I'm just finishing up on the preset sharing feature, and I'm seriously wrestling with the security implications. It is always dangerous whenever you let people upload arbitrary stuff onto your server. But that's not even my main concern, I can code around those security issues. The problem is when you guys download it!
It's Not Me, It's You
I'm 99.9% sure I can keep people from hacking the site through the preset uploads, but I have zero ways of preventing people from uploading malicious shit that could hack you. Okay, not quite zero, I can prevent people uploading .exe and .dmg files.
But there are hundreds of apps with their own unique way of handling presets. I can't just say "only allow files of this type" because there are just too many different types. Maintaining a list of filetypes used by every app is impossible.
So when you download a file from here, I cannot begin to guarantee that it will work or even that it won't brick your devices. Now this might not come up, and no one will ever abuse the system, but you don't design a system on hope.
The best I can come up with is either limiting uploads to select users, like Patrons, or have a free-for-all with a reporting system. I'm disinclined to limit it to Patrons, because I worry that this is going to dramatically limit the amount of people sharing on the site. Over 3,000 people come to the site every day, and only about 50 of you are Patrons. I doubt very much that anyone who wants to give away free presets is going to want to give me money for the privilege. I know Apple and Google expect you to pay them license fees to "sell" free apps, but I don't think I can pull that off.
There's a whole reporting system on comments that has been in there since day one of discchord v3. I don't know if you know that or not, because in the 10 months the site has been running on discchord v3 you guys have reported exactly 0 comments. If you're logged into the site you'll see a little exclamation mark in a triangle below every comment.
The system keeps nearly all the spam out, so there haven't been a lot of opportunities for you guys to report things. However, there have been some comments that were sketchy or xenophobic... yet no one reported them. This makes me worried about relying on reports to alert me about potentially harmful files being distributed from the site.
Help Me, Help You
I will be putting up legal disclaimers left and right, but that only covers my ass and not yours. I'm interested in hearing your thoughts on the subject and how you'd like me to insure your devices stay safe. Once again: this is probably irrelevant, and no one will ever abuse the system, but I have anxiety so I'm really good at thinking about security and insecurity. Right now I'm toying with the idea of a hybrid system; where Patrons can upload freely, but non-Patrons have to jump through some hoops to upload.
I'd also like to hear from anyone that has found the comment reporting Easter Egg. That shit was hilarious to me when I made it, but I don't think anyone's found it yet. There's all sorts of Easter Eggs in here for hackers too. Try sending weird POST messages at my API and it warns you off with goofy messages.