root-gg / plik Goto Github PK

I'm technologically literate, I use VPS and I'm not really great at it. I'm primarily a designer, this is the reason why I'm not a primarily a programmer.

Is Plik a service that allow me to run Plik on my VPS, and have ShareX upload files and fetch short url like imgur does, and store files on my server. Is this correct?

Thanks.

Plik installed from root.gg Debian repository. Configured with reverse proxy apache and https. SourceIpHeader fed with server ip.

While trying to upload, I get
Oops ! (401)
Unable to get source IP address

[WARNING ][plik.go:850 checkSourceIP][[]] Unable to get source IP address from context

From external IP with an empty link, I get an error 403 or 502:
Oops ! (502)
[WARNING ][addFile.go:53 AddFile][[xx.xx.xx.xx][30GPHD4ojcpOnfAF]] Unable to add file from untrusted source IP address

Can any one explain how to use UploadWhitelist in plikd.cfg file?
I've tried:
["123.123.123.123"] for an IP
["123.123.123.123/24"] for an IP range
But not work.
I run plik in container with official image:rootgg/plik:1.2.2

Hello!
I've setup the Google API in Plik but when I do the login, this message pops up:

Unable to get user info from google API

What should I do?

Thanks!

It seems that currently uploading files larger than 4GB seems to be broken. Also web interface shows negative file sizes for files > 2GB

Hello,

is there any desktop client available for this upload server?
ShareX is unfortunately not working with this upload server yet.

And thanks for this nice image / file hosting service 👍 👍

Hello there

It appears that the bolt project have been archived: https://github.com/boltdb/bolt.

What is the plan for Plik ? Is the MongoDB backend the only maintained one ? Or can we still use the file backend for public instances ?

When using --secure option, generated curl command does not follow redirects:

$ echo "Hello" > test.txt
$ plik --secure openssl test.txt
Passphrase : xxx
Upload successfully created at Wed, 21 Sep 2016 16:51:32 CEST : 
    https://plik.ovh/#/?id=xxx

test.txt : 32 B / 6 B [========================================================] 533.33 % 3.50 KB/s 

Commands : 
curl -s "https://plik.ovh/file/xxx/test.txt" | openssl aes-256-cbc -d -pass pass:xxx > 'test.txt'

$ curl -s "https://plik.ovh/file/xxx/test.txt" | openssl aes-256-cbc -d -pass pass:xxx > 'test.txt'
bad magic number
$ curl -s "https://plik.ovh/file/xxx/test.txt"
<a href="https://dl.plik.ovh//file/xxx/test.txt">Moved Permanently</a>.

$ curl -Ls "https://plik.ovh/file/xxx/test.txt" | openssl aes-256-cbc -d -pass pass:xxx
Hello

For now there is no restriction to get the metadata of an upload protected by yubikey.
I think upload metadata should be protected by the yubikey too, as it is the case for basic auth though.

Hello,

I installed plik on my box using the docker container, but I want to use it as custom uploader in my ShareX instance.
I got the application key and the secret application key from the OVH page, put them in my config and did a docker-compose down && docker-compose up -d. When I enter either the application key or the secret application key in my ShareX setting as API Key it doesn't work. ({"message":"Invalid token","value":null}) I guess it's another key I need, but how to get it?

Thanks

When adding an url like https://plik.root.gg/
the trailing / make it fail (redirection)

Validating inputed url with https://golang.org/pkg/net/url/#Parse would also be nice :)

I feel silly to open an issue for that but I cannot find plik log file.

I am using plik docker image and looked at usual /var/log location and ~/server dir but could not find any log file there.

I would like to see the root of the error 500 I have on save (Oops ! (500) Unable to save file).

The Upload button is replaced by the delete button once the files are uploaded.
It's easy too easy to double click and delete the upload.

Running on CentOS 6, behind an Apache reverse proxy and using the binaries.

After upgrading from 1.2.0 to 1.2.2 the main Plik page loads but the file upload options (in the red box below) are missing and files can no longer be uploaded.

