103
[Project] 0807 - a self-hosted ephemeral file host with no accounts and a Tor onion service (0807.st)
submitted 6 days ago* (last edited 6 days ago) by 0807@lemmy.world to c/selfhosted@lemmy.world
17 comments fedilink hide all child comments

I run 0807, a small self-hosted file host. Drop a file, get a short link, and choose when it disappears.

What it does:

  • No account, no ads, no trackers
  • Auto-delete by time (1 hour up to 30 days, or never) or after a set number of downloads
  • Optional password protection on files and on text notes
  • Files up to 20 GB, with 16 TB of storage behind it
  • Reachable over Tor through an onion service
  • Text notes with the same self-destruct and password options
  • A few file types are blocked for safety (exe, bat, scripts, and similar)

PS: there is no end-to-end encryption, and that is deliberate. The server can read what is stored.

I want to be able to take illegal uploads down when they get reported, CSAM in particular.

End-to-end encryption would make the server blind to its own contents, which is great for privacy but would also stop me from acting on those reports.

If you need real secrecy, encrypt the file before you upload it. The password option is there for casual privacy (not as protection from me or from whoever might get into the server.)

The code is open, and I host it the same way I host the files, on my own server instead of HERE .

You can read it, propose a change, or open an issue there, no account needed

Happy to answer questions about the setup or take feedback.

you are viewing a single comment's thread
view the rest of the comments
[-] Bombastic@sopuli.xyz 21 points 6 days ago* (last edited 6 days ago)

Doesn't allow exe files

Introducing my totally real image called calc.jpg that is totally not a pe file with a different extension!

Anyway, prepare to have your file hoster be used to host malware payloads

[-] Matty_r@programming.dev 9 points 6 days ago

I was thinking surely it doesn't just look at the extension and instead uses the mime type at the backend.. After looking for a minute (on mobile) I think thats what it does.

process.env.BLOCKED_EXT === undefined ? 'exe,bat,cmd,com,scr,msi,vbs,ps1,sh,jar' : process.env.BLOCKED_EXT)

[-] 0807@lemmy.world 9 points 6 days ago

You read it right, BLOCKED_EXT is just an extension list and renaming walks straight past it. But that list was never the malware check, it only stops someone uploading payload.exe

Mime sniffing wouldn't have caught it either, since that value rides along in the request and a renamed upload just lies about it.

The actual defense is ClamAV, same file if you grep clamScan and CLAMAV_SCAN, and it reads what's inside the file instead of the name. I tried the calc.jpg trick for real, an EICAR test renamed to calc.jpg sent as image/jpeg, and the upload came back refused.

[-] non_burglar@lemmy.world 9 points 6 days ago

Clamav is woefully behind on definitions, just be aware of that.

[-] xinayder@infosec.pub 3 points 5 days ago

you can install updated filters for it, though. Just check out fangfrisch.

[-] plutopos@lemmy.zip 1 points 5 days ago

Linux systems don't rely on extensions to tell a file's type afaik

this post was submitted on 18 Jun 2026
103 points (95.6% liked)

Selfhosted

60093 readers
751 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world