lgommans / dro.pm Goto Github PK

Hi,

I really like your website and I use it all the time in my class. Often I share a link on the big screen with them and it would be really cool and handy if they could also just scan a big QR code instead of typing in dro.pm/X (which they often misspell by the way:))

Got a well-written user report about not being able to download a file. Upon investigation (luckily I saw the report before the link expired), it turned out that the serialized data in the database contains a non-ASCII character. Browsers act weird, but with curl -v it can be seen that the connection is prematurely closed.

If I recall correctly in the past it was possible to upload files and have it shortlinked. There was an file
upload button but it is disappeared / not visible. I tried on latest FF and Chrome and Edge.
Is this on purpose? I really liked the feature.

The short link dro.pm/o was generated although generated short links shouldn't contain any of 1 i 0 o.

Screenshot:

When the following payload is entered in the short link generator, a PHP warning shows up:

https://google.com/
X-example: test

The newline (\n, %0A) should be replaced by a carriage return (\r, %0D) in a program like BurpSuite for this to work.

Newline and carriage return characters should be filtered before being passed to the PHP header() function. Newlines are already being filtered out, but carriage returns not.

Here is the POST body:
https%3A%2F%2Fgoogle.com%2F%0AX-example%3A%20test

https://developer.chrome.com/articles/web-share-target/

Seems useful. Should check what the requirements are for being a PWA. Does it just require hosting a manifest somewhere that specifies the HTML to use and some API endpoints to use for submitting that share thing?

I've long been wanting a proper app to share with, a crappy version of which is in this repository, and this seems like a good and potentially trivial way to get there

Hi!

To prevent others from stumbling upon my content, I use the 'delete' option a lot. However, I believe this immediately frees the url for others to use, which could lead to someone being redirected somewhere I didn't intend. Perhaps it would be possible to occupy the url for an x amount of hours; before releasing it for re-use.

What do you think?

See https://transfer.archivete.am

A picture says more than a thousand words:

Issue is that the newly entered custom url is not valid until the textbox used for entering content is touched. Also shouldn't this action invalidate the old url (dro.pm/e in this example)? Otherwise you'd still end up with a copy of the content that could be easily found by others.