\[Kickstart\] Link - The File Sharing Blockchain Protocol
-
I actually wished there would be a high level discussion going on on Reddit about Link. None did actually understood it so this wasn’t possible (from hearing saying, not really getting it myself either).
-
Things are going well.
The round of testing has revealed a number of changes I need to make before we go at this again, so the site is down for the next 8 hours while I finish my work day. Hopefully I’ll have time for it tonight and will get the site back up.
Number 1 thing that needs to change is a I need to sanitize magnet links. Tuck seems to have found a problem with really long links, and really half the data in there doesn’t belong anyway. Also I can probably pre-populate the name field.
After that, xss sanitation. I’ll keep you updated here. :)
-
[quote name=“Kevlar” post=“47713” timestamp=“1388094370”]
Things are going well.The round of testing has revealed a number of changes I need to make before we go at this again, so the site is down for the next 8 hours while I finish my work day. Hopefully I’ll have time for it tonight and will get the site back up.
Number 1 thing that needs to change is a I need to sanitize magnet links. Tuck seems to have found a problem with really long links, and really half the data in there doesn’t belong anyway. Also I can probably pre-populate the name field.
After that, xss sanitation. I’ll keep you updated here. :)
[/quote]Sweet. I posted the 3rd quarter of the FLUX model in the tech thread. Working on the last quarter. I’ll redo the proposal considering updated ideas. Would like to see ELI5 walkthroughs. We’re going to kick so much ass.
-
[quote name=“Kevlar” post=“47713” timestamp=“1388094370”]
Number 1 thing that needs to change is a I need to sanitize magnet links. Tuck seems to have found a problem with really long links, and really half the data in there doesn’t belong anyway.
[/quote]Thanks for turning, “I’m a moron”, into you needing to sanitize magnet links. ;)
-
Pretty soon, we’ll need to add [b]mRep[/b] to the forum code for Kevlar and zerodrama.
-
We’re back online.
For those of you that have the link, you’ll notice a new feature when publishing: Auto-meta-data extraction.
When you put a magnet link in the box, it will do the following:
[list]
[*]Strip the trackers
[*]Extract the name and populate the text box
[*]Try and generate some good keywords from the name
[/list]It also sanitizes any bad html. Although I think it may screw with magnet links. I’m not sure… see if you can click on what you publish in the search results. Someone please test this? I’m out of FTC from a long night of bug fixing.
The reasoning behind stripping the trackers is that they’re temporal, but the data is forever. There’s no guarantee that in 5 years those trackers will still be around, but in 5 years, that hash will still be that data. That means you must use DHT in your torrent client to find the initial list of trackers. This is, in my opinion, as it should be. Now trackers can come and go, but Link data is forever.
If you don’t yet have the link, we’re getting closer. Hopefully by January I will have something we can share with the world and be proud of.
Thank you everyone for your continued support. We’re nearing the end of the second milestone: A production service with a UI.
-
Shameless bump.
Keep it going guys.
Looks like we only have x amount of weeks left before the next major influx of users.
I think this will make some serious waves once people know and understand what this is all about.
Would also be really kewl to see other coins implement this into their own code.
So let’s say doge coin or another high unit low price coin adopts this, would you think people will publish using the other alt-coins considering it would cost less if that’s the case?
-
[quote name=“Kevlar” post=“47775” timestamp=“1388123758”]
We’re back online.For those of you that have the link, you’ll notice a new feature when publishing: Auto-meta-data extraction.
When you put a magnet link in the box, it will do the following:
[list]
[*]Strip the trackers
[*]Extract the name and populate the text box
[*]Try and generate some good keywords from the name
[/list]It also sanitizes any bad html. Although I think it may screw with magnet links. I’m not sure… see if you can click on what you publish in the search results. Someone please test this? I’m out of FTC from a long night of bug fixing.
The reasoning behind stripping the trackers is that they’re temporal, but the data is forever. There’s no guarantee that in 5 years those trackers will still be around, but in 5 years, that hash will still be that data. That means you must use DHT in your torrent client to find the initial list of trackers. This is, in my opinion, as it should be. Now trackers can come and go, but Link data is forever.
If you don’t yet have the link, we’re getting closer. Hopefully by January I will have something we can share with the world and be proud of.
Thank you everyone for your continued support. We’re nearing the end of the second milestone: A production service with a UI.
[/quote]Kev, I’m sending you the last of what’s in my wallet (it’s not much, 10 or so) at home so you can test it. If you need more when I’m at my set up tomorrow let me know.
-
It is screwing with Magnet links. :(
That’s unfortunate. I’ll fix it tonight. Until then publishing is broken, so please don’t use it.
