rejetto forum
Software => HFS ~ HTTP File Server => Programmers corner => Topic started by: User21 on August 14, 2018, 01:09:33 PM
-
Hello forum,
so far I have used HFS version 2.2f as a simple binary file server.
If HFS got an HTTP request /GET/update.bin, the HTTP response header was
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 75470
Accept-Ranges: bytes
Content-Disposition: attachment; filename="update.bin";
Last-Modified: Fri, 08 Sep 2017 09:39:43 GMT
For security reasons I wanted to update HFS to the current version.
But version 2.3k now answers with:
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 75470
Accept-Ranges: bytes
Set-Cookie: HFS_SID_=0.818251500837505; path=/; HttpOnly
ETag: B0772E23A80C880E27639CEF62C2F1A1
Last-Modified: Fri, 08 Sep 2017 09:39:43 GMT
Content-Disposition: attachment; filename="update.bin";
That's nearly 100 bytes more information which my (embedded) system does not need, and unfortunately it creates a buffer overflow because I only provided a 256-byte buffer for the HTTP response. The whole HTTP header will be dropped immediately.
Is there an easy way to turn off Set-Cookie and ETag?
And if not, is there a security reason not to use 2.2f any longer?
Regards,
Lothar
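The failure mode described in this post, a fixed 256-byte header buffer that is overrun once the server adds two headers, as an added example that is not from this thread or from HFS: a small C response-header reader written two ways, once as the fixed-block design made to fail safely, once as a streaming line reader that copes with any header size. The two sample responses are constructed from the headers quoted above (layout normalized, body replaced by a placeholder); HDR_BUF_SIZE and LINE_BUF_SIZE are assumed sizes.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define HDR_BUF_SIZE  256   /* whole-header budget, the size used in the post */
#define LINE_BUF_SIZE  96   /* per-line budget for the streaming parser (assumed) */

/* Constructed samples: the two response headers quoted in the thread (2.2f and
 * 2.3k), each followed by a placeholder standing in for the binary body. */
#define PAYLOAD "<binary body>"
static const char RESPONSE_22F[] =
    "HTTP/1.1 200 OK\r\n" "Content-Type: application/octet-stream\r\n"
    "Content-Length: 75470\r\n" "Accept-Ranges: bytes\r\n"
    "Content-Disposition: attachment; filename=\"update.bin\";\r\n"
    "Last-Modified: Fri, 08 Sep 2017 09:39:43 GMT\r\n" "\r\n" PAYLOAD;
static const char RESPONSE_23K[] =
    "HTTP/1.1 200 OK\r\n" "Content-Type: application/octet-stream\r\n"
    "Content-Length: 75470\r\n" "Accept-Ranges: bytes\r\n"
    "Set-Cookie: HFS_SID_=0.818251500837505; path=/; HttpOnly\r\n"
    "ETag: B0772E23A80C880E27639CEF62C2F1A1\r\n"
    "Last-Modified: Fri, 08 Sep 2017 09:39:43 GMT\r\n"
    "Content-Disposition: attachment; filename=\"update.bin\";\r\n" "\r\n" PAYLOAD;

typedef struct {
    int    status;          /* HTTP status code, 0 until the status line is seen */
    long   content_length;  /* -1 until a Content-Length header is seen */
    size_t header_len;      /* bytes consumed up to and including the blank line */
} http_meta_t;

static bool has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return false;
    return true;
}

/* Interpret one header line (CRLF already stripped). Headers the client has no
 * use for, such as Set-Cookie or ETag, fall through and are simply ignored. */
static void handle_line(const char *line, http_meta_t *m)
{
    if (m->status == 0 && strncmp(line, "HTTP/", 5) == 0) {
        const char *sp = strchr(line, ' ');
        if (sp) m->status = (int)strtol(sp + 1, NULL, 10);
    } else if (has_prefix_ci(line, "Content-Length:")) {
        m->content_length = strtol(line + 15, NULL, 10);   /* strtol skips blanks */
    }
}

/* Approach 1: the original design made safe. The whole header is copied into a
 * fixed buffer, but the copy stops and the call fails before the buffer is full
 * instead of writing past it: a header that does not fit is rejected, not read. */
bool parse_header_block(const char *resp, size_t resp_len, http_meta_t *m)
{
    char buf[HDR_BUF_SIZE];
    size_t n = 0;
    *m = (http_meta_t){ .status = 0, .content_length = -1, .header_len = 0 };

    while (n < 4 || memcmp(buf + n - 4, "\r\n\r\n", 4) != 0) {   /* until blank line */
        if (n == resp_len || n == sizeof buf - 1)
            return false;                   /* truncated, or header too large */
        buf[n] = resp[n];
        n++;
    }
    buf[n] = '\0';
    m->header_len = n;
    for (char *p = buf, *eol; (eol = strstr(p, "\r\n")) != NULL; p = eol + 2) {
        *eol = '\0';                        /* terminate this line in place */
        if (*p) handle_line(p, m);
    }
    return m->status != 0;
}

/* Approach 2: stream the header one line at a time through a small buffer. A line
 * longer than the buffer is discarded (only its end is tracked), so the header may
 * be any size and carry any unknown header without the client ever writing outside
 * its buffer. Fails only if the data ends before the blank line. */
bool parse_header_stream(const char *resp, size_t resp_len, http_meta_t *m)
{
    char line[LINE_BUF_SIZE];
    size_t len = 0;
    bool oversized = false;
    *m = (http_meta_t){ .status = 0, .content_length = -1, .header_len = 0 };
    for (size_t i = 0; i < resp_len; i++) {
        if (resp[i] != '\n') {
            if (len < sizeof line - 1) line[len++] = resp[i];
            else oversized = true;          /* drop the rest of this line */
            continue;
        }
        if (len > 0 && line[len - 1] == '\r') len--;     /* strip CR */
        line[len] = '\0';
        if (len == 0 && !oversized) {       /* blank line: end of header */
            m->header_len = i + 1;
            return m->status != 0;
        }
        if (!oversized) handle_line(line, m);
        len = 0; oversized = false;
    }
    return false;
}
```

On the 2.2f sample the fixed-block reader succeeds (207 header bytes); on the 2.3k sample it returns false when it reaches the 255th byte instead of overrunning, and the streaming reader returns status 200 and Content-Length 75470 regardless of the extra Set-Cookie and ETag lines. Trimming the headers on the server is a fine convenience, but only a bounded client survives the next server change.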
-
The current version doesn't allow you to remove such headers.
With the next version, 2.3m, you will be able to program this event:
[+download]
{.remove header|ETag.}
{.remove header|Set-cookie.}
I'm not sure if security problems that have been fixed in time affect 2.2f. Surely most don't. You should make a search yourself, sorry.
-
New version 2.3m has been installed and
[+download]
{.remove header|ETag.}
{.remove header|Set-cookie.}
has been added to hfs.events.
It works perfectly now. :D
Thanks a lot for this very fast fix.
Regards,
Lothar
-
Possible bug?... ???
This works:
[+download]
{.remove header|ETag.}
{.remove header|Set-cookie.}
This partially works:
[+request]
{.remove header|ETag.}
{.remove header|Set-cookie.}
It seems "remove header" works perfectly on [+download], but on [+request] it only removes the header "Set-cookie" and NOT the ETag. I haven't tested using other "Events" (perhaps this is a small detail to fix in the build).
-
All the headers are not added in one block but at various stages of the execution, so it can happen that the one we want to withdraw at a given moment does not exist yet and appears at the end. The phenomenon is even more likely since some macros are not directly usable (especially in events).
-
All the headers are not added in one block but at various stages of the execution, so it can happen that the one we want to withdraw at a given moment does not exist yet and appears at the end. The phenomenon is even more likely since some macros are not directly usable (especially in events).
That's right, I do understand, but from my point of view, I think [+request] is run first, before anything else (even before [+download]), so perhaps the code to remove headers should be taken into consideration from the initial request section onward. Correct me if I'm wrong.
You can try to reproduce the error using this (http://rejetto.com/forum/index.php?topic=13046.msg1063976#msg1063976) or these (http://rejetto.com/forum/index.php?topic=12055.msg1063977#msg1063977) 'HFS.Events'. More information about view HTTP Headers here (http://rejetto.com/forum/index.php?topic=12055.msg1063989#msg1063989).