WingNews logo WingNews
top | item 26466971

X0.at: upload files from cURL

151 points| mpsq | 5 years ago |x0.at

89 comments

order

uploaderwin|5 years ago

Yeah this is asking for trouble. We only had a small demo on our homepage where users could upload media files and they were deleted after 24 hours and still some people managed to abuse it and nearly got our site killed, domain blacklisted in Google with a big red screen of death.

I don't want to spam any links here but if you are interested please do look at my last post about the dangers of doing this and lessons I learned from my mistake.

Please do not keep the files for 10 days. Even 24 hours is a deal-breaker. From what I've learned, anything more than 30 minutes can get you into trouble.

dheera|5 years ago

I once had a location-based file sharing service that also got blacklisted by Google with no recourse. I hate Google trying to police the internet with no timely appeals process.

I wonder though if you could simply just block the Google crawler and bypass it. Or use a JavaScript to auto-POST something before the file gets sent for download. The Google crawler doesn't issue POST requests as far as I know.

mwambua|5 years ago

Can you remedy this problem by making it so that anyone can delete the file? That way anyone can take it down if they have a problem with it? It's supposed to be ephemeral storage anyway... people might not mind having files disappear.

Naac|5 years ago

Similar sites like http://ix.io/ have been up for many years with no issues. I assume spam can be a problem, but these sites must have figured something out.

the_arun|5 years ago

Uploading files without auth layer - is asking for trouble IMHO. Change without audit trail will encourage wrong doers. But I get the idea, this is an example for a file upload in a simple way using Curl or other tools.

ju-st|5 years ago

The website is already blocked because of "Malicious Sources/Malnets" in the firewall of the company I work at.

southerntofu|5 years ago

> Uploading files without auth layer - is asking for trouble IMHO.

If you make it super user-friendly and advertise it as the next Megaupload, sure. But if you keep a small audience of good-faith users it's not asking for problems.

If you can teach me to make my file upload as hacker-friendly as this service while implementing auth, i'd be glad. Here the entire point is you don't need further configuration/credentials for example to upload log/config from a server.

banana_giraffe|5 years ago

Agreed.

I use a little python script that creates a curl command to upload to S3 for cases where I don't have the AWS toolchain on a remote box.

Not as easy as a single command, but at least I'm less likely to be sending files off to some random site for everyone to see.

naturalpb|5 years ago

One can upload a file to their Dropbox via a cURL post, provided they have created an app and have an access token, which just takes a few minutes to set up.

curl -X POST https://content.dropboxapi.com/2/files/upload --header "Authorization: Bearer ACCESSTOKEN" --header "Dropbox-API-Arg: {\"path\": \"/DROPBOXFILEPATH/DROPBOXFILENAME\"}" --header "Content-Type: application/octet-stream" --data-binary @/LOCALFILEPATH/LOCALFILENAME

umvi|5 years ago

These are always nice little sites to have around, but they can't really grow much in popularity before users start abusing them to distribute illegal things at which point the site has to start doing more and more content moderation or be shut down.

geek_at|5 years ago

Can confirm. I had a public demo of my open source image hosting solution [1] (where you can resize images and videos by just entering a different URL) up for years without problems, until idiots started uploading CSAM (Children sexual abuse material).

Luckily I found out before law enforcement did [2] so I proactively talked to my federal bureau for months generating Excel sheets of IPs and access times and devices and countries. I didn't see many of the images myself, basically just looked at one upload per IP which was like three in total and forwarded all uploads of that IP to the police but man.. what the hell is wrong with people. 4 digit number of uploads of CSAM.

[1] https://github.com/HaschekSolutions/pictshare [2] https://blog.haschek.at/2018/fight-child-pornography-with-ra...

jtokoph|5 years ago

Came to say this. OP: If this is your site it will be used for piracy, underage porn and phishing within hours.

tobylane|5 years ago

Agreed. I was using it* for TravisCI, and having moved to Github Actions I'm glad they have uploads stored per run.

*this one and another few before it.

anderspitman|5 years ago

Sad but true. One reason why easy self hosting is important for these types of projects.

apayan|5 years ago

If you like the convenience of transferring a file temporarily into the cloud to download it elsewhere (great for getting stuff out of a rancher environment), check out patchbay[0]. It uses what it calls 'HTTP channels' so if you start a POST request to a patchbay URL, it will block until a corresponding GET is made to the same endpoint which will receive the data from your POST. The operation can be done in reverse as well, with the GET blocking until the POST begins.

[0] https://patchbay.pub/

rogual|5 years ago

This is brilliant, thank you!

exikyut|5 years ago

Huh, WebRTC for the Web 2.0 2010 era. Nice.

40four|5 years ago

I like the simplicity of it. One PHP file, throw it on a server with Apache and rock and roll.

Other comments are right to point out that this site is setting itself up to be abused. My feeling is that this is intended to be a demo. I doubt the creator is trying to provide a real service here. And they might be in for a rude awakening if it gains traction.

But, it looks like they intend this to be open source. Anyone can clone the repo and run this on their own server! Unfortunately, the repo does not have a license file, which makes me a little uneasy.

Edit: I didn’t say that very well. With no license file, technically we cannot actually use this code since it defaults to ‘All rights reserved’. I think the author might not realize that though. It seems they intend it to be ‘open’ based on line 334.

Also, it is not particularly good PHP code, a little rough around the edges. But hey, it's a cool demonstration on a very straight forward way to upload & share files! Could be a good starting point to develop further.

s_dev|5 years ago

>the repo does not have a license file, which makes me a little uneasy.

Surely the author is bearing the liability of getting burned by not specifying a licence.

southerntofu|5 years ago

Another alternative: the famous nullpointer https://github.com/mia-0/0x0

A small script i use very regularly:

    #!/usr/bin/env bash
    if [ ! -f $1 ]; then echo "MISSING: $1"; exit 1; fi
    torify curl -F"file=@$1" https://YOURSERVER || echo "UPLOAD FAILED (code: $?)"

SeriousM|5 years ago

Because this is an austrian domain you need to put an Impressum on it with details about the hosters name and address. Sorry to spoil the fun :(

georgewsinger|5 years ago

Wolfram also allows this with with

   CopyFile["/path/to/file",CloudObject["your.file"]]
I use it all of the time.

mlang23|5 years ago

Perfect. a replacement for transfer.sh. I use it to make small audio snippets (synthesized speech) available as URL for Sonos to play. With a decent turnaround time, it works to create your own spoken announcements with something like espeak as the synthesizer. I hope this service will survive the spam it will atract...

calvinmorrison|5 years ago

The longest running one that I've used for a long time is

ix.io

hprotagonist|5 years ago

i’ve been using 0x0.st pretty happily.

koeng|5 years ago

This is kinda similar to ix.io. Cool!