zeitonline / briefkasten

a reasonably secure web application for submitting content anonymously

License: Other

Shell 30.97% Python 39.07% JavaScript 23.32% CSS 0.64% Makefile 0.77% HTML 2.39% Jinja 2.67% Dockerfile 0.16%


briefkasten's Issues

Stuck with "This is a default, unconfigured instance"

What I did: after installing, I copied the briefkasten.conf to the right place and updated its parameters. When I open the server instance in the browser I get the "This is a default, unconfigured instance" message.
When I directly access a route, e.g. "/briefkasten/submit", I see the form but additionally a big red box telling me again that "this instance is obviously not yet configured properly!".

I absolutely do not know how to go on from there. The Readme states, "The current implementation should be ready for general use on a functional level". So what did I miss?
How do I go about "properly configuring" it?

Please advise!
Thanks

Enhancement: do a secure wipe instead of rm -rf

When cleaning up the temporary files, they are removed via rm -rf. On most filesystems this does not securely delete the files. It might make sense to use something like "wipe" to remove the files instead (OTOH, secure deletion from disk is hard. Maybe put the temporary files only on a memory-backed filesystem instead?).
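The two options raised in this issue can be combined: check which filesystem a temporary file actually lives on, unlink it when that filesystem is RAM-backed, and otherwise fall back to a best-effort overwrite. The following is an added example written for this page, not code from the briefkasten project; it parses the Linux /proc/mounts format (the constructed mount table used for testing is not from any real host) and the caveats in the docstring of `shred` apply to every overwrite-based tool, "wipe" included.

```python
import os
import secrets

# Filesystem types that live only in RAM: data is gone once unmounted or after a reboot.
MEMORY_BACKED = {"tmpfs", "ramfs"}


def mount_type(path, mounts_text):
    """Return the filesystem type of the mount that holds `path`.

    `mounts_text` is the content of /proc/mounts (Linux; fields are
    device mountpoint fstype options dump pass). The longest mount point that
    is a prefix of `path` wins, so /dev/shm beats / for /dev/shm/x.
    """
    best, best_type = "", None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts escapes spaces in mount points as \040
        mountpoint, fstype = fields[1].replace("\\040", " "), fields[2]
        root = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(root):
            if len(mountpoint) > len(best):
                best, best_type = mountpoint, fstype
    return best_type


def is_memory_backed(path, mounts_text=None):
    """True if `path` resides on tmpfs/ramfs. Reads /proc/mounts unless text is supplied."""
    if mounts_text is None:
        with open("/proc/mounts", encoding="utf-8") as fh:
            mounts_text = fh.read()
    return mount_type(os.path.realpath(path), mounts_text) in MEMORY_BACKED


def shred(path, passes=1, chunk=1 << 16):
    """Overwrite a regular file with random bytes in place, fsync, then unlink.

    Best effort only: journaling, copy-on-write filesystems (btrfs, ZFS),
    snapshots, SSD wear levelling and backups can all keep the old blocks
    around. It reduces what a later scan of the raw device finds; it is not
    a guarantee. Returns the number of bytes overwritten.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    os.unlink(path)
    return size


def cleanup_drop_files(paths, mounts_text=None):
    """Delete temporary files; shred only those on a disk-backed filesystem."""
    report = {}
    for p in paths:
        if is_memory_backed(p, mounts_text):
            os.unlink(p)            # RAM-backed: a plain unlink is enough
            report[p] = "unlinked"
        else:
            shred(p)
            report[p] = "shredded"
    return report
```

The decisive check is `is_memory_backed`: if the drop directory is on tmpfs, overwriting buys nothing, and if it is on ext4 or a CoW filesystem, overwriting buys less than the name "secure wipe" suggests. Mounting the temporary directory as tmpfs (and, where the threat model includes seizure of the box, keeping swap off or encrypted) is the more reliable fix.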

DoS

What about DoS?

Is there some protection? It seems a lorem-ipsum generator loop can send as often as I want.

Please no external services like Google captchas! ;-)
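Two purely local checks cover the scripted-loop case without a third-party captcha: a signed, timestamped form token that rejects submissions arriving too soon after the form was served (and rejects each token after its first use), plus a global token bucket on accepted submissions. The bucket is deliberately global, not per client address: behind Tor or a reverse proxy every visitor shows up with the same address, so per-IP limits would be meaningless. This is an added example for this page, not code from the briefkasten project; the HMAC key, limits and the injected clock are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets
import time


class TokenBucket:
    """Global token bucket: a burst of at most `capacity`, refilled at `per_second`."""

    def __init__(self, capacity, per_second):
        self.capacity = float(capacity)
        self.per_second = per_second
        self.tokens = float(capacity)
        self.updated = None

    def allow(self, now):
        if self.updated is None:
            self.updated = now
        self.tokens = min(self.capacity, self.tokens + (now - self.updated) * self.per_second)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SubmissionGuard:
    """Form-timing check plus global rate limit, no external service involved.

    1. issue_form_token() is embedded as a hidden field when the form is rendered.
       A submission is accepted only if at least `min_seconds_on_form` elapsed
       since then, the token is at most `max_age` old, and it was not used before.
    2. Accepted submissions are then counted against a global token bucket.
    """

    def __init__(self, key, per_minute=10, min_seconds_on_form=5, max_age=3600, clock=time.time):
        self.key = key                      # server-side secret (assumption: loaded from config)
        self.bucket = TokenBucket(per_minute, per_minute / 60.0)
        self.min_seconds_on_form = min_seconds_on_form
        self.max_age = max_age
        self.clock = clock
        self.seen = {}                      # nonce -> expiry; pruned on every check

    def _sign(self, issued, nonce):
        return hmac.new(self.key, f"{issued}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def issue_form_token(self):
        issued = int(self.clock())
        nonce = secrets.token_hex(8)
        return f"{issued}:{nonce}:{self._sign(issued, nonce)}"

    def check_submission(self, token):
        """Return 'ok' or the reason the submission is rejected."""
        try:
            issued_s, nonce, sig = token.split(":")
            issued = int(issued_s)
        except ValueError:
            return "malformed"
        if not hmac.compare_digest(sig, self._sign(issued, nonce)):
            return "bad_signature"
        now = self.clock()
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if now - issued > self.max_age:
            return "expired"
        if now - issued < self.min_seconds_on_form:
            return "too_fast"
        if nonce in self.seen:
            return "replayed"
        if not self.bucket.allow(now):
            return "rate_limited"
        self.seen[nonce] = issued + self.max_age
        return "ok"
```

The `seen` set is bounded by `max_age`, so memory stays proportional to the accepted rate. The rate limit protects the mail relay and the metadata-stripping pipeline, not the web server itself; volumetric floods are handled in front of the application.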

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

  • chore(deps): update zeitonline/gh-action-workflows action to v1.3
  • chore(deps): update actions/checkout action to v3
  • chore(deps): update github/codeql-action action to v2
  • chore(deps): lock file maintenance

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile
Dockerfile
  • python 3.11.4-slim
github-actions
.github/workflows/backend-tests.yaml
  • zeitonline/gh-action-workflows 1.0
.github/workflows/codeql-analysis.yml
  • actions/checkout v2
  • github/codeql-action v1
  • github/codeql-action v1
  • github/codeql-action v1
.github/workflows/docs-trigger-build.yaml
  • peter-evans/repository-dispatch v2
pep621
watchdog/src/watchdog/pyproject.toml
pip_requirements
application/requirements.txt
  • Chameleon ==4.0.1
  • click ==8.1.4
  • colander ==2.0
  • cssselect ==1.2.0
  • diazo ==1.5.0
  • future ==0.18.3
  • humanfriendly ==10.0
  • hupper ==1.12
  • iso8601 ==2.0.0
  • itsdangerous ==2.1.2
  • Jinja2 ==3.1.2
  • lxml ==4.9.3
  • MarkupSafe ==2.1.3
  • Paste ==3.5.3
  • PasteDeploy ==3.0.1
  • plaster ==1.1.2
  • plaster-pastedeploy ==1.0.1
  • pyramid ==2.0.1
  • pyramid-chameleon ==0.3
  • python-gnupg ==0.5.0
  • PyYAML ==6.0
  • repoze.xmliter ==0.6.1
  • six ==1.16.0
  • translationstring ==1.4
  • venusian ==3.0.0
  • watchdog ==3.0.0
  • WebOb ==1.8.7
  • zope.deprecation ==5.0
  • zope.interface ==6.0
deployment/roles/briefkasten/files/requirements.txt
  • Chameleon ==4.0.1
  • click ==8.1.4
  • colander ==2.0
  • cssselect ==1.2.0
  • diazo ==1.5.0
  • future ==0.18.3
  • humanfriendly ==10.0
  • hupper ==1.12
  • iso8601 ==2.0.0
  • itsdangerous ==2.1.2
  • Jinja2 ==3.1.2
  • lxml ==4.9.3
  • MarkupSafe ==2.1.3
  • Paste ==3.5.3
  • PasteDeploy ==3.0.1
  • plaster ==1.1.2
  • plaster-pastedeploy ==1.0.1
  • pyramid ==2.0.1
  • pyramid-chameleon ==0.3
  • python-gnupg ==0.5.0
  • PyYAML ==6.0
  • repoze.xmliter ==0.6.1
  • six ==1.16.0
  • translationstring ==1.4
  • venusian ==3.0.0
  • watchdog ==3.0.0
  • WebOb ==1.8.7
  • zope.deprecation ==5.0
  • zope.interface ==6.0
pip_setup
application/setup.py
  • Pyramid <2.1
  • tox <5.0
pipenv
application/Pipfile
deployment/Pipfile
watchdog/Pipfile

Constant time comparison for URL tokens

Both drop_id and editor_token seem to be vulnerable to a timing attack.

Use a constant time comparison when processing requests to avoid that an attacker can guess secret URLs.
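The leak described here comes from two places: `==` on strings returns at the first differing byte, and any loop or lookup that stops at the first hit takes longer the closer the guess is. `hmac.compare_digest` fixes the comparison itself; indexing drops by a keyed hash of the token removes the data-dependent lookup as well, which matters because a directory or dict keyed by the raw drop_id is just another comparison the attacker can time. Added example for this page, not briefkasten's code; the store, pepper and token layout are assumptions.

```python
import hashlib
import hmac
import secrets


def lookup_leaky(presented, drops):
    """The pattern to avoid: `==` short-circuits per byte and the loop exits on
    the first match, so response time depends on how much of the secret the
    attacker already has right."""
    for token, data in drops.items():
        if token == presented:
            return data
    return None


def tokens_match(presented, expected):
    """Constant-time equality for two URL tokens (str or bytes)."""
    if isinstance(presented, str):
        presented = presented.encode("utf-8")
    if isinstance(expected, str):
        expected = expected.encode("utf-8")
    return hmac.compare_digest(presented, expected)


class DropStore:
    """Index drops by HMAC(pepper, token) instead of by the token itself.

    On the request path the only data-dependent work is one HMAC over the
    presented token (fixed cost for a fixed length) and a dict lookup on the
    digest. The attacker cannot steer the digest, so there is nothing useful
    left to time. The same trick works for on-disk storage: name the drop
    directory after the digest, not after the raw drop_id.
    """

    def __init__(self, pepper):
        self.pepper = pepper            # server-side secret, independent of any token
        self._by_digest = {}

    def _digest(self, token):
        return hmac.new(self.pepper, token.encode("utf-8"), hashlib.sha256).digest()

    def create(self, data):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._by_digest[self._digest(token)] = data
        return token

    def lookup(self, presented):
        if not isinstance(presented, str) or not presented or len(presented) > 128:
            return None                     # reject oversize input before hashing
        return self._by_digest.get(self._digest(presented))
```

`tokens_match` is what to use where a token is compared against one expected value (the editor_token case); `DropStore.lookup` is for the case where the token selects one record among many. Note that `compare_digest` only hides content, not length, so tokens should have a fixed length.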

Did not get pdf or doc Files in the Email

Hi Support Team,

My PGP is working, I get the e-mails encrypted and I can decrypt the e-mail.
If I attach a JPEG file the e-mail has an attachment, but I am not able to get the picture back.

If I attach a PDF or a DOC file, then I do not get an attachment in the e-mail.

Do I need some software on my server to work with attachments?

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Awaiting Schedule

These updates are awaiting their schedule. Click on a checkbox to get an update now.

  • chore(deps): lock file maintenance

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): pin dependencies (actions/checkout, editorconfig-checker/editorconfig-checker.python, github/codeql-action, peter-evans/repository-dispatch, pre-commit/pre-commit-hooks, pycqa/flake8, python, zeitonline/gh-action-workflows)
  • chore(deps): update dependency markupsafe to v2.1.5
  • chore(deps): update pre-commit hook editorconfig-checker/editorconfig-checker.python to v2.7.3
  • chore(deps): update dependency itsdangerous to v2.2.0
  • chore(deps): update dependency zope.interface to v6.3
  • chore(deps): update pre-commit hook pre-commit/pre-commit-hooks to v4.6.0
  • chore(deps): update dependency diazo to v2
  • chore(deps): update dependency future to v1
  • chore(deps): update dependency lxml to v5
  • chore(deps): update dependency watchdog to v4
  • chore(deps): update peter-evans/repository-dispatch action to v3
  • chore(deps): update pre-commit hook pycqa/flake8 to v7
  • ๐Ÿ” Create all rate-limited PRs at once ๐Ÿ”

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile
Dockerfile
  • python 3.11.5-slim
github-actions
.github/workflows/backend-tests.yaml
  • zeitonline/gh-action-workflows 1.14
.github/workflows/codeql-analysis.yml
  • actions/checkout v4
  • github/codeql-action v2
  • github/codeql-action v2
  • github/codeql-action v2
.github/workflows/docs-trigger-build.yaml
  • peter-evans/repository-dispatch v2
pep621
application/pyproject.toml
  • Pyramid <2.1
watchdog/src/watchdog/pyproject.toml
pip_requirements
application/requirements.txt
  • Chameleon ==4.2.0
  • click ==8.1.7
  • colander ==2.0
  • cssselect ==1.2.0
  • diazo ==1.5.0
  • future ==0.18.3
  • humanfriendly ==10.0
  • hupper ==1.12
  • iso8601 ==2.1.0
  • itsdangerous ==2.1.2
  • Jinja2 ==3.1.2
  • lxml ==4.9.3
  • MarkupSafe ==2.1.3
  • Paste ==3.6.0
  • PasteDeploy ==3.0.1
  • plaster ==1.1.2
  • plaster-pastedeploy ==1.0.1
  • pyramid ==2.0.2
  • pyramid-chameleon ==0.3
  • python-gnupg ==0.5.1
  • PyYAML ==6.0.1
  • repoze.xmliter ==0.6.1
  • six ==1.16.0
  • translationstring ==1.4
  • venusian ==3.0.0
  • watchdog ==3.0.0
  • WebOb ==1.8.7
  • zope.deprecation ==5.0
  • zope.interface ==6.1
deployment/roles/briefkasten/files/requirements.txt
  • Chameleon ==4.2.0
  • click ==8.1.7
  • colander ==2.0
  • cssselect ==1.2.0
  • diazo ==1.5.0
  • future ==0.18.3
  • humanfriendly ==10.0
  • hupper ==1.12
  • iso8601 ==2.1.0
  • itsdangerous ==2.1.2
  • Jinja2 ==3.1.2
  • lxml ==4.9.3
  • MarkupSafe ==2.1.3
  • Paste ==3.6.0
  • PasteDeploy ==3.0.1
  • plaster ==1.1.2
  • plaster-pastedeploy ==1.0.1
  • pyramid ==2.0.2
  • pyramid-chameleon ==0.3
  • python-gnupg ==0.5.1
  • PyYAML ==6.0.1
  • repoze.xmliter ==0.6.1
  • six ==1.16.0
  • translationstring ==1.4
  • venusian ==3.0.0
  • watchdog ==3.0.0
  • WebOb ==1.8.7
  • zope.deprecation ==5.0
  • zope.interface ==6.1
pipenv
application/Pipfile
deployment/Pipfile
watchdog/Pipfile
pre-commit
.pre-commit-config.yaml
  • pre-commit/pre-commit-hooks v4.4.0
  • editorconfig-checker/editorconfig-checker.python 2.7.1
  • pycqa/flake8 5.0.4

Enhancement: Introduce a random time delay before sending out an email

In a setting where the application is not used very often, an attacker with the ability to do traffic analysis may be able to capture the IP of a whistleblower by correlating the fact that someone accessed the website and the fact that soon after that a mail is sent out. Similarly to anonymous remailers, a random time delay may help to counter this attack (the time delay should be based on the estimated access rates for the application and may be quite large for an application without much usage).
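One way to size and apply such a delay: pick the mean so that, at the observed visit rate, a chosen number of unrelated visits fall into the window on average, draw the actual delay from an exponential distribution (no fixed offset to subtract), clamp it to operational bounds, and hold the encrypted submission in a queue until its release time. Added example for this page, not briefkasten's code; the visit rate, the cover-visit target and the bounds are assumptions, and the send callback stands in for the real mail handoff.

```python
import random


def relay_delay_seconds(visits_per_hour, cover_visits=10, min_delay=60.0,
                        max_delay=6 * 3600.0, rng=None):
    """Draw the delay before a submission is relayed by mail.

    Mean = cover_visits / visit rate: an observer who sees the outbound mail
    then has about `cover_visits` candidate visits to choose from. With no
    measurable traffic the mean is the maximum. Draws come from the OS CSPRNG
    unless a generator is injected (done only for testing).
    """
    rng = rng or random.SystemRandom()
    if visits_per_hour <= 0:
        mean = max_delay
    else:
        mean = cover_visits / (visits_per_hour / 3600.0)
    mean = min(max(mean, min_delay), max_delay)
    delay = rng.expovariate(1.0 / mean)
    return min(max(delay, min_delay), max_delay)


class RelayQueue:
    """Hold submissions until their release time; `send` does the real handoff."""

    def __init__(self, send, visits_per_hour, **delay_kwargs):
        self.send = send
        self.visits_per_hour = visits_per_hour
        self.delay_kwargs = delay_kwargs
        self.pending = []            # list of (release_at, item)

    def enqueue(self, item, now):
        release_at = now + relay_delay_seconds(self.visits_per_hour, **self.delay_kwargs)
        self.pending.append((release_at, item))
        return release_at

    def flush(self, now):
        """Call periodically (e.g. from the watchdog/cron loop); returns what was sent."""
        due = sorted((p for p in self.pending if p[0] <= now), key=lambda p: p[0])
        self.pending = [p for p in self.pending if p[0] > now]
        sent = []
        for _, item in due:
            self.send(item)
            sent.append(item)
        return sent
```

The queue must persist across restarts and the items in it must already be encrypted to the recipients' keys; otherwise the delay just extends the window in which plaintext sits on the box. `max_delay` is a policy choice: for a site with one visit a day the formula asks for days of delay, and the clamp decides how much timeliness the operator is willing to trade.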

Add license information

Is this project free software? If yes, please add a LICENSE file and license information to setup.py.

Do not include absolute paths to background images in base.css

If a user wants to run her own instance of briefkasten without any affiliation with Zeit Online, and does not update the CSS files, background images are still referenced from Zeit Online, creating a possible way for Zeit Online to trace uploaders to that cloned instance.

Example line numbers in base.css: 149, 424, 453, 524, ...

Please either include the files in the package, or comment out the lines, or tell users to remove the references.

Installation from briefkasten on Debian 10

Hi!
I have a vServer from Hetzner with Debian 10 Minimal. I have cloned the git repo and copied etc.sample/plain.conf to etc/ploy.conf.
Then I changed the IP line, ansible-fqdn and the approot_url.
After this I executed make bootstrap.
Now I get the following error message:
(...)
/root/briefkasten/deployment/venv/log/develop-1.log)', 1)
ERROR: develop: could not install deps [pip >= 19.1.1, setuptools >= 31.0.0, a
(...)
In the develop-1.log file:
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in /tmp/pip-install-4e1mm3/pycrypto': configure: error: C compiler cannot create executables See config.log' for more details
Traceback (most recent call last):
(...)
RuntimeError: autoconf error
----------------------------------------
ERROR: Command errored out with exit status 1: /root/briefkasten/deployment/venv/bin/python -u -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/tmp/pip-install-4e1mm3/pycrypto/setup.py'"'"'; file='"'"'/tmp/pip-install-4e1mm3/pycrypto/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(file);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, file, '"'"'exec'"'"'))' install --record /tmp/pip-record-bj8j8L/install-record.txt --single-version-externally-managed --compile --install-headers /root/briefkasten/deployment/venv/include/site/python2.7/pycrypto Check the logs for full command output.
gcc is installed.
I have a Debian minimal installation ... are some packages missing? ... :-)

Enhancement: CSPRNG instead of Random

When creating the access token, Random() is used, which uses the Mersenne Twister PRNG algorithm. Even though Python seems to seed decently when entropy sources are available on OS-level, I'd encourage the use of a cryptographically-secure pseudorandom number generator instead.
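Why "seeds decently" is not enough: the Mersenne Twister's output is a linear function of its state, so anyone who observes 624 consecutive 32-bit outputs can invert the tempering, rebuild the state and predict every later output without ever learning the seed. The following added example (written for this page, not code from briefkasten) does exactly that against Python's `random`, then shows the replacement. Whether briefkasten's actual token derivation exposes enough raw output for this attack is not established by the issue; the point is that `random` gives no guarantee, while `secrets` does.

```python
import random
import secrets

MASK32 = 0xFFFFFFFF


def temper(y):
    """MT19937 output tempering, applied to every 32-bit word the generator hands out."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def untemper(y):
    """Invert temper(): each step is an xor-shift and therefore invertible."""
    y ^= y >> 18                             # shift >= 16: one step inverts it
    y ^= (y << 15) & 0xEFC60000              # likewise, mask has no low bits
    x = y
    for _ in range(5):                       # recovers 7 more low-to-high bits per pass
        x = y ^ ((x << 7) & 0x9D2C5680)
    y = x & MASK32
    x = y
    for _ in range(3):                       # recovers 11 more high-to-low bits per pass
        x = y ^ (x >> 11)
    return x & MASK32


def clone_mt(observed):
    """Rebuild a random.Random from 624 consecutive getrandbits(32) outputs.

    Assumes the observations start at a state-block boundary, which is the
    case right after seeding; an unaligned window additionally needs the
    twist undone, which is omitted here.
    """
    if len(observed) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in observed) + (624,)   # index 624: next call re-twists
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def demo(seed=2024):
    """Victim hands out 624 raw words; the attacker predicts the next five exactly."""
    victim = random.Random(seed)                    # the seed is unknown to the attacker
    leaked = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_mt(leaked)
    predicted = [clone.getrandbits(32) for _ in range(5)]
    actual = [victim.getrandbits(32) for _ in range(5)]
    return predicted, actual


def secure_token(nbytes=32):
    """The replacement: os.urandom-backed, 256 bits, URL-safe (43 characters)."""
    return secrets.token_urlsafe(nbytes)
```

`random.SystemRandom()` is the drop-in choice where an object with the `random.Random` interface is needed (`choice`, `randrange`, `expovariate`); `secrets.token_urlsafe` / `secrets.token_bytes` are the right calls for tokens. Both read from the OS generator and have no recoverable internal state.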

Add to Readme: "No third party elements and links"

Add to the docs or README:

Because the whistleblower's browser will send the URL as Referer, don't embed anything (images, scripts, stylesheets and so on) from, and don't even link to, other (logged or tracked) websites in your templates!
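A check that can run in CI or at deploy time catches both cases raised on this page: absolute `url(...)` references in CSS (the base.css issue above) and `src`/`href`/`action` attributes in the templates that point at another host. Added example for this page, not briefkasten's code; the sample CSS and HTML below are constructed, and the host allowlist is an assumption about how the instance is served.

```python
import re
from urllib.parse import urlsplit

CSS_URL = re.compile(r"""url\(\s*(['"]?)(.*?)\1\s*\)""", re.IGNORECASE | re.DOTALL)
CSS_IMPORT = re.compile(r"""@import\s+(['"])(.*?)\1""", re.IGNORECASE)
HTML_REF = re.compile(r"""\b(?:src|href|action|poster)\s*=\s*(['"])(.*?)\1""",
                      re.IGNORECASE | re.DOTALL)


def _is_foreign(ref, own_hosts):
    """True if `ref` would make the browser talk to a host outside own_hosts."""
    ref = ref.strip()
    if not ref or ref.startswith(("data:", "#")):
        return False
    parts = urlsplit(ref)
    if parts.scheme in ("mailto", "tel"):
        return False                      # no HTTP request, no Referer
    if parts.scheme not in ("", "http", "https"):
        return True                       # ftp: and friends: flag it
    if not parts.netloc:
        return False                      # relative path: served by this instance
    host = parts.netloc.lower().rsplit("@", 1)[-1]
    return host not in own_hosts


def foreign_references(text, own_hosts, kind):
    """List every reference in a CSS or HTML template that leaves own_hosts.

    kind: "css" scans url(...) and @import "..."; "html" scans src/href/action/poster.
    own_hosts: host[:port] strings the instance is served from (any case).
    """
    own = {h.lower() for h in own_hosts}
    if kind == "css":
        refs = [m.group(2) for m in CSS_URL.finditer(text)]
        refs += [m.group(2) for m in CSS_IMPORT.finditer(text)]
    elif kind == "html":
        refs = [m.group(2) for m in HTML_REF.finditer(text)]
    else:
        raise ValueError(f"unknown kind {kind!r}")
    return [r.strip() for r in refs if _is_foreign(r, own)]
```

Protocol-relative references (`//cdn.example.net/...`) are flagged as well, since they resolve to a foreign host under both schemes. Inline `style="background: url(...)"` attributes are not covered; run the CSS scan over the whole HTML as well if templates use them. A `Referrer-Policy: no-referrer` header limits what leaks when a link must exist, but does not stop the foreign host from logging the fetch itself.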

Run metadata stripping processes in a sandbox

It might make sense to run the metadata stripping processes in a sandbox or as a different user, as they run scripts which parse attacker-controlled data. Vulnerabilities in image or PDF parsing libraries are a possibility and would allow an attacker access to other whistleblowers' data in the current setting.
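One concrete shape for that sandbox on Linux: wrap each stripper invocation in bubblewrap with fresh namespaces (which removes network access), read-only system directories, an empty /tmp, and only the one drop's working directory writable, and cap CPU, memory and output size with rlimits so a parser bug turns into a killed process rather than a foothold. Added example for this page, not briefkasten's code; the tool name in the test is a placeholder, and which system directories need to be visible depends on the stripper used.

```python
import os
import resource
import subprocess


def apply_rlimits():
    """Runs in the child right before exec (inherited by everything bwrap starts)."""
    resource.setrlimit(resource.RLIMIT_CPU, (30, 30))                    # seconds of CPU
    resource.setrlimit(resource.RLIMIT_AS, (1 << 30, 1 << 30))           # 1 GiB address space
    resource.setrlimit(resource.RLIMIT_FSIZE, (256 << 20, 256 << 20))    # 256 MiB per file
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))                     # no core dumps


def bwrap_command(tool_argv, workdir, system_dirs=("/usr", "/lib", "/lib64", "/bin"),
                  exists=os.path.isdir):
    """Build the bubblewrap argv: new user/pid/net/ipc/uts namespaces, read-only
    system dirs, private /proc, /dev and /tmp, only `workdir` writable (as /work)."""
    cmd = ["bwrap", "--unshare-all", "--die-with-parent", "--new-session"]
    for d in system_dirs:
        if exists(d):                       # skip dirs this host does not have
            cmd += ["--ro-bind", d, d]
    cmd += ["--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
            "--bind", workdir, "/work", "--chdir", "/work"]
    return cmd + list(tool_argv)


def run_sandboxed(tool_argv, workdir, timeout=60):
    """Run the stripper on the files in `workdir`; a hang raises TimeoutExpired."""
    return subprocess.run(
        bwrap_command(tool_argv, workdir),
        stdin=subprocess.DEVNULL,
        capture_output=True,
        env={"PATH": "/usr/bin:/bin", "LANG": "C"},   # nothing inherited from the app
        preexec_fn=apply_rlimits,
        timeout=timeout,
        check=False,
    )
```

`--unshare-all` includes the network namespace, so a compromised parser cannot phone home, and the user namespace means the tool has no capabilities even if the web application itself runs as root (which it should not). Running the whole pipeline under a dedicated system user is complementary: it limits what the sandbox escape would gain. Treat a non-zero exit or a timeout as "strip failed, do not forward the file", never as "forward it unstripped".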

Apache2 SSL Proxy in front of briefkasten

Hi,
I have got the briefkasten application working with protocol http and port 6543.
Now I try to secure the traffic with SSL.
I am using an Apache web server as a reverse proxy.
With a sed output filter I was able to rewrite the link in the application, but the e-mail still has a link to the web server with http://xxxxxx, not https.

What do I have to change to get the reply_url to point to https://xxxx, in the application and e-mail?

Kind regards,
Peter
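The mail link comes from the URL the WSGI application sees, not from the page the proxy rewrote: WebOb-based frameworks such as Pyramid build `request.application_url` from `environ['wsgi.url_scheme']` and `HTTP_HOST`, and behind a TLS-terminating proxy those still say `http` and `127.0.0.1:6543`. The fix is to have Apache send `X-Forwarded-Proto`/`X-Forwarded-Host` (for example `RequestHeader set X-Forwarded-Proto "https"` together with `ProxyPreserveHost On`) and to honour those headers in the app only when the request really came from the proxy, since anyone who can set them directly would otherwise poison the links that land in mails. The middleware below is an added example for this page, not code from the project; the trusted-proxy networks are an assumption (proxy on the same host). PasteDeploy ships an equivalent filter (`egg:PasteDeploy#prefix`) that can be wired into the `.ini` pipeline instead.

```python
from ipaddress import ip_address, ip_network

# Assumption: Apache runs on the same host and reaches the app over the loopback.
DEFAULT_TRUSTED = (ip_network("127.0.0.0/8"), ip_network("::1/128"))


class ForwardedSchemeMiddleware:
    """Apply X-Forwarded-Proto / X-Forwarded-Host, but only from a trusted proxy.

    From any other peer the forwarding headers are dropped, so a client cannot
    make the app generate links to a host or scheme of its choosing.
    """

    def __init__(self, app, trusted=DEFAULT_TRUSTED):
        self.app = app
        self.trusted = tuple(trusted)

    def _from_trusted_proxy(self, environ):
        try:
            peer = ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(peer in net for net in self.trusted)

    def __call__(self, environ, start_response):
        if self._from_trusted_proxy(environ):
            proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
            if proto in ("http", "https"):
                environ["wsgi.url_scheme"] = proto
            host = environ.get("HTTP_X_FORWARDED_HOST", "").split(",")[0].strip()
            if host:
                environ["HTTP_HOST"] = host
        else:
            for header in ("HTTP_X_FORWARDED_PROTO", "HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_FOR"):
                environ.pop(header, None)
        return self.app(environ, start_response)


def application_url(environ):
    """The base URL a WebOb-style request reports for this environ (what ends up in mails)."""
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    return f"{environ['wsgi.url_scheme']}://{host}{environ.get('SCRIPT_NAME', '')}"


def url_seen_by_app(environ, trusted=DEFAULT_TRUSTED):
    """Run a minimal app under the middleware and return the base URL it computed."""
    seen = {}

    def app(env, start_response):
        seen["url"] = application_url(env)
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    ForwardedSchemeMiddleware(app, trusted)(dict(environ), lambda status, headers: None)
    return seen["url"]
```

With this in place no output filter is needed: every absolute URL the application generates, in pages and in mails alike, carries the public scheme and host. Also redirect plain-HTTP on the Apache side and set HSTS, so the first request never goes out unencrypted.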

Problem to make the briefkasten

ubuntu:~/briefkasten/briefkasten-master$ make
bin/buildout -c buildout.cfg
Develop: '/home/xxxx/briefkasten/briefkasten-master/.'
Traceback (most recent call last):
File "/tmp/tmpyw2ZbT", line 6, in
import os, setuptools
ImportError: No module named setuptools
While:
Installing.
Processing develop directory '/home/xxxx/briefkasten/briefkasten-master/.'.

An internal error occurred due to a bug in either zc.buildout or in a
recipe being used:
Traceback (most recent call last):
File "/home/xxxxx/briefkasten/briefkasten-master/local/lib/python2.7/site-packages/zc/buildout/buildout.py", line 1942, in main
getattr(buildout, command)(args)
File "/home/xxxx/briefkasten/briefkasten-master/local/lib/python2.7/site-packages/zc/buildout/buildout.py", line 484, in install
installed_develop_eggs = self._develop()
File "/home/xxxx/briefkasten/briefkasten-master/local/lib/python2.7/site-packages/zc/buildout/buildout.py", line 726, in _develop
zc.buildout.easy_install.develop(setup, dest)
File "/home/xxxx/briefkasten/briefkasten-master/local/lib/python2.7/site-packages/zc/buildout/easy_install.py", line 901, in develop
call_subprocess(args)
File "/home/xxx/briefkasten/briefkasten-master/local/lib/python2.7/site-packages/zc/buildout/easy_install.py", line 154, in call_subprocess
% repr(args)[1:-1])
Exception: Failed to run command:
'/home/xxxx/briefkasten/briefkasten-master/bin/python', '/tmp/tmpyw2ZbT', '-q', 'develop', '-mxN', '-d', '/home/xxxx/briefkasten/briefkasten-master/develop-eggs/tmpOE8oksbuild'
make: *** [buildout] Fehler 1

Adding internal network URL

I try to add an internal URL to briefkasten. This does not work, it says: 'Error saving'. If I check the devtools I see this error on the console: POST http://ubuntu01.home.intra:3000/api/bookmarks 500 (Internal Server Error)

I'm trying to add URLs like:
https://nas02.home.intra
http://ac.home.intra

Public URLs like https://docs.frigate.video/installation work fine. If I add the previous URL I can then edit it and change it to an internal-only version.

It looks like the bk-app cannot get a picture to use to save the URL. How to solve this?