On the uploading size after the UI is left unclean after the upload has been downloaded.

When you use csp-evaluator.withgoogle.com to check the Content Security Policy there appear errors in the plugin-types and sandbox section.

Additional there should be allowed to play a mp4 file in the browser instead of getting the following error:

I can be simply reproduced by uploading a mp4 file. (In my case I used ShareX with the Plik uploader).

Plik lets users upload untrusted HTML content. This content is then made available at a static URL.

In addition to being convenient for hosting phishing pages, the HTML content is rendered as-is. Untrusted Javascript and Flash scripts get executed in the context of the Plik server.

The plik-session cookie is marked HTTPOnly. However, this doesn't prevent injected scripts from sending authenticated requests to the Plik API. The session cookie will not be directly visible to the scripts, but it will still be transmitted to the API endpoints.

For example, an attacker can upload a webpage to Plik that includes this code in order to retrieve the list of files uploaded by Plik users viewing that upload:

fetch('/me/uploads?offset=0&size=50', {credentials: 'same-origin'}).
    then(e => e.json()).then(e => /* send e to a remote server */)

PoC: https://plik.root.gg/file/AJ9s2NI2ftAPgN2n/htc835caknBiIGBd/a.html

The actual cookies can also be retrieved by attackers in spite of the HTTPOnly flag, by including Flash objects in the webpage. These can send queries with theTRACE method, whose response include cookies if the server supports that method.

Possible mitigations:

• Viewing and uploading files should not share the same origin, so that viewing a document doesn't involve any cookies.
• Do not render HTML. Offer it as a download (Content-Disposition: Attachment), and pay attention to the fact that this is not enough on some Internet Explorer versions. The X-Download-Options: noopen and X-Content-Type-Options: nosniff headers have to be sent. This also prevents Plik websites from being abused for phishing.
• If untrusted HTML really has to be rendered, render it in an iframe with the sandbox attribute. All browsers do not support this attribute, though.

Is it possible to implement an auto-zipping feature? It would be great to zip multiple files server side. (Great for mobile phones uploading pictures)

So,there is a BT web panel working on my server and the question is how to make it work with domain and how to set

I deployed plikd via apt-get on my Debian machine and I can access the instance fine. However, when I try to upload a file, it spits out this:

Unable to parse source IP address

I am running plikd behind caddy (as reverse proxy). Any ideas on how to get this working?

Invalid secure params : Fail to read your GnuPG keyring : openpgp: invalid data: tag byte does not have MSB set

GnuPG 2.1 introduce a new default keyring format that Plik isn't able to read :
https://www.gnupg.org/faq/whats-new-in-2.1.html#keybox

Hi,

I just noticed that the plik CLI does not include the URL shortening.
It could be great and priceless to add it :)

Cheers,
damajor

There is a few things which are unclear in the inline documentation of the example config file:

1. YubikeyAPIKey -- When you request a key, there is a numeric "Client ID" and a secret key. I am assuming this value is supposed to be the Client ID, but it is not clear.
2. UploadWhiteList -- Does this use CIDR notation, or a range such as: 1.1.1.0-1.1.1.254

Hi, somehow I can't get the reverse proxy function to work in NGINX with plik.
Here is my config:

upstream plik { 
server 127.0.0.1:8090;   
}

server {

#I am omitting here the other parts of the config for http and https (which is working fine for other web apps anyway)

location /plik {
proxy_pass http://plik;                                    
proxy_set_header Host $host;    
proxy_set_header Connection "upgrade";
proxy_buffering off;
proxy_request_buffering off;                                          
proxy_http_version 1.1; 
proxy_buffer_size 1M; 
proxy_buffers 8 1M;
proxy_redirect off;
client_body_buffer_size 1M; 
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
}

I get a 404 error, and nginx says the following in the log

SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream

Any idea what is wrong? Note that while I am using https usually, i have no issue doing reverse proxy with other apps. But somehow I cannot figure what is wrong here. Any hint appreciated!

http(s)_proxy environment variables are a de-facto standard. Example with wget:

