nning / imgshr
Simple image gallery sharing web application.
License: GNU Affero General Public License v3.0
Dependabot couldn't reach https://rails-assets.org/ due to underlying error <too many connection resets (https://rails-assets.org/specs.4.8.gz)> as it timed out.
Is https://rails-assets.org/ accessible over the internet? If it is then this may be a transitory issue and can be ignored - Dependabot will close it on its next successful update run.
Dependabot couldn't reach https://rails-assets.org/ as it timed out.
Is https://rails-assets.org/ accessible over the internet? If it is then this may be a transitory issue and can be ignored - Dependabot will close it on its next successful update run.
Create Thumbnails for encrypted images on the client side. This might speed up the loading of galleries as well as save users of mobile plans some of their valuable bytes.
secure_headers is a good way to ship imgshr with some protection by default, but I think it might be more secure to set those headers outside the scope of the web application code. In case of a remote code execution it is possible for an attacker to remove or override the headers. If the headers are supplied by a webserver configuration which isn't modifiable by the application code, removal or modification can be prohibited.
The goal should be to prevent JS code from being injected. Modification or removal of the headers leads to the possibility of injecting JS code. So far, the only way to extract the client-side encryption key from the localStorage is by injecting malicious JS code.
Is it possible/is there a how to on deploying this to a shared hosting environment that does not have docker?
If I open the "gallery info" modal the first time I visit a gallery, only "QR" is shown instead of an actual QR code. If I close the modal window and open it again, the QR code is shown as expected. This only affects the normal QR code for sharing a gallery link.
Sharing keys for client-side encryption is done by attaching them to the hash part of a gallery URL. This solves the problem of including the key in the URL while preventing the browser from sending it to the server when visiting it.
The following problems arise from doing so:
The hash part is saved in the global browser history, and it seems there is nothing that can be done about it from a programmer's point of view.
It is very easy to leak the key, for example by pasting it online, using link shorteners, etc.
One way to deal with it might be to display a warning that points out those problems if a user tries to share the key by URL.
Possible paths to a URL with a key in it should be minimized.
In case a user visits a URL with a key in it, the hash must be removed from the URL by JS immediately to minimize the risk of the user pasting a leaky URL.
Also, a flash message should be shown which says something like "please clean your history" every time a URL containing a key is visited.
Another solution could be to only "allow" key sharing by URL via a QR code. Simply remove all ways from the site that give the user access to a URL with a key in it. This prevents the user from pasting it to the wrong location.
The QR code should only be shown if the user explicitly asks for it, and it should be the only QR code shown in this case. It is very easy to confuse the QR codes with and without the key.
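The "strip the hash immediately and warn the user" step described in the issue above, written out as an added example. This is not imgshr's own code: the fragment format `#key=<value>`, the storage name `key`, the flash message text and the sample gallery URL are all assumptions constructed for the example. The browser objects are injected so the logic runs outside a browser; in a page you would pass `window`.

```javascript
// Added example (not imgshr's code). Assumed fragment format: "#key=<value>".
const KEY_PARAM = "key"; // assumed name of the fragment parameter and storage slot

// Split the key off the fragment and return the URL without it.
// Pure function: touches no browser state, so it is easy to test.
function extractKeyFromUrl(urlString) {
  const url = new URL(urlString);
  const fragment = url.hash.startsWith("#") ? url.hash.slice(1) : url.hash;
  const key = new URLSearchParams(fragment).get(KEY_PARAM);
  url.hash = ""; // drop the whole fragment, not just the key parameter
  return { key, cleanUrl: url.toString() };
}

// Browser-side step: move the key from the address bar into localStorage
// (the issue says the key lives there) and rewrite the visible URL at once,
// so whatever the user copies afterwards is key-free. Returns a notice to show
// as a flash message when a key was consumed.
function consumeKeyFromLocation(win) {
  const { key, cleanUrl } = extractKeyFromUrl(win.location.href);
  if (key === null) {
    return { stored: false, cleanUrl, notice: null };
  }
  win.localStorage.setItem(KEY_PARAM, key);
  // replaceState rewrites the current entry only. It does not remove the
  // navigation record that already contains the fragment, which is exactly
  // the limitation the issue points out, hence the notice below.
  win.history.replaceState(null, "", cleanUrl);
  return {
    stored: true,
    cleanUrl,
    notice: "This link contained the gallery key; please remove it from your browser history.",
  };
}

// Minimal stand-in for `window` so the example runs under Node (constructed).
function makeFakeWindow(href) {
  const store = new Map();
  const state = { href };
  return {
    location: { get href() { return state.href; } },
    localStorage: {
      setItem: (k, v) => store.set(k, String(v)),
      getItem: (k) => (store.has(k) ? store.get(k) : null),
    },
    history: {
      calls: [],
      replaceState(_st, _title, url) { this.calls.push(url); state.href = url; },
    },
  };
}

// Usage with a constructed gallery URL.
const demoWindow = makeFakeWindow("https://example.invalid/g/abc123#key=CONSTRUCTED_KEY");
console.log(consumeKeyFromLocation(demoWindow));
console.log("address bar now:", demoWindow.location.href);
```

Keeping `extractKeyFromUrl` free of side effects means the URL handling can be unit-tested without a browser, while `consumeKeyFromLocation` holds the two state changes (store the key, rewrite the URL) and hands back the warning text instead of rendering it, so the calling page decides how to display the flash message.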
If an encrypted gallery is visited without the right key, a random key is shown as well as a QR code to share it which doesn't belong to the gallery. In this case all encryption information should be omitted instead.