-
I can’t believe user input wasn’t sanitised. It’s kindergarten coding. :-\
-
[quote name=“UKMark” post=“47895” timestamp=“1388179885”]
I can’t believe user input wasn’t sanitised. It’s kindergarten coding. :-\
[/quote]It is. That’s what’s screwing with magnet links. Because I’m using the browser’s built in loveliness, it’s converting & to & when it shouldn’t. I’ve not decided what approach is best to take with regards to this yet, but I’ll figure something out.
-
[quote name=“Kevlar” post=“47897” timestamp=“1388180076”]
[quote author=UKMark link=topic=5663.msg47895#msg47895 date=1388179885]
I can’t believe user input wasn’t sanitised. It’s kindergarten coding. :-\
[/quote]It is. That’s what’s screwing with magnet links. Because I’m using the browser’s built in loveliness, it’s converting & to & when it shouldn’t. I’ve not decided what approach is best to take with regards to this yet, but I’ll figure something out.
[/quote]ctype_alnum, It’s all I trust tbh.
-
Nah, the browser has this built into it. It’s cross platform (not PHP specific), it’s future proof without ever updating the code, and it’s 4 lines of code (in coffeescript):
[code]
escapeHtml = (str) ->
div = document.createElement(“div”)
div.appendChild document.createTextNode(str)
div.innerHTML
[/code]Since anyone can encode anything into the blockchain, it just makes sense to sanitize any output before displaying it, since you can’t ever trust the server to do the right thing. Since all output is appended to the DOM via client side templates, there’s a single point which all data must pass through before being rendered. This makes the whole design trivial and idiot-proof. You just need to handle the special cases of things that should be allowed but normally aren’t.
-
I doubt you could truthfully santise at DOM level. You are giving ball back, surely?.
-
[quote name=“UKMark” post=“47907” timestamp=“1388181492”]
I doubt you could truthfully santise at DOM level. You are giving ball back, surely?.
[/quote]In fact that’s exactly what it’s doing. Specifically document.createTextNode() is a native function that will escape ANYTHING that the browser considers a DOM element. That’s why it’s future proof: As new tags are added, and supported on the browser, this native function will escape them.
It doesn’t work for PHP code, because PHP is rife with xss possibilities.
Consider the following example:
[code]
document.createTextNode(‘’);
[/code]The browser will leave that intact, because it’s perfectly safe to render in the DOM. The XSS happens on the server side, which is why mixing code and templates in HTML documents is inherently dangerous, and should be avoided.
-
Show me one xss possibilities that can evade ctype_alnum?..I am anal about sever side security, call me out, but honesty prevails…
-
[quote name=“UKMark” post=“47918” timestamp=“1388183032”]
Show me one xss possibilities that can evade ctype_alnum?..I am anal about sever side security, call me out, but honesty prevails…
[/quote]I’m sure it’s a solid package that address a huge problem with PHP, namely the intermingling of server side code and client side HTML. In the security world, we call that particular feature “Broken By Design”.
Since I’m not using PHP, and I’m not rendering anything server side except JSON, it’s a non issue for this project. I’m not vulnerable to server side attacks, because business logic is kept well clear of client templates, and I’m not vulnerable to client side attacks because the browser sanitizes any output before appending it to the DOM.
The client HTML is static html files that can be served up off the filesystem with no execution, pushing all the work of rendering onto the client. This means they can be e-tagged and cached client side trivially, since they don’t change when data changes. That means the server has less load because no execution is required, and the client page loads faster because it always comes out of local cache, and only the data need be queried, reducing the amount of bandwidth required. Those queries can be e-taged and cached as well, making the entire experience as optimal as possible. Since the template need only be transferred once, and the data is all that has to go over the wire, the bandwidth is even further reduced, since you don’t need to transfer the HTML each time with the data.
That’s server side security: No execution path whatsoever for the most common case, while significantly reducing the amount of work that must be done server side, significantly reducing the bandwidth required, and significantly reducing the load times while keeping a trivially simple cache model.
-
[quote name=“Kevlar” post=“47923” timestamp=“1388184280”]
That’s server side security: No execution path whatsoever for the most common case.
[/quote]I am so unlearning PHP from watching this project. Also: [url=http://forum.feathercoin.com/index.php/topic,6422]http://forum.feathercoin.com/index.php/topic,6422[/url]
-
[quote name=“zerodrama” post=“47924” timestamp=“1388184502”]
I am so unlearning PHP from watching this project.
[/quote]For once, I feel like I’m ahead of you. I never learned PHP. ;)
-
Ok, unleash the hounds on it!
Turns out the xss scare was all for not: the templating engine was doing it by default, and my paranoia had me writing code for nothing.
Publishing is fixed. Please test it out.
For those of you who notice the major change… please don’t spoil the surprise for the rest! I’ll be making a big announcement about it soon.