$ wget https://plik.ovh/clients/linux-amd64/plik
--2018-01-09 10:08:07-- https://plik.ovh/clients/linux-amd64/plik
Resolving plik.ovh (plik.ovh)... failed: Name or service not known.
wget: unable to resolve host address `plik.ovh'

$ https_proxy=http://proxy.***:6256 wget https://plik.ovh/clients/linux-amd64/plik
--2018-01-09 10:08:24-- https://plik.ovh/clients/linux-amd64/plik
Resolving proxy.*** (proxy.)... ...
Connecting to proxy.** (proxy.)|...*|:6256... connected.
Proxy request sent, awaiting response... 200 OK
Length: 7699226 (7.3M) [application/octet-stream]
Saving to: `plik'
[...]

With plik (Linux 64bits client), it does not work:

$ ./plik test
Unable to create upload
Post https://plik.ovh/upload: dial tcp: lookup plik.ovh on 127.0.0.1:53: server misbehaving

$ https_proxy=http://proxy.***:6256 ./plik test
Unable to create upload
Post https://plik.ovh/upload: dial tcp: lookup plik.ovh on 127.0.0.1:53: server misbehaving

$ http_proxy=http://proxy.***:6256 ./plik test
Unable to create upload
Post https://plik.ovh/upload: dial tcp: lookup plik.ovh on 127.0.0.1:53: server misbehaving

You could simplify the token creation so that from any authorized ip, a button allows to create a token (a link like https://plik.root.gg/#/?id=NGG5eJiaaK9lGfsc expiring after 24h) which would allow to upload from any ip, and create ONE download link like this : https://plik.root.gg/file/NGG5eJiaaK9lGfsc/LiHJHLalEMLjqHt4/file.zip

Currently it requires a login for permanent upload access. Better one time upload access, without login.
One click to create the access
Still, the link must be created from an authorized ip
Each upload (or set of files) requires a link

at ca. 70% on file upload I'm getting a error:

Oops ! (-1) Connection failed

not usre whats the problem as in plikd.cfg file size is set:
MaxFileSize = 10737418240 # 10GB
and can't start the debug:

./plikd -d
flag provided but not defined: -d
Usage of ./plikd:
-config string
Configuration file (default: plikd.cfg (default "plikd.cfg")
-port int
Overrides plik listen port
-version
Show version of plikd

./plikd -version Plik server v1.2.2 (built from git rev ddc1b0f [mint] at 2018-04-26 22:21:20 +0200 CEST with go1.10.1 linux/arm)

also I've updated the media folder (736G 688G 48G 94% /media/usb1):
Directory = "/media/usb1/up/"

any help? I've compiled it from source

thx

When empty upload link is created
/#/?id=Ip9MhsGLr2bEeKe4&uploadToken=66I3IPELLCom9PkL3OHHejKA30ptkP2o

and after one click on “Upload”, I would disable the link (token) and (always) redirect to
/#/?id=Ip9MhsGLr2bEeKe4

a classic link with both buttons “Add files”, “Delete” and red cross removed.

This way, it locks the upload and token for further use/reuse. But any link including an expired/invalid token should always redirect to the shorter one to ensure continuity of the links sent/received. The token dies but the link still points to the uploaded files.
/#/?id=Ip9MhsGLr2bEeKe4&uploadToken=66I3IPELLCom9PkL3OHHejKA30ptkP2o
-> /#/?id=Ip9MhsGLr2bEeKe4

And ideally, enforce a TTL for empty links as a new parameter in plikd.cfg

Hello, downloading file from plik.root.gg with the .pptx extension, you get a content-type:application/zip

Everything's in the title ;)

Full log message:

[02/18/2017 12:16:44][INFO ] Starting plikd server v1.2
2017/02/18 12:16:44 Unable to open Bolt database plik.db : open plik.db: permission denied

Hi,

Maybe I did not find the correct information but it could be nice to have a CLI to administrate the server, for example:

plikadm list files
plikadm delete [id]

I'm looking for something like plik but am not sure it has the features I am looking for. Currently still comparing a few different projects.

