
nanochan admin

a guest
Nov 4th, 2018
hey /tech/ I wrote new imageboard software over the past week, can you try and hack into it to find security vulnerabilities and shit
http://nanochanxv2lxnqi.onion

___________________________________

I forgot to mention that it doesn't have any javascript

___________________________________

It does need the referer header and cookies, but only if you're logged in as a moderator and using the mod tools. Normal users don't need cookies or referer.
Honestly I don't know why the fuck 8chan even needs the referer to post, it's super easy to implement posting without referer.

___________________________________
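
The post above splits the site into two paths: anonymous posting that needs neither a cookie nor a Referer, and moderator actions that need both. The following is an added example in Python (nanochan itself is written in Lua, and none of this is taken from its source) of how that split looks as a CSRF check: a mod action must carry a live session cookie, a same-site Origin or Referer, and a token bound to the session with HMAC, while an anonymous post is judged only on its form body. `SITE_HOST` is the onion host from the thread; `SECRET`, the session set and all function names are assumptions.

```python
# Added example, not nanochan's Lua code. Anonymous posting needs neither a
# cookie nor a Referer; moderator actions must carry a session cookie, a
# same-site Origin/Referer, and a CSRF token bound to that session.
# SITE_HOST is the onion host from the thread; SECRET, the sessions set and
# the function names are assumptions.
import hashlib
import hmac
import os
from urllib.parse import urlsplit

SITE_HOST = "nanochanxv2lxnqi.onion"
SECRET = os.urandom(32)  # assumed: a CGI program would read this from disk


def csrf_token(session_id: str) -> str:
    """Derive the token from the session id with HMAC, so no extra table is needed."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def same_site(headers: dict) -> bool:
    """Prefer Origin, fall back to Referer; accept only our own host."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return urlsplit(src).hostname == SITE_HOST


def mod_action_allowed(headers: dict, cookies: dict, form: dict, sessions: set) -> bool:
    """Every check must pass: live session, same-site request, valid token."""
    sid = cookies.get("session")
    if sid is None or sid not in sessions:
        return False
    if not same_site(headers):
        return False
    supplied = form.get("csrf", "").encode()
    return hmac.compare_digest(supplied, csrf_token(sid).encode())


def anon_post_allowed(form: dict) -> bool:
    """Normal users: only the form body is consulted, no cookie, no Referer."""
    return bool(form.get("comment", "").strip())
```

A browser sends Origin on cross-site POSTs even when Referer is suppressed, which is why it is checked first; the token is still needed because an attacker who can make the victim's browser send a same-site request (for example from injected markup) would pass the header check alone.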

Here's the source code if anyone wants it for some reason. ~1800 lines of lua.
The image processing code is absolute shit
https://files.catbox.moe/wy7nu1.lua

___________________________________

eh, it's fine, I didn't have any problems with it (and it's better than PHP at least). Speed is ok, I used a bot to post as fast as possible (accessing from localhost to eliminate tor latency) and I could manage about 20 posts per second or thereabouts.
The main problem I have is the image processing code. It takes around 5 seconds to process an 8 MiB file (which is the current limit that I've set), because I couldn't find a proper image library which wasn't outdated as fuck (as a result I had to use external imagemagick to make thumbnails).

___________________________________

it's not, fucking retard, works perfectly fine for me on the hidden service

___________________________________

it was possible, but I've fixed it now, thanks for pointing it out
regardless, I made a board owner account (board owner of /test/)
username: xss
password: 123456

___________________________________

not the worst piece of spaghetti I've written...
any recommendations on how to do it better?

___________________________________

I know, it's horrible (but only really noticeable with files above 2 MB). I'm working on optimizing that shit, I have a fairly good idea of which functions are taking a long time. The problem is basically that copying 8 MB of data around is bad for performance, so I have to minimize that.

___________________________________

everything is good - apart from image processing, which is total shit.
I've located the problem, hopefully image uploading will be much better by tomorrow (and then I can raise the filesize limit to 16 or 32 MiB).

___________________________________

OP here. I'm thinking of using haserl (CGI wrapper) in my script instead of doing all the CGI parsing/conversion manually. What do you think of it? I think that it would help me reduce the amount of code, and also potentially make everything faster because haserl handles the image uploads for me in a "proper" way as opposed to the retarded method that I'm using at the moment.
Any issues with haserl?
https://manpages.ubuntu.com/manpages/xenial/man1/haserl.1.html

___________________________________

perl is gay
after I've perfected the lua version, I might try and re-implement nanochan in C for shits and giggles

___________________________________

How am I supposed to store a single value not attached to a table? Is there even a way to do that?

___________________________________

in a fucking sqlite database, nigger
I can't go around creating billions of little text files for all the little variables that I need to store

___________________________________

hey I got an idea
what about making the global table just be a name/value table, with the name storing a string such as "Announcement" and value storing the actual announcement itself, that way if I wanted to create more global settings it would be easy
then just SELECT Value FROM GlobalConfig WHERE Name = 'Announcement' etc.

___________________________________

you do realize this is a CGI program, right? I have to write all data to disk between page accesses.
I have, though, played with the idea of storing the nanochan.db in a memory-backed filesystem, and then have a cronjob copying it to disk every once in a while to account for crashes/power failures/whatever.
I just haven't gotten around to doing it yet because there's a much bigger, macroscopic problem with image uploading which causes the program to spend a few seconds processing the image when it shouldn't take that long.
if you make a big deal about the little announcement message I bet your head's gonna fucking blow off when you see my HTTP request handlers (which I'm in the process of fixing right now)

___________________________________

No. The script gets re-executed from the beginning with every page request (i.e. deleting all environment variables upon restart); that's how the CGI protocol works. I have to store things to disk. There is no better way to do it.

___________________________________
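
Two things from the posts above go together: the proposed name/value `GlobalConfig` table queried with `SELECT Value FROM GlobalConfig WHERE Name = 'Announcement'`, and the point that a CGI program starts from nothing on every request, so anything it wants to keep has to be on disk. The following is an added Python example (not the Lua source) of exactly that table used CGI-style: each `cgi_request()` opens the database, does one thing and closes it, so the only state that survives between calls is the file. The queries are parameterised, which is what keeps a user-controlled name from becoming part of the SQL. The table layout follows the post; `cgi_request`, `temp_db_path` and the other names are assumptions.

```python
# Added example, not nanochan's Lua code. A name/value GlobalConfig table in
# SQLite used from a CGI-style program that starts from scratch on every
# request: each cgi_request() call opens the database, does one thing and
# closes it, so the only state that survives is on disk. Queries are
# parameterised so a user-supplied Name cannot become part of the SQL.
# Function names and the temp-file helper are assumptions.
import os
import sqlite3
import tempfile

SCHEMA = "CREATE TABLE IF NOT EXISTS GlobalConfig (Name TEXT PRIMARY KEY, Value TEXT)"


def temp_db_path() -> str:
    """A fresh database path for demonstrations (stands in for nanochan.db)."""
    return os.path.join(tempfile.mkdtemp(prefix="nanochan-"), "nanochan.db")


def open_db(path: str) -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


def set_config(conn: sqlite3.Connection, name: str, value: str) -> None:
    # INSERT OR REPLACE keeps exactly one row per Name (the primary key).
    conn.execute("INSERT OR REPLACE INTO GlobalConfig (Name, Value) VALUES (?, ?)",
                 (name, value))
    conn.commit()


def get_config(conn: sqlite3.Connection, name: str, default=None):
    # The '?' placeholder is the whole injection defence: the name is bound as
    # a value, never spliced into the statement text.
    row = conn.execute("SELECT Value FROM GlobalConfig WHERE Name = ?", (name,)).fetchone()
    return default if row is None else row[0]


def cgi_request(db_path: str, action: str, name: str, value: str = None):
    """One simulated CGI invocation: nothing is kept in memory between calls."""
    conn = open_db(db_path)
    try:
        if action == "set":
            set_config(conn, name, value)
            return value
        return get_config(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    path = temp_db_path()
    cgi_request(path, "set", "Announcement", "Welcome to /test/")
    print(cgi_request(path, "get", "Announcement"))
```

Adding a new global setting is one `set_config` call, no schema change. The per-request open/close is cheap for SQLite; the memory-backed filesystem plus periodic copy idea from the thread would sit underneath this unchanged.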

Use /meta/. Mods are supposed to watch it (although at the moment it's just me).
The report system on 8chan sucks ass; it'd be easier to just make a post in a meta thread telling mods exactly what the problem is. That's why /meta/ exists.
Also, I rolled the database back to what it was yesterday because I made a retarded mistake and deleted something. I will keep more regular backups from now on.
The xss test account has been removed.

___________________________________

OP here. I just rolled an upgrade which is live at http://nanochanxv2lxnqi.onion
1. A Content-Security-Policy HTTP header has been implemented. This prevents the loading of any resources outside the nanochan server. It also prevents any javascript from executing on nanochan; in other words, nanochan is now totally immune to XSS of any type.
2. Links to external websites no longer send a referrer, even if the browser has referrers enabled. This is NOT the case on 8chan.
3. File uploading speeds have been increased greatly. As such, the filesize limit has been raised to 16MiB.
4. Minor CSS improvements to the file upload form.
Here's a link to the new source code: https://files.catbox.moe/9drdth.lua Still around 1800 lines of code since I managed to cut out a lot of the useless bloat while adding features.
What new features do you guys want to see next?
>webm/mp4/pdf uploading
>overboard
>recent posts list on the front page
etc.
Code improvements/suggestions are also welcome, I'll be putting some of the duplicated code into functions when I get more free time.

___________________________________
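
Items 1 and 2 of the upgrade post, as an added Python example (not the Lua source, whose actual header values are not shown in the thread): the Content-Security-Policy that allows only same-origin resources and no script at all, and a Referrer-Policy so that following a link leaks nothing. Two things a practitioner would keep behind those headers are also shown, since a CSP only limits what injected markup can do in browsers that enforce it: every piece of user text is HTML-escaped at the point it is written into the page, and only http/https URLs are turned into links, with `rel="noreferrer"` so the link itself asks for no Referer even where the header is not honoured. The exact directive list and the function names are assumptions.

```python
# Added example, not nanochan's code. The CSP and referrer headers from the
# upgrade post as a browser would receive them, plus the two defences that
# still matter behind a CSP: escape user text on output, and only link
# http(s) URLs, with rel="noreferrer". Directive list and names are assumed.
import html
from urllib.parse import urlsplit


def security_headers() -> dict:
    """CSP: same-origin resources only, no script, no plugins, no foreign
    form targets, no framing. Referrer-Policy covers navigations the markup
    itself does not mark."""
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'none'",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'none'",
    ])
    return {
        "Content-Security-Policy": csp,
        "Referrer-Policy": "no-referrer",
        "X-Content-Type-Options": "nosniff",
    }


def render_text(text: str) -> str:
    """Escape before insertion into HTML. The CSP is the second layer;
    escaping is what stops the markup injection in the first place."""
    return html.escape(text, quote=True)


def render_link(url: str) -> str:
    """Linkify only http(s) with a host; javascript:, data: and the like
    stay as escaped plain text."""
    parts = urlsplit(url)
    safe = html.escape(url, quote=True)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return safe
    return f'<a href="{safe}" rel="noreferrer noopener">{safe}</a>'


def render_post(comment: str, links: list) -> str:
    """Assemble one post body from untrusted text and URLs."""
    body = "<p>" + render_text(comment) + "</p>"
    if links:
        body += "<p>" + " ".join(render_link(u) for u in links) + "</p>"
    return body
```

`'self'` resolves to the origin the page was served from, so the same header works for the onion host and for a clearnet gateway in front of it. Text browsers ignore CSP but also execute no script, so the escaping step is what protects them.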

And for clearnet niggers, you can use https://nanochanxv2lxnqi.onion.sh although it is a bit slower than using the normal onion address.

___________________________________

maybe. I originally made it because I didn't like chodekikey's mismanagement of /pol/ but I will wait until after the midterms before shilling over there.
Nothing special about it, just the first one that actually worked and didn't time out or give some sort of error.

___________________________________

the real reason I originally chose for nanochan to be a tor HS was because of the following advantages it gives:
>semi-immunity to DDoS
>doesn't need (((certificate authorities))), but is still an encrypted connection
>doesn't need DNS and (((ICANN))) but still has a semi-memorable name
>anonymity for both the server owner (me) and the users
now regarding whether /pol/ users will move, idk. Depends on whether chodemonkey does anything else retarded over the next few weeks/months, or whether the spam/pajeet/cuckchan posting gets worse. It's pretty easy to estimate the number of tor users based on the number of posts with id 000000, there aren't that many but there are some - and most people know about the existence of tor at least, which is better than e.g. mewch where people asked me "HURR WHAT KIND OF LINK IS DAT" when they saw the .onion at the end.

___________________________________

Some nigger faggot was spamming nanochan, so I've implemented a per-board-configurable limit on the number of threads per hour. It's set to 6 at the moment, should be enough for a whole day of spam without me watching - legitimate thread creation doesn't happen that fast anyway.

___________________________________
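
The per-board threads-per-hour limit from the post above, as an added Python example (not the Lua source). Because a CGI program keeps nothing between requests, the counter lives in SQLite: a per-board limit table with a default of 6 (the value quoted in the post) and a log of thread creation times. The count and the insert run inside one `BEGIN IMMEDIATE` transaction so two requests arriving together cannot both slip under the limit. Table names, function names and the injectable `now` parameter (used for the checks) are assumptions.

```python
# Added example, not nanochan's Lua code. A per-board limit on new threads
# per hour, kept in SQLite because a CGI program has no memory between
# requests. Count and insert share one BEGIN IMMEDIATE transaction so two
# concurrent requests cannot both pass. The default of 6 is the value from
# the post; table/function names and the injectable clock are assumptions.
import sqlite3
import time

DEFAULT_LIMIT = 6
WINDOW = 3600  # seconds


def open_limiter(path: str = ":memory:") -> sqlite3.Connection:
    # isolation_level=None: autocommit, so the BEGIN/COMMIT below are ours.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute("CREATE TABLE IF NOT EXISTS BoardConfig "
                 "(Board TEXT PRIMARY KEY, ThreadsPerHour INTEGER)")
    conn.execute("CREATE TABLE IF NOT EXISTS ThreadLog "
                 "(Board TEXT NOT NULL, Created INTEGER NOT NULL)")
    conn.execute("CREATE INDEX IF NOT EXISTS ThreadLogIdx ON ThreadLog (Board, Created)")
    return conn


def set_limit(conn: sqlite3.Connection, board: str, per_hour: int) -> None:
    conn.execute("INSERT OR REPLACE INTO BoardConfig (Board, ThreadsPerHour) VALUES (?, ?)",
                 (board, per_hour))


def board_limit(conn: sqlite3.Connection, board: str) -> int:
    row = conn.execute("SELECT ThreadsPerHour FROM BoardConfig WHERE Board = ?",
                       (board,)).fetchone()
    return DEFAULT_LIMIT if row is None else row[0]


def try_create_thread(conn: sqlite3.Connection, board: str, now: float = None) -> bool:
    """Return True and record the thread if the board is under its limit."""
    now = int(time.time() if now is None else now)
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before counting
    try:
        (n,) = conn.execute(
            "SELECT COUNT(*) FROM ThreadLog WHERE Board = ? AND Created > ?",
            (board, now - WINDOW)).fetchone()
        if n >= board_limit(conn, board):
            conn.execute("ROLLBACK")
            return False
        conn.execute("INSERT INTO ThreadLog (Board, Created) VALUES (?, ?)", (board, now))
        # Housekeeping: rows outside the window can never count again.
        conn.execute("DELETE FROM ThreadLog WHERE Created <= ?", (now - WINDOW,))
        conn.execute("COMMIT")
        return True
    except Exception:
        conn.execute("ROLLBACK")
        raise
```

A sliding window of this kind lets a spammer post 6 threads immediately and then one more as each old one ages out, which matches the "enough for a whole day without me watching" reasoning in the post; a stricter variant would count against a fixed hour boundary instead.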

and splinter the userbase into 10,000 different tiny little shitboards? no thanks
people naturally gravitate to the legacy board names anyway

___________________________________

The image processing problem has been fixed. The time for uploading an image is now only around 5% more than the time it takes to simply hash the data and run imagemagick to generate the thumbnails.
I'm sure I could optimize it further and I will do so, though.

___________________________________
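
Several posts in the thread put the upload cost down to copying the file around, and the one above says the remaining time is the hash plus the external ImageMagick run. The following is an added Python example (not the Lua code, and not how nanochan actually invokes ImageMagick, which the thread does not show) of those two steps done in a single pass over the stream: the upload is hashed and written to a temporary file as it is read, with the 16 MiB limit enforced on the way through, and `convert` is then launched with an argument list rather than a shell, on a filename the server chose itself, with memory limits and a timeout. The 200x200 size comes from the thread; paths and function names are assumptions, and `convert` is not run by the checks.

```python
# Added example, not nanochan's Lua code. Hash and spool an upload in one
# pass (no second copy), enforcing the 16 MiB limit from the thread, then
# build the ImageMagick command as an argv list on server-chosen filenames.
# Paths, names and the memory limits are assumptions.
import hashlib
import io
import os
import subprocess
import tempfile

CHUNK = 64 * 1024
MAX_UPLOAD = 16 * 1024 * 1024  # the 16 MiB limit mentioned in the thread


class UploadTooLarge(Exception):
    pass


def spool_and_hash(stream, dest_dir: str = None) -> tuple:
    """Write the upload to a temp file while hashing it; one read, one write.
    Returns (path, sha256 hex digest, size)."""
    h = hashlib.sha256()
    total = 0
    fd, path = tempfile.mkstemp(dir=dest_dir, prefix="upload-")
    try:
        with os.fdopen(fd, "wb") as out:
            while True:
                chunk = stream.read(CHUNK)
                if not chunk:
                    break
                total += len(chunk)
                if total > MAX_UPLOAD:
                    raise UploadTooLarge(total)
                h.update(chunk)
                out.write(chunk)
    except UploadTooLarge:
        os.unlink(path)
        raise
    return path, h.hexdigest(), total


def spool_bytes(data: bytes, dest_dir: str = None) -> tuple:
    """Convenience wrapper for a constructed in-memory upload."""
    return spool_and_hash(io.BytesIO(data), dest_dir)


def thumbnail_argv(src: str, dst: str, size: str = "200x200") -> list:
    """argv for convert: first frame only, metadata stripped, bounded memory.
    src/dst come from mkstemp and the hash, never from the upload's own name,
    so ImageMagick never sees an attacker-chosen filename or format prefix."""
    return ["convert", "-limit", "memory", "256MiB", "-limit", "map", "512MiB",
            f"{src}[0]", "-strip", "-thumbnail", size, dst]


def make_thumbnail(src: str, dst: str, timeout: int = 30) -> None:
    """Run convert without a shell and with a hard timeout."""
    subprocess.run(thumbnail_argv(src, dst), check=True, timeout=timeout,
                   stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                   stderr=subprocess.PIPE)
```

Giving ImageMagick only server-generated paths, a frame index and explicit limits is the cheap part of running an image decoder on untrusted input; a restrictive ImageMagick policy file and running it as a separate low-privilege user are the rest, and neither is visible in this thread.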

Overboard has been implemented.

___________________________________

Unfortunately, I chose to use lua 5.3 for this project because muh new features n'shiiiieet. It's probably not hard to convert to lua 5.1 (which is what luajit can use), though. If speed ever becomes a problem I will keep luajit in mind.

___________________________________

On this ~16mb file (which I can't upload here because my VPN is too slow and 8chan would crap out), generating a 200x200 thumbnail takes 7.9 seconds with GM while taking 8.6 seconds with IM. Similar results with other large images. I'm sold on that one.
but fucking OUCH that 8-second waiting time to upload an image... nice to know it's not my fault though. At least subsequent uploads are way faster because no thumbnail or catalog icon needs to be generated.

___________________________________

PDF uploads are now working.
WEBM and MP4 soon, that will involve the use of ffmpeg I'm sure.

___________________________________

They didn't do it again today. Must have been some skiddie who couldn't get past the spam protection.

___________________________________

pfff I spoke too soon
Luckily it's easy to delete because there isn't much of it and there is a limit on the number of threads he can create.
>this level of butthurt

___________________________________

Tell me the OS and the hostname. I'm pretty sure you're bullshitting, but I need to make sure.

___________________________________

Wouldn't be hard to do, considering the existence of libraries like lua-cjson. However, for the next one or two days I will focus on minor improvements and code cleanup. Then, I will implement webm/mp4 support, and after that comes the features like the JSON API.
I won't make it compatible with vichan but I will make sure to provide all the necessary information for people to write their own clients, if anyone wants to.

___________________________________

After a week I have come to the conclusion that it is impossible to prevent the bot spam without doing one or more of the following:
>removing anonymity (i.e. reddit style account creation)
>adding javashit (proof of work function)
>removing compatibility with text browsers (image captcha)
>getting off tor (removing more anonymity)
>adding prohibitive posting restrictions
Since the solution to the problem requires the addition of one or another cancer to the software, all boards on Nanochan will be locked indefinitely.
It was a good run. Kind of.
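
The "proof of work function" option in the list above, shown from the server's side as an added Python example (nanochan never shipped one, and this is not its code). `issue_challenge()` hands out a short string bound to the board and the issue time with an HMAC, so the server keeps no per-challenge state; `solve()` is what the client would run, whether that is a script in a browser or any other client that can compute SHA-256; `verify()` checks authenticity, freshness, the board, a used-nonce set for replay protection, and finally the hash. Difficulty, TTL, the injectable `now` parameter and all names are assumptions.

```python
# Added example, not nanochan's code. Hashcash-style proof of work for
# posting: the server issues an HMAC-bound challenge, the client finds a
# counter whose SHA-256 has enough leading zero bits, the server verifies
# statelessly apart from a replay set. Difficulty, TTL and names are assumed.
import hashlib
import hmac
import os
import time

SERVER_KEY = os.urandom(32)   # assumed: read from disk in a real CGI program
DIFFICULTY_BITS = 16          # ~65k hashes per post on average
TTL = 600                     # seconds a challenge stays valid


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()[:32]


def issue_challenge(board: str, now: float = None) -> str:
    """board:timestamp:nonce:mac, everything the server needs to re-check later."""
    if ":" in board:
        raise ValueError("board name must not contain ':'")
    ts = int(time.time() if now is None else now)
    nonce = os.urandom(8).hex()
    payload = f"{board}:{ts}:{nonce}"
    return f"{payload}:{_mac(payload)}"


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: find a counter whose hash has `bits` leading zero bits."""
    counter = 0
    while leading_zero_bits(hashlib.sha256(f"{challenge}:{counter}".encode()).digest()) < bits:
        counter += 1
    return counter


def verify(challenge: str, counter: int, board: str, used: set,
           now: float = None, bits: int = DIFFICULTY_BITS) -> bool:
    """Server side: authentic, fresh, unused, for this board, and actually solved."""
    now = int(time.time() if now is None else now)
    parts = challenge.split(":")
    if len(parts) != 4:
        return False
    b, ts, nonce, mac = parts
    if b != board or not ts.isdigit():
        return False
    if not hmac.compare_digest(mac.encode(), _mac(f"{b}:{ts}:{nonce}").encode()):
        return False
    if not (0 <= now - int(ts) <= TTL):
        return False
    if nonce in used:
        return False
    digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
    if leading_zero_bits(digest) < bits:
        return False
    used.add(nonce)
    return True
```

The replay set only has to remember nonces for `TTL` seconds, which in the CGI model means one more small SQLite table. Note the trade-off the post is making: the cost per post is symmetric, so the difficulty that slows a bot to a few posts a minute is paid by every legitimate poster too, and a client without a way to run `solve()` cannot post at all.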