

Messages - skb

1
Thanks, Danny. I'm pretty sure the warning in this thread is just referring back to the issue patched in 2.3c. (Or, if it _is_ a real threat, there's no documentation of it provided. What do we need to do to test that we are still protected against this 2014 exploit? )

Quote
I'm fairly confident that if you add *.exe types to my filter, in addition to the js py and vbs, that a remote request just can't run those on the server
Ah, so that explains the problem I had with *.js, as parts of my template use Javascript. I will add *.exe as well, because I only use HFS to serve small (< 50KB) .csv input data files to some android devices, and then to accept the results (also *.csv) back from them.

2
FWIW, using Danny's script to disconnect on *.js requests seemed to break some of the buttons and controls on my template, but maybe it is just my quirky niche template.

I've added Danny's event with "*.js;" removed, but keeping the other types, and will see if it cuts down on log entries like the ones I posted above. However, it seems possible that those logs are generated by scripts that will just keep going through their lists of items to try, despite the disconnects.

3
Wait, is this actually a new report of this issue, or merely an old bug report being duplicated and resurfaced by a different "Security Provider", so, a false alarm? 

The CheckPoint page at https://www.checkpoint.com/defense/advisories/public/2019/cpai-2019-0748.html references the 2014 CVE report, which says it was patched in version 2.3c :  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287

I'm still going to try out Danny's filter. But, just because we disconnect them, I think they can still just try again. Not sure if it is more load for the server to send them a 404, or to process an event and disconnect.

4
Not sure if Danny's suggestion would solve the particular bug reported here, but it does seem like a good way to limit the "noise" of random GET requests that are fishing for vulnerabilities. E.g. my logs always have lots of crap like:
6/17/2019 2:21:39 AM 122.114.191.125 50639 Requested GET /help.php
6/17/2019 2:21:39 AM 122.114.191.125 50833 Requested GET /java.php
6/17/2019 2:21:43 AM 122.114.191.125 51098 Requested GET /_query.php
6/17/2019 2:21:43 AM 122.114.191.125 51361 Requested GET /test.php
6/17/2019 2:21:47 AM 122.114.191.125 51705 Requested GET /db_pma.php
6/17/2019 2:21:47 AM 122.114.191.125 51907 Requested GET /logon.php
6/17/2019 2:21:55 AM 122.114.191.125 52953 Requested GET /x.php
6/17/2019 2:21:59 AM 122.114.191.125 53179 Requested GET /htdocs.php
6/17/2019 2:22:27 AM 122.114.191.125 58081 Requested GET /desktop.ini.php
6/17/2019 2:22:31 AM 122.114.191.125 58606 Requested GET /lala.php
6/17/2019 2:22:35 AM 122.114.191.125 59500 Requested GET /t6nv.php
6/17/2019 2:22:36 AM 122.114.191.125 59661 Requested GET /muhstik.php

and etc.
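As an added illustration of the post above (example code, not from the poster and not part of HFS), here is a small detector that parses HFS 2.3-style log lines like the ones quoted and flags any client that requests several distinct paths with extensions the server never serves inside a short window. The probe-extension list mirrors the disconnect filter discussed in this thread minus *.js, which is an assumption; the two 192.0.2.10 lines are constructed as a legitimate-client negative case.

```python
import re
from collections import defaultdict
from datetime import datetime

# The twelve lines are the log lines quoted in the post above (HFS 2.3 default
# log format). The two 192.0.2.10 lines are constructed here to model a normal
# client fetching the .csv files this server actually serves.
SAMPLE_LOG = """\
6/17/2019 2:21:39 AM 122.114.191.125 50639 Requested GET /help.php
6/17/2019 2:21:39 AM 122.114.191.125 50833 Requested GET /java.php
6/17/2019 2:21:43 AM 122.114.191.125 51098 Requested GET /_query.php
6/17/2019 2:21:43 AM 122.114.191.125 51361 Requested GET /test.php
6/17/2019 2:21:47 AM 122.114.191.125 51705 Requested GET /db_pma.php
6/17/2019 2:21:47 AM 122.114.191.125 51907 Requested GET /logon.php
6/17/2019 2:21:55 AM 122.114.191.125 52953 Requested GET /x.php
6/17/2019 2:21:59 AM 122.114.191.125 53179 Requested GET /htdocs.php
6/17/2019 2:22:27 AM 122.114.191.125 58081 Requested GET /desktop.ini.php
6/17/2019 2:22:31 AM 122.114.191.125 58606 Requested GET /lala.php
6/17/2019 2:22:35 AM 122.114.191.125 59500 Requested GET /t6nv.php
6/17/2019 2:22:36 AM 122.114.191.125 59661 Requested GET /muhstik.php
6/17/2019 2:25:00 AM 192.0.2.10 41000 Requested GET /data/SCS_A01_10039.CSV
6/17/2019 2:25:03 AM 192.0.2.10 41001 Requested GET /data/SCS_A01_10040.CSV
"""

# "M/D/YYYY H:MM:SS AM IP PORT Requested METHOD /path"
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<ip>[\d.]+) (?P<port>\d+) Requested (?P<method>[A-Z]+) (?P<path>\S+)"
)

# Assumption: extensions this HFS instance never serves, taken from the
# disconnect filter discussed in the thread, without *.js (the template needs it).
PROBE_EXTENSIONS = (".php", ".asp", ".aspx", ".py", ".vbs", ".exe")


def parse_line(line):
    """Parse one HFS log line into a dict, or return None for non-request lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
    return {"ts": ts, "ip": m["ip"], "port": int(m["port"]),
            "method": m["method"], "path": m["path"]}


def is_probe(path):
    """True if the requested path ends in an extension this server never serves."""
    return path.lower().endswith(PROBE_EXTENSIONS)


def find_scanners(log_text, min_probes=5, window_seconds=120):
    """Return {ip: sorted probe paths} for clients that requested at least
    min_probes distinct probe-like paths within any window_seconds span."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_probe(rec["path"]):
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans <= window_seconds.
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            distinct = {r["path"] for r in recs[start:end + 1]}
            if len(distinct) >= min_probes:
                flagged[ip] = sorted({r["path"] for r in recs})
                break
    return flagged


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct probe paths, e.g. {paths[:3]}")
```

Run against the quoted lines, only 122.114.191.125 is reported (12 distinct .php probes in under a minute); the .CSV requests are ignored. As the post notes, disconnecting a scanner does not stop it from trying again, so the practical use of a list like this is feeding it to a firewall or host-level block rather than relying on the HFS event alone.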

5
Bug reports / Re: Download interrupted after starting another
« on: October 23, 2017, 07:51:57 PM »
Hi, I'm pretty sure this is _not_ the normal or expected behavior, as I've never heard of any such limitations in discussions here, and I know some of our colleagues here have large and busy sites.

But, I can't personally replicate your test -- my instance of HFS has only very small text data files for an android project, and even when I tar them all together and download, it completes too fast for me to switch to another browser and try to interrupt it.

Sorry that I'm only stating the obvious, but for debugging, if you're using a custom template, please repeat your test with your server using only the default template, just to rule out any possible template issues.

Also, do the logs in your HFS server window give any insights? There are several more extensive logging options that you can enable temporarily, so see if these provide any pointers to what's going on.

6
Programmers corner / Re: remotely renaming files using post
« on: October 23, 2017, 03:55:28 AM »
Probably not really a useful answer, but, I've only renamed files using the {.rename|oldname|newname.} command macro. That may well do some post under the covers, but as far as I know, the only way to rename files is to have some code in the server's config call the rename macro.

7
Thanks for the speedy reply, and for all your work on HFS!

No rush on the fix, as it's really no big deal: a minor bug that's hard to trigger in real life! (I was doing this manual rename to make a test file for a new feature, and in my production version such renames won't be needed.)

Or, if necessary, I can use a different "flag" character in the data file name than "$".

Cheers, Steve

8
Remember, there is no cloud. It's just someone else's computer!

No matter what the server, if you make a 450 GB copy, it needs to go somewhere.

(As several suggested, using a downloader program would scan for a list of all the files on the server, and then would request them all one by one for download, so there would be no server-side copy. The "Archive" feature zips all the individual files into one large single file, and then downloads that one file, thus it does require a copy on the server.)

9
Not really debugged this at all yet; I've merely noticed it in my modified version of the standard template, and then restored the default one to confirm it wasn't just me.

If a file name includes numbers, and you rename it to insert a "$" before those numbers, the $ and some numbers are deleted from the name.

The specific example I found was attempting to rename the file name "SCS_A01_10039.CSV" to "SCS_A01_$10039.CSV".

The resulting file name became: "SCS_A01_039.CSV".  That is, the "$10" was deleted from the new name.

"$" works fine in other parts of the string, but before a digit 1-9, the $ and one or two digits are removed.


10
HTML & templates / Re: Documentation for item-resource?
« on: July 25, 2016, 03:54:54 AM »
Never mind! :P

After posting I read the recent ticket about "move files after upload", and found Mars' suggestion to use the log for debug output, e.g. add "{.add to log| event upload completed  by %user%.}" to the completed event handler. Works well and easily -- Thanks Mars!!

I used this to print out %item-name%, %item-resource%, and %item-url%. Looks like I can parse the URL to figure out which folder the upload is going to, and the -resource symbol has the windows file path rather than the VFS path.

Any other debugging tips are welcomed!

Steve

11
HTML & templates / Documentation for item-resource?
« on: July 25, 2016, 01:56:34 AM »
Is there documentation for %item-resource%?

On the list in the forums at http://www.rejetto.com/forum/html-templates/hfs-templates-vars-and-section-help/ , it is mentioned, but with no explanation.

In the docs on the wiki, at http://www.rejetto.com/wiki/index.php?title=HFS:_Template_symbols , it is not mentioned at all.

More generally, what is a simple way to find out the value of various symbols with test code? That is, while I'm trying to figure stuff out, what sample code could I put into, say, an [upload-completed] event handler to show me the values of various symbols for each file? Can I write stuff to, say, the JavaScript console?

Or, would it be better to use the [upload-success] section for this sort of temporary debug output?

Thanks for clues,
Steve

12
Does the "template revision" line in the default hfs.tpl get changed whenever there are changes to this template?

That is, if I download the current version of hfs.exe, and choose the command  "Menu > HTML Template > Edit", it will generate an hfs.tpl file in the same folder as the hfs.exe file, and in this file, it has:

"Welcome! This is the default template for HFS 2.3
template revision TR2."

Can I assume that these lines change whenever Rejetto makes any revisions to the default template? 

For example, back with version 2.3f, Rejetto fixed a bug with cookies and file renames in the default template. Did this version string change with that update?  I didn't think to check at that time...

13
This is very probably unrelated, as I wasn't using WFetch, but just a few days ago I had an issue where some uploads from my Android program were failing, and it was because they requested chunked encoding rather than sending a Content-Length.

My log output was like yours: In the failed uploads I saw the POST request without the previous "Uploading" and "Fully Uploaded" lines.

Try "Menu > Log > Log what > Requests dump", so that HFS will print the requests headers it receives. Then see if the failing cases have Transfer-Encoding chunked.

(In my case, looking with Wireshark, I saw that HFS was returning a 405 error response to the chunked mode requests, but the Android file upload routine (in the Phonegap files plugin) was losing this, and returning a 200 response to my code. The fix for me was an optional flag to this Android upload routine telling it not to use chunked mode. Perhaps WFetch has a similar no chunks option.)

Steve
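To make the distinction in the post above concrete, here is an added example (not code from the poster or from HFS) that parses a raw request of the kind a "Requests dump" shows, reports whether the upload body is framed by Content-Length or by Transfer-Encoding: chunked, and decodes a chunked body. Both requests are constructed here; the header names and the chunked wire format are the standard HTTP/1.1 ones. Whether a given HFS build answers the chunked form with 405, as the post reports, is something to confirm against your own dump, not something this code checks.

```python
# Two constructed uploads of the same 18-byte CSV body. The first carries a
# Content-Length header; the second uses chunked transfer encoding.
CSV_BODY = b"id,value\n10039,42\n"

REQ_CONTENT_LENGTH = (
    b"POST /upload/ HTTP/1.1\r\n"
    b"Host: hfs.example\r\n"
    b"Content-Type: text/csv\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
) + CSV_BODY

REQ_CHUNKED = (
    b"POST /upload/ HTTP/1.1\r\n"
    b"Host: hfs.example\r\n"
    b"Content-Type: text/csv\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"9\r\nid,value\n\r\n"      # chunk 1: size in hex, CRLF, data, CRLF
    b"9\r\n10039,42\n\r\n"      # chunk 2
    b"0\r\n\r\n"                # last-chunk and empty trailer
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("latin-1").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return method, target, headers, body


def upload_framing(headers):
    """Classify how the request body is delimited: 'chunked', 'content-length'
    or 'none'. Transfer-Encoding wins over Content-Length if both are present."""
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return "chunked"
    if "content-length" in headers:
        return "content-length"
    return "none"


def decode_chunked(body):
    """Reassemble a chunked body: repeated '<hex size>[;ext]\\r\\n<data>\\r\\n',
    terminated by a zero-size chunk. Raises ValueError on a truncated body."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        size = int(body[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        if len(body) < pos + size + 2:
            raise ValueError("truncated chunk data")
        out += body[pos:pos + size]
        pos += size + 2  # skip the data and its trailing CRLF


def body_of(raw):
    """Return the decoded upload body regardless of framing."""
    _m, _t, headers, body = parse_request(raw)
    framing = upload_framing(headers)
    if framing == "chunked":
        return decode_chunked(body)
    if framing == "content-length":
        return body[:int(headers["content-length"])]
    return b""


if __name__ == "__main__":
    for raw in (REQ_CONTENT_LENGTH, REQ_CHUNKED):
        _m, _t, headers, _b = parse_request(raw)
        print(upload_framing(headers), body_of(raw))
```

When reading a real dump, the line to look for is exactly the one this classifier keys on: a POST with "Transfer-Encoding: chunked" and no Content-Length is the case the post describes; if the client library has a switch to disable chunked mode (as the Phonegap plugin did), the second request turns into the first.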

14
Fixed by version 2.3f  :D (Via changes to the standard hfs.tpl file included in this version).

I had the problem recur despite the workaround suggested earlier in this thread, but upgrading to version 2.3f and patching my stripped-down version of the hfs template with the changes to the cookie handling from the new hfs.tpl made the problem go away.

Thanks for the fix, Rejetto!

Steve

15
HTML & templates / Re: Limits to uploaded files by size?
« on: August 09, 2015, 01:12:48 AM »
Ah, LeoNeeson, very clever using Google to search the forum! I'd never thought of that, and was trying to find stuff using only the local search tool. Thanks for the examples!

Steve
