rejetto forum

Messages - Rapid

1
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: January 10, 2025, 07:04:47 AM »
By saying 'templates are based' on macros, it could only mean 'some templates depend' on macros (but only those templates that need a macro to work, like, for example, the default template). However, your latest statement is not entirely accurate, since you can have a template without macros. Otherwise, you would not be able to install or use the templates I've modified in this post HERE, which can be used with macros disabled (obviously, some features are disabled, such as the ability to delete, rename, or upload files, but it's still a template after all). I'm not looking to argue, but I do have a clear understanding of what macros are and how they work.
...
OK, if we don't count "%item-url%" as macros, then you are right. But technically it's a kind of macro too :)

I like the idea to have a separate template for no-macros mode. So I will add an option "Disable macros for non-local IP" to use separate templates for local and non-local users.
It remains to add the possibility to define these separate templates.
As a start, I will add the template as a resource. We already have an example, "dmBrowser.tpl", for download managers.

2
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: January 09, 2025, 09:41:53 AM »
I've sent you a private message because I can't run x64 apps.
...
32bit: https://rnq.ru/categories/download/8-hfs/216-hfs-324

...
We can have the best of both worlds if we do this:

(Ideas) The best way to achieve good security would be:
• Make the default template not use or require any macros at all.
• Make the entire macro system behave exactly like user permissions.
• Have a config panel to let HFS admin choose which macros are enabled.

Even then, nobody could guarantee 100% permanent security forever... :(

Making all those changes will take a lot of work, time, and testing.
(but it will provide all the features without compromising security)
I think you misunderstand what macros are. Templates are based on macros. So "no macros" = "no templates".
For me HFS is just a Home File Server. I don't really care about security.
All changes are just for fun...
Like beautiful alpha-blend icons, serving thumbnails as WEBP, using ZSTD compression instead of zlib. Nobody needs it, but it's fun to do :)
So the next big fun is to add "zip format for folder archives"

3
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: January 08, 2025, 11:42:37 AM »
OK, the download link is fixed.

I really don't understand why you are afraid only of 'exec' macros. With "save" macros it's possible to do the same (if you write a 'bat' or 'lnk' file). With 'add folder' it's possible to add the home folder of the active user, and maybe download something private.

4
HFS ~ HTTP File Server / Re: Warning: HFS v2.x has a severe vulnerability
« on: January 06, 2025, 10:16:40 PM »
Hi Leo!
Could you check whether my versions are vulnerable or not? I don't really understand your answers about my fixes.
In my tests, I couldn't repeat the vulnerability examples. Maybe I didn't check enough?

My latest version: https://rnq.ru/downloads/download/8-hfs/215-hfs-324-x64

5
I suggested a new file format to save settings - JSON in Zip.
So it's much easier to check for corruption and modify by hand.

Unfortunately I don't have time to make a patch for Rejetto's version as my version is very different now...
Maybe someone could make it? I think the new format and PNG support are a must-have.

6
HFS ~ HTTP File Server / Re: Two folders, two websites?
« on: September 14, 2021, 01:37:02 PM »
I would recommend using a reverse proxy for this.
For example nginx.
It can handle any domains, folders, etc...

7
Programmers corner / Re: HTTP File Server on a Raspberry PI.
« on: August 30, 2021, 10:59:22 AM »
I hope next year we will have a Delphi with Windows ARM support.

8
Programmers corner / Re: HTTP File Server on a Raspberry PI.
« on: August 29, 2021, 07:31:46 PM »
This is HFS on Windows 11 in ESXi-ARM on Raspberry PI  :)

9
HFS ~ HTTP File Server / Re: HFS Perfomance
« on: August 28, 2021, 09:08:52 AM »
When I did profiling, I saw that most of the processor-eating operations are exceptions.
So in my version I've tried to remove all possible exceptions. And I recommend comparing timings.

10
I'm suggesting a new format for VFS.
A JSON config file and all icons as separate files inside zip archive.
It will be easy to look at and modify.

I've made an export into this format (I've called it *.VFSJZ) so you can look at it.
https://github.com/drapid/HFS/releases/tag/2.4RC8

Loading is the next thing...

11
Bug reports / Re: HFS is crashing
« on: June 25, 2021, 09:29:53 AM »
The main reason for the crashes was a TreeView that was recreated during monitor disconnects.

Does your computer have a monitor or is it headless?

12
HTML & templates / Re: The "Takeback" template - A different & modern taste
« on: February 09, 2021, 11:22:09 AM »
...
@Rapid has a version of HFS 2