Messages

1

Everything else / Re: Leave here your holiday season's greetings!

« on: December 10, 2021, 04:27:13 AM »

Hi, nice to check in! I am still using HFS in _very_ limited production for a small bus ridership data logging app, and it does what I need simply, with no muss or fuss.  As MarkV says, it runs fine so I have no reason to check the forums for fixes!

Hope you are all well.

2

Bug reports / Re: "Network Error. Request Failed" for "Menu > Updates > Check for news/updates

« on: December 15, 2019, 09:19:01 PM »

Sorry I dropped the ball on replying in a timely manor, Mars!

Is there something I can do differently? Not sure how I broke it, but the boxes I'm testing on are behind external firewalls, so it may be that they are not realizing the replies to the update queries match the requests. (Both 80 and 443 are open for incoming traffic, but that is probably not relevant to a request I make to an external server.)

3

Bug reports / "Network Error. Request Failed" for "Menu > Updates > Check for news/updates

« on: July 31, 2019, 05:12:45 PM »

Not sure if this is a bug or merely my problem, but the auto checks for updates had been working fine, and then started getting errors.

As a check, I downloaded the plain HFS.exe onto a different PC on a different network, started it, and checked for updates there, and get the same error.

(Not a big issue, as I can manually update once we go past 2.3m, but I am wondering if it is down for everyone or just me)

I originally thought I broke it with changes to my security settings, but turning off the firewall doesn't make any difference.

On my "production" server, the logs show updates were working fine through June 8,

6/8/2019 11:31:19 AM               Check update: no new version

but then started failing on the next check:

6/9/2019 11:31:59 AM               Check update: failed

Are updates from within HFS working for all of you?

Thanks, Steve

4

Bug reports / Re: vulnerability Rejetto HTTP File Server Remote Code Execution CVE-2014-6287

« on: June 27, 2019, 01:51:49 PM »

Thanks, Danny. I'm pretty sure the warning in this thread is just referring back to the issue patched in 2.3c. (Or, if it _is_ a real threat, there's no documentation of it provided. What do we need to do to test that we are still protected against this 2014 exploit? )

I'm fairly confident that if you add *.exe types to my filter, in addition to the js py and vbs, that a remote request just can't run those on the server

Ah, so that explains the problem I had with *.js, as parts of my template use Javascript. I will add *.exe as well, because I only use HFS to serve small (< 50KB) .csv input data files to some android devices, and then to accept the results (also *.csv) back from them.

5

Bug reports / Re: vulnerability Rejetto HTTP File Server Remote Code Execution CVE-2014-6287

« on: June 26, 2019, 09:44:02 PM »

FWIW, using Danny's script to disconnecting on *.js requests seemed to break some of the buttons and controls on my template, but maybe it is just my quirky niche template.

I've added Danny's event with "*.js;" removed, but keepingthe other types, and will see if it cuts down on log entries like the ones I posted above. However, seems possible that those logs are generated by scripts that will just keep going through their lists of items to try, despite the disconnects.

6

Bug reports / Re: vulnerability Rejetto HTTP File Server Remote Code Execution CVE-2014-6287

« on: June 26, 2019, 09:03:16 PM »

Wait, is this actually a new report of this issue, or merely an old bug report being duplicated and resurfaced by a different "Security Provider", so, a false alarm? 

The CheckPoint page at https://www.checkpoint.com/defense/advisories/public/2019/cpai-2019-0748.html references the 2014 CVE report, which says it was patched in version 2.3c :  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287

I'm still going to try out Danny's filter. But, just because we disconnect them, I think they can still just try again. Not sure if it is more load for the server to send them a 404, or to process an event and disconnect.

7

Bug reports / Re: vulnerability Rejetto HTTP File Server Remote Code Execution CVE-2014-6287

« on: June 26, 2019, 08:43:16 PM »

Not sure if Danny's suggestion would solve the particular bug reported here, but does seem like a good way to limit the "noise" of random get requests that are fishing for vulnerabilities. E.g. my logs always have lots of crap like :

Code: [Select]

6/17/2019 2:21:39 AM 122.114.191.125 50639 Requested GET /help.php
6/17/2019 2:21:39 AM 122.114.191.125 50833 Requested GET /java.php
6/17/2019 2:21:43 AM 122.114.191.125 51098 Requested GET /_query.php
6/17/2019 2:21:43 AM 122.114.191.125 51361 Requested GET /test.php
6/17/2019 2:21:47 AM 122.114.191.125 51705 Requested GET /db_pma.php
6/17/2019 2:21:47 AM 122.114.191.125 51907 Requested GET /logon.php
6/17/2019 2:21:55 AM 122.114.191.125 52953 Requested GET /x.php
6/17/2019 2:21:59 AM 122.114.191.125 53179 Requested GET /htdocs.php
6/17/2019 2:22:27 AM 122.114.191.125 58081 Requested GET /desktop.ini.php
6/17/2019 2:22:31 AM 122.114.191.125 58606 Requested GET /lala.php
6/17/2019 2:22:35 AM 122.114.191.125 59500 Requested GET /t6nv.php
6/17/2019 2:22:36 AM 122.114.191.125 59661 Requested GET /muhstik.php
and etc.

