root-gg / plik
Plik is a temporary file upload system (Wetransfer like) in Go.
Home Page: https://plik.root.gg
License: Other
I'm technologically literate, I use a VPS and I'm not really great at it. I'm primarily a designer, this is the reason why I'm not primarily a programmer.
Is Plik a service that allows me to run Plik on my VPS, and have ShareX upload files and fetch a short URL like imgur does, and store files on my server? Is this correct?
Thanks.
Plik installed from root.gg Debian repository. Configured with reverse proxy apache and https. SourceIpHeader fed with server ip.
While trying to upload, I get
Oops ! (401)
Unable to get source IP address
[WARNING ][plik.go:850 checkSourceIP][[]] Unable to get source IP address from context
From external IP with an empty link, I get an error 403 or 502:
Oops ! (502)
[WARNING ][addFile.go:53 AddFile][[xx.xx.xx.xx][30GPHD4ojcpOnfAF]] Unable to add file from untrusted source IP address
Can anyone explain how to use UploadWhitelist in the plikd.cfg file?
I've tried:
["123.123.123.123"] for an IP
["123.123.123.123/24"] for an IP range
But it does not work.
I run plik in a container with the official image: rootgg/plik:1.2.2
Hello!
I've set up the Google API in Plik but when I do the login, this message pops up:
Unable to get user info from google API
What should I do?
Thanks!
It seems that uploading files larger than 4GB is currently broken. Also, the web interface shows negative file sizes for files > 2GB.
Hello,
is there any desktop client available for this upload server?
ShareX is unfortunately not working with this upload server yet.
And thanks for this nice image / file hosting service 👍 👍
Hello there
It appears that the bolt project has been archived: https://github.com/boltdb/bolt.
What is the plan for Plik ? Is the MongoDB backend the only maintained one ? Or can we still use the file backend for public instances ?
When using --secure option, generated curl command does not follow redirects:
$ echo "Hello" > test.txt
$ plik --secure openssl test.txt
Passphrase : xxx
Upload successfully created at Wed, 21 Sep 2016 16:51:32 CEST :
https://plik.ovh/#/?id=xxx
test.txt : 32 B / 6 B [========================================================] 533.33 % 3.50 KB/s
Commands :
curl -s "https://plik.ovh/file/xxx/test.txt" | openssl aes-256-cbc -d -pass pass:xxx > 'test.txt'
$ curl -s "https://plik.ovh/file/xxx/test.txt" | openssl aes-256-cbc -d -pass pass:xxx > 'test.txt'
bad magic number
$ curl -s "https://plik.ovh/file/xxx/test.txt"
<a href="https://dl.plik.ovh//file/xxx/test.txt">Moved Permanently</a>.
$ curl -Ls "https://plik.ovh/file/xxx/test.txt" | openssl aes-256-cbc -d -pass pass:xxx
Hello
For now there is no restriction to get the metadata of an upload protected by yubikey.
I think upload metadata should be protected by the yubikey too, as it is the case for basic auth though.
Hello,
I installed plik on my box using the docker container, but I want to use it as custom uploader in my ShareX instance.
I got the application key and the secret application key from the OVH page, put them in my config and did a docker-compose down && docker-compose up -d. When I enter either the application key or the secret application key in my ShareX setting as API Key it doesn't work. ({"message":"Invalid token","value":null}) I guess it's another key I need, but how to get it?
Thanks
When adding a URL like https://plik.root.gg/ the trailing / makes it fail (redirection).
Validating the inputted URL with https://golang.org/pkg/net/url/#Parse would also be nice :)
I feel silly to open an issue for that but I cannot find plik log file.
I am using plik docker image and looked at usual /var/log location and ~/server dir but could not find any log file there.
I would like to see the root of the error 500 I have on save (Oops ! (500) Unable to save file).
The Upload button is replaced by the delete button once the files are uploaded.
It's too easy to double click and delete the upload.
When you use csp-evaluator.withgoogle.com to check the Content Security Policy, errors appear in the plugin-types and sandbox sections.
Additionally, it should be allowed to play an mp4 file in the browser instead of getting the following error:
It can be simply reproduced by uploading an mp4 file. (In my case I used ShareX with the Plik uploader).
Plik lets users upload untrusted HTML content. This content is then made available at a static URL.
In addition to being convenient for hosting phishing pages, the HTML content is rendered as-is. Untrusted Javascript and Flash scripts get executed in the context of the Plik server.
The plik-session cookie is marked HTTPOnly. However, this doesn't prevent injected scripts from sending authenticated requests to the Plik API. The session cookie will not be directly visible to the scripts, but it will still be transmitted to the API endpoints.
For example, an attacker can upload a webpage to Plik that includes this code in order to retrieve the list of files uploaded by Plik users viewing that upload:
fetch('/me/uploads?offset=0&size=50', {credentials: 'same-origin'}).
then(e => e.json()).then(e => /* send e to a remote server */)
PoC: https://plik.root.gg/file/AJ9s2NI2ftAPgN2n/htc835caknBiIGBd/a.html
The actual cookies can also be retrieved by attackers in spite of the HTTPOnly flag, by including Flash objects in the webpage. These can send queries with the TRACE method, whose response includes cookies if the server supports that method.
Possible mitigations:
Content-Disposition: Attachment), and pay attention to the fact that this is not enough on some Internet Explorer versions. The X-Download-Options: noopen and X-Content-Type-Options: nosniff headers have to be sent. This also prevents Plik websites from being abused for phishing.
Is it possible to implement an auto-zipping feature? It would be great to zip multiple files server side. (Great for mobile phones uploading pictures)
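The download-header mitigation named in the untrusted-HTML report above (Content-Disposition: attachment, X-Content-Type-Options: nosniff, X-Download-Options: noopen), as an added Go example that is not Plik's own code. The handler, the in-memory `uploads` map and the `/file/constructed-id/` path are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
)

// uploads stands in for a data backend (constructed sample content).
var uploads = map[string][]byte{
	"a.html": []byte("<html><script>/* untrusted */</script></html>"),
}

// DownloadHeaders sets the response headers named in the report so that a
// browser saves an uploaded file instead of rendering it in the site origin.
func DownloadHeaders(h http.Header, filename string) {
	// Do not echo an uploader-chosen content type; serve a generic one.
	h.Set("Content-Type", "application/octet-stream")
	// FormatMediaType quotes or encodes the file name, so a crafted name
	// cannot add parameters to the header.
	h.Set("Content-Disposition",
		mime.FormatMediaType("attachment", map[string]string{"filename": filename}))
	// Stop MIME sniffing from overriding the declared type.
	h.Set("X-Content-Type-Options", "nosniff")
	// Internet Explorer: remove the "Open" choice from the download dialog.
	h.Set("X-Download-Options", "noopen")
}

// ServeUpload is a hypothetical download handler for stored uploads.
func ServeUpload(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Path)
	data, ok := uploads[name]
	if !ok {
		http.NotFound(w, r)
		return
	}
	DownloadHeaders(w.Header(), name)
	w.Write(data)
}

// Fetch runs one GET through the handler and returns status and headers.
func Fetch(target string) (int, http.Header) {
	rec := httptest.NewRecorder()
	ServeUpload(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Header()
}

func main() {
	code, h := Fetch("/file/constructed-id/a.html")
	fmt.Println(code, h.Get("Content-Type"), h.Get("Content-Disposition"))
}
```

Serving uploads from a separate origin that never receives the session cookie is a complementary measure, since headers alone depend on browser behaviour.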
So, there is a BT web panel working on my server and the question is how to make it work with domain and how to set
I deployed plikd via apt-get on my Debian machine and I can access the instance fine. However, when I try to upload a file, it spits out this:
Unable to parse source IP address
I am running plikd behind caddy (as reverse proxy). Any ideas on how to get this working?
Invalid secure params : Fail to read your GnuPG keyring : openpgp: invalid data: tag byte does not have MSB set
GnuPG 2.1 introduces a new default keyring format that Plik isn't able to read:
https://www.gnupg.org/faq/whats-new-in-2.1.html#keybox
Hi,
I just noticed that the plik CLI does not include the URL shortening.
It could be great and priceless to add it :)
Cheers,
damajor
There are a few things which are unclear in the inline documentation of the example config file:
YubikeyAPIKey -- When you request a key, there is a numeric "Client ID" and a secret key. I am assuming this value is supposed to be the Client ID, but it is not clear.
UploadWhiteList -- Does this use CIDR notation, or a range such as: 1.1.1.0-1.1.1.254
Hi, somehow I can't get the reverse proxy function to work in NGINX with plik.
Here is my config:
upstream plik {
    server 127.0.0.1:8090;
}
server {
    # I am omitting here the other parts of the config for http and https (which is working fine for other web apps anyway)
    location /plik {
        proxy_pass http://plik;
        proxy_set_header Host $host;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_http_version 1.1;
        proxy_buffer_size 1M;
        proxy_buffers 8 1M;
        proxy_redirect off;
        client_body_buffer_size 1M;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
I get a 404 error, and nginx says the following in the log
SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream
Any idea what is wrong? Note that while I am using https usually, I have no issue doing reverse proxy with other apps. But somehow I cannot figure out what is wrong here. Any hint appreciated!
http(s)_proxy environment variables are a de-facto standard. Example with wget:
$ wget https://plik.ovh/clients/linux-amd64/plik
--2018-01-09 10:08:07-- https://plik.ovh/clients/linux-amd64/plik
Resolving plik.ovh (plik.ovh)... failed: Name or service not known.
wget: unable to resolve host address `plik.ovh'
$ https_proxy=http://proxy.***:6256 wget https://plik.ovh/clients/linux-amd64/plik
--2018-01-09 10:08:24-- https://plik.ovh/clients/linux-amd64/plik
Resolving proxy.*** (proxy.)... ...
Connecting to proxy.** (proxy.)|...*|:6256... connected.
Proxy request sent, awaiting response... 200 OK
Length: 7699226 (7.3M) [application/octet-stream]
Saving to: `plik'
[...]
With plik (Linux 64bits client), it does not work:
$ ./plik test
Unable to create upload
Post https://plik.ovh/upload: dial tcp: lookup plik.ovh on 127.0.0.1:53: server misbehaving
$ https_proxy=http://proxy.***:6256 ./plik test
Unable to create upload
Post https://plik.ovh/upload: dial tcp: lookup plik.ovh on 127.0.0.1:53: server misbehaving
$ http_proxy=http://proxy.***:6256 ./plik test
Unable to create upload
Post https://plik.ovh/upload: dial tcp: lookup plik.ovh on 127.0.0.1:53: server misbehaving
You could simplify the token creation so that from any authorized ip, a button allows to create a token (a link like https://plik.root.gg/#/?id=NGG5eJiaaK9lGfsc expiring after 24h) which would allow to upload from any ip, and create ONE download link like this : https://plik.root.gg/file/NGG5eJiaaK9lGfsc/LiHJHLalEMLjqHt4/file.zip
Currently it requires a login for permanent upload access. Better one time upload access, without login.
One click to create the access
Still, the link must be created from an authorized ip
Each upload (or set of files) requires a link
At ca. 70% on file upload I'm getting an error:
Oops ! (-1) Connection failed
Not sure what's the problem, as in plikd.cfg the file size is set:
MaxFileSize = 10737418240 # 10GB
and can't start the debug:
./plikd -d
flag provided but not defined: -d
Usage of ./plikd:
-config string
Configuration file (default: plikd.cfg (default "plikd.cfg")
-port int
Overrides plik listen port
-version
Show version of plikd
./plikd -version
Plik server v1.2.2 (built from git rev ddc1b0f [mint] at 2018-04-26 22:21:20 +0200 CEST with go1.10.1 linux/arm)
also I've updated the media folder (736G 688G 48G 94% /media/usb1):
Directory = "/media/usb1/up/"
any help? I've compiled it from source
thx
When empty upload link is created
/#/?id=Ip9MhsGLr2bEeKe4&uploadToken=66I3IPELLCom9PkL3OHHejKA30ptkP2o
and after one click on “Upload”, I would disable the link (token) and (always) redirect to
/#/?id=Ip9MhsGLr2bEeKe4
a classic link with both buttons “Add files”, “Delete” and red cross removed.
This way, it locks the upload and token for further use/reuse. But any link including an expired/invalid token should always redirect to the shorter one to ensure continuity of the links sent/received. The token dies but the link still points to the uploaded files.
/#/?id=Ip9MhsGLr2bEeKe4&uploadToken=66I3IPELLCom9PkL3OHHejKA30ptkP2o
-> /#/?id=Ip9MhsGLr2bEeKe4
And ideally, enforce a TTL for empty links as a new parameter in plikd.cfg
Everything's in the title ;)
Full log message:
[02/18/2017 12:16:44][INFO ] Starting plikd server v1.2
2017/02/18 12:16:44 Unable to open Bolt database plik.db : open plik.db: permission denied
Hi,
Maybe I did not find the correct information but it could be nice to have a CLI to administrate the server, for example:
plikadm list files
plikadm delete [id]
I'm looking for something like plik but am not sure it has the features I am looking for. Currently still comparing a few different projects.
I see Google and OVH are available for authentication but I'm not sure how I would use those two and still restrict access to a specific user base. Would it be possible to add IMAP as an authentication provider? That way I could easily give all existing users of an IMAP server access.
How are uploaded files treated, are they encrypted? If yes. client-side or server-side?
It looks like the file names of uploaded files are visible in the download URL, can that be changed?
Hi, should be possible to add, on top of Google and OVH, the LDAP authentication as well?
Hey there,
I've written a client for the great plik API. Maybe it helps people writing apps leveraging the power of plik.
Thanks for your great work! The repo is plikSharp.
Best, Jan
It acts like --oneshot (-o) ...
When the last file is removed from an upload the upload is deleted and the web app goes back to the upload page.
Unfortunately the URL is not cleaned properly and the uploadToken can stay.
The Google Cloud API client libraries for Go are making some breaking changes:
google.golang.org/cloud/... to cloud.google.com/go/.... For example, if your code imports the BigQuery client
import "google.golang.org/cloud/bigquery"
import "cloud.google.com/go/bigquery"
google.golang.org/cloud to google.golang.org/api/option. Two have also been renamed:
WithBaseGRPC is now WithGRPCConn
WithBaseHTTP is now WithHTTPClient
cloud.WithContext and cloud.NewContext methods are gone, as are the Client
You should make these changes before September 12, 2016, when the packages at google.golang.org/cloud will go away.
Hi,
I am trying to do some experiments using the streaming feature but it does not seem to work.
Here is the behavior I get:
=> At this moment nothing is different from a classic upload, no custom URL is generated so I cannot provide the link to the other computer.
So I tried the following:
=> Now the download is starting while the file is uploaded at the same time.
My guess is that the Plik server is in the middle of the transfer.
Could you help me to understand how to use the streaming feature and also how it works technically ?
Thx.
Hi,
I'd like to work on implementing an IPFS dataBackend for Plik.
Hi,
I can't seem to increase max days the files will be kept. The max days is 30 days and can't seem to increase it. Any help?
Hey ! Could you update the GPG of the repo, it's outdated :)
Thanks
Hello!
I've noticed that every upload is automatically shortened once a service is specified in plikd.cfg.
I think it would be better to "shorten on demand", i.e: when a user wants to do it.
Furthermore, it would be nice to be able to shorten specific files too, not only the "main" upload.
Thank you guys, you are doing a GREAT job!
Do you plan to update the repo to support Debian 9 Stretch ?
Cheers !
I am no words an expert or coder of any kind but in the JS console there seems to be an issue with the software mentioning some "vendor.js"
Can't seem to make the "Add files" button work either.
See for yourself here: http://134.90.151.114:8080/#/
I don't know what I did wrong, just followed the steps in the install readme. It would be great, if there are any dependencies, that you also list them in the readme.
Running on Ubuntu 16.04, tried on Mint 18 too, does not work on either.
This would be useful to expose Plik to a reverse proxy such as Traefik.
Hi
I set up plik behind apache with this configuration :
ProxyPass / http://127.0.0.1:8080/
ProxyPreserveHost On
ProxyRequests on
I can upload files and download them, but if I want to set a password, when I try to retrieve the file I get this message :
{"message":"Please provide valid credentials to access this upload","value":null}
In logs :
[02/02/2018 12:06:10][WARNING ][[127.0.0.1][srsUkD1ili00savw]] Missing Authorization header
I'm using the git version on debian (tar.gz version doesn't work at all .. but this will be another issue ;))
plik@ks2:~/gopath/src/github.com/root-gg# go get -v github.com/root-gg/plik/server
github.com/root-gg/plik/server/vendor/github.com/facebookgo/stats
github.com/root-gg/plik/server/vendor/github.com/gorilla/context
github.com/root-gg/plik/server/vendor/github.com/facebookgo/clock
github.com/root-gg/plik/server/vendor/github.com/root-gg/juliet
github.com/root-gg/plik/server/vendor/github.com/root-gg/utils
github.com/root-gg/plik/server/vendor/github.com/BurntSushi/toml
github.com/root-gg/plik/server/vendor/github.com/gorilla/mux
github.com/root-gg/plik/server/vendor/github.com/facebookgo/httpdown
github.com/root-gg/plik/server/vendor/github.com/root-gg/logger
github.com/root-gg/plik/server/vendor/github.com/GeertJohan/yubigo
github.com/root-gg/plik/server/vendor/github.com/nu7hatch/gouuid
github.com/root-gg/plik/server/vendor/github.com/ncw/swift
github.com/root-gg/plik/server/vendor/github.com/boombuler/barcode
github.com/root-gg/plik/server/vendor/github.com/boombuler/barcode/utils
github.com/root-gg/plik/server/vendor/github.com/dgrijalva/jwt-go
github.com/root-gg/plik/server/vendor/github.com/boombuler/barcode/qr
github.com/root-gg/plik/server/common
github.com/root-gg/plik/server/vendor/github.com/boltdb/bolt
github.com/root-gg/plik/server/vendor/gopkg.in/mgo.v2/bson
github.com/root-gg/plik/server/vendor/gopkg.in/mgo.v2/internal/scram
github.com/root-gg/plik/server/dataBackend/file
github.com/root-gg/plik/server/dataBackend/stream
github.com/root-gg/plik/server/dataBackend/swift
github.com/root-gg/plik/server/dataBackend/weedfs
github.com/root-gg/plik/server/metadataBackend/file
github.com/root-gg/plik/server/dataBackend
github.com/root-gg/plik/server/vendor/gopkg.in/mgo.v2
github.com/root-gg/plik/server/vendor/golang.org/x/net/context
github.com/root-gg/plik/server/vendor/golang.org/x/oauth2/jws
github.com/root-gg/plik/server/metadataBackend/bolt
github.com/root-gg/plik/server/vendor/golang.org/x/oauth2/internal
github.com/root-gg/plik/server/vendor/google.golang.org/cloud/internal
github.com/root-gg/plik/server/vendor/google.golang.org/cloud/compute/metadata
github.com/root-gg/plik/server/vendor/golang.org/x/oauth2
github.com/root-gg/plik/server/vendor/golang.org/x/net/context/ctxhttp
github.com/root-gg/plik/server/vendor/google.golang.org/api/googleapi/internal/uritemplates
github.com/root-gg/plik/server/vendor/google.golang.org/api/googleapi
github.com/root-gg/plik/server/vendor/golang.org/x/oauth2/jwt
github.com/root-gg/plik/server/vendor/golang.org/x/oauth2/google
github.com/root-gg/plik/server/vendor/google.golang.org/api/gensupport
github.com/root-gg/plik/server/vendor/google.golang.org/api/oauth2/v2
github.com/root-gg/plik/server/metadataBackend/mongo
github.com/root-gg/plik/server/metadataBackend
github.com/root-gg/plik/server/handlers
github.com/root-gg/plik/server/middleware
# github.com/root-gg/plik/server/handlers
plik/server/handlers/misc.go:51:28: undefined: common.GetBuildInfo