Nov 04, 2018, 12:36 PM
hey /tech/ I wrote new imageboard software over the past week, can you try and hack into it to find security vulnerabilities and shit
http://nanochanxv2lxnqi.onion

___________________________________

I forgot to mention that it doesn't have any javascript

___________________________________

It does need the referer header and cookies, but only if you're logged in as moderator and using the mod tools. Normal users don't need cookies or referer.
Honestly I don't know why the fuck 8chan even needs the referer to post, it's super easy to implement posting without referer.

___________________________________

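The post above describes the only authenticated surface of the board: moderator actions, which need a cookie and the Referer header. The reason a Referer (or Origin) check matters there and not for anonymous posting is cross-site request forgery: a logged-in moderator's browser can be made to submit a delete/ban form from another site, and the cookie rides along automatically. The following is an added example (not nanochan's Lua code; written in Python because that is what the verifier runs) of how a CGI handler can gate a state-changing mod action on a session cookie, a per-session CSRF token in the form, and the Origin/Referer check as a second layer. The host name, the session store and every function name are assumptions for illustration; a real CGI program would keep the session table in its database, since nothing survives between requests.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed: the service's own host, used to judge whether Origin/Referer is first-party.
SITE_HOST = "nanochanxv2lxnqi.onion"

# Hypothetical in-memory session store: session id -> {"user", "csrf"}.
# A real CGI program would keep this in its database, since nothing survives between requests.
SESSIONS = {}


def create_session(username):
    """Log a moderator in: returns the session id to set as a cookie; a CSRF token is bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Token the mod-tool forms must carry in a hidden field (distinct from the session cookie)."""
    return SESSIONS[sid]["csrf"]


def parse_cookies(header):
    out = {}
    for part in (header or "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def same_site(environ):
    """Origin is sent by browsers on cross-site POSTs; Referer is the fallback. Both must point at us."""
    src = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER")
    if not src:
        return False
    return urlsplit(src).hostname == SITE_HOST


def authorize_mod_action(environ, form):
    """Gate a state-changing mod action. environ is the CGI environment, form the parsed POST body.

    Returns (True, username) on success or (False, reason) on refusal."""
    if environ.get("REQUEST_METHOD") != "POST":
        return False, "mod actions must be POST"
    cookies = parse_cookies(environ.get("HTTP_COOKIE"))
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return False, "no valid session"
    # The token in the form must match the one bound to the session; compare in constant time.
    if not hmac.compare_digest(form.get("csrf", "").encode(), session["csrf"].encode()):
        return False, "bad csrf token"
    # Origin/Referer is a second layer: cheap to check, but privacy tools may strip Referer,
    # which is why the token, not the header, is the primary defence.
    if not same_site(environ):
        return False, "missing or foreign Origin/Referer"
    return True, session["user"]
```

The token check is what actually stops a forged request; the Origin/Referer check is kept because it costs nothing and catches sloppy attacks, but a browser that suppresses Referer (common among Tor users) would be locked out of the mod tools if it were the only check, so a site that insists on it for everyone, as the post says 8chan does, is trading usability for a weak control.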
Here's the source code if anyone wants it for some reason. ~1800 lines of lua.
The image processing code is absolute shit
https://files.catbox.moe/wy7nu1.lua

___________________________________

eh, it's fine, I didn't have any problems with it (and it's better than PHP at least). Speed is ok, I used a bot to post as fast as possible (accessing from localhost to eliminate tor latency) and I could manage about 20 posts per second or thereabouts.
The main problem I have is the image processing code. It takes around 5 seconds to process an 8 MiB file (which is the current limit that I've set), because I couldn't find a proper image library which wasn't outdated as fuck (as a result I had to use external imagemagick to make thumbnails).

___________________________________

it's not, fucking retard, works perfectly fine for me on the hidden service

___________________________________

it was possible, but I've fixed it now, thanks for pointing it out
regardless, I made a board owner account (board owner of /test/)
username: xss
password: 123456

___________________________________

not the worst piece of spaghetti I've written...
any recommendations on how to do it better?

___________________________________

I know, it's horrible (but only really noticeable with files above 2 MiB). I'm working on optimizing that shit, I have a fairly good idea of which functions are taking a long time. The problem is basically that copying 8 MiB of data around is bad for performance, so I have to minimize that.

___________________________________

everything is good - apart from image processing, which is total shit.
I've located the problem, hopefully image uploading will be much better by tomorrow (and then I can raise the filesize limit to 16 or 32 MiB).

___________________________________

OP here. I'm thinking of using haserl (CGI wrapper) in my script instead of doing all the CGI parsing/conversion manually. What do you think of it? I think that it would help me reduce the amount of code, and also potentially make everything faster because haserl handles the image uploads for me in a "proper" way as opposed to the retarded method that I'm using at the moment.
Any issues with haserl?
https://manpages.ubuntu.com/manpages/xenial/man1/haserl.1.html

___________________________________

perl is gay
after I've perfected the lua version, I might try and re-implement nanochan in C for shits and giggles

___________________________________

How am I supposed to store a single value not attached to a table? Is there even a way to do that?

___________________________________

in a fucking sqlite database, nigger
I can't go around creating billions of little text files for all the little variables that I need to store

___________________________________

hey I got an idea
what about making the global table just be a name/value table, with the name storing a string such as "Announcement" and value storing the actual announcement itself, that way if I wanted to create more global settings it would be easy
then just SELECT Value FROM GlobalConfig WHERE Name = 'Announcement' etc.

___________________________________

you do realize this is a CGI program right, I have to write all data to disk between page accesses.
I have, though, played with the idea of storing the nanochan.db in a memory-backed filesystem, and then have a cronjob copying it to disk every once in a while to account for crashes/power failures/whatever.
I just haven't gotten around to doing it yet because there's a much bigger, macroscopic problem with image uploading which causes the program to spend a few seconds processing the image when it shouldn't take that long.
if you make a big deal about the little announcement message I bet your head's gonna fucking blow off when you see my HTTP request handlers (which I'm in the process of fixing right now)

___________________________________

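Two posts above sketch the name/value GlobalConfig table, and the last one floats keeping nanochan.db on a memory-backed filesystem with a cron job copying it to disk. Both are reasonable; the caveat a practitioner would add to the second is that a plain cp of a live SQLite file can capture a page mid-write or miss the rollback journal/WAL and yield a corrupt copy, so the periodic copy should go through SQLite's online backup API (the sqlite3 shell's .backup command does the same). The following is an added example, not code from nanochan, in Python rather than Lua: the key/value table with parameterised queries (so a Name taken from a form can never alter the SQL), and a snapshot routine that takes a consistent copy of a live database and swaps it into place atomically. Table and function names follow the post; the file paths and the demo() driver are assumptions.

```python
import os
import sqlite3
import tempfile

SCHEMA = """
CREATE TABLE IF NOT EXISTS GlobalConfig (
    Name  TEXT PRIMARY KEY,
    Value TEXT NOT NULL
);
"""


def open_db(path):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def get_config(conn, name, default=None):
    # Parameterised: the name is bound, never spliced into the SQL text.
    row = conn.execute("SELECT Value FROM GlobalConfig WHERE Name = ?", (name,)).fetchone()
    return default if row is None else row[0]


def set_config(conn, name, value):
    with conn:  # commits on success, rolls back on error
        conn.execute("INSERT OR REPLACE INTO GlobalConfig (Name, Value) VALUES (?, ?)", (name, value))


def snapshot(conn, dest_path):
    """Consistent point-in-time copy of a live database via SQLite's online backup API.

    A plain cp of the .db file can capture a half-written page or miss the journal/WAL;
    the backup API copies under SQLite's own locking. The copy is written to a temporary
    name and renamed into place so a crash mid-copy never leaves a truncated snapshot."""
    tmp = dest_path + ".tmp"
    dest = sqlite3.connect(tmp)
    try:
        conn.backup(dest)
    finally:
        dest.close()
    os.replace(tmp, dest_path)


def demo():
    """Round trip in a scratch directory; returns what a cron snapshot would recover."""
    with tempfile.TemporaryDirectory() as d:
        live = open_db(os.path.join(d, "nanochan.db"))          # stand-in for the tmpfs copy
        set_config(live, "Announcement", "Boards locked for maintenance")
        set_config(live, "Announcement", "Welcome to nanochan")  # REPLACE keeps one row per Name
        snap_path = os.path.join(d, "nanochan.db.bak")            # stand-in for the on-disk copy
        snapshot(live, snap_path)
        set_config(live, "Announcement", "changed after snapshot")  # must not reach the snapshot
        live.close()
        restored = sqlite3.connect(snap_path)
        value = get_config(restored, "Announcement")
        rows = restored.execute("SELECT COUNT(*) FROM GlobalConfig").fetchone()[0]
        restored.close()
        return value, rows
```

In the tmpfs arrangement the cron job would call snapshot() (or `sqlite3 /dev/shm/nanochan.db ".backup /var/lib/nanochan/nanochan.db"`) against the memory-backed path; on boot the on-disk copy is copied back before the first CGI request. Whatever was written after the last snapshot is lost on a power failure, which is the trade the post accepts.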
No. The script gets re-executed from the beginning with every page request (i.e. deleting all environment variables upon restart); that's how the CGI protocol works. I have to store things to disk. There is no better way to do it.

___________________________________

Use /meta/. Mods are supposed to watch it (although at the moment it's just me).
The report system on 8chan sucks ass; it'd be easier to just make a post in a meta thread telling mods exactly what the problem is. That's why /meta/ exists.
Also, I rolled the database back to what it was yesterday because I made a retarded mistake and deleted something. I will keep more regular backups from now on.
The xss test account has been removed.

___________________________________

OP here. I just rolled an upgrade which is live at http://nanochanxv2lxnqi.onion
1. A Content-Security-Policy HTTP header has been implemented. This prevents the loading of any resources outside the nanochan server. It also prevents any javascript from executing on nanochan; in other words, nanochan is now totally immune to XSS of any type.
2. Links to external websites no longer send a referrer, even if the browser has referrers enabled. This is NOT the case on 8chan.
3. File uploading speeds have been increased greatly. As such, the filesize limit has been raised to 16 MiB.
4. Minor CSS improvements to the file upload form.
Here's a link to the new source code: https://files.catbox.moe/9drdth.lua Still around 1800 lines of code since I managed to cut out a lot of the useless bloat while adding features.
What new features do you guys want to see next?
>webm/mp4/pdf uploading
>overboard
>recent posts list on the front page
etc.
Code improvements/suggestions are also welcome, I'll be putting some of the duplicated code into functions when I get more free time.

___________________________________

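The upgrade post above relies on two response headers: a Content-Security-Policy that allows no script and no off-site resources, and a referrer policy so outbound links leak nothing. The post does not show the policy string, so the one below is an assumption that matches what it describes. What follows is an added example (not nanochan's code; Python, not Lua) of a small CSP evaluator: it parses a policy into directives and answers whether a given resource load or inline script would be permitted, falling back from a missing fetch directive to default-src the way browsers do. It deliberately omits nonces, hashes, wildcard subdomains and scheme-only sources, so it is a reasoning aid for checking a policy, not a browser-grade implementation. One caveat it makes visible: with `default-src 'none'` and no `'unsafe-inline'` under style-src, inline `style=` attributes are blocked too, which matters for the CSS changes the post mentions.

```python
from urllib.parse import urlsplit

# Headers the post describes. The exact CSP string is assumed; the post does not quote it.
SECURITY_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'none'; img-src 'self'; style-src 'self'; media-src 'self'; "
        "form-action 'self'; frame-ancestors 'none'"
    ),
    "Referrer-Policy": "no-referrer",
}

# Directives that fall back to default-src when absent. form-action and frame-ancestors do not.
FETCH_DIRECTIVES = {
    "script-src", "img-src", "style-src", "media-src", "connect-src",
    "font-src", "object-src", "frame-src",
}


def parse_csp(policy):
    """Policy string -> {directive name: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, sources)  # browsers ignore a repeated directive
    return directives


def allows(directives, directive, resource_url, page_origin, inline=False):
    """Would this policy let the page at page_origin load resource_url under `directive`?

    inline=True asks about an inline script/style instead of a URL fetch."""
    sources = directives.get(directive)
    if sources is None and directive in FETCH_DIRECTIVES:
        sources = directives.get("default-src")
    if sources is None:
        return True  # no applicable directive at all: unrestricted
    if inline:
        return "'unsafe-inline'" in sources  # nonces/hashes not modelled here
    if "'none'" in sources:
        return False
    if "*" in sources:
        return True
    res = urlsplit(resource_url)
    res_origin = f"{res.scheme}://{res.netloc}"
    if "'self'" in sources and res_origin == page_origin:
        return True
    for src in sources:
        if src.startswith("'"):
            continue  # keyword sources handled above
        if "://" in src:
            if res_origin == src.rstrip("/"):
                return True
        elif res.hostname == src.lower():
            return True
    return False
```

Running the assumed policy through allows() shows the property the post claims: neither an external script nor an inline one is permitted, and an image from a third-party host is refused while a same-origin one loads. It also shows what the policy does not do: it says nothing about markup the server echoes without escaping, so output encoding stays necessary even with script execution blocked.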
109
110And for clearnet niggers, you can use https://nanochanxv2lxnqi.onion.sh although it is a bit slower than using the normal onion address.
111
112___________________________________
113
114maybe. I originally made it because I didn't like chodekikey's mismanagement of /pol/ but I will wait until after the midterms before shilling over there.
115Nothing special about it, just the first one that actually worked and didn't time out or give some sort of error.
116
117___________________________________
118
119the real reason I originally chose for nanochan to be a tor HS was because of the following advantages it gives:
120>semi-immunity to DDoS
121>doesn't need (((certificate authorities))), but is still an encrypted connection
122>doesn't need DNS and (((ICANN))) but still has a semi-memorable name
123>anonymity for both the server owner (me) and the users
124now regarding whether /pol/ users will move, idk. Depends on whether chodemonkey does anything else retarded over the next few weeks/months, or whether the spam/pajeet/cuckchan posting gets worse. It's pretty easy to estimate the number of tor users based on the number of posts with id 000000, there aren't that many but there are some - and most people know about the existence of tor at least, which is better than e.g. mewch where people asked me "HURR WHAT KIND OF LINK IS DAT" when they saw the .onion at the end.
125
126___________________________________
127
128Some nigger faggot was spamming nanochan, so I've implemented a per-board-configurable limit on the number of threads per hour. It's set to 6 at the moment, should be enough for a whole day of spam without me watching - legitimate thread creation doesn't happen that fast anyway.
129
130___________________________________
131
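The post above adds a per-board cap on threads per hour. On a Tor hidden service there is no client address to key on, so a per-board (rather than per-user) budget is the honest design, and because every request is a fresh CGI process the counter has to live in the database. The following is an added example, not nanochan's code and in Python rather than Lua, of that limiter backed by SQLite: a sliding one-hour window over recorded thread creations, with the count and the insert done inside one BEGIN IMMEDIATE transaction so two CGI processes arriving together cannot both see "5 of 6" and both succeed. Table names, the default of 6 and the function names are assumptions; the timestamp is passed in so the behaviour can be checked without waiting an hour.

```python
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS ThreadCreations (
    Board   TEXT    NOT NULL,
    Created INTEGER NOT NULL
);
CREATE INDEX IF NOT EXISTS ThreadCreations_Board_Created ON ThreadCreations (Board, Created);
CREATE TABLE IF NOT EXISTS BoardConfig (
    Board          TEXT PRIMARY KEY,
    ThreadsPerHour INTEGER NOT NULL
);
"""

DEFAULT_THREADS_PER_HOUR = 6  # the value the post mentions
WINDOW_SECONDS = 3600


def open_db(path=":memory:"):
    # isolation_level=None: autocommit, so the transaction below is controlled explicitly.
    conn = sqlite3.connect(path, isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def set_threads_per_hour(conn, board, limit):
    conn.execute("INSERT OR REPLACE INTO BoardConfig (Board, ThreadsPerHour) VALUES (?, ?)",
                 (board, int(limit)))


def threads_per_hour(conn, board):
    row = conn.execute("SELECT ThreadsPerHour FROM BoardConfig WHERE Board = ?", (board,)).fetchone()
    return DEFAULT_THREADS_PER_HOUR if row is None else row[0]


def try_create_thread(conn, board, now=None):
    """Record a thread creation and return True if the board is under its hourly limit, else False.

    Count and insert run under one write lock so concurrent CGI processes serialise here."""
    now = int(time.time()) if now is None else int(now)
    window_start = now - WINDOW_SECONDS
    limit = threads_per_hour(conn, board)
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before counting
    try:
        # Expire old rows so the table never grows beyond one window of activity.
        conn.execute("DELETE FROM ThreadCreations WHERE Created < ?", (window_start,))
        (count,) = conn.execute(
            "SELECT COUNT(*) FROM ThreadCreations WHERE Board = ? AND Created >= ?",
            (board, window_start),
        ).fetchone()
        if count >= limit:
            conn.execute("ROLLBACK")
            return False
        conn.execute("INSERT INTO ThreadCreations (Board, Created) VALUES (?, ?)", (board, now))
        conn.execute("COMMIT")
        return True
    except Exception:
        if conn.in_transaction:
            conn.execute("ROLLBACK")
        raise
```

The CGI handler would call try_create_thread() before writing the new thread, inside the same database, and render a "too many threads on this board, try later" page on False. Because the window slides, a spammer who exhausts the budget gets one slot back per expired creation rather than a fresh batch of six on the hour.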
and splinter the userbase into 10,000 different tiny little shitboards? no thanks
people naturally gravitate to the legacy board names anyway

___________________________________

The image processing problem has been fixed. The time for uploading an image is now only around 5% more than the time it takes to simply hash the data and run imagemagick to generate the thumbnails.
I'm sure I could optimize it further and I will do so, though.

___________________________________

Overboard has been implemented.

___________________________________

Unfortunately, I chose to use lua 5.3 for this project because muh new features n'shiiiieet. It's probably not hard to convert to lua 5.1 (which is what luajit can use), though. If speed ever becomes a problem I will keep luajit in mind.

___________________________________

On this ~16 MB file (which I can't upload here because my VPN is too slow and 8chan would crap out), generating a 200x200 thumbnail takes 7.9 seconds with GM while taking 8.6 seconds with IM. Similar results with other large images. I'm sold on that one.
but fucking OUCH that 8-second waiting time to upload an image... nice to know it's not my fault though. At least subsequent uploads are way faster because no thumbnail or catalog icon needs to be generated.

___________________________________

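Several posts in this thread (the "external imagemagick to make thumbnails" decision early on, the "hash the data and run imagemagick" description of the fixed upload path, and the GM-versus-IM timing just above) hand anonymous uploads straight to an external image converter. That is the riskiest step on the whole board: ImageMagick picks a decoder by sniffing content, and the 2016 "ImageTragick" issues (CVE-2016-3714 and companions) showed that an image file pretending to be something else can reach coders that run commands or read files. The two standard mitigations are a restrictive policy.xml on the server and, in the calling code, identifying the format yourself and telling the converter which coder to use. The following is an added example, not nanochan's code and in Python rather than Lua, of the calling side: magic-byte sniffing, an argv built as a list (never a shell string) with an explicit coder prefix and resource limits, and the SHA-256 the post mentions for recognising repeat uploads. The limits, sizes and function names are assumptions; `run` is injectable so the command construction can be checked without ImageMagick installed.

```python
import hashlib
import subprocess

# (leading bytes, ImageMagick coder to force, canonical extension). Constructed list; extend as needed.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png", "png"),
    (b"\xff\xd8\xff", "jpeg", "jpg"),
    (b"GIF87a", "gif", "gif"),
    (b"GIF89a", "gif", "gif"),
]


def sniff(data):
    """Return (coder, extension) for a recognised image, or None. The filename/MIME type the
    client sent is untrusted and is not consulted at all."""
    for prefix, coder, ext in MAGIC:
        if data.startswith(prefix):
            return coder, ext
    return None


def thumbnail_argv(src_path, coder, dst_path, size=200):
    """Command line for one thumbnail; every element is a separate argv entry."""
    return [
        "convert",
        # Resource caps come first so they apply to decoding the input.
        "-limit", "memory", "256MiB", "-limit", "map", "512MiB", "-limit", "time", "30",
        f"{coder}:{src_path}[0]",          # explicit coder: no content-based guessing; [0] = first frame
        "-strip",                          # drop EXIF/XMP and other metadata
        "-thumbnail", f"{size}x{size}>",   # shrink only, keep aspect ratio
        f"png:{dst_path}",                 # explicit output coder as well
    ]


def make_thumbnail(data, src_path, dst_path, run=subprocess.run):
    """Validate an upload's bytes, thumbnail it, and return (sha256 hex, coder).

    data is the upload already written to src_path (both passed so the hash is computed once).
    Raises ValueError for anything that is not a recognised image."""
    kind = sniff(data)
    if kind is None:
        raise ValueError("unsupported or mislabelled file")
    coder, _ext = kind
    argv = thumbnail_argv(src_path, coder, dst_path)
    # List argv + no shell: user-controlled names can never be interpreted as shell syntax.
    run(argv, check=True, timeout=60, stdin=subprocess.DEVNULL)
    return hashlib.sha256(data).hexdigest(), coder
```

The same pattern applies to GraphicsMagick (`gm convert`, same coder-prefix syntax) and to the ffmpeg step planned for webm/mp4: sniff the container yourself, pass a list argv, cap CPU and memory, and treat the converter as untrusted code running on attacker-supplied input. The hash returned here is what lets a repeat upload skip thumbnailing entirely, which the post above observes is where the time goes.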
PDF uploads are now working.
WEBM and MP4 soon, that will involve the use of ffmpeg I'm sure.

___________________________________

They didn't do it again today. Must have been some skiddie who couldn't get past the spam protection.

___________________________________

pfff I spoke too soon
Luckily it's easy to delete because there isn't much of it and there is a limit on the number of threads he can create.
>this level of butthurt

___________________________________

Tell me the OS and the hostname. I'm pretty sure you're bullshitting, but I need to make sure.

___________________________________

Wouldn't be hard to do, considering the existence of libraries like lua-cjson. However, for the next one or two days I will focus on minor improvements and code cleanup. Then, I will implement webm/mp4 support, and after that comes the features like the JSON API.
I won't make it compatible with vichan but I will make sure to provide all the necessary information for people to write their own clients, if anyone wants to.

___________________________________

After a week I have come to the conclusion that it is impossible to prevent the bot spam without doing one or more of the following:
>removing anonymity (i.e. reddit style account creation)
>adding javashit (proof of work function)
>removing compatibility with text browsers (image captcha)
>getting off tor (removing more anonymity)
>adding prohibitive posting restrictions
Since the solution to the problem requires the addition of one or another cancer to the software, all boards on Nanochan will be locked indefinitely.
It was a good run. Kind of.