2018-11-15 16:03:12 +01:00
|
|
|
```
|
|
|
|
|
_ ___ _
|
|
|
|
|
| | |__ \ | |
|
|
|
|
|
_ __ ___ __ _| |_ ) |_______ _____| |__ Trashing your meta,
|
|
|
|
|
| '_ ` _ \ / _` | __| / /______\ \ /\ / / _ \ '_ \ keeping your data,
|
|
|
|
|
| | | | | | (_| | |_ / /_ \ V V / __/ |_) | within your browser.
|
|
|
|
|
|_| |_| |_|\__,_|\__|____| \_/\_/ \___|_.__/
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
This is an online version of [mat2](https://0xacab.org/jvoisin/mat2).
|
|
|
|
|
Keep in mind that this is a beta version, don't rely on it for anything
|
|
|
|
|
serious, yet.
|
|
|
|
|
|
2018-12-25 19:24:42 +01:00
|
|
|
# Demo instance
|
|
|
|
|
|
|
|
|
|
There is a demo instance deployed a [mat2-web.dustri.org](https://mat2-web.dustri.org).
|
|
|
|
|
Please don't upload any sensitive files on it.
|
|
|
|
|
|
2018-11-15 16:03:12 +01:00
|
|
|
# How to deploy it?
|
|
|
|
|
|
|
|
|
|
Since mat2 isn't available in debian stable yet, you might want to add this to
|
|
|
|
|
/etc/apt/preferences.d/ to be able to install `mat2` via apt.
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
Package: *
|
|
|
|
|
Pin: release o=Debian,a=unstable
|
|
|
|
|
Pin-Priority: 10
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Then:
|
|
|
|
|
|
|
|
|
|
```
|
2019-02-23 13:27:33 +01:00
|
|
|
# apt install uwsgi uwsgi-plugin-python3 git mat2
|
|
|
|
|
# apt install nginx-light # if you prefer nginx
|
|
|
|
|
# apt install apache2 libapache2-mod-proxy-uwsgi # if you prefer Apache2
|
2018-11-15 16:03:12 +01:00
|
|
|
# cd /var/www/
|
|
|
|
|
# git clone https://0xacab.org/jvoisin/mat2-web.git
|
|
|
|
|
# mkdir ./mat2-web/uploads/
|
|
|
|
|
# chown -R www-data:www-data ./mat2-web
|
|
|
|
|
```
|
|
|
|
|
|
2019-02-23 13:27:33 +01:00
|
|
|
Since uwsgi isn't fun to configure, feel free to copy [this file](https://0xacab.org/jvoisin/mat2-web/tree/master/config/uwsgi.config)
|
|
|
|
|
to `/etc/uwsgi/apps-enabled/mat2-web.ini` and [this one](https://0xacab.org/jvoisin/mat2-web/tree/master/config/nginx.config)
|
|
|
|
|
to `/etc/nginx/site-enabled/mat2-web`.
|
2018-11-15 16:03:12 +01:00
|
|
|
|
2019-02-23 13:27:33 +01:00
|
|
|
Nginx is the recommended web engine, but you can also use Apache if you prefer,
|
|
|
|
|
by copying [this file](https://0xacab.org/jvoisin/mat2-web/tree/master/config/apache2.config)
|
|
|
|
|
to your `/etc/apache2/sites-enabled/mat2-web` file.
|
2018-12-22 14:20:06 +01:00
|
|
|
|
2018-12-24 13:50:18 +01:00
|
|
|
Finally, restart `uwsgi` and your web server:
|
|
|
|
|
|
2018-12-22 14:20:06 +01:00
|
|
|
```
|
|
|
|
|
systemctl restart uwsgi
|
2018-12-24 13:50:18 +01:00
|
|
|
systemctl restart nginx/apache/…
|
2018-12-22 14:20:06 +01:00
|
|
|
```
|
|
|
|
|
|
2018-11-15 16:03:12 +01:00
|
|
|
It should now be working.
|
2018-12-16 21:54:25 +01:00
|
|
|
|
2019-02-23 13:30:23 +01:00
|
|
|
You should add `find /var/www/mat2-web/uploads/* -mtime +1 -exec rm {} \;`
|
|
|
|
|
in a crontab to remove files that people might have uploaded but never
|
|
|
|
|
downloaded.
|
|
|
|
|
|
2019-02-22 21:20:51 +01:00
|
|
|
# Threat model
|
|
|
|
|
|
|
|
|
|
- An attacker in possession of the very same file that a user wants to clean,
|
|
|
|
|
along with its names, can perform a denial of service by continually
|
|
|
|
|
requesting this file, and getting it before the user.
|
|
|
|
|
- An attacker in possession of only the name of a file that a user wants to
|
|
|
|
|
clean can't perform a denial of service attack, since the path to download
|
|
|
|
|
the cleaned file is not only dependant of the name, but also the content.
|
|
|
|
|
- The server should do its very best to delete files as soon as possible.
|
|
|
|
|
|
2018-12-16 21:54:25 +01:00
|
|
|
# Licenses
|
|
|
|
|
|
|
|
|
|
- mat2-web is under MIT
|
|
|
|
|
- The [raleway](https://github.com/impallari/Raleway/) font is under OFL1.1
|
|
|
|
|
- [normalize.css](https://github.com/necolas/normalize.css/) is under MIT
|
|
|
|
|
- [skeleton](http://getskeleton.com/) is under MIT
|
