rejetto forum



Messages - Mars

31
Beta / Re: 2.4 template-making guide
« on: June 17, 2020, 05:49:27 PM »
some sections do not need the public attribute because they are already included by a macro call in a public section ~style.css, ~lib.js

[icons.css|public|no log|cache]  --> {.$icons.css.}
[normalize.css|public|no log|cache]  --> {.$normalize.css.}
[sha256.js|public]  --> {.$sha256.js.}

another thing needs probably to be extended

public sections are called mainly with the reference / ~ sectionname, however in a diff template this type of section may have to be completely redefined.
Due to the inheritance principle this section is available from anywhere in the vfs using the macro {.section | sectionname.}, but it should also be available by adding ~ sectionname to the url of any folder element of the vfs, for example http://127.0.0.1/New%20folder%20(2)/~test





32
Beta / Re: 2.4 template-making guide
« on: June 14, 2020, 09:46:59 AM »
wouldn't it be simpler to name the accessible sections by url by preceding their name with ~( except for [] ) as [~login]

this would no longer pose a problem of interpretation and unnecessary option writing

the rest of the other sections could have their name coded to access them  url or form requests

33
Beta / Re: version 2.4
« on: June 10, 2020, 11:38:38 PM »
in the version of silentpliz using stunnel, he introduced a tab on the main page to manage the creation of such a certificate,

one solution would be to integrate it as a tab in the options or as an additional module, we could easily create his own certificate, and use it either to configure stunnel.conf or nginx.conf without using an external program.

 for the transmission of change password you should consider a solution like my encryption in the absence of a certificate, and abandon sending it by your old method

I think that with the help of silentpliz we could manage to offer you a module that would be easily integrated into hfs

34
Bug reports / Re: unimportant leaks through to error section
« on: June 10, 2020, 11:24:01 PM »
mars, i didn't know you like regexp. Good job :D

{.if not|%user%|{:{.if|{.match|^\/([Ff]ile(\/)?)?$|%url%.}|{:{.disconnect.}:}.}:}.}

or

{.if|{.and|{.not|%user%.}|{.match|^\/([Ff]ile(\/)?)?$|%url%.}.}|{:{.disconnect.}:}.}

and for fun i discovered that in this case you can even do like this :D

{.{.if|{.and|{.not|%user%.}|{.match|^\/([Ff]ile(\/)?)?$|%url%.}.}|disconnect.} .}

thanks for the compliment but the regexp are hard to digest for my mind :o

your last example can't work, it's a false positive, this example proves it

[test]
start
{.{.if|%user%|stop server.} .}
{.add to log|all is good.}
end


in your second line the expression {.match|^\/([Ff]ile(\/)?)?$|%url%.}  is always evaluated, which can have an influence on the rest of the script (duration or content)

the first one seems the best choice in terms of evaluations

{.if not|%user%   |{:
   {.if|{.match|^\/([Ff]ile(\/)?)?$|%url%.}|{:{.disconnect.}:}.}
:}.}

similar to

if not (%user%) then
   if match('^\/([Ff]ile(\/)?)?$', %url%) then
      disconnect();
 ::)

35
Beta / Re: version 2.4
« on: June 10, 2020, 09:41:04 PM »
 ;D ;D

here is what to test its use in the password change by "form"

old password
new password
confirm password

Passing over the eyes with the mouse the passwords are displayed in clear


positioning the mouse at eye level the passwords are displayed in clear



the old password is not sent in clear but its sha256 is combined with the new and sha256 of the confirmation to check the validity at the server level by macros

everything takes place in the template and only requires the existence of the macro sha256

it's not the best we can do, but it's better than a clear password, and it allows accidental password change if we don't know the old one, the rest will come later when RSA becomes available jointly using the certificate for HTTPS

36
Beta / Re: version 2.4
« on: June 10, 2020, 07:27:39 PM »

could you add this macro in scriptlib.pas during the new release of hfs
it is to allow an interaction with the function sha256(s) that you placed in the template

sure, next release

because,
first: you promised
secondly: failing  to be able to use rsa client-server encryption, this is useful for validating an exchange of encrypted passwords

I thought of inserting the data to be transmitted in a zip protected by a sha256 based on the connection pass, but it requires too many resources to add in javascript and in hfs

37
Bug reports / Re: unimportant leaks through to error section
« on: June 10, 2020, 05:23:10 PM »
suggestion...

{.if|!%user%|{:{.if|{.%url% = /.}|{:{.disconnect.}:}.}:}.}{.if|!%user%|{:{.if|{.%url% = /file.}|{:{.disconnect.}:}.}:}.}{.if|!%user%|{:{.if|{.%url% = /File.}|{:{.disconnect.}:}.}:}.}

replaced by :

{.if|!%user%|{:{.if|{.match|^\/([Ff]ile(\/)?)?$|%url%.}|{:{.disconnect.}:}.}:}.}

can be tested at https://regexr.com/ or https://regex101.com/tests

mask = ^\/([Ff]ile(\/)?)?$

working text
/
/file
/file/
/File
/File/
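
An added example (not part of the original posts, and not HFS code): a JavaScript check of the mask from the post above against the three literal comparisons it replaced, run over constructed sample URLs. It assumes the `=` macro is an exact, case-sensitive string comparison; the function names are hypothetical.

```javascript
// Added example, not HFS code: models the anonymous-user disconnect rule
// from the posts so the old and new forms can be compared side by side.

// Mask quoted in the post.
const MASK = /^\/([Ff]ile(\/)?)?$/;

// Old rule: three separate comparisons of %url% against fixed strings.
// Assumption: the "=" macro is an exact, case-sensitive comparison.
function matchesLiteralRule(url) {
  return url === '/' || url === '/file' || url === '/File';
}

// New rule: one {.match|mask|%url%.} call.
function matchesMask(url) {
  return MASK.test(url);
}

// Nested form: the URL is only inspected when no user is logged in
// (an empty string stands for an empty %user%).
function shouldDisconnect(user, url, rule = matchesMask) {
  if (user) return false;
  return rule(url);
}

// Constructed sample URLs: the five from the post plus near misses.
const SAMPLES = ['/', '/file', '/file/', '/File', '/File/',
                 '/FILE', '/files', '/file/a.txt', '//', ''];

// URLs on which the two rules give different answers for an anonymous visitor.
function ruleDifferences(urls) {
  return urls.filter(u =>
    shouldDisconnect('', u, matchesLiteralRule) !== shouldDisconnect('', u, matchesMask));
}

for (const url of SAMPLES) {
  console.log(JSON.stringify(url).padEnd(16),
              'literal:', matchesLiteralRule(url), ' mask:', matchesMask(url));
}
console.log('rules disagree on:', ruleDifferences(SAMPLES));
```

The mask is slightly broader than the three comparisons: it also covers the trailing-slash forms /file/ and /File/.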








38
Beta / Re: version 2.4
« on: June 10, 2020, 04:48:54 PM »
Me not happy, rejetto forget sugar in coffee  :'(

Missing  macro 'sha256' in rc2

Waiting quickly rc3

39
Beta / Re: version 2.4
« on: June 09, 2020, 10:20:13 AM »
any external connection made through stunnel is seen as a local connection in 127.0.0.1 by hfs, it is impossible to go back to the user and the use of the ban therefore is rendered useless

Quote
transparent = yes | no (Unix only)
Transparent proxy mode

Rewrite the addresses so that they appear to come from the SSL client machine
rather than one that runs stunnel. This option is only available in local mode
(exec option) with the LD_PRELOADing env.so shared library and
in remote mode (connect option) on Linux 2.2 kernels compiled with the option
transparent proxy and only in server mode. This option cannot be combined with the mode
proxy (connect) unless the default route from the client to the target goes through
the host running stunnel, which cannot be localhost.

transmission of external ip is only available on UNIX

40
Beta / Re: version 2.4
« on: June 08, 2020, 06:04:56 PM »
@rejetto

could you add this macro in scriptlib.pas during the new release of hfs
    ....
Quote
    if name = 'sha1' then
      result:=strSHA1(p);
    if name = 'sha256' then
      result:=strSHA256(p);


it is to allow an interaction with the function sha256(s) that you placed in the template


thank you in advance

41
Beta / Re: version 2.4
« on: June 07, 2020, 06:46:52 PM »
the exchange of data between the form and the section is now under control, it only remains to implement the encryption protocols...

42
Beta / Re: version 2.4
« on: June 07, 2020, 02:53:38 PM »
this is what I tried to do last night but I have a problem of transferring values by using a form to process the data

for now I explore the way to use ask () by inserting three input fields instead of one, which would simplify the transfer problem that I am facing



an attempt with the attached template, but I am faced with the processing of the form to send it to the section as with ASK, it follows that the data is found in the url




43
Beta / Re: version 2.4
« on: June 06, 2020, 05:44:51 PM »
sorry for the explanations of the link which are in french

https://benjamin-balet.info/developpement/chiffrement-rsa-partiel-en-golang-javascript/

you can use a subterfuge by encrypting the transmission of the password using a private key and a public key

encoding will be done on the client side in javascript

on the server side you have to see if it is feasible from macro in a specialized script or using an external program, otherwise it could study an additional macro to include in the exe

44
Beta / Re: version 2.4
« on: June 05, 2020, 05:53:13 PM »
under firefox the file name is truncated from the semicolon when downloading it,
on the other hand this phenomenon is not present with hfs 2.3m

45
HFS ~ HTTP File Server / Re: Send text file over http
« on: June 05, 2020, 02:47:31 PM »
i don't know if HFS will be good for you, but you can try.
the first step to allow upload is to give upload permission.
if it is trying to upload to folder "aos" you will have to have this folder in the "virtual file system",  right-click, properties, upload, anyone.
Anyone is not good for security but it is a good start to see if it works.


The protocol it uses to send out is HTTP so i have to provide it a URL for which to send.
Would HTTP File Server work for this if I give it the IP?


it is therefore possible to authorize an on upload account for the real file and to integrate user and password in url

otherwise according to the method of sending data, if they can be done in text mode and not binary, then as much integrate them either in the url or in the form of a form.

for security reasons this data would be processed in a specific section placed in a diff template of the folder hidden in the tree structure, the data processed by the script may be saved after appropriate processing in one or more files as required with different names

the folder can also be protected in access, for only the previous account and the persons authorized to deal with it, thus preserving any risk of intrusion by an anonymous person
