Monday 15 April 2024

Re: pastebinit default target on Ubuntu



On Tue, 16 Apr 2024 at 14:37, Steve Langasek <steve.langasek@ubuntu.com> wrote:
On Mon, Apr 15, 2024 at 04:42:37PM -0400, Stéphane Graber wrote:
> > And if there are issues with the usability of paste.ubuntu.com, uh, we own
> > that service?  So let's work with our IS team to make it fit for purpose.
> > (I don't know why it currently requires a login to *view* paste contents;
> > that seems straightforwardly a bug that we should just get sorted.)

> That's because pastebin servers are frequently abused as a way to get
> free mass storage.

> It's not very practical to require login to post to a pastebin as the
> whole point is for a tool like "pastebinit" to work without needing
> user configuration as it's commonly used as a debug tool on cloud
> instances and other random servers rather than a user's personal
> system.

> With that in mind, a bunch of folks noticed that you could abuse a
> service like paste.ubuntu.com by pushing large files (base64 encoded
> or the like) and then retrieve them with a very trivial amount of html
> parsing (if no raw option is offered directly).

> There are obviously alternatives to this, but they tend to require a
> bunch more server side logic, basically trying to find the right set
> of restrictions to both poster and reader so that legitimate users can
> use the service normally while abusers get sufficiently annoyed to
> stay away from it.

The current behavior of paste.ubuntu.com, and what I assumed was the driver
for moving away from this as a default, was that it requires a login to VIEW
the contents of the pastebin.  AFAICS this is not justifiable on the basis
of preventing abuse with illicit/illegal pastes; that's already addressed by
requiring login on the submission side.

I think the current behaviour is to require login for at least one of submission or view, so a paste created while logged in can be viewed anonymously and a paste created anonymously (e.g. by pastebinit, which I don't think supports logging in?) requires a login to view.

Cheers,
mwh
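As an added example, not code from this thread or from paste.ubuntu.com, here is the kind of server-side check the "free mass storage" discussion above points at: flag a large paste that is almost entirely base64 lines and decodes to high-entropy data, while leaving ordinary debug pastes alone. The sample pastes and the thresholds are constructed for illustration.

```python
import base64
import binascii
import math
import re
import textwrap
from collections import Counter

# Constructed samples, not pastes from the thread: a long but ordinary
# debug paste, and a bulk-storage style paste of base64-wrapped binary.
DEBUG_PASTE = "\n".join(
    f"[{i * 0.25:9.6f}] usb 1-{i}: new high-speed USB device number {i}"
    for i in range(80)
)
BLOB_PASTE = "\n".join(
    textwrap.wrap(base64.b64encode(bytes(range(256)) * 4).decode("ascii"), 76)
)

# A line made only of base64 alphabet, at least 60 characters, optional padding.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum((n / len(data)) * math.log2(n / len(data)) for n in counts.values())


def looks_like_storage_abuse(text: str, min_bytes: int = 1024,
                             b64_fraction: float = 0.9,
                             entropy_floor: float = 7.0) -> bool:
    """Heuristic for the pattern discussed above: a large paste made of base64
    lines whose decoded payload is high-entropy (binary, compressed or
    encrypted), i.e. a file being parked rather than text being shared."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(text.encode()) < min_bytes or not lines:
        return False  # small pastes are exactly what the service is for
    b64_lines = [ln for ln in lines if B64_LINE.match(ln)]
    if len(b64_lines) / len(lines) < b64_fraction:
        return False  # mostly ordinary text: logs, configs, tracebacks
    try:
        payload = base64.b64decode("".join(b64_lines), validate=True)
    except binascii.Error:
        return False  # base64-looking but not decodable; leave to other checks
    return shannon_entropy(payload) >= entropy_floor
```

A real deployment would use this as one signal alongside size limits and rate limiting, not as the sole gate, since legitimate pastes of certificates or small binaries also match.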