[Project] 0807 - a self-hosted ephemeral file host with no accounts and a Tor onion service

Simple, private file hosting.

I run 0807, a small self-hosted file host. Drop a file, get a short link, and choose when it disappears.

What it does:

No account, no ads, no trackers
Auto-delete by time (1 hour up to 30 days, or never) or after a set number of downloads
Optional password protection on files and on text notes
Files up to 20 GB, with 16 TB of storage behind it
Reachable over Tor through an onion service
Text notes with the same self-destruct and password options
A few file types are blocked for safety (exe, bat, scripts, and similar)

PS: there is no end-to-end encryption, and that is deliberate. The server can read what is stored.

I want to be able to take illegal uploads down when they get reported, CSAM in particular.

End-to-end encryption would make the server blind to its own contents, which is great for privacy but would also stop me from acting on those reports.

If you need real secrecy, encrypt the file before you upload it. The password option is there for casual privacy (not as protection from me or from whoever might get into the server.)

The code is open, and I host it the same way I host the files, on my own server instead of HERE .

You can read it, propose a change, or open an issue there, no account needed

Happy to answer questions about the setup or take feedback.

load all comments

Bombastic 21 points 4 days ago

Doesn't allow exe files

Introducing my totally real image called calc.jpg that is totally not a pe file with a different extension!

Anyway, prepare to have your file hoster be used to host malware payloads

save

path: 0 24323866, hotness: undefined, score: 21, children: 5

Matty_r 9 points 4 days ago

I was thinking surely it doesn't just look at the extension and instead uses the mime type at the backend.. After looking for a minute (on mobile) I think thats what it does.

process.env.BLOCKED_EXT === undefined ? 'exe,bat,cmd,com,scr,msi,vbs,ps1,sh,jar' : process.env.BLOCKED_EXT)

save

path: 0 24323866 24324231, hotness: undefined, score: 9, children: 3

0807 9 points 4 days ago

You read it right, BLOCKED_EXT is just an extension list and renaming walks straight past it. But that list was never the malware check, it only stops someone uploading payload.exe

Mime sniffing wouldn't have caught it either, since that value rides along in the request and a renamed upload just lies about it.

The actual defense is ClamAV, same file if you grep clamScan and CLAMAV_SCAN, and it reads what's inside the file instead of the name. I tried the calc.jpg trick for real, an EICAR test renamed to calc.jpg sent as image/jpeg, and the upload came back refused.

save

path: 0 24323866 24324231 24324387, hotness: undefined, score: 9, children: 2

non_burglar 9 points 4 days ago

Clamav is woefully behind on definitions, just be aware of that.

save

path: 0 24323866 24324231 24324387 24324626, hotness: undefined, score: 9, children: 1

xinayder 3 points 4 days ago

you can install updated filters for it, though. Just check out fangfrisch.

save

path: 0 24323866 24324231 24324387 24324626 24331103, hotness: undefined, score: 3, children: 0