>>1064 Because the previous page was an HTML redirect.
You shouldn't need to use the back button anyway. There are links to the catalog and overboard on the bottom and top of each page.
>>1061 >>1062 >>1063 The URL has changed, it is now:
http://nanochanxv2lxnqi.onion/source.lua
This will stay the same for the foreseeable future. That link will always point to the latest version of the nanochan source code.
Not a huge deal, but identity.session.valid(key) should be rewritten to not use a SELECT * FROM Sessions returning every single session key there is. This isn't a huge deal since sessions are only created whenever a "mod" logs in to their account. It would be better to do something like SELECT * FROM Sessions WHERE Key = ? AND ExpireDate < FUNC() where FUNC is some way to get the time. Elsewhere you should delete expired sessions by using a query that deletes all of them at once. With the current way the system works, it would be best to create a trigger whenever a new session is inserted to delete all expired / old sessions.
>>1295 Well actually, if you are deleting old sessions for that account you might as well just do it all with a regular DELETE query when creating the new session.
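Added example, not a post from the thread and not nanochan's own code: the session check and cleanup suggested in the two posts above, sketched in Python against SQLite. The Account column, the TTL and the function names are assumptions (the thread names only Sessions, Key and ExpireDate), and a session is treated as valid while its ExpireDate is still in the future.

```python
import secrets
import sqlite3
import time

SESSION_TTL = 3600  # assumed session lifetime in seconds

def open_db():
    db = sqlite3.connect(":memory:")
    # Assumed schema: the thread names only Sessions, Key and ExpireDate.
    db.execute('CREATE TABLE Sessions ("Key" TEXT PRIMARY KEY, '
               "Account TEXT NOT NULL, ExpireDate INTEGER NOT NULL)")
    return db

def create_session(db, account, now=None):
    now = int(time.time()) if now is None else now
    key = secrets.token_hex(32)
    with db:  # purge and insert in one transaction
        # One DELETE clears every expired row and this account's older sessions.
        db.execute("DELETE FROM Sessions WHERE ExpireDate <= ? OR Account = ?",
                   (now, account))
        db.execute('INSERT INTO Sessions ("Key", Account, ExpireDate) VALUES (?, ?, ?)',
                   (key, account, now + SESSION_TTL))
    return key

def session_valid(db, key, now=None):
    now = int(time.time()) if now is None else now
    # The database does the lookup: bound parameter, indexed key, expiry in SQL.
    row = db.execute('SELECT 1 FROM Sessions WHERE "Key" = ? AND ExpireDate > ?',
                     (key, now)).fetchone()
    return row is not None

def session_count(db):
    return db.execute("SELECT COUNT(*) FROM Sessions").fetchone()[0]
```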
>>1295 >>1296 >>1337 This was already implemented in sakamoto, since in C you can't do pajeet shit like looping through an entire table :^)
Thanks for the suggestion though.
>>1346 >sakamoto
I assume that is some sort of background daemon. Is the source for that going to be available too, or are you going to keep it to yourself?
>>1515 Nah, I didn't end up finishing the software because it was too much work and I'm lazy. I ended up making the original nanochan into a static generator, which wasn't hard but still offered many advantages over a dynamic generator.
I like that it is so open that anyone can just download the entire database when they please
nanochanxv2lxnqi.onion/nanochan.db
this is truly innovative.
>>1678 Holy shitfucking keks
>open with sqlite browser
>accounts table, pwhash col
RIP nanochan's zero exploit streak
Cool to see that bump/post limits are implemented like in regular imageboards, but it fucking sucks that this is gonna get patched now, this looks like an extremely easy way to archive nanochan
>>1680 Just looked at the source, are the passwords even salted at all? Can't find any mention of it in the source, is it done elsewhere, or is the bcrypt library hakase's not supporting salts?
>>1682 Bcrypt is a password salting algorithm. It is used by e.g. OpenBSD in their master.passwd files. Bcrypt salts the password automatically.
https://en.wikipedia.org/wiki/bcrypt
>>1685 >Bcrypt is a password salting algorithm
password hashing and salting algorithm*
>bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999.[1] Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.
Said iteration count is set to 13 as you can see in the source code. This is secure but quite slow. It is only used for mods when logging in.
>>1680 To be fair they are using bcrypt with 13 rounds which should give them plenty of time to lock down the database and switch passwords. Hopefully they will switch to argon2 if they are planning on resetting passwords.
>>1682 Yeah, it's done for you in the bcrypt library. From what I remember checking weeks (months?) ago they removed letting you specify the salt yourself from their API. Maybe too many people were doing it wrong or something.
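Added example, not a post from the thread and not nanochan's own code: a bcrypt hash string stores its variant, cost and per-password salt next to the digest, which is why no separate salt column appears in the schema. This Python sketch parses that layout and audits a set of stored hashes for a cost below 13 or a reused salt; the account names and sample strings are constructed.

```python
import re
from collections import Counter

# Modular-crypt layout: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")

def parse_bcrypt(stored):
    m = BCRYPT_RE.fullmatch(stored)
    if m is None:
        raise ValueError("not a bcrypt hash string")
    variant, cost, salt, digest = m.groups()
    if not 4 <= int(cost) <= 31:
        raise ValueError("bcrypt cost must be between 4 and 31")
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}

def audit(pwhashes, min_cost=13):
    """pwhashes: {account: stored hash}. Returns (below_cost, reused_salt)."""
    parsed = {acct: parse_bcrypt(h) for acct, h in pwhashes.items()}
    seen = Counter(p["salt"] for p in parsed.values())
    below = sorted(a for a, p in parsed.items() if p["cost"] < min_cost)
    reused = sorted(a for a, p in parsed.items() if seen[p["salt"]] > 1)
    return below, reused

# Constructed strings in bcrypt's layout; they are not hashes of any real password.
SAMPLE = {
    "mod1": "$2b$13$" + "A" * 22 + "x" * 31,
    "mod2": "$2b$13$" + "B" * 22 + "y" * 31,
    "old":  "$2a$10$" + "B" * 22 + "z" * 31,
}
```

The cost field is a base-2 logarithm, so 13 means 2^13 key-expansion iterations per password check.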
Originally I left the database open because it was a good way to get all the shit archived. However, I realized that people can use it to bypass the captcha, so it is now patched. Sorry.
Maybe in the future I will set up a cron job to create a version of the db without that information so that nanochan can be archived more easily. It would be very nice for it to be possible for others to make their own fork of nanochan in case this one goes down for whatever reason.
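Added example, not a post from the thread and not nanochan's own code: one way to build the archive copy described above, using an allow-list so that a newly added table or column stays private unless someone lists it. Every table and column name here is an assumption (the thread names only the accounts table and its pwhash column), and the sample rows are constructed.

```python
import sqlite3

# Allow-list of what may be published. Table and column names are assumptions;
# the thread names only the accounts table and its pwhash column.
PUBLIC = {"Posts": ("Board", "Number", "Parent", "Comment")}

def build_sample():
    """Constructed stand-in for the live database."""
    src = sqlite3.connect(":memory:")
    src.executescript("""
        CREATE TABLE Posts (Board, Number, Parent, Comment, ModNote);
        CREATE TABLE Accounts (Name, PwHash);
        CREATE TABLE Sessions ("Key", Account, ExpireDate);
        CREATE TABLE Captchas (Answer, Expires);
        INSERT INTO Posts VALUES ('g', 1, 0, 'first', '(constructed)');
        INSERT INTO Accounts VALUES ('mod1', '(constructed placeholder)');
        INSERT INTO Captchas VALUES ('xkq9z', 0);
    """)
    return src

def export_public(src, dest_path):
    """Copy only allow-listed tables/columns into a fresh database."""
    dest = sqlite3.connect(dest_path)
    for table, cols in PUBLIC.items():
        col_list = ", ".join(f'"{c}"' for c in cols)
        marks = ", ".join("?" for _ in cols)
        dest.execute(f'CREATE TABLE "{table}" ({col_list})')
        rows = src.execute(f'SELECT {col_list} FROM "{table}"')
        dest.executemany(f'INSERT INTO "{table}" VALUES ({marks})', rows)
    dest.commit()
    return dest

def schema(db):
    """Map each table in db to its column names, for a pre-publish check."""
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    return {t: tuple(r[1] for r in db.execute(f'PRAGMA table_info("{t}")'))
            for t in tables}
```

A scheduled job would call export_public with a file path outside the web root, compare schema() of the result against PUBLIC, and only then move the file into place.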
>However, I realized that people can use it to bypass the captcha
You can fix this by using a decently long pepper and storing a hash of the captcha. You could even use a quick hash function for this as you can ensure that you have a strong salt. Passwords on the other hand are typically low entropy which is why you need a slow algorithm. As long as no one can figure out your pepper they can't use rainbow tables to instantly solve the captcha.
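Added example, not a post from the thread and not nanochan's own code: the peppered captcha hash suggested above, with HMAC-SHA-256 swapped in as the keyed fast hash. The Captchas table, the lookup by tag instead of by captcha ID, the case-insensitive answers and the single-use rule are all assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: the pepper lives in server configuration, never in the .db file.
PEPPER = secrets.token_bytes(32)

def tag(answer, pepper=PEPPER):
    norm = answer.strip().lower().encode("utf-8")  # assumed: case-insensitive answers
    return hmac.new(pepper, norm, hashlib.sha256).hexdigest()

def open_db():
    db = sqlite3.connect(":memory:")
    # Hypothetical table: only the keyed tag is stored, never the answer.
    db.execute("CREATE TABLE Captchas (Tag TEXT NOT NULL, Expires INTEGER NOT NULL)")
    return db

def issue(db, answer, now, ttl=600):
    with db:
        db.execute("INSERT INTO Captchas VALUES (?, ?)", (tag(answer), now + ttl))

def redeem(db, guess, now, pepper=PEPPER):
    with db:
        db.execute("DELETE FROM Captchas WHERE Expires <= ?", (now,))
        # Delete exactly one matching row so a solved captcha cannot be replayed.
        cur = db.execute(
            "DELETE FROM Captchas WHERE rowid = "
            "(SELECT rowid FROM Captchas WHERE Tag = ? LIMIT 1)",
            (tag(guess, pepper),))
    return cur.rowcount == 1
```

Captcha answers are short, so an unkeyed hash of them could be enumerated from a copy of the table; the pepper is what makes the stored tags useless without the server's configuration.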
Could you
- make a git repo/release tarballs, since there are assets (CSS) not included in the script itself, and
- add a license? WTFPL is good.
I'd like to run nanochan myself.
>>1692 If you care at all, yes. I'm guessing they don't really give a shit though.
Otherwise there's (in order of restrictions) Unlicense, MIT, Apache 2, GPLv3, and AGPLv3.
What would you recommend?
>>1690 To make a long story short, that used to be possible but is no longer viable since Nanochan is now a static generator (a captcha ID used to be included in the post form, now it cannot be).
>>1691 >there are assets not included in the script itself
Those can be downloaded trivially. There are no assets which cannot be downloaded, except for the webserver configuration and the clearnet-blocking script (which is server-specific). I assume that you will have enough skills to set those up however you like.
>add a license
No point. Licenses are useless and all they do is add extra cruft at the top of source code files. It's not as if I could sue you without compromising my anonymity anyway.
>>1964 You don't need to put an obnoxious license header on the top of your files. Having a LICENSE file or even just saying "license: WTFPL" is enough.
>>1687 >>1685 I knew it was resistant against rainbow tables, but I didn't know about the auto salting, thought you had to do it yourself, nice to know
I love lua, but is there any way to fasten its compilation? can the CGI thing be compiled with luaJIT instead? dunno if that will make it better.
I foresee issues in the future if a simple spambot can already get the website to give errors here and there.
and add an if statement to it if the referenced post is not in the current thread and then fuckin search in the database for that post and which thread it is a reply to, then get that thread in the url of the fuckin >> thingy
pls
The Nanochan source code is now available at http://nanochanxv2lxnqi.onion/nanochan.lua
This "release" contains the image captcha code.