I run 0807, a small self-hosted file host. Drop a file, get a short link, and choose when it disappears.
What it does:
- No account, no ads, no trackers
- Auto-delete by time (1 hour up to 30 days, or never) or after a set number of downloads
- Optional password protection on files and on text notes
- Files up to 20 GB, with 16 TB of storage behind it
- Reachable over Tor through an onion service
- Text notes with the same self-destruct and password options
- A few file types are blocked for safety (exe, bat, scripts, and similar)
PS: there is no end-to-end encryption, and that is deliberate. The server can read what is stored.
I want to be able to take illegal uploads down when they get reported, CSAM in particular.
End-to-end encryption would make the server blind to its own contents, which is great for privacy but would also stop me from acting on those reports.
If you need real secrecy, encrypt the file before you upload it. The password option is there for casual privacy (not as protection from me or from whoever might get into the server.)
The code is open, and I host it the same way I host the files, on my own server instead of HERE .
You can read it, propose a change, or open an issue there, no account needed
Happy to answer questions about the setup or take feedback.
Thank you for making this!
Do youbkeep in touch with the other folks who run cool filehosts? The only other one i know like this is catbox, but it is a similar vibe.
I want to be able to take illegal uploads down when they get reported
never underestimate how fucked up the internet can be, and how quickly they can ruin things.
For filehosts probably at least 90% of all uploads are illegal if you ask a copyright lawyer. 🥴 But that’s mostly just people sharing culture.
Of course damn CSAM is a different (and actual) kind of issue and plain awful to deal with. If I remember correctly some organisation from the US provides a free list of checksums of known crap that’s circulating to automatically check media file signatures against, I think that’s the first thing I’d look for to have some baseline defense against those disgusting fucks. Or (depending on your jurisdiction) even be compatible with the law for public hosting services.
Better use Tor & a trustworthy search engine when looking for infos how to implement such an upload filter, I wouldn’t trust automated systems from Google to not misinterpret your intention with these topics.
Doesn’t allow exe files
Introducing my totally real image called calc.jpg that is totally not a pe file with a different extension!
Anyway, prepare to have your file hoster be used to host malware payloads
I was thinking surely it doesn’t just look at the extension and instead uses the mime type at the backend… After looking for a minute (on mobile) I think thats what it does.
process.env.BLOCKED_EXT === undefined ? ‘exe,bat,cmd,com,scr,msi,vbs,ps1,sh,jar’ : process.env.BLOCKED_EXT)
You read it right, BLOCKED_EXT is just an extension list and renaming walks straight past it. But that list was never the malware check, it only stops someone uploading payload.exe
Mime sniffing wouldn’t have caught it either, since that value rides along in the request and a renamed upload just lies about it.
The actual defense is ClamAV, same file if you grep clamScan and CLAMAV_SCAN, and it reads what’s inside the file instead of the name. I tried the calc.jpg trick for real, an EICAR test renamed to calc.jpg sent as image/jpeg, and the upload came back refused.
Clamav is woefully behind on definitions, just be aware of that.
Hey, hey, hey! Welcome back @0807.! You’ve made some changes, polished it up a bit, made it selfhostable. Awesome! I could see this being used ‘inhouse’. I’m wouldn’t be comfortable exposing this to the general public tho, for obvious reasons. The internet can be a very beneficial tool, but at the same time be a filthy, rotten, cespool. I’d rather not get dirty. I have bookmarked the source files at https://src.0807.st/, and dropped it in my projects folder. Thanks again for sharing your project.
Is the name of the service a reference to anything?
What happens if you run out of space because of too many uploads that are set to never expire?
(Also it’s neat! Thanks!)
Hello, yes, the name refers to the webtoon (08/07). It’s an anthology of horror stories. https://www.webtoons.com/en/canvas/0807/list?title_no=848743
As for the stored files whose retention period is set to never they do indeed remain online I monitor their status rather than letting them accumulate unchecked.
There is a configurable storage limit and once it’s reached, the server blocks any new uploads instead of silently deleting or overwriting existing files.
There’s also an (optional cleanup feature) for files that haven’t been used in a long time, which I can enable if I ever run out of space.
With 16 TB, I have plenty of leeway and since I manage the server myself I can add disks or sort through the files manually if necessary. No files without an expiration date are automatically deleted.
And thanks I’m glad you like it :)
Do you mitigate potential abuse where someone deliberately tries to upload as much as they can as fast as possible?
