rejetto forum

Messages - danny

1
Speedup: 
locate hfs23-K-patched3.zip and you can test it out. 
http://software.run.place
It is running that same copy of HFS2.3K, with the macros on.

Thanks to Leo for help in bypassing the always-on limiters, and this prevents freezes.  Also, I raised the console TTL so the UI stays responsive. 

 Edit:  For round 3, more compatibility with custom templates:  Thanks to Leo for updated code that blocks hfs-specific attack, in the .exe, without reliance on any particular template.  So, you can use any template that you want to.

2
For the patched version of HFS2.3K, I've added many layers of defense. . . and might have solved/reduced the gigabit freeze problem.
http://software.run.place
locate hfs23-K-patched.zip and you can test it out. 
The site to download it is running that same copy of HFS2.3K, with the macros on.

3
There is a vulnerability in HFS 2.3 and 2.4 that allows remote code execution if the 'macro' feature is on.  So...

Stripes 5 shuts off macros at first run, to secure.
Stripes 5 is designed to run without macros.
HFS 2.3 doesn't require macros for login.

4
The new files are available at Post#1

There is a vulnerability in HFS 2.3 and 2.4 that allows remote code execution if the 'macro' feature is on.  So...

Throwback 15 shuts off macros at first run, to secure.
Throwback 15 is designed to run without macros. 
HFS 2.3 doesn't require macros for login.

5
HFS ~ HTTP File Server / HFS v2.x severe vulnerability patched
« on: July 02, 2025, 04:30:29 PM »
Hi Leo!  Thanks for the reply.  Thanks for the compiling guide! 

Patched edition available at http://software.run.place
Macros are disabled.  New Throwback15 template added.

Is there a way to do New Folder with macros off? 


6
Edit:  Here is an approach with Auto-Ban.   This will not catch everything--keep scrolling, several posts further down.
in hfs.events (alt+f6)
[+request]
{.if|{.match|*filter=*.exec*;*search=*.exec*;*.exec*;*%host%*;*_host_*;*cmd.exe*;*&cmd=*;*powershell+*;*/wp-includes/*|%url%.}|{:
{.set|n|{.from table|#tries|%ip%.}.}{.inc|n.}{.set table|#tries|%ip%={.^n.}.}
{.if|{.{.^n.} > 0.}|{:
{.set ini|ban-list={.no pipe|{.from table|#ini|ban-list.}%ip%#AutoBan {.time.}.}.}{.set table|#tries|%ip%=0.}
:}/if.}
{.disconnect.}{.add to log|%ip% %user% BANNED FOR POSSIBLE SECURITY THREAT.}:}.}
Note:  This is possibly useful in combination with the TINYWALL firewall project, an egress blocking firewall, whereby you'd let through (allow) your web browser, HFS (possibly unblock lan), and very little else.  Newer version or there is also older version (for older server).
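
The matching and ban-on-first-hit logic of the events script in the post above, replayed offline in Python over constructed requests. This is an added example, not part of the original post or of HFS; the case-insensitive comparison and the percent-decoding step are assumptions of the example that go beyond the script, and `matched_pattern`, `scan` and the sample data are hypothetical names.

```python
import fnmatch
from collections import defaultdict
from urllib.parse import unquote

# Wildcard list copied from the {.match|...} call in the post, treated as literal text.
PATTERNS = [
    "*filter=*.exec*", "*search=*.exec*", "*.exec*", "*%host%*", "*_host_*",
    "*cmd.exe*", "*&cmd=*", "*powershell+*", "*/wp-includes/*",
]
BAN_AFTER = 0  # the post bans when the per-IP counter is > 0, i.e. on the first hit


def matched_pattern(url):
    """Return the first listed pattern that matches the URL, or None."""
    # Assumption of this example: compare case-insensitively, raw and percent-decoded.
    forms = {url.lower(), unquote(url).lower()}
    for pattern in PATTERNS:
        if any(fnmatch.fnmatchcase(form, pattern) for form in forms):
            return pattern
    return None


def scan(requests):
    """Replay (ip, url) pairs; return ({banned ip: pattern}, [served requests])."""
    tries = defaultdict(int)
    banned, served = {}, []
    for ip, url in requests:
        if ip in banned:
            continue  # already on the ban list, nothing more is served
        pattern = matched_pattern(url)
        if pattern is None:
            served.append((ip, url))
            continue
        tries[ip] += 1  # same role as the #tries table in the post
        if tries[ip] > BAN_AFTER:
            banned[ip] = pattern
    return banned, served


# Constructed sample requests (documentation-range addresses, made-up paths).
SAMPLE = [
    ("192.0.2.10", "/"),
    ("198.51.100.7", "/wp-includes/wlwmanifest.xml"),
    ("198.51.100.7", "/"),
    ("203.0.113.5", "/?q=cmd%2Eexe"),
    ("192.0.2.44", "/share/my_host_list.txt"),
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

In the sample, `/share/my_host_list.txt` is banned by `*_host_*` on its first request, which shows how a broad wildcard combined with a zero threshold can lock out an ordinary visitor.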

7
Beta / Re: version 2.4
« on: October 27, 2022, 11:07:51 PM »
. . . it just stops taking new connections, switching the server off and then on fixes it, i couldn't find why this happens and had to resort to run a script that checks 24x7 if hfs is not accepting downloads and kills it and runs it again.
Do you use the Watchcat2 script? https://rejetto.com/forum/index.php?action=dlattach;topic=12055.0;attach=9809

The stuck/off server is made worse by running limits (hfs menu > limits) that make HFS get more busy and stuck more often.
The Worst is Speed limit.  Instead of HFS speed limit, you could spend 3 dollars on a 100 megabit USB2 adapter, assign it a fixed address and assign HFS to the megabit>USB adapter's ip address.   If you were to accidentally get a gigabit adapter, (and therefore get stuck), just go to properties of the network adapter and manually set 100-half.  This also applies to single-thread versions of most web servers. 

Upload and download at the same time will probably get stuck if the connection speed is high.  Perhaps a clever programmer could figure out complete lockout/tagout logic to thoroughly prevent simultaneous uploads+downloads?  The problem is not severe at 100megabit and lower speeds.

Edit: HFS2.4 RC7 has 'archive-only-selected' for overload protection; however, earlier versions can try to download the entire server with just one click on the archive button (stuck in 1 click).  Possible fixes include search and disable the recursive function. . . Or switch to the RC7 template or takeback or throwback or stripes.  Since the archive feature makes .tar files that the user doesn't want, removing the archive button is an option. 

EDIT:  See HFS 3 https://github.com/rejetto/hfs

8
HFS ~ HTTP File Server / Re: a new beginning...
« on: January 14, 2022, 02:45:11 PM »
...It's not even a problem of "it's hard to edit it" because you almost CAN'T do it. You are not supposed to, because it's against the kind of technology used there. That's why I'm trying to do the job through plugins.
Editing the template was a big plus of HFS2, but also a huge problem...with consequences on functionality...
I think that the plugins method in HFS3 is a great improvement.

Comparison, I think:
HFS2x standalone templates = get the new feature you wanted but lose 3 more, or
HFS3x plugins = get the new feature you wanted, without losing other features. 

That is a lot different.  Thanks!!


9
HTML & templates / Re: Stripes, the template for simple and easy.
« on: January 14, 2022, 02:08:16 PM »
What happened with Stripes4.6c_Black
The dark theme was anti-purpose; because Stripes is supposed to be a professional-looking clear clean easy view. 
It was also difficult to update 4 separate files.  For more options, on Line 5 is body{background:#E6EBFA where you could edit for any background...

10
HTML & templates / Re: About "hits"
« on: January 13, 2022, 09:12:15 PM »
nice suggestion,  i will consider unicode icons as a fallback
It is the way. 
🐈

11
HTML & templates / Re: Stripes, the template for simple and easy
« on: January 13, 2022, 07:49:08 PM »
If you wanted to streamline/speed one folder (such as a Public/Guest folder or enormous/unorganized folder), you can so easily rename the Stripes template file to hfs.diff.tpl (if your Windows is not set to show .extensions then rename the template to hfs.diff); and then, save it into that particularly needy folder. 
This idea works even if the majority of your server didn't use Stripes.

12
HFS ~ HTTP File Server / Re: a new beginning...
« on: January 13, 2022, 06:11:47 PM »
can you tell me what is "server management menu" that you want to hide? i still fail to see

Just need a simple/grandma view, with much smaller-size simpler menu for guest/public.
Would also be good if 'simpleview' could be a user/folder rights flag option (and the default for guest/public). 

The default template has what I want to see; however, it may confuse my grandma/son/brother/guests too, because they don't own servers.  It is because of the purpose-difference:  I might like to manage the server; however, they might just want files/content.   So, there are 2 different purposes and thus a need for 2 different views.

13
HFS ~ HTTP File Server / Re: a new beginning...
« on: January 13, 2022, 05:51:52 PM »
i don't know if you saw the new template, but is very similar to the one of hfs 2.4 . Is that simple enough? if negative, could you tell me what you would like to see removed?
Not simple enough for file server.  Because most users don't need to see server management menu. 
So, not really stuff to remove; but, there is stuff to Hide (to clear/clean the view, for the majority of users). 
 
The need is for a switchable view: 
Simple-Grandma mode (like Stripes), in light colors
Server-Manager mode (like hfs2.4),  in dark colors
. . . and default public/guest to use simple-grandma mode (it is right to use the Login button for mode/view switch). 

Per circa 1999 Orangebook and in regard to the Zenworks security module, the original background-color view switch was lightblue for basic users, darkblue for printer/backup manager, darkred for Administrator and lightgreen for inspector (business owner could see all but not accidentally disable the server). . . At login, the desktop icons as well as the program menu options would populate (or de-populate) to fit the user's access/experience level. 
Today, I think that can be translated into lightblue (colors like twitter, facebook, openmediavault, Stripes.tpl) for basic users, and then a dark theme for server managers. 

An example of menu for simple-grandma mode: 
HFS File Server
[sort][................................searchbox.............................][login]
A small thin menu, so that basic users (especially guest/public) are more likely to notice the file-listing/content, primarily. 

14
HTML & templates / Re: About "hits"
« on: January 13, 2022, 03:20:24 PM »
...Now struggling with adding an icon from Font Awesome. :-) ...
Alternatively, you can use a unicode icon, which is most efficient anyway (because it already exists at the client's browser).  The 6-digit versions are usually in full color.  🎥 

In order from best to worst:
1. Unicode icons (best--no shipping charge)
2. Fonts (costs a little bandwidth to send them)
3. Base64 encoded icon (very colorful icon is too big, but 16-color icon is okay)
4. Icon files (worst and slowest, because each file makes a separate trip).

Instead of storing the template as an ANSI encoded file, you can use UTF-8, which is editable with the Notepad++ open source editor; and a UTF-8 file can store emojis so much easier, just copy and paste from https://emojipedia.org/   Microsoft Notepad won't do; so, you'd need this:  https://notepad-plus-plus.org/  (click the Encoding menu) and save your icons directly in the template. 😺

15
HFS ~ HTTP File Server / Re: a new beginning...
« on: January 13, 2022, 03:02:13 PM »
Because somebody probably will use this on Gigabit,

I'd like a rights flag "SimpleView"
so that if "SimpleView" is assigned to a user, they would see a view that looks 'easier' like Stripes.tpl
. . . because not many users need to manage the server. . .  The majority just wanted files/content.
P.S. 
A "SimpleView" flag assigned to a folder or guest, could be very useful for public content.   
Not only for appearance, but also because a simple view can be ~5x more robust for high traffic.
P.P.S.
Additional request:  WatchDog feature included (to restart the server app, just in case it went unresponsive for x minutes).
