etc.
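One way the name/value GlobalConfig table sketched above can be read and written from Lua, as an added example that is not part of the original post or of the nanochan source. It assumes the lsqlite3 module; the function names and the sample rows are mine.

```lua
-- Added example, not the nanochan source: the name/value GlobalConfig table
-- from the post above, read through lsqlite3 prepared statements so the
-- setting name is bound as a parameter rather than spliced into the SQL.
-- Uses an in-memory database with constructed rows so it runs stand-alone.
local sqlite3 = require("lsqlite3")
local db = assert(sqlite3.open_memory())
assert(db:exec([[
  CREATE TABLE IF NOT EXISTS GlobalConfig (
    Name  TEXT PRIMARY KEY,
    Value TEXT NOT NULL
  );
]]) == sqlite3.OK)

-- Returns the stored value for `name`, or nil if no such setting exists.
local function get_config(name)
  local stmt = assert(db:prepare("SELECT Value FROM GlobalConfig WHERE Name = ?"))
  stmt:bind_values(name)
  local value
  if stmt:step() == sqlite3.ROW then value = stmt:get_value(0) end
  stmt:finalize()
  return value
end

-- Inserts or replaces a setting; adding a new setting needs no schema change.
local function set_config(name, value)
  local stmt = assert(db:prepare(
    "INSERT OR REPLACE INTO GlobalConfig (Name, Value) VALUES (?, ?)"))
  stmt:bind_values(name, value)
  assert(stmt:step() == sqlite3.DONE)
  stmt:finalize()
end

set_config("Announcement", "Boards reopen once the spam wave is dealt with.")
set_config("MaxFileSize", "16777216")  -- 16 MiB, stored as text, converted on read

print(get_config("Announcement"))
assert(tonumber(get_config("MaxFileSize")) == 16 * 1024 * 1024)
-- Quote characters in a looked-up name are data, not SQL: the lookup simply
-- finds no row, and the same holds for names supplied through a moderator form.
assert(get_config("' OR 1=1 --") == nil)
```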
- ___________________________________
- you do realize this is a CGI program, right? I have to write all data to disk between page accesses.
- I have, though, played with the idea of storing the nanochan.db in a memory-backed filesystem, and then have a cronjob copying it to disk every once in a while to account for crashes/power failures/whatever.
- I just haven't gotten around to doing it yet because there's a much bigger, macroscopic problem with image uploading which causes the program to spend a few seconds processing the image when it shouldn't take that long.
- if you make a big deal about the little announcement message I bet your head's gonna fucking blow off when you see my HTTP request handlers (which I'm in the process of fixing right now)
- ___________________________________
- No. The script gets re-executed from the beginning with every page request (i.e. deleting all environment variables upon restart); that's how the CGI protocol works. I have to store things to disk. There is no better way to do it.
- ___________________________________
- Use /meta/. Mods are supposed to watch it (although at the moment it's just me).
- The report system on 8chan sucks ass; it'd be easier to just make a post in a meta thread telling mods exactly what the problem is. That's why /meta/ exists.
- Also, I rolled the database back to what it was yesterday because I made a retarded mistake and deleted something. I will keep more regular backups from now on.
- The xss test account has been removed.
- ___________________________________
- OP here. I just rolled an upgrade which is live at http://nanochanxv2lxnqi.onion
- 1. A Content-Security-Policy HTTP header has been implemented. This prevents the loading of any resources outside the nanochan server. It also prevents any javascript from executing on nanochan; in other words, nanochan is now totally immune to XSS of any type.
- 2. Links to external websites no longer send a referrer, even if the browser has referrers enabled. This is NOT the case on 8chan.
- 3. File uploading speeds have been increased greatly. As such, the filesize limit has been raised to 16MiB.
- 4. Minor CSS improvements to the file upload form.
- Here's a link to the new source code: https://files.catbox.moe/9drdth.lua Still around 1800 lines of code since I managed to cut out a lot of the useless bloat while adding features.
- What new features do you guys want to see next?
- >webm/mp4/pdf uploading
- >overboard
- >recent posts list on the front page
- etc.
- Code improvements/suggestions are also welcome, I'll be putting some of the duplicated code into functions when I get more free time.
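What points 1 and 2 of that changelog look like at the CGI level, as an added example rather than the nanochan code: the header block a CGI script writes before the body, with the policy values the post describes. The function names are mine, and the escaping helper is the caveat that goes with a CSP: it stops script execution, not HTML injection.

```lua
-- Added example, not the nanochan source: the header block a CGI script
-- writes before the page body. Policy values follow the post above (only
-- same-origin resources, no script, no referrer on outbound links); the
-- function names are mine.
local function response_headers(content_type)
  local csp = table.concat({
    "default-src 'self'",      -- images, CSS, fonts, forms: this origin only
    "script-src 'none'",       -- no script execution, inline or external
    "object-src 'none'",
    "frame-ancestors 'none'",  -- also refuses framing by other sites
    "form-action 'self'",
  }, "; ")
  local headers = {
    "Content-Type: " .. content_type,
    "Content-Security-Policy: " .. csp,
    "Referrer-Policy: no-referrer",     -- external links carry no Referer
    "X-Content-Type-Options: nosniff",  -- uploads are served as declared
  }
  -- CGI header lines end in CRLF; an empty line separates them from the body.
  return table.concat(headers, "\r\n") .. "\r\n\r\n"
end

-- CSP blocks script execution in browsers that enforce it; it does not make
-- untrusted text safe to embed in HTML, so post bodies are still escaped.
local function html_escape(s)
  return (s:gsub("[&<>\"']", {
    ["&"] = "&amp;", ["<"] = "&lt;", [">"] = "&gt;",
    ['"'] = "&quot;", ["'"] = "&#39;",
  }))
end

-- Constructed post body containing markup that must not be rendered as such.
local body = "<script>alert(1)</script> see <b>/meta/</b>"
io.write(response_headers("text/html; charset=utf-8"))
io.write("<!DOCTYPE html><html><body><p>", html_escape(body), "</p></body></html>\n")
```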
- ___________________________________
- And for clearnet niggers, you can use https://nanochanxv2lxnqi.onion.sh although it is a bit slower than using the normal onion address.
- ___________________________________
- maybe. I originally made it because I didn't like chodekikey's mismanagement of /pol/ but I will wait until after the midterms before shilling over there.
- Nothing special about it, just the first one that actually worked and didn't time out or give some sort of error.
- ___________________________________
- the real reason I originally chose for nanochan to be a tor HS was because of the following advantages it gives:
- >semi-immunity to DDoS
- >doesn't need (((certificate authorities))), but is still an encrypted connection
- >doesn't need DNS and (((ICANN))) but still has a semi-memorable name
- >anonymity for both the server owner (me) and the users
- now regarding whether /pol/ users will move, idk. Depends on whether chodemonkey does anything else retarded over the next few weeks/months, or whether the spam/pajeet/cuckchan posting gets worse. It's pretty easy to estimate the number of tor users based on the number of posts with id 000000, there aren't that many but there are some - and most people know about the existence of tor at least, which is better than e.g. mewch where people asked me "HURR WHAT KIND OF LINK IS DAT" when they saw the .onion at the end.
- ___________________________________
- Some nigger faggot was spamming nanochan, so I've implemented a per-board-configurable limit on the number of threads per hour. It's set to 6 at the moment, should be enough for a whole day of spam without me watching - legitimate thread creation doesn't happen that fast anyway.
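A per-board threads-per-hour limit of the kind that post describes, as an added example that is not the nanochan code. It assumes lsqlite3, invented Boards and Threads tables, and the limit of 6 the post mentions; the check and the insert run inside one write transaction because every CGI request is a separate process.

```lua
-- Added example, not the nanochan source: a per-board thread-creation limit
-- enforced from SQLite via lsqlite3. Table and column names are assumptions;
-- six threads per hour is the value the post gives. Rows are constructed.
local sqlite3 = require("lsqlite3")
local db = assert(sqlite3.open_memory())
assert(db:exec([[
  CREATE TABLE Boards  (Name TEXT PRIMARY KEY, ThreadsPerHour INTEGER NOT NULL);
  CREATE TABLE Threads (Board TEXT NOT NULL, Created INTEGER NOT NULL);
  INSERT INTO Boards VALUES ('test', 6);
]]) == sqlite3.OK)

-- Runs a query with bound parameters and returns column 0 of its first row.
local function query_one(sql, ...)
  local stmt = assert(db:prepare(sql))
  stmt:bind_values(...)
  local v
  if stmt:step() == sqlite3.ROW then v = stmt:get_value(0) end
  stmt:finalize()
  return v
end

-- Sliding one-hour window: count the board's threads newer than now - 3600.
-- Unknown boards are refused rather than treated as unlimited.
local function thread_allowed(board, now)
  local limit = query_one("SELECT ThreadsPerHour FROM Boards WHERE Name = ?", board)
  if limit == nil then return false, "no such board" end
  local recent = query_one(
    "SELECT COUNT(*) FROM Threads WHERE Board = ? AND Created > ?", board, now - 3600)
  if recent >= limit then return false, "thread limit reached" end
  return true
end

local function create_thread(board, now)
  -- BEGIN IMMEDIATE takes the write lock before the check, so two CGI
  -- processes serving requests at once cannot both pass it and both insert.
  assert(db:exec("BEGIN IMMEDIATE") == sqlite3.OK)
  local ok, why = thread_allowed(board, now)
  if ok then
    local stmt = assert(db:prepare("INSERT INTO Threads (Board, Created) VALUES (?, ?)"))
    stmt:bind_values(board, now)
    assert(stmt:step() == sqlite3.DONE)
    stmt:finalize()
  end
  assert(db:exec("COMMIT") == sqlite3.OK)
  return ok, why
end

-- Constructed burst: six threads pass, the seventh is refused, an hour later posting works.
local t0 = 1540000000
for i = 1, 6 do assert(create_thread("test", t0 + i * 10)) end
assert(not create_thread("test", t0 + 70))
assert(create_thread("test", t0 + 3700))
```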
- ___________________________________
- and splinter the userbase into 10,000 different tiny little shitboards? no thanks
- people naturally gravitate to the legacy board names anyway
- ___________________________________
- The image processing problem has been fixed. The time for uploading an image is now only around 5% more than the time it takes to simply hash the data and run imagemagick to generate the thumbnails.
- I'm sure I could optimize it further and I will do so, though.
- ___________________________________
- Overboard has been implemented.
- ___________________________________
- Unfortunately, I chose to use lua 5.3 for this project because muh new features n'shiiiieet. It's probably not hard to convert to lua 5.1 (which is what luajit can use), though. If speed ever becomes a problem I will keep luajit in mind.
- ___________________________________
- On this ~16mb file (which I can't upload here because my VPN is too slow and 8chan would crap out), generating a 200x200 thumbnail takes 7.9 seconds with GM while taking 8.6 seconds with IM. Similar results with other large images. I'm sold on that one.
- but fucking OUCH that 8-second waiting time to upload an image... nice to know it's not my fault though. At least subsequent uploads are way faster because no thumbnail or catalog icon needs to be generated.
- ___________________________________
- PDF uploads are now working.
- WEBM and MP4 soon, that will involve the use of ffmpeg I'm sure.
- ___________________________________
- They didn't do it again today. Must have been some skiddie who couldn't get past the spam protection.
- ___________________________________
- pfff I spoke too soon
- Luckily it's easy to delete because there isn't much of it and there is a limit on the number of threads he can create.
- >this level of butthurt
- ___________________________________
- Tell me the OS and the hostname. I'm pretty sure you're bullshitting, but I need to make sure.
- ___________________________________
- Wouldn't be hard to do, considering the existence of libraries like lua-cjson. However, for the next one or two days I will focus on minor improvements and code cleanup. Then, I will implement webm/mp4 support, and after that comes the features like the JSON API.
- I won't make it compatible with vichan but I will make sure to provide all the necessary information for people to write their own clients, if anyone wants to.
- ___________________________________
- After a week I have come to the conclusion that it is impossible to prevent the bot spam without doing one or more of the following:
- >removing anonymity (i.e. reddit style account creation)
- >adding javashit (proof of work function)
- >removing compatibility with text browsers (image captcha)
- >getting off tor (removing more anonymity)
- >adding prohibitive posting restrictions
- Since the solution to the problem requires the addition of one or another cancer to the software, all boards on Nanochan will be locked indefinitely.
- It was a good run. Kind of.