fix!: switch from CFB to CTR cipher

depado · depado · commit e234132cce26 · 2025-02-27T00:17:56.000+01:00
CFB cipher is deprecated and insecure, see: https://pkg.go.dev/crypto/cipher#NewCFBDecrypter Because of the way goploader works, files created with the CFB cipher can't be decrypted using the CTR cipher. If you plan on upgrading, use a different path for your database and files. BREAKING CHANGE: this will effectively invalidate all uplodaded files that used the CFB cipher.
diff --git a/.gitignore b/.gitignore
@@ -2,13 +2,11 @@ client/client
 client/client*
 client/misc/
 client/testfiles/
-server/my.db
 server/*.back
 server/*.db
 server/up/
 server/server
 server/conf.yml
-server/rice-box.go
 server/ssl
 releases
 server/data/
@@ -17,5 +15,4 @@ vendor/
 docs/env/
 docs/site/
 .vscode/
-
 dist/
diff --git a/README.md b/README.md
@@ -3,11 +3,11 @@
 [![forthebadge](https://forthebadge.com/images/badges/made-with-go.svg)](https://forthebadge.com)[![forthebadge](https://forthebadge.com/images/badges/contains-technical-debt.svg)](https://forthebadge.com)[![forthebadge](https://forthebadge.com/images/badges/built-with-love.svg)](https://forthebadge.com)
 
 ![Go Version](https://img.shields.io/badge/go-1.18-brightgreen.svg)
-[![Go Report Card](https://goreportcard.com/badge/github.com/Depado/goploader)](https://goreportcard.com/report/github.com/Depado/goploader)
+[![Go Report Card](https://goreportcard.com/badge/github.com/depado/goploader)](https://goreportcard.com/report/github.com/depado/goploader)
 [![codebeat badge](https://codebeat.co/badges/0faefc03-91a4-41e7-a955-ccd8c1b096cd)](https://codebeat.co/projects/github-com-depado-goploader)
-[![Maintainability](https://api.codeclimate.com/v1/badges/af3e40751fb9d01d4627/maintainability)](https://codeclimate.com/github/Depado/goploader/maintainability)
-[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/Depado/goploader/blob/master/LICENSE)
-[![Say Thanks!](https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg)](https://saythanks.io/to/Depado)
+[![Maintainability](https://api.codeclimate.com/v1/badges/af3e40751fb9d01d4627/maintainability)](https://codeclimate.com/github/depado/goploader/maintainability)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/depado/goploader/blob/master/LICENSE)
+[![Say Thanks!](https://img.shields.io/badge/Say%20Thanks-!-1EAEDB.svg)](https://saythanks.io/to/depado)
 
 > [!WARNING]  
 > This repository is maintained as is but most of the tech used for this project
@@ -22,49 +22,35 @@ Goploader's ultimate goal is to make file sharing easy and painless. This projec
 
 ## Build from source
 
-Make sure you have Go installed on your machine.
+Make sure you have go installed on your machine.
 
 ### Client
 
 ```shell
-$ go get github.com/Depado/goploader/client
-$ go build -o $GOPATH/bin/goploader github.com/Depado/goploader/client
+$ git clone https://github.com/depado/goploader.git
+$ cd goploader
+$ go build -o gpldr ./client/
 ```
 
 ### Server
 
 ```shell
-$ # Move to a new directory that will be used to run the server
-$ go get github.com/Depado/goploader/server
-$ # The following steps are optional
-$ # Execute those if you wish to embed the assets and templates into the binary
-$ go get github.com/GeertJohan/go.rice/rice
-$ rice embed-go -i=github.com/Depado/goploader/server
-$ # End of the optional steps
-$ go build github.com/Depado/goploader/server
-$ # If you did not embed the resources, make sure to copy the assets and templates directories
-$ cp -r $GOPATH/src/github.com/Depado/goploader/server/{assets,templates} .
-$ # Execute the binary a first time to trigger the setup
-$ # Or write your own conf.yml file
-$ ./server
+$ git clone https://github.com/depado/goploader.git
+$ cd goploader
+$ go build -o goploader-server ./server/
+$ ./goploader-server
 ```
 