8

Bug reports / Re: Download interrupted after starting another

« on: October 23, 2017, 07:51:57 PM »

Hi, I'm pretty sure this is _not_ the normal or expected behavior, as I've never heard of any such limitations in discussions here, and I know some of our colleagues here have large and busy sites.

But, I can't personally replicate your test -- my instance of HFS has only very small text data files for an android project, and even when I tar them all together and download, it completes too fast for me to switch to another browser and try to interrupt it.

Sorry that I'm only stating the obvious, but for debugging, if you're using a custom template, please repeat your test with your server using only the default template, just to rule out any possible template issues.

Also, do the logs in your HFS server window give any insights? There are several more extensive logging options that you can enable temporarily, so see if these provide any pointers to what's going on.

9

Programmers corner / Re: remotely renaming files using post

« on: October 23, 2017, 03:55:28 AM »

Probably not really a useful answer, but, I've only renamed files using the {.rename|oldname|newname.} command macro. That may well do some post under the covers, but as far as I know, the only way to rename files is to have some code in the server's config call the rename macro.

10

Bug reports / Re: Standard Template rename does funny things with $ before numbers in new name

« on: January 09, 2017, 04:41:36 AM »

Thanks for the speedy reply, and for all your work on HFS!

No rush on the fix, as it's really no big deal: a minor bug that's hard to trigger in real life! (I was doing this manual rename to make test file for a new feature, and in my production version such renames won't be needed.) 

Or, if necessary, I can use a different "flag" character in the data file name than "$".

Cheers, Steve

11

HFS ~ HTTP File Server / Re: Sorry i have a question about multiple downloads

« on: January 08, 2017, 05:32:03 AM »

Remember, there is no cloud. It's just someone else's computer!

No matter what the server, if you make a 450 GB copy, it needs to go somewhere.

(As several suggested, using a downloader program would scan for a list of all the files on the server, and then would request them all one by one for download, so there would be no server-side copy. The "Archive" feature zips all the individual files into one large single file, and then downloads that one file, thus it does require a copy on the server.)

12

Bug reports / Standard Template rename does funny things with $ before numbers in new name

« on: January 08, 2017, 05:14:41 AM »

Not really debugged this at all yet; I've merely noticed it in my modified version of the standard template, and then restore the default one to confirm it wasn't just me.

If a file name includes numbers, and you rename it to insert a "$" before those numbers, the $ and some numbers are deleted from the name.

The specific example I found was attempting to rename the file name "SCS_A01_10039.CSV" to "SCS_A01_$10039.CSV".

The resulting file name became: "SCS_A01_039.CSV".  That is, the "$10" was deleted from the new name.

"$" works fine in other parts of the string, but before a digit 1-9, the $ and one or two digits are removed.

13

HTML & templates / Re: Documentation for item-resource?

« on: July 25, 2016, 03:54:54 AM »

Nevermind! 

After posting I read the recent ticket about "move files after upload", and found Mars' suggestion to use the log for debug output, e.g. add "{.add to log| event upload completed  by %user%.}" to the completed event handler. Works well and easily -- Thanks Mars!!

I used this to print out %item-name%, %item-resource%, and %item-url%. Looks like I can parse the URL to figure out which folder the upload is going to, and the -resource symbol has the windows file path rather than the VFS path.

Any other debugging tips are welcomed!

Steve

14

HTML & templates / Documentation for item-resource?

« on: July 25, 2016, 01:56:34 AM »

Is there documentation for %item-resource%?

On the list in the forums at http://www.rejetto.com/forum/html-templates/hfs-templates-vars-and-section-help/ , it is mentioned, but with no explanation.

In the docs on the wiki, at http://www.rejetto.com/wiki/index.php?title=HFS:_Template_symbols , it is not mentioned at all.

More generally, what is a simple way to find out the value of various symbols with test code? That is, while I'm trying to figure stuff out, what sample code could I put into, say, an [upload-completed] event handler to show me the values of various symbols for each file?  Can I write stuff to, say, the java script console?

Or, would it be better to use the [upload-success] section for this sort of temporary debug output?

Thanks for clues,
Steve

15

HTML & templates / Tracking default hfs.tpl changes: Does "template revision TR2" change?

« on: June 23, 2016, 03:57:49 AM »

Does the "template revision" line in the default hfs.tpl get changed whenever there are changes to this template?

That is, if I download the current version of hfs.exe, and choose the command  "Menu > HTML Template > Edit", it will generate an hfs.tpl file in the same folder as the hfs.exe file, and in this file, it has:

"Welcome! This is the default template for HFS 2.3
template revision TR2."

Can I assume that these lines change whenever Rejetto makes any revisions to the default template? 

For example, back with version 2.3f, Rejetto fixed a bug with cookies and file renames in the default template. Did this version string change with that update?  I didn't think to check at that time...