this post was submitted on 21 Jun 2023
2 points (100.0% liked)

Dubvee Meta


Announcements and meta discussions about the DubVee instance.


There's an issue with the way Lemmy handles user uploads that makes me uncomfortable leaving them enabled. Without getting too deep into the technical details of the matter, the issue leaves my server open to abuse and does so in a way which is both invisible to the admins and difficult to rectify.

Until that is resolved by the upstream project, I have opted to disable user uploads entirely as a precautionary measure. While the "upload image" button is still present in post/comment options, any uploads will be rejected by the server; you will see a red error message saying "Type error: Failed to fetch" when attempting to upload. If you're using Jerboa or another native app, it may fail with a different message, but it will fail (as intended).

Please note that this decision was not reached lightly and is the only currently-known way to ensure the safety and integrity of the platform. If you wish to embed images in your submissions, until further notice, please embed them from an outside source (imgur, giphy, getyarn.io, your own server, etc). If you're an old Redditor, this should be familiar.

This also affects setting your avatar and banner in your profile. Unfortunately, I have no way of allowing just those to remain functional while disabling comment/post images; the method I have to use to block uploads is somewhat all-or-nothing.

If you would like to set an avatar/logo, please DM me and I can make an arrangement to do it on the backend.

top 2 comments
sorted by: hot top controversial new old
[–] [email protected] 1 points 1 year ago (1 children)

That sounds ominous. How did you disable uploads? I'm worried for my own instance 😅

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I am doing it through Nginx.

The original backend location block is this:

location ~ ^/(api|pictrs|feeds|nodeinfo|.well-known) {

I removed pictrs from that so it's now this:

location ~ ^/(api|feeds|nodeinfo|.well-known) {

Then I created a new location block just for pictrs where I do some extra stuff:

location ^~ /pictrs {
    # Deny uploads
    if ($request_method ~ ^(POST)$ ) {
        return 444;
    }
    proxy_cache imgcache;
    proxy_cache_valid any 72h;

    add_header X-Proxy-Cache           $upstream_cache_status;
    add_header X-Content-Type-Options  "nosniff";
    add_header X-Frame-Options         "DENY";
    add_header X-XSS-Protection        "1; mode=block";

    proxy_pass "http://lemmyBE";

    # Set standardized headers to send to backend server
    include conf.d/includes/proxy.conf;
}

The if block checking the $request_method denies any POST from the frontend to anything under /pictrs, which effectively disables all user uploads. The Lemmy backend is still able to use the pictrs service to generate thumbnails, though. However, that is fine. The proxy_cache stuff has a few extra directives outside the server block and caches image responses for 72 hours.
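For readers who want to see the whole picture in one place, here is an added, self-contained version of the same approach (example config, not the commenter's actual configuration). It keeps the upstream name lemmyBE and the cache zone imgcache from the comment, but the cache path, backend address, hostname and the inlined proxy headers are assumptions, and it goes one step further than the original by closing the connection for every method other than GET and HEAD rather than POST alone.

```nginx
# http {} context: on-disk store behind the "imgcache" zone used below.
# Path and sizes are assumptions, not values from the comment.
proxy_cache_path /var/cache/nginx/imgcache levels=1:2 keys_zone=imgcache:10m
                 max_size=2g inactive=72h use_temp_path=off;

upstream lemmyBE {
    server 127.0.0.1:8536;          # assumed address of the Lemmy backend
}

server {
    listen 80;                      # TLS settings left out for brevity
    server_name lemmy.example;      # placeholder hostname

    # API and friends keep going straight to the backend, minus pictrs.
    location ~ ^/(api|feeds|nodeinfo|.well-known) {
        proxy_pass http://lemmyBE;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Read-only image proxy: anything that is not a plain read (POST, PUT,
    # PATCH, DELETE, ...) gets the connection closed with no response (444),
    # so uploads from the web UI and from native apps both fail. The backend
    # talks to pictrs internally and is not affected by this block.
    location ^~ /pictrs {
        if ($request_method !~ ^(GET|HEAD)$) {
            return 444;
        }

        proxy_cache imgcache;
        proxy_cache_key $scheme$host$request_uri;
        # Cache only successful responses, so a transient backend error is
        # not pinned in the cache for 72 hours.
        proxy_cache_valid 200 72h;
        proxy_cache_use_stale error timeout updating;

        add_header X-Proxy-Cache          $upstream_cache_status;
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options        "DENY";

        proxy_pass http://lemmyBE;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, a `curl -I` against an existing image URL should return 200 with an X-Proxy-Cache header (MISS first, then HIT), while `curl -X POST` to any /pictrs path should fail with curl's "Empty reply from server" (exit code 52), which is what 444 looks like from the client side.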
