Oddbean
 So this would require no authentication from the Blossom server owner at all? I can indirectly transfer any temporarily saved files on cdn.satellite.earth to your Blossom server, and use your server to serve the files. There are considerable risks involved. 
Yes, I was thinking about that too, it can be even worse if there is some way to do some remote code execution, and it would be very easy to infect a machine, so for example I can upload some malicious file to my blossom server and then make other servers pull it from mine... But if I'm not mistaken the only way to deal with this would be to not set any relay or cdn for discoverability of files, but this will also limit/kill the usability of the server... Maybe @hzrd149 can enlighten us more
Discovering and downloading (or streaming) blobs from other servers isn't part of the blossom spec but it's something I added to my blossom-server implementation
By default the example config has it set up to check cdn.satellite.earth and nostr 1063 events to find blobs, but if you want you can turn it off in the config https://github.com/hzrd149/blossom-server/blob/master/config.example.yml#L15-L30

I don't know if there are any security implications of downloading a blob, but it's possible an attacker could flood a server by asking it to download everything from another server
 
This feature definitely makes sense, but requires more security. For example, a signed event would be required to allow files to be discovered and saved through other servers. 
Aaa I see, my bad, I was thinking that was part of the spec 😅