/meta/ - Board Meta

Nanochan source code hakase ## Nanochan Administrator No.859 [D][U][F][S][L][A][C]
File: 160cdc0d85f2fd36f8d9d7094fcb32933c69e5a099d94b364695257bdf84928e.gif (dl) (1.33 MiB)

The Nanochan source code is now available at http://nanochanxv2lxnqi.onion/nanochan.lua
This "release" contains the image captcha code.

Nanonymous No.1061 [D] >>1065

404

Nanonymous No.1062 [D] >>1065

404

Nanonymous No.1063 [D] >>1065

404

Nanonymous No.1064 [D] >>1065

Why does it repost after I press the back button? Tor browser on phone.

Nanonymous No.1065 [D]

>>1064
Because the previous page was an HTML redirect.
You shouldn't need to use the back button anyway. There are links to the catalog and overboard on the bottom and top of each page.
>>1061
>>1062
>>1063
The URL has changed, it is now:
http://nanochanxv2lxnqi.onion/source.lua
This will stay the same for the foreseeable future. That link will always point to the latest version of the nanochan source code.

Nanonymous No.1158 [D]

>using sha512 to hash passwords
It's like you *want* passwords to be brute forced.

Nanonymous No.1295 [D] >>1296 >>1346

Not a huge deal, but identity.session.valid(key) should be rewritten to not use a SELECT * FROM Sessions returning every single session key there is. This isn't a huge deal since sessions are only created whenever a "mod" logs in to their account. It would be better to do something like SELECT * FROM Sessions WHERE Key = ? AND ExpireDate < FUNC() where FUNC is some way to get the time. Elsewhere you should delete expired sessions by using a query that deletes all of them at once. With the current way the system works, it would be best to create a trigger whenever a new session is inserted to delete all expired / old sessions.

Nanonymous No.1296 [D] >>1346

>>1295
Well actually, if you are deleting old sessions for that account you might as well just do it all with a regular DELETE query when creating the new session.

Nanonymous No.1337 [D] >>1344 >>1346

also I meant ExpireDate > FUNC() obviously
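The session lookup and cleanup described in >>1295, >>1296 and >>1337, written out as an added example. This is not nanochan's code and the Sessions table layout (Key, Account, ExpireDate as a Unix timestamp) is an assumption; it uses Python's sqlite3 rather than the site's Lua so it runs stand-alone. Validation selects exactly one row by key and checks ExpireDate > now in the query, and creating a session deletes every expired row in a single DELETE instead of walking the table in application code.

```python
import secrets
import sqlite3
import time

# Constructed schema for this example; the real nanochan Sessions table is not on the page.
SCHEMA = """
CREATE TABLE Sessions (
    Key        TEXT PRIMARY KEY,
    Account    TEXT NOT NULL,
    ExpireDate INTEGER NOT NULL
);
"""

SESSION_LIFETIME = 24 * 3600  # seconds; assumed value


def open_store():
    """In-memory store with the assumed Sessions schema."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def create_session(db, account, now=None, lifetime=SESSION_LIFETIME):
    """Reap expired sessions and mint a new random key for `account`."""
    now = int(time.time()) if now is None else now
    key = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
    with db:  # one transaction: reap, then insert
        # Delete every expired session at once (>>1296), no per-row loop.
        db.execute("DELETE FROM Sessions WHERE ExpireDate <= ?", (now,))
        db.execute(
            "INSERT INTO Sessions (Key, Account, ExpireDate) VALUES (?, ?, ?)",
            (key, account, now + lifetime),
        )
    return key


def session_valid(db, key, now=None):
    """Return the account for `key` if it exists and has not expired, else None.

    The key and the expiry check both go into the WHERE clause (>>1337: ExpireDate > now),
    so the primary-key index does the lookup and only one row ever comes back.
    """
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT Account FROM Sessions WHERE Key = ? AND ExpireDate > ?",
        (key, now),
    ).fetchone()
    return row[0] if row else None


def session_count(db):
    return db.execute("SELECT COUNT(*) FROM Sessions").fetchone()[0]
```

Passing `now` explicitly is only there so the expiry behaviour can be exercised deterministically; in a CGI handler the default `time.time()` path is the one you would use.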

hakase ## Nanochan Administrator No.1346 [D] >>1515

>>1295
>>1296
>>1337
This was already implemented in sakamoto, since in C you can't do pajeet shit like looping through an entire table :^)
Thanks for the suggestion though.

Nanonymous No.1347 [D] >>1401

I'm still finding it impressive that the whole site is just html and css front end.
So clean.

Nanonymous No.1401 [D][U][F] >>1402
File: f652e808390277fca854778341f92e9ca22c93eeed43b41ddf5589814d8a700b.jpg (dl) (48.14 KiB)

>>1347
Indeed. Every website should be like Nanochan.
But first, web devs will have to stop being pajeets.

Nanonymous No.1402 [D]

>>1401
pajeets will have to stop being web devs.

Nanonymous No.1515 [D] >>1517

>>1346
>sakamoto
I assume that is some sort of background daemon. Is the source for that going to be available too, or are you going to keep it to yourself?

Nanonymous No.1517 [D]

>>1515
Nah, I didn't end up finishing the software because it was too much work and I'm lazy. I ended up making the original nanochan into a static generator, which wasn't hard but still offered many advantages over a dynamic generator.

Nanonymous No.1678 [D] >>1680

I like that it is so open that anyone can just download the entire database when they please
nanochanxv2lxnqi.onion/nanochan.db
this is truly innovative.

Nanonymous No.1680 [D] >>1682 >>1687 >>1729

>>1678
Holy shitfucking keks
>open with sqlite browser
>accounts table, pwhash col
RIP nanochan's zero exploit streak
Cool to see that bump/post limits are implemented like in regular imageboards, but it fucking sucks that this is gonna get patched now, this looks like an extremely easy way to archive nanochan

Nanonymous No.1682 [D] >>1683 >>1685 >>1687

>>1680
Just looked at the source, are the passwords even salted at all? Can't find any mention of it in the source, is it done elsewhere is the bcrypt library hakase's not supporting salts?

Nanonymous No.1683 [D]

>>1682
>or is the*
>using not supporting*

hakase ## Nanochan Administrator No.1685 [D] >>1686 >>1689 >>1707

>>1682
Bcrypt is a password salting algorithm. It is used by e.g. OpenBSD in their master.passwd files. Bcrypt salts the password automatically.
https://en.wikipedia.org/wiki/bcrypt

hakase ## Nanochan Administrator No.1686 [D]

>>1685
>Bcrypt is a password salting algorithm
password hashing and salting algorithm*

>bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999.[1] Besides incorporating a salt to protect against rainbow table attacks, bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power.

Said iteration count is set to 13 as you can see in the source code. This is secure but quite slow. It is only used for mods when logging in.

Nanonymous No.1687 [D] >>1707

>>1680
To be fair they are using bcrypt with 13 rounds which should give them plenty of time to lock down the database and switch passwords. Hopefully they will switch to argon2 if they are planning on resetting passwords.
>>1682
Yeah, it's done for you in the bcrypt library. From what I remember checking weeks (months?) ago they removed letting you specify the salt yourself from their api. Maybe too many people were doing it wrong or something.

hakase ## Nanochan Administrator No.1688 [D] >>1709

Originally I left the database open because it was a good way to get all the shit archived. However, I realized that people can use it to bypass the captcha, so it is now patched. Sorry.
Maybe in the future I will set up a cron job to create a version of the db without that information so that nanochan can be archived more easily. It would be very nice for it to be possible for others to make their own fork of nanochan in case this one goes down for whatever reason.

Nanonymous No.1689 [D]

>>1685
bcrypt is not a password salting algorithm, it's a key derivation algorithm.

Nanonymous No.1690 [D] >>1694

>However, I realized that people can use it to bypass the captcha
You can fix this by using a decently long pepper and storing a hash of the captcha. You could even use a quick hash function for this as you can ensure that you have a strong salt. Passwords on the other hand are typically low entropy which is why you need a slow algorithm. As long as no one can figure out your pepper they can't use rainbow tables to instantly solve the captcha.
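The peppered-captcha scheme from >>1690, as an added example (not code from nanochan). The server keeps a secret pepper outside the database and stores HMAC(pepper, answer) next to each captcha instead of the answer itself, so a copy of the .db file alone does not let anyone map records back to solutions. A fast hash is fine here because the pepper supplies the entropy the captcha text lacks. The PEPPER value and the strip/lowercase canonicalisation are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret kept out of the database (e.g. in the CGI environment or a
# root-only file). Constructed value for this example; generate a real one with
# secrets.token_bytes(32) and never write it into nanochan.db.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def _canon(answer):
    """Normalise what the user typed so harmless differences do not fail the check."""
    return answer.strip().lower()


def captcha_record(answer, pepper=PEPPER):
    """What to store for a captcha: a keyed hash of the answer, not the answer."""
    return hmac.new(pepper, _canon(answer).encode(), hashlib.sha256).hexdigest()


def captcha_check(submitted, stored, pepper=PEPPER):
    """Recompute the keyed hash and compare in constant time."""
    return hmac.compare_digest(captcha_record(submitted, pepper), stored)


def new_pepper():
    """Helper for deployment: a fresh 256-bit pepper."""
    return secrets.token_bytes(32)
```

Without the pepper, the stored digest is still only as hard to invert as the captcha's character space (a few letters and digits), which is exactly the rainbow-table problem >>1690 warns about; HMAC with a secret key removes the offline attack entirely as long as the key stays off the leaked database.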

Nanonymous No.1691 [D] >>1694

Could you
- make a git repo/release tarballs, since there are assets (CSS) not included in the script itself, and
- add a license? WTFPL is good.
I'd like to run nanochan myself.

Nanonymous No.1692 [D] >>1693

>WTFPL
This is a terrible license

Nanonymous No.1693 [D]

>>1692
If you care at all, yes. I'm guessing they don't really give a shit though.
Otherwise there's (in order of restrictions) Unlicense, MIT, Apache 2, GPLv3, and AGPLv3.
What would you recommend?

Nanonymous No.1694 [D] >>1696

>>1690
To make a long story short, that used to be possible but is no longer viable since Nanochan is now a static generator (a captcha ID used to be included in the post form, now it cannot be).
>>1691
>there are assets not included in the script itself
Those can be downloaded trivially. There are no assets which cannot be downloaded, except for the webserver configuration and the clearnet-blocking script (which is server-specific). I assume that you will have enough skills to set those up however you like.
>add a license
No point. Licenses are useless and all they do is add extra cruft at the top of source code files. It's not as if I could sue you without compromising my anonymity anyway.

Nanonymous No.1695 [D]

>>1964
You don't need to put an obnoxious license header on the top of your files. Having a LICENSE file or even just saying "license: WTFPL" is enough.

Nanonymous No.1696 [D] >>1701

>>1694
Can you at least actually give permission to use/modify/distribute the code? "Do what the fuck you want"

hakase ## Nanochan Administrator No.1701 [D]

>>1696
Yeah, do whatever you want with the code. Not as if I can stop you anyway.

Nanonymous No.1707 [D]

>>1687
>>1685
I knew it was resistant against rainbow tables, but I didn't know about the auto salting, thought you had to do it yourself, nice to know

Nanonymous No.1709 [D]

>>1688
Wouldn't separating the two databases achieve the same effect?

Nanonymous No.1713 [D] >>1714

I love Lua, but is there any way to speed up its compilation? Can the CGI thing be compiled with LuaJIT instead? Dunno if that will make it better.
I foresee issues in the future if a simple spambot can already get the website to give errors here and there.

Nanonymous No.1714 [D]

>>1713
The problem is just race conditions which are easy to fix. Not necessarily due to speed

Nanonymous No.1729 [D]

>>1680
It's not a bug, it's a feature :^)

Nanonymous No.1730 [D]

allow crossposting.
delete this:

return text:gsub("&gt;&gt;(%d+)", "<a class='reference' href='#post%1'>&gt;&gt;%1</a>")

and add an if statement to it: if the referenced post is not in the current thread, then fuckin search in the database for that post and which thread it is a reply to, then put that thread in the url of the fuckin >> thingy
pls
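The cross-thread reference linking requested in >>1730, as an added example rather than nanochan's own code. The original gsub only ever emits `#post%1`, so a reference to a post in another thread links nowhere. The version below keeps the same-thread anchor, and for a post found in a different thread (or board) builds a link to that thread instead; a number that matches no post is left as plain text. It is written in Python with sqlite3 so it runs stand-alone; the Posts table layout (Number, Thread, Board), the `/board/thread.html#postN` URL shape and the sample rows are all assumptions. Input text is assumed to be HTML-escaped already, which is why the pattern matches `&gt;&gt;` exactly as the original Lua does.

```python
import html
import re
import sqlite3

# Constructed schema and rows for this example; nanochan's real tables are not on the page.
SCHEMA = """
CREATE TABLE Posts (
    Number INTEGER PRIMARY KEY,
    Thread INTEGER NOT NULL,   -- post number of the thread's OP
    Board  TEXT    NOT NULL
);
"""
SAMPLE_POSTS = [
    (859, 859, "meta"), (1061, 859, "meta"), (1730, 859, "meta"),
    (2000, 2000, "meta"), (2001, 2000, "meta"),
    (3000, 3000, "b"),
]

# Same pattern as the Lua gsub: the text is already escaped, so ">>" is "&gt;&gt;".
REF_RE = re.compile(r"&gt;&gt;(\d+)")


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO Posts (Number, Thread, Board) VALUES (?, ?, ?)", SAMPLE_POSTS)
    return db


def link_references(db, text, board, thread):
    """Replace &gt;&gt;N with a link.

    Same thread  -> '#postN' (what the original gsub always produced)
    Other thread -> '/<board>/<thread>.html#postN' (assumed URL layout)
    Unknown post -> left unlinked, so dangling references do not become broken links
    """
    def repl(m):
        num = int(m.group(1))
        row = db.execute(
            "SELECT Board, Thread FROM Posts WHERE Number = ?", (num,)
        ).fetchone()
        if row is None:
            return m.group(0)
        ref_board, ref_thread = row
        if ref_board == board and ref_thread == thread:
            href = f"#post{num}"
        else:
            href = f"/{ref_board}/{ref_thread}.html#post{num}"
        # Escape the href even though it came from our own DB: an attribute value
        # should never be built from unescaped data.
        return f"<a class='reference' href='{html.escape(href, quote=True)}'>&gt;&gt;{num}</a>"

    return REF_RE.sub(repl, text)
```

One lookup per reference is fine for imageboard-sized posts; if that ever mattered, the numbers could be collected first and resolved with a single `WHERE Number IN (...)` query before substitution.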