Image filename is remembered

[hikari-no-yume]

Probably minor: Mastodon remembers, and makes public the filename of avatars and banners uploaded. This might be sensitive in some cases.

[hikari-no-yume]

Oh, this also happens for media in posts.

[jhauberg]

As a user, I would prefer if metadata was stripped (most sensitive would probably be gps-coordinates), and that the filename was given a UUID instead.

[hikari-no-yume]

Mastodon already strips EXIF metadata from JPEG images, at least, including GPS coördinates.

[hikari-no-yume]

Solving this would appear to be relatively easy. Paperclip actually has built-in support for URL obfuscation. So we only need to edit /app/models/media_attachment.rb and insert this after line 13:

                    url: "/system/:class/:attachment/:id_partition/:style/:hash.:extension",
                    hash_secret: Rails.env.development? ? "foobar" : ENV["PAPERCLIP_SECRET"]

This works great. Now all the new attachment URLs are obfuscated. I'm not sure if it works properly in “production” mode, but it does in development.

However, there's a catch: apparently, this change is retrospective and now it looks at that URL for existing media. That media didn't use the same URL format, so you get a 404. That's pretty bad.

I'm not sure how to fix this. One way would be to perform a migration wherein all existing media is renamed, but that would break links from federated sites. Or, perhaps there's a way to make Paperclip use two different URL formats, one for old media, one for new media. But I don't know what that way would be.

:S

[alyssais]

There's a small amount of discussion on how to migrate in thoughtbot/paperclip#416 (comment).

[hikari-no-yume]

Oh, that's interesting. Solution might be to make MediaAttachment into, say, LegacyMediaAttachment or something, and have a new MediaAttachment with the new code.

[hikari-no-yume]

We'd also need to touch the has_attached_file instances for avatars and headers.

[Gargron]

Migrating would mean transferring over 5GB of files back and forth over S3 so not an option (costly and ineffective). Perhaps there is a solution that renames the file a-priori in Paperclip

[hikari-no-yume]

That's what I'm currently working on, actually ^^

[hikari-no-yume]

Done: https://github.com/Gargron/mastodon/pull/242

Hacky, but it works great.

[hikari-no-yume]

This is obvious, but it bears pointing out: If that's merged, bear in mind it's a workaround to avoid migration. Any future uses of has_attached_file should do things the proper way.