rejetto forum

Messages - Mars

16
Bug reports / Re: Possible vulnerability
« on: December 11, 2021, 09:46:00 PM »
if you are using one of the latest versions the remote use of macros by a user using a url is automatically detected and made harmless.
https://rejetto.com/forum/index.php?topic=11758.msg1061386#msg1061386

the other vulnerability exploit that was resolved quickly was the null byte injection
https://rejetto.com/forum/index.php?topic=11619.msg1064421#msg1064421

I can no longer remember where and in what way these two types of attack are detected in the sources of hfs but it is certain that if your version is up to date there is no more risk when a remote user performs such attempts

17
it may depend on several factors:
1) make sure that the mobile phone is well connected in wifi on the local network and not on the 3G-4G-5G network, otherwise it is necessary to set up an external routing
2) with HFS in standard mode, the phone browser must be able to display the home page, if necessary try another browser
3) in all circumstances, in the event of problems, use the IP address of the computer on the local network as the connection url and not the DNS name used for external connections

18
HTML & templates / Re: About "hits"
« on: October 17, 2021, 12:56:00 AM »
attach your hfs.tpl in a new post

19
Bug reports / Re: False errors on upload
« on: September 17, 2021, 11:15:34 PM »
Appears for one of the following reasons:

when sending each file with the method that was used for it
- the logged in user does not have write rights to upload file in the folder
- the user and the password used do not correspond to the values of a registered account

20
Everything else / Re: I can't change the website to English.
« on: August 03, 2021, 11:22:27 PM »
just indicate the country in the paypal url before /home as in the examples below

https://www.paypal.com/uk/home

https://www.paypal.com/it/home

https://www.paypal.com/de/home

https://www.paypal.com/es/home

21
HFS ~ HTTP File Server / Re: "username not found"
« on: May 11, 2021, 02:40:22 PM »
"user/password for each folder" is an old protection technique implemented during the first versions of HFS, it is preferable to use accounts as much as possible

22
if only one particular ip should be able to access the folder, add something similar in the diff template of the folder properties

either by using a forced disconnection
Code:
[+]
{.if|{.=|%ip%|127.0.0.1.}|{:{.disconnect.}:}.}

or even better by using a redirect which gives the user the impression of an invalid link

Code:
[+]
{.if|{.=|%ip%|127.0.0.1.}|{:{.redirect|../ .}:}.}


replace 127.0.0.1 by the allowed ip


a more concrete example is to only give access to a specific user without going through permissions

Code:
[+]
{.if|{.!=|%user%|Tsuna.}|{:{.redirect|../ .}:}.}


note the difference in use between  {.!=|    and  {.=|  , difference or equal usage

23
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 28, 2021, 05:43:39 PM »
Are there some per ip-specific measurements?

no

How to make global variable apply to only 1 ip? 

a variable is defined by its name which can include letters or numbers and preceded by # to become a global variable
just include %ip% in the name

{.set|#flag_%ip%| ....   .}

global variables only exist while hfs is running


24
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 13, 2021, 11:41:19 AM »
you must analyze the url which is sent by the path variable and check its validity by eliminating the non-existent parts or use a fallback url like the use with newurl in the following

[not found]
{.set|newurl|/.}
{.add header|Cache-Control: no-cache, max-age=0.}
{.redirect|/~404?path={.if|{.exists|%url%.}|{:{.encodeuri|{.filepath|%url%.}.}:}|{:{.^newurl.}:}.}.}

the problem is that in section 404, the url is not that of the containing directory but that of the requested file "return to previous page" does not correspond to %url% as for [max contemp downloads]

use macro {. add to log | ..what you need to see.. .} in various places to control the transmitted data and more easily determine why you are having inconsistencies in the operation of your scripts

25
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 05, 2021, 08:42:24 PM »
{.set | #frompath | %encoded-folder%.} cannot work because [max contemp downloads] is served as a new page from root and at this point the session is no longer the original page then %encoded-folder% returns / because some %var% are not defined, on the other hand I came across %url% which is the link of the loaded file that allows to deduce the original path

you can either use a global variable but which risks being changed by another user in the same situation or an url variable which will be valid only for the right recipient

Code:
[max contemp downloads]
{.add header|Cache-Control: no-cache, max-age=0.}
{.set|#frompath|{.encodeuri|%url%.}.}
{.redirect|/~server%20is%20busy?path={.encodeuri|{.filepath|%url%.}.}.}

[server is busy|public]
{.set|backpath|{.decodeuri|{.urlvar|path.}.}.}
<!DOCTYPE html><html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<META HTTP-EQUIV="Refresh" CONTENT="3;URL={.^backpath.}">
<TITLE>Busy</TITLE>
<link rel="icon" href="data:,"></head>
<body bgcolor="black" text="white" alink="white" link="white" vlink="white"><center><h2><br>Server is busy.</h2>Returning to previous page...</center>
</body></html>
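
Because `[server is busy|public]` is reached through a URL, the `path` value can be anything a client sends, so it is worth checking before it lands in the Refresh tag. The check below is an added example in Python, not part of the original post or of HFS; the function names, the `/` fallback and the sample inputs are assumptions made for illustration.

```python
import html
from urllib.parse import unquote, urlsplit

FALLBACK = "/"  # assumed fallback target (the site root)


def safe_backpath(raw_path: str) -> str:
    """Return a same-site absolute path, or FALLBACK for anything else."""
    # One decode pass, modelling {.decodeuri|{.urlvar|path.}.}
    path = unquote(raw_path)
    # Control characters (CR, LF, NUL, ...) never belong in a redirect target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return FALLBACK
    # Must be rooted at "/". Browsers read "\" as "/", so "//host" and
    # "/\host" both point off-site and are refused.
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        return FALLBACK
    parts = urlsplit(path)
    if parts.scheme or parts.netloc:
        return FALLBACK
    return path


def refresh_tag(raw_path: str, delay: int = 3) -> str:
    """Build the meta refresh with the target escaped for an HTML attribute."""
    target = html.escape(safe_backpath(raw_path), quote=True)
    return f'<meta http-equiv="Refresh" content="{delay};URL={target}">'


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request.
    for sample in ("%2Fmusic%2Flive%20sets%2F", "//example.test/x",
                   "https%3A%2F%2Fexample.test%2F", '/a"><b'):
        print(repr(sample), "->", refresh_tag(sample))
```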

26
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 05, 2021, 01:46:53 PM »
is this correct?   {.set|%encoded-folder%|#frompath.}

always  set | #variable | value

this variable will be initiated for all connections, if you plan to use it in an event, you should associate the ip and the name of the user to it in order to target the event

{.set|#frompath|%encoded-folder%;%ip%;%user%;.}

and separate the different fields in the event zone or the section considered
it may seem like a long process, but there is no simplified macro to do this kind of manipulation

this is an example you can verify in menu  > debug > run script

Quote
{.set|#frompath|http://127.0.0.1/test;127.0.0.255;MyName;Private message to the user;/set.}
Start = "{.^#frompath.}"

{.comment|Use script only from here.}

{.set|frompath|{.substring||;|{.^#frompath.}/substring.}/set.}
frompath = "{.^frompath.}"

{.set|#frompath|{.replace|{.^frompath.};||{.^#frompath.}/replace.}/set.}
{.set|ip|{.substring||;|{.^#frompath.}/substring.}/set.}
ip = "{.^ip.}"

{.set|#frompath|{.replace|{.^ip.};||{.^#frompath.}/replace.}/set.}
{.set|user|{.substring||;|{.^#frompath.}/substring.}/set.}
user = "{.^user.}"

{.set|#frompath|{.replace|{.^user.};||{.^#frompath.}/replace.}/set.}
{.set|reply|{.substring||;|{.^#frompath.}/substring.}/set.}
reply = "{.^reply.}"

{.set|#frompath|{.replace|{.^reply.};||{.^#frompath.}/replace.}/set.}
Final = "{.^#frompath.}"

result gives
 
Quote
Start = "http://127.0.0.1/test;127.0.0.255;MyName;Private message to the user;"

frompath = "http://127.0.0.1/test"
ip = "127.0.0.255"
user = "MyName"
reply = "Private message to the user"

Final = ""

everything is based only on the manipulation of the chains

another form of use if the number of elements is not known in advance

Quote
{.set|sep|;.}
{.set|#frompath|http://127.0.0.1/test{.^sep.}127.0.0.255{.^sep.}MyName{.^sep.}Private message to the user{.^sep.}/set.}

Start = "{.^#frompath.}"
{.set|tot|{.count substring|{.^sep.}|{.^#frompath.}.}/set.}
{.set|#nb|{.^tot.}.}

{.while| #nb | {:
{.set|tab[{.^#nb.}]|{.substring||{.^sep.}|{.^#frompath.}/substring.}/set.} {.set|#frompath|{.replace|{.^tab[{.^#nb.}].}{.^sep.}||{.^#frompath.}/replace.}/set.} {.dec|#nb.}
:}/while.}
total items = {.^tot.}
{.for|x|{.^tot.}|1|-1|{:
tab[{.^x.}] = {.^tab[{.^x.}].}:}/for.}

Quote
Start = "http://127.0.0.1/test;127.0.0.255;MyName;Private message to the user;"
 
total items = 4

tab[4] = http://127.0.0.1/test
tab[3] = 127.0.0.255
tab[2] = MyName
tab[1] = Private message to the user

or to have it in the real order

Quote
{.set|sep|;.}
{.set|#frompath|http://127.0.0.1/test{.^sep.}127.0.0.255{.^sep.}MyName{.^sep.}Private message to the user{.^sep.}/set.}
Start = "{.^#frompath.}"
{.set|tot|{.count substring|{.^sep.}|{.^#frompath.}.}/set.}
{.set|#nb|{.^tot.}.}
{.while| #nb | {:
{.set|idx|{.calc|{.^tot.}-{.^#nb.}+1.}/set.}
{.set|tab[{.^idx.}]|{.substring||{.^sep.}|{.^#frompath.}/substring.}/set.}
{.set|#frompath|{.replace|{.^tab[{.^idx.}].}{.^sep.}||{.^#frompath.}/replace.}/set.}
{.dec|#nb.}
:}/while.}
total items = {.^tot.}
{.for|x|1|{.^tot.}|{:
tab[{.^x.}] = {.^tab[{.^x.}].}:}/for.}

Quote
Start = "http://127.0.0.1/test;127.0.0.255;MyName;Private message to the user;"

total items = 4

tab[1] = http://127.0.0.1/test
tab[2] = 127.0.0.255
tab[3] = MyName
tab[4] = Private message to the user

tab[x] is not a real array but a series of variables with different names "tab" + "[" + x + "]"
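
A Python model of the "real order" loop above, added here as an example and not part of the original post. It assumes `{.replace.}` removes every occurrence of its search string (as `str.replace` does) and that `{.substring.}` returns the whole text when the separator is absent; under those assumptions a field whose text recurs at the end of a later field damages that later field, so a prefix-only variant is shown beside it.

```python
def split_like_post(record: str, sep: str = ";") -> list[str]:
    """Model of the macro loop: read up to the first sep, then delete
    "<field><sep>" from the record with a global replace."""
    total = record.count(sep)            # {.count substring|sep|record.}
    fields = []
    for _ in range(total):
        field = record.split(sep, 1)[0]  # {.substring||sep|record.}
        fields.append(field)
        # Assumption: every occurrence is removed, not only the leading one.
        record = record.replace(field + sep, "")
    return fields


def split_prefix_only(record: str, sep: str = ";") -> list[str]:
    """Same walk, but only the leading "<field><sep>" is consumed."""
    fields = []
    while sep in record:
        field, record = record.split(sep, 1)
        fields.append(field)
    return fields


# The record used in the post.
POST_RECORD = ("http://127.0.0.1/test;127.0.0.255;MyName;"
               "Private message to the user;")
# Constructed record: the user field "bob" recurs at the end of the message.
RECURRING = "/docs;10.0.0.5;bob;hello bob;"

if __name__ == "__main__":
    for rec in (POST_RECORD, RECURRING):
        print(split_like_post(rec))
        print(split_prefix_only(rec))
```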

27
Programmers corner / Re: Template/events for QOS or traffic shaping.
« on: April 03, 2021, 01:40:03 PM »
under normal conditions if a download is interrupted the server sends the client a response with Not served: 503 - Overload, this is what should be reproduced instead of performing a sudden disconnection, perhaps a special section with a macro add header, I don't know more, on the other hand there is an event [download] but I don't know how to manage it
you have to look at the list of working variables even if it means creating variables {.set|#var1.} in the sections of the template to reuse them in the event as {.^var1.}

28
Everything else / Re: permission
« on: March 30, 2021, 11:05:09 AM »
Thanks Mars! 

Good to know that the feature was already built-in.

This is what happens when we skip school during basic HFS lessons, we don't know how it works,
the next time you start again you will be deprived of dessert for 1 week  ;D ;D

29
Everything else / Re: permission
« on: March 28, 2021, 08:56:09 PM »
Forget what Danny says,

 it's not the right way to always want to put everything in the template or in events or to use javascript,

 hfs already has a large amount of technical possibilities to satisfy a lot of situations

1) your folder must first be added to VFS as real folder

2) right click on it to access its properties on the "FLAGS" tab

3) check browsable and no download

4) go to the "PERMISSIONS" tab, then the "UPLOAD" sub-tab and check Anyone if you accept that anyone can upload a file in the directory, otherwise check "Any account" if you want only logged in people to be able to upload

5) to allow you to keep management access, go to the "DELETE" sub-tab and check your username, this will give you additional command buttons on the web page

as it is, the contents of the directory will be visible to any user, this amounts to the same if in the "ACCESS" sub-tab is checked "Anyone", otherwise in this tab by checking "Any account", only authenticated users will be able to see the contents

30
Bug reports / Re: user account login
« on: March 25, 2021, 09:40:23 PM »
this behavior is completely normal, everything is accessible as long as no protection policy is in place,

unless you really want to share sensitive data with the rest of the world, it is unconscious to open an external port without having first set up a minimum of security

start by creating a personal user account and protecting each element of the VFS tree structure,

depending on the listening port used or all of them, you can test the web content using the address 127.0.0.1 in the browser on the pc, or its ip address on the local network,

to connect to the internet address, it is necessary to use another provider

these links do not reflect all the possibilities and latest version of hfs, but it can help to start your server

http://rejetto.com/wiki/index.php?title=First_time_configuration

http://rejetto.com/forum/index.php?topic=1939.0