I see Google and OVH are available for authentication but I'm not sure how I would use those two and still restrict access to a specific user base. Would it be possible to add IMAP as an authentication provider? That way I could easily give all existing users of an IMAP server access.

How are uploaded files treated, are they encrypted? If yes. client-side or server-side?

It looks like the file names of uploaded files are visible in the download URL, can that be changed?

Could instead be This upload will expire on <data> at <time>

Hi, should be possible to add, on top of Google and OVH, the LDAP authentication as well?

Hey there,

I've written a client for the great plik API. Maybe it helps people writing apps leveraging the power of plik.
Thanks for your great work! The repo is plikSharp.

Best, Jan

it act like like --oneshot (-o) ...

When the last file is removed from an upload the upload is deleted and the web app goes back to the upload page.
Unfortunately the URL is not cleaned properly and the uploadToken can stay.

The Google Cloud API client libraries for Go are making some breaking changes:

• The import paths are changing from google.golang.org/cloud/... to
  cloud.google.com/go/.... For example, if your code imports the BigQuery client
  it currently reads
  import "google.golang.org/cloud/bigquery"
  It should be changed to
  import "cloud.google.com/go/bigquery"
• Client options are also moving, from google.golang.org/cloud to
  google.golang.org/api/option. Two have also been renamed:
  • WithBaseGRPC is now WithGRPCConn
  • WithBaseHTTP is now WithHTTPClient
• The cloud.WithContext and cloud.NewContext methods are gone, as are the
  deprecated pubsub and container functions that required them. Use the Client
  methods of these packages instead.

You should make these changes before September 12, 2016, when the packages at
google.golang.org/cloud will go away.

Hi,

I am trying to do some experiments using the streaming feature but it does not seem to work.

Here is the behavior I get:

• Both Computers: Open Plik
• Computer 1: Enable stream
• Computer 1: Drop a file

=> At this moment nothing is different from a classic upload, no custom URL is generated so I cannot provide the link to the other computer.
So I tried the following:

• Computer 1: Click on upload, then Plik provides me a custom URL and my browser starts to upload the file
• Computer 2: Load the custom URL

=> Now the download is starting while the file is uploaded at the same time.

My guess is that the Plik server is in the middle of the transfer.

Could you help me to understand how to use the streaming feature and also how it works technically ?

Thx.

Hi,
I'd like to work on implementing an IPFS dataBackend for Plik.

https://github.com/ipfs/go-ipfs

Hi,

I can't seem to increase max days the files will be kept. The max days is 30 days and can't seem to increase it. Any help?

Hey ! Could you update the GPG of the repo, it's outdated :)

Thanks

Hello!
I've noticed that every upload is automatically shortened once a service is specified in plikd.cfg.
I think it would be better to "shorten on demand", i.e: when a user wants to do it.
Furthermore, it would be nice to be able to shorten specific files too, not only the "main" upload.

Thank you guys, you are doing a GREAT job!

Do you plan to update the repo to support Debian 9 Stretch ?
Cheers !

I am no words an expert or coder of any kind but in the JS console there seems to be an issue with the software mentioning some "vendor.js"
cant seem to make the "Add files" button to work either.

See for yourself here: http://134.90.151.114:8080/#/

I dont know what i did wrong, just followed the steps on the install readme. Would be great if there are any dependencies that you also list that in the readme.

Running on Ubuntu 16.04, tied on Mint 18 too, does not work on either.

This would be useful to expose Plik to a reverse proxy such as Traefik.

Hi

I set up plik behind apache with this configuration :
ProxyPass / http://127.0.0.1:8080/
ProxyPreserveHost On
ProxyRequests on

I can upload files and download them, but if I want to set a password, when I try to retrieve the file I get this message :
{"message":"Please provide valid credentials to access this upload","value":null}

In logs :
[02/02/2018 12:06:10][WARNING ][[127.0.0.1][srsUkD1ili00savw]] Missing Authorization header

I'm using the git version on debian (tar.gz version doesn't work at all .. but this will be another issue ;))