 ## Downloads
 
-All the downloads are available at [gpldr.in](https://gpldr.in) in the [clients](https://gpldr.in/#client-downloads) and [server](https://gpldr.in/#server-downloads) sections.
-
-### Client
-
-| Linux         | FreeBSD | Mac OS     | Windows  |
-| ------------- |---------|------------|----------|
-| [Linux 64bit](https://gpldr.in/releases/clients/client_linux_amd64) | [FreeBSD 64bit](https://gpldr.in/releases/clients/client_freebsd_amd64) | [Mac OS 64bit](https://gpldr.in/releases/clients/client_darwin_amd64) | [Windows 64bit](https://gpldr.in/releases/clients/client_windows_amd64.exe) |
-| [Linux 32bit](https://gpldr.in/releases/clients/client_linux_386) | [FreeBSD 32bit](https://gpldr.in/releases/clients/client_freebsd_386) | [Mac OS 32bit](https://gpldr.in/releases/clients/client_darwin_386) | [Windows 32bit](https://gpldr.in/releases/clients/client_windows_386.exe) |
-| [Linux ARMv7](https://gpldr.in/releases/clients/client_linux_arm) | | | | |
+All the downloads are available in the [releases tab](https://github.com/depado/goploader/releases)
+of this repository. 
 
 ## Documentation
 
-All the documentation is available at [gpldr.in](https://docs.gpldr.in). I intend to write a proper `README.md` file, but it takes a lot of work to transpose the existing documentation to the markdown format. So, work in progress.
-
+All the documentation is available at [depado.github.io/goploader/](https://depado.github.io/goploader/).
 
 ## License
-All the software in this repository is released under the MIT License. See [LICENSE](https://github.com/Depado/goploader/blob/master/LICENSE) for details.
+
+All the software in this repository is released under the MIT License. See 
+[LICENSE](https://github.com/depado/goploader/blob/master/LICENSE) for details.
diff --git a/server/models/resources.go b/server/models/resources.go
@@ -63,7 +63,7 @@ func (r Resource) NewStreamWriter(fd *os.File, key []byte) (*cipher.StreamWriter
 		return nil, err
 	}
 	var iv [aes.BlockSize]byte
-	stream := cipher.NewCFBEncrypter(block, iv[:])
+	stream := cipher.NewCTR(block, iv[:])
 	return &cipher.StreamWriter{S: stream, W: fd}, nil
 }
 
@@ -81,17 +81,20 @@ func (r *Resource) WriteEncrypted(fd multipart.File) (string, error) {
 		return "", err
 	}
 	defer file.Close()
+
 	k := uniuri.NewLen(conf.C.KeyLength)
 	kb := []byte(k)
 	sw, err := r.NewStreamWriter(file, kb)
 	if err != nil {
 		return "", err
 	}
+
 	wr, err := io.Copy(sw, bufio.NewReaderSize(fd, 512))
 	if err != nil {
 		os.Remove(path.Join(conf.C.UploadDir, r.Key))
 		return "", err
 	}
+
 	r.Size = wr
 	return k, nil
 }

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ func (r Resource) NewStreamWriter(fd os.File, key []byte) (cipher.StreamWriter`
`63`	`63`	`return nil, err`
`64`	`64`	`}`
`65`	`65`	`var iv [aes.BlockSize]byte`
`66`		`- stream := cipher.NewCFBEncrypter(block, iv[:])`
	`66`	`+ stream := cipher.NewCTR(block, iv[:])`
`67`	`67`	`return &cipher.StreamWriter{S: stream, W: fd}, nil`
`68`	`68`	`}`
`69`	`69`
`@@ -81,17 +81,20 @@ func (r *Resource) WriteEncrypted(fd multipart.File) (string, error) {`
`81`	`81`	`return "", err`
`82`	`82`	`}`
`83`	`83`	`defer file.Close()`
	`84`	`+`
`84`	`85`	`k := uniuri.NewLen(conf.C.KeyLength)`
`85`	`86`	`kb := []byte(k)`
`86`	`87`	`sw, err := r.NewStreamWriter(file, kb)`
`87`	`88`	`if err != nil {`
`88`	`89`	`return "", err`
`89`	`90`	`}`
	`91`	`+`
`90`	`92`	`wr, err := io.Copy(sw, bufio.NewReaderSize(fd, 512))`
`91`	`93`	`if err != nil {`
`92`	`94`	`os.Remove(path.Join(conf.C.UploadDir, r.Key))`
`93`	`95`	`return "", err`
`94`	`96`	`}`
	`97`	`+`
`95`	`98`	`r.Size = wr`
`96`	`99`	`return k, nil`
`97`	`100`	`}`