espebra / filebin

Filebin is a web application that facilitates convenient file sharing over the web. This repository is out of date and no longer maintained. Active development has moved to https://github.com/espebra/filebin2/

License: BSD 3-Clause "New" or "Revised" License

HTML 42.97% Makefile 0.32% Go 41.38% CSS 0.62% JavaScript 14.21% Shell 0.51%

filebin's Issues

Uploading additional files does not work

Selecting more -> Upload files from an existing bin lets me select a new file, and it seems the file is uploaded (there's a progress bar), but the file does not show up in the bin.

Support for setting tags read only.

In the case of using filebin for file distribution to multiple parties, it would be very beneficial to be able to set a tag as read only.

For a shared tag, it would be possible for someone that has the link to replace uploaded binaries with trojaned ones.

It could work like a one-way setting. You can set it, but there is no way of making the tag readable again.

It should not prohibit the tag from being deleted. Usually you can just create a new tag with the same files if the tag is deleted unintentionally/maliciously.
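One way the one-way setting requested above could be kept on the filesystem backend, as an added sketch that is not filebin's code. The `.readonly` marker file and the `Lock`, `Put` and `Delete` functions are hypothetical names, and tag validation is assumed to happen in the caller:

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var ErrReadOnly = errors.New("tag is read only") // returned when a write targets a locked tag
const lockName = ".readonly"                     // hypothetical marker file: present means locked

// Lock sets the one-way flag and is idempotent. There is deliberately no Unlock.
func Lock(root, tag string) error {
	f, err := os.OpenFile(filepath.Join(root, tag, lockName), os.O_CREATE|os.O_RDONLY, 0o400)
	if err != nil {
		return err
	}
	return f.Close()
}

// Put stores a file in the tag unless it is locked. The tag is assumed to be
// validated by the caller; only the client-supplied file name is cleaned here.
func Put(root, tag, name string, data []byte) error {
	dir := filepath.Join(root, tag)
	if _, err := os.Stat(filepath.Join(dir, lockName)); err == nil {
		return ErrReadOnly
	} else if !errors.Is(err, os.ErrNotExist) {
		return err // cannot tell whether the tag is locked: fail closed
	}
	base := filepath.Base(name)
	if base == lockName || base == "." || base == ".." || base == string(filepath.Separator) {
		return errors.New("invalid file name")
	}
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, base), data, 0o600)
}

// Delete removes the whole tag; the lock does not prevent it.
func Delete(root, tag string) error { return os.RemoveAll(filepath.Join(root, tag)) }

func main() {
	root, _ := os.MkdirTemp("", "bins")
	defer os.RemoveAll(root)
	_ = Put(root, "demo", "tool.bin", []byte("v1")) // constructed sample data
	_ = Lock(root, "demo")
	fmt.Println(Put(root, "demo", "tool.bin", []byte("replaced"))) // tag is read only
}
```

Because the marker lives inside the tag directory, deleting the tag also clears the lock, which matches the request that locking must not prevent deletion.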

Proper error message when the tag is invalid

When a user tries to upload to / download from a tag that has an invalid name (i.e. too short), the web application returns HTTP code 400. The client should also get some kind of human-readable error message.

Use vendoring

Should use vendoring to better control dependencies.

Handle network error gracefully on upload

Hello,

Using the official website, I'm currently on an unstable network, and simple files that are ~20MB each almost always result in Failed due to network error.

I was thinking it would be a good idea to handle these errors gracefully to not have to start over every time.

This can be done by resuming the upload, or splitting the file in multiple chunks (of configurable-at-upload-time size?) and sending each chunk one after the other, with retries if needed.

I know it'll not resolve itself overnight, but this might help the future me or someone else!

Thank you for anything you (or anyone else) can do about this!

Concurrent filebins in docker...

Not sure how well Filebin scales. So was thinking to dockerize and run multiple filebin binaries all pointing back to the same underlying file system in either k8s or swarm.

Seemed like a good idea as I could scale horizontally by adding more containers and provide high resiliency.

But although everything sorta works, state is/seems to be kept in memory as well as the underlying filesystem. Could you confirm?

Happy to work on a solution to this, but would welcome your point of view.

Download file with CURL

The readme states that in order to download a file, we just GET its path: https://github.com/espebra/filebin#download-file-1
However, that is fetching the HTML page, not the file itself. The download button in the UI has a ?t= suffix, which is not deterministic. Is there a way to download files using a known URL? Did I misunderstand the readme?

Simultaneous upload of >4 files results in errors

Attempting to simultaneously upload more than four files into a bin results in an error: Filebin is currently unavailable. Please retry later. However, the upload of the same files one at a time, or in smaller quantities than four at once, works just fine.
This four-file limitation has also been observed by my friends that use this platform for file transfers.
I'm more than happy to provide further details if needed!

ExpirationReadable is not a field of struct type interface

Building from latest 2eb6042 gives me white page on '/' access; and gives the error below.

Building from this commit works: 297a7f5

full debug:

- 2016/06/22 18:04:25 Generate new bin 43mm302z6qj16v6y
r-49ao0 2016/06/22 18:04:25 Response status: 200
r-49ao0 2016/06/22 18:04:25 template: newbin:71:32: executing "newbin" at <.Data.ExpirationRead...>: ExpirationReadable is not a field of struct type interface {}
2016/06/22 18:04:25 http: panic serving 127.0.0.1:40618: template: newbin:71:32: executing "newbin" at <.Data.ExpirationRead...>: ExpirationReadable is not a field of struct type interface {}

goroutine 8 [running]:
net/http.(*conn).serve.func1(0xc839988000)
    /usr/local/go/src/net/http/server.go:1389 +0xc1
panic(0x887ca0, 0xc839937c20)
    /usr/local/go/src/runtime/panic.go:426 +0x4e9
log.(*Logger).Panicln(0xc839984500, 0xc820163140, 0x1, 0x1)
    /usr/local/go/src/log/log.go:220 +0xbf
github.com/espebra/filebin/app/output.HTMLresponse(0x7f183242cf60, 0xc839990090, 0xa1fac8, 0x6, 0xc8, 0x9d9fa0, 0xc83996a280, 0xc8201ce750, 0xc8201ce720, 0x7fff4f0d5dae, ...)
    /home/vik/go/src/github.com/espebra/filebin/app/output/output.go:58 +0xa28
github.com/espebra/filebin/app/api.NewBin(0x7f183242cf60, 0xc839990090, 0xc839992000, 0x7fff4f0d5dd3, 0x9, 0x7a69, 0xe10, 0xe10, 0x100000, 0x7fff4f0d5d6d, ...)
    /home/vik/go/src/github.com/espebra/filebin/app/api/api.go:519 +0x365
main.reqHandler.func1(0x7f183242cf60, 0xc839990090, 0xc839992000)
    /home/vik/go/src/github.com/espebra/filebin/main.go:421 +0xb25
net/http.HandlerFunc.ServeHTTP(0xc83992d0d0, 0x7f183242cf60, 0xc839990090, 0xc839992000)
    /usr/local/go/src/net/http/server.go:1618 +0x3a
github.com/gorilla/mux.(*Router).ServeHTTP(0xc8398cc280, 0x7f183242cf60, 0xc839990090, 0xc839992000)
    /home/vik/go/src/github.com/gorilla/mux/mux.go:107 +0x297
github.com/gorilla/handlers.combinedLoggingHandler.ServeHTTP(0x7f18324211c0, 0xc8200240c0, 0x7f18323a0210, 0xc8398cc280, 0x7f183242cdc0, 0xc839981a00, 0xc839992000)
    /home/vik/go/src/github.com/gorilla/handlers/handlers.go:77 +0x121
github.com/gorilla/handlers.(*combinedLoggingHandler).ServeHTTP(0xc839945860, 0x7f183242cdc0, 0xc839981a00, 0xc839992000)
    <autogenerated>:15 +0xb4
net/http.serverHandler.ServeHTTP(0xc8398c3480, 0x7f183242cdc0, 0xc839981a00, 0xc839992000)
    /usr/local/go/src/net/http/server.go:2081 +0x19e
net/http.(*conn).serve(0xc839988000)
    /usr/local/go/src/net/http/server.go:1472 +0xf2e
created by net/http.(*Server).Serve
    /usr/local/go/src/net/http/server.go:2137 +0x44e

zip not installed on minimal ubuntu

Download archive was not working because zip is not installed on an Ubuntu minimal installation.
apt-get install zip
fixed it.
Maybe you can add this to the Requirements section in the readme.

UWP Filebin client, permission request

Hello!

I have been developing a simple Filebin upload client with C# and Universal Windows Platform. It started as more of a learning challenge, but I think that it could be really useful to some people, because Filebin doesn't require sign up and provides direct links to bins. So I was wondering if you would allow me to publish the application on the Windows Store for free. Here it is in action:

Animation of Filebin Upload client

My plan is to name it "Filebin Uploader" and put the following disclaimer into the app's description to satisfy the requirements of 3-BSD license:
"This application is not affiliated with, endorsed, sponsored, or specifically approved by Filebit, Espen Braastad or other contributors of Filebit project and they are not responsible for it. For more information on Filebit see https://github.com/espebra/filebin"

I doubt that it will be popular (Windows Store is only supported on Windows 10 and doesn't have that many users at all), but I can add a User-Agent header to all requests made by the app so you could block or throttle all of them if they become a problem.

Please tell me what your thoughts are!

Errors on install..

On Ubuntu 14.04.3 LTS

[~/go] mkdir src bin pkg
[~/go] export GOPATH=~/go
[~/go] export PATH="${PATH}:${GOPATH}/bin"
[~/go] env
...
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/home/alf/go/bin
GOPATH=/home/alf/go
...
[~/go] sudo apt-get install golang
[~/go] go get -d github.com/espebra/filebin
[~/go] cd src/github.com/espebra/filebin/
[~/go/src/github.com/espebra/filebin] make get-deps
go get github.com/dustin/go-humanize
go get github.com/gorilla/mux
go get github.com/gorilla/handlers
go get github.com/rwcarlsen/goexif/exif
go get github.com/disintegration/imaging
go get github.com/GeertJohan/go.rice
go get github.com/GeertJohan/go.rice/rice
[~/go/src/github.com/espebra/filebin] make install
rm -f templates.rice-box.go
rm -f static.rice-box.go
rice embed-go
go install -ldflags "-X \"main.buildstamp=`date -u '+%Y-%m-%d %H:%M:%S'`\" -X \"main.githash=`git rev-parse HEAD`\""
# github.com/espebra/filebin/app/backend/fs
app/backend/fs/fs.go:334: zw.RegisterCompressor undefined (type *zip.Writer has no field or method RegisterCompressor)
# github.com/espebra/filebin/app/shared
app/shared/shared.go:12: unknown http.Client field 'Timeout' in struct literal
make: *** [install] Error 2

Install broken again

Hi.

Tried to install newest version today but seems like install is broken again. fs.go was edited recently as far as I can see.


make install
rm -f templates.rice-box.go
rm -f static.rice-box.go
rice embed-go
go install -ldflags "-X \"main.buildstamp=`date -u '+%Y-%m-%d %H:%M:%S'`\" -X \"main.githash=`git rev-parse HEAD`\""
# github.com/espebra/filebin/app/backend/fs
app/backend/fs/fs.go:334: zw.RegisterCompressor undefined (type *zip.Writer has no field or method RegisterCompressor)
Makefile:25: recipe for target 'install' failed
make: *** [install] Error 2

Ensure deleted/expired bins are not reused

Currently it is possible to reuse deleted bins. This is a known issue. The current version does not have a database other than the filesystem, which means it is not obvious how this state can be stored.

Direct image pasting

Do you plan to add support for direct pasting of images (like github does in this "New issue form" or https://pasteboard.co/ does)?

Use case
Let's say I have an image in clipboard and I don't want to be required to open some image editor, save the image into a file, upload that file and then delete it.

Misleading UI text

When uploading using the non-drag-and-drop-method, after selecting files, the UI says:

"Status: 0 of 1 file uploaded, please wait ..."

The upload however doesn't start before actually clicking on the "Upload" button.

Suggested fix: Upload start should be triggered automatically when selecting file(s).

Unrestricted File Upload vulnerability Found

Hello Team,

Being a responsible security researcher, I want to catch your attention to the vulnerability I found on your website.

Proof Of Concept :

I have found critical Unrestricted File Upload vulnerability on below url:

Target URL: https://filebin.net/

As you may already know, it is possible to make a website vulnerable to XSS if you can upload/include a SWF file into that website.

I tried to upload a malicious file "xssproject(1).swf" on the target url and the file uploaded successfully.

This shows that the Target URL is vulnerable to Unrestricted File Upload vulnerability.

Uploaded Malicious File URL: https://filebin.net/g9z3k6ajxm2qxikm

Impact:
The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

Mitigation:

  1. Never allow users to upload executables (php, exe, ...etc)
  2. Check the File Type and File Extension.
  3. Analyse the uploaded file itself, recreate it and rename it.

Source of Malicious File:
https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/file-upload/malicious-images/xssproject.swf

Reference:
https://www.owasp.org/index.php/Unrestricted_File_Upload

Notes:

  1. Please find supporting screenshots attached herewith.
  2. Please take down the uploaded malicious file and delete the content ASAP

Step1- Filebin's File upload page
Filebin_File upload step 1

Step 2- Uploading Malicious File
Filebin_File upload step 2

Step 3- Successfully Uploaded Malicious File
Filebin_File upload step 3
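For a service whose purpose is to accept arbitrary files, the client-side risk raised in the report above depends on how stored files are served back. The following added example (not filebin's code) shows response headers that make a browser save an upload rather than render it in the site's origin, plus a content-based type check of the kind the report's mitigation list asks for. `IsSWF`, `DownloadHeaders` and `ServeUpload` are hypothetical names and the sample bytes are constructed:

```go
package main

import (
	"bytes"
	"fmt"
	"mime"
	"net/http"
	"path/filepath"
)

// IsSWF reports whether head starts with a Flash signature (FWS uncompressed,
// CWS zlib, ZWS LZMA), whatever extension the client gave the file.
func IsSWF(head []byte) bool {
	for _, sig := range []string{"FWS", "CWS", "ZWS"} {
		if bytes.HasPrefix(head, []byte(sig)) {
			return true
		}
	}
	return false
}

// DownloadHeaders returns response headers that make a browser save the file
// instead of rendering or executing it in the site's origin.
func DownloadHeaders(clientName string) http.Header {
	h := http.Header{}
	name := filepath.Base(clientName) // drop directory components from the client-supplied name
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": name}))
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

// ServeUpload writes a stored upload to the client with the headers above.
func ServeUpload(w http.ResponseWriter, name string, body []byte) {
	for k, v := range DownloadHeaders(name) {
		w.Header()[k] = v
	}
	_, _ = w.Write(body)
}

func main() {
	fmt.Println(IsSWF([]byte("CWS\x0a"))) // constructed header bytes, not a real file
	fmt.Println(DownloadHeaders("xssproject(1).swf").Get("Content-Disposition"))
}
```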
