Author Topic: Why does RHDN require direct URLs and not allow uploads?  (Read 7260 times)

Nightcrawler

  • Hero Member
  • Posts: 6077
Why does RHDN require direct URLs and not allow uploads?
« on: October 21, 2011, 11:17:28 am »
http://www.net-security.org/dl/articles/php-file-upload.pdf

Over the years, a number of people have questioned this and/or expressed grievances about it. I've never been great at articulating my reasons for this design decision. Today, I came across a great article specifically about PHP file uploading, which does a tremendous job explaining the many issues that come with it. It's very time consuming to do it right and more difficult than one might think. Forget one minor detail and you're open to a big exploit. There are many security issues. Beyond those issues, I was pleased to see it also mentions (toward the end) the fact that you are now open to easier DoS attacks, and abuse that can cause performance crippling very quickly. We are already a resource sensitive site without adding that. There are just so many good reasons not to do it and place that burden elsewhere.

I realize it can be difficult for those that may not have any web hosting and are a bit technically challenged. However, we take security, longevity, and preservation of the site pretty seriously here. At nearly 6 years, I believe we are officially the longest lasting ROM hacking specific mega-site of our kind now. To last many more years, we are continually looking to do more with fewer resources at the server level, keep costs down, and preserve the tool that is ROMhacking.net as long as possible. If anyone strongly disagrees, they are free to assume the burden and set up file hosting on their own server for our community. It would be welcomed.

Here and there I have worked on some methods for allowing direct uploading to RHDN, but it is far from secure enough to trust for public consumption and I can make no promise I will ever finish. So, for the foreseeable future, it will remain as one of life's little annoyances. At least now, there's a nice explanation for it. ;)
« Last Edit: December 18, 2012, 11:45:53 am by Nightcrawler »
TransCorp - Nearing 20 years of community dedication.
Dual Orb 2, Wozz, Emerald Dragon, Tenshi No Uta, Glory of Heracles IV SFC/SNES Translations
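As an added illustration of the "forget one minor detail" point above (this is example code written for this thread, not code from RHDN, from the linked article, or from any poster), the handler below walks through the checks a PHP upload endpoint has to get right before it may keep a file. The size cap, the storage directory, the set of accepted formats and the magic-byte prefixes are assumptions chosen for the example; the IPS check relies on the fact that IPS patch files begin with the bytes "PATCH".

```php
<?php
// Added example: a defensive PHP upload handler. Every check here corresponds
// to a detail that, if skipped, lets a client store something the server did
// not intend to accept. Constants are assumed policy values, not RHDN's.
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 4 * 1024 * 1024;   // assumed per-file cap (DoS limiter)

// Accepted extension => magic-byte prefix the file content must start with.
// Decided by content, never by the client-supplied $_FILES[...]['type'].
const MAGIC = [
    'ips' => "PATCH",               // IPS patch header
    'png' => "\x89PNG\r\n\x1a\n",   // PNG signature
    'zip' => "PK\x03\x04",          // ZIP local file header (non-empty archive)
];

/**
 * Validate one $_FILES entry and move it into $storeDir under a random name.
 * $storeDir is assumed to be OUTSIDE the web root and served, if at all,
 * through a download script, so nothing stored here is ever executed.
 * Returns the stored path; throws on any rejection.
 */
function handle_upload(array $file, string $storeDir): string
{
    // 1. PHP reports partial uploads, ini size limits, missing tmp dir, etc.
    if (($file['error'] ?? -1) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload rejected by PHP, error ' . ($file['error'] ?? 'unset'));
    }
    // 2. Only act on a file PHP itself received in this request; this stops
    //    a forged tmp_name from pointing the handler at an arbitrary path.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // 3. Enforce our own cap from the real file size, not the reported one.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size === 0 || $size > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file empty or over size limit');
    }
    // 4. Allow-list the extension. Only the last extension matters because
    //    the stored name is built by us below; the client name is never reused.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, MAGIC)) {
        throw new RuntimeException('extension not allowed');
    }
    // 5. Verify the content matches the claimed format by its leading bytes.
    $fh = fopen($file['tmp_name'], 'rb');
    $head = $fh ? fread($fh, strlen(MAGIC[$ext])) : false;
    if ($fh) {
        fclose($fh);
    }
    if ($head !== MAGIC[$ext]) {
        throw new RuntimeException("content does not look like a .$ext file");
    }
    // 6. Store under a server-chosen random name with a fixed, known extension.
    if (!is_dir($storeDir) || !is_writable($storeDir)) {
        throw new RuntimeException('store directory unavailable');
    }
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_exists($dest) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // readable by the server user, never executable
    return $dest;
}

// Usage from a form handler (assumed field name and directory):
//   $stored = handle_upload($_FILES['patch'], '/srv/rhdn-uploads-quarantine');
```

This handler covers the per-file decisions; the resource-exhaustion side that the post mentions is handled one layer up, by `upload_max_filesize` and `post_max_size` in php.ini, by the web server's request body limit, and by throttling how many uploads one client may have in flight, none of which a single PHP function can enforce on its own.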

snarfblam

  • Submission Reviewer
  • Hero Member
  • Posts: 707
  • CANT HACK METROID
Re: Why does RHDN require direct URLs and not allow uploads?
« Reply #1 on: October 21, 2011, 05:37:15 pm »
I've considered putting together some sort of simple file-hosting solution for smaller communities like this, but I don't think I will ever go through with something like that because there are already great solutions in place. There are free file hosting services that don't require any technical know-how, like Dropbox. Install the program, create an account, and you get very easy, no hassle, straight-up file hosting.

One small suggestion: on the submission form, maybe there should be a link directly next to the URL field that brings the user to the list of suggested file hosting solutions. I know there is already a link on that page, but maybe a for-the-love-of-god-you-can't-possibly-miss-it link would help, because the issue keeps coming up.

I.S.T.

  • IRC Staff
  • Hero Member
  • Posts: 4618
  • Ten years, still no avatar.
Re: Why does RHDN require direct URLs and not allow uploads?
« Reply #2 on: October 22, 2011, 04:08:53 pm »
Quote from: Nightcrawler on October 21, 2011, 11:17:28 am
http://www.scanit.be/uploads/php-file-upload.pdf

Over the years, a number of people have questioned this and/or expressed grievances about it. I've never been great at articulating my reasons for this design decision. Today, I came across a great article specifically about PHP file uploading, which does a tremendous job explaining the many issues that come with it. It's very time consuming to do it right and more difficult than one might think. Forget one minor detail and you're open to a big exploit. There are many security issues. Beyond those issues, I was pleased to see it also mentions (toward the end) the fact that you are now open to easier DoS attacks, and abuse that can cause performance crippling very quickly. We are already a resource sensitive site without adding that. There are just so many good reasons not to do it and place that burden elsewhere.

I realize it can be difficult for those that may not have any web hosting and are a bit technically challenged. However, we take security, longevity, and preservation of the site pretty seriously here. At nearly 6 years, I believe we are officially the longest lasting ROM hacking specific mega-site of our kind now. To last many more years, we are continually looking to do more with fewer resources at the server level, keep costs down, and preserve the tool that is ROMhacking.net as long as possible. If anyone strongly disagrees, they are free to assume the burden and set up file hosting on their own server for our community. It would be welcomed.

Here and there I have worked on some methods for allowing direct uploading to RHDN, but it is far from secure enough to trust for public consumption and I can make no promise I will ever finish. So, for the foreseeable future, it will remain as one of life's little annoyances. At least now, there's a nice explanation for it. ;)

I suggest linking to this in the submissions form.
Retired moderator/staff member as of July 14th 2016