rejetto forum

deny versus not found

raybob · 8 · 1480

0 Members and 1 Guest are viewing this topic.

Offline raybob

  • Tireless poster
  • ****
    • Posts: 453
    • View Profile
    • FileSplat.com
1) When trying to hotlink to a folder/file that is under a protected directory and that doesn't exist, you are directed to the ~not found page.  Ex., a user tries to get /test/test2/ , while test2 doesn't exist and they don't have permission to access the folder test.

2) When trying to hotlink to a folder/file that is under a protected directory and that does exist, you are directed to the ~login page.  Ex., a user tires to get /test/test3/ , and is denied because they can't access the root folder /test/

The only flaw with this is that users are able to verify the existence of folders/files, even if they don't have access to them.

Personally, I think it would be more secure to make it so that both scenarios end in the same result, being redirected to ~deny rather than login or not found, this way a user can't verify that an actual file exists.

If you can't make this happen by default can you at least add an option for it?  Or is there already some way to do it already?
« Last Edit: July 14, 2011, 12:53:51 AM by raybob95 »


Offline r][m

  • Tireless poster
  • ****
    • Posts: 347
    • View Profile
If you have
Menu > Virtual File System > List Protected Items Only For Allowed Users
check marked they can only see what you have given them access to.
Eliminates the need for a error page.


Offline raybob

  • Tireless poster
  • ****
    • Posts: 453
    • View Profile
    • FileSplat.com
I already have that checked.

What I'm talking about here is hot-linking, and being able to verify the existence of folders/files even without access, based on the redirection to ~login or ~not found.  The ideal way would be to redirect to ~login or ~deny always, whether the file is there or not.
« Last Edit: July 14, 2011, 01:21:20 PM by raybob95 »


Offline r][m

  • Tireless poster
  • ****
    • Posts: 347
    • View Profile
OK, I overlooked that,  but how do users obtain a hot link?
It would seem, someone with access (that can see it) would have to share it.
Would it be possible to do an event script to block these?
It's never been a problem here, so I'm not familiar.
Would something structured like
Code: [Select]
[+request]
{.if|{.match|.php;.js|%url%.}|{:{.disconnect.}:}
.}
in events be made to stop hot linking?

How exactly is a hot link structured? Does it always contain @ for the login?

Edit:
This events macro works for php and js hack attempts when HFS runs in Windows,
but not on Ubuntu 11.04/Wine. In windows the macro wont work with @ because, apparently
the browsers don't recognize @ in
https://user:pass@ip address:port/Folder1/Folder2/File-name.ext
as being part of the url........so.... still think there could to be a way.
I'll experiment more tonight after work.
« Last Edit: July 14, 2011, 05:56:22 PM by r][m »


Offline raybob

  • Tireless poster
  • ****
    • Posts: 453
    • View Profile
    • FileSplat.com
It's really not that much of a problem I just thought it could be better.

My end goal here is that when directly linking to a non-existent file in a protected folder, the user is redirected to the same page as if the file did exist, e.g. ~login or ~deny, rather than ~not found.


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13308
    • View Profile
Currently this is out of question, it cannot be done.
HFS is using http authentication, and there's no login-then-browse logic like other servers.
When you see the login it's not because HFS asked a login. HFS said to the browser "error: you are not authorized".
Any file is protected on its own, having a login-for-access logic. So HFS must offer authentication.


Offline raybob

  • Tireless poster
  • ****
    • Posts: 453
    • View Profile
    • FileSplat.com
Really?  Oh....  Anyway I got it to work but my solution will not work for everyone.

Reason being is that I recently wrote my own macro-based authentication system (which is very possible to do, I might make a topic for it because it works as well as before + now there's a sign out button and better functionality).

All I had to do was move the part under [download] in hfs.events that authenticates users (custom code) to the [request] section and now it acts the same whether the file exists or not.
« Last Edit: August 30, 2011, 05:53:22 PM by raybob95 »