Image filename is remembered #207
Comments
Oh, this also happens for media in posts.
As a user, I would prefer if metadata was stripped (most sensitive would probably be gps-coordinates), and that the filename was given a UUID instead.
Mastodon already strips EXIF metadata from JPEG images, at least, including GPS coördinates.
Solving this would appear to be relatively easy. Paperclip actually has built-in support for URL obfuscation. So we only need to edit

```ruby
url: "/system/:class/:attachment/:id_partition/:style/:hash.:extension",
hash_secret: Rails.env.development? ? "foobar" : ENV["PAPERCLIP_SECRET"]
```

This works great. Now all the new attachment URLs are obfuscated. I'm not sure if it works properly in “production” mode, but it does in development.

However, there's a catch: apparently, this change is retrospective and now it looks at that URL for existing media. That media didn't use the same URL format, so you get a 404. That's pretty bad. I'm not sure how to fix this. One way would be to perform a migration wherein all existing media is renamed, but that would break links from federated sites. Or, perhaps there's a way to make Paperclip use two different URL formats, one for old media, one for new media. But I don't know what that way would be. :S
There's a small amount of discussion on how to migrate in thoughtbot/paperclip#416 (comment).
Oh, that's interesting. Solution might be to make
We'd also need to touch the
Migrating would mean transferring over 5GB of files back and forth over S3 so not an option (costly and ineffective). Perhaps there is a solution that renames the file a priori in Paperclip.
That's what I'm currently working on, actually ^^
Done: https://github.com/Gargron/mastodon/pull/242 Hacky, but it works great.
This is obvious, but it bears pointing out: If that's merged, bear in mind it's a workaround to avoid migration. Any future uses of
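
The trade-off discussed in the comments above, as an added example that is not part of the thread and is not Paperclip's or Mastodon's code: switching to a keyed-hash URL layout moves the lookup path for files already stored, while renaming at upload keeps the layout and only changes new filenames. The `Media` struct, the helper names, the path layout, the hashed input string and the sample filename are all constructed for illustration.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for an attachment row; not a Paperclip or Mastodon class.
Media = Struct.new(:id, :file_name, :updated_at)

# Keep only a short alphanumeric extension; the extension is user-controlled too.
def safe_extension(name)
  ext = File.extname(name.to_s).downcase
  ext.match?(/\A\.[a-z0-9]{1,5}\z/) ? ext : ""
end

# Layout before any change: the uploader's filename is part of the public URL.
def legacy_path(media, style)
  "/system/media/#{media.id}/#{style}/#{media.file_name}"
end

# Keyed-hash layout in the spirit of a ":hash" URL segment. The string that is
# hashed here is an assumption; the real library chooses its own input.
def hashed_path(media, style, secret)
  data = "media/#{media.id}/#{style}/#{media.updated_at}"
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
  "/system/media/#{media.id}/#{style}/#{digest}#{safe_extension(media.file_name)}"
end

# Rename-on-upload: replace the basename with random hex before it is stored.
def randomized_name(original)
  SecureRandom.hex(8) + safe_extension(original)
end

# A file already in storage under the legacy layout (constructed sample).
OLD = Media.new(1, "passport-scan-jane-doe.jpg", 1_480_000_000)
STORED = [legacy_path(OLD, "original")].freeze

# True when the computed path points at a file that exists in storage.
def resolves?(path)
  STORED.include?(path)
end

if __FILE__ == $PROGRAM_NAME
  # Layout switched: the app now looks somewhere the old file never was.
  puts resolves?(hashed_path(OLD, "original", "constructed-secret"))
  # Layout kept: the old file still resolves, and a new upload hides its name.
  puts resolves?(legacy_path(OLD, "original"))
  fresh = Media.new(2, randomized_name("holiday-at-home-address.png"), 1_480_000_100)
  puts legacy_path(fresh, "original")
end
```

Files stored before the rename still carry their original names in the URL; only uploads made after the change are covered.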
Rename media to avoid exposing filename (fixes #207)
Probably minor: Mastodon remembers, and makes public the filename of avatars and banners uploaded. This might be sensitive in some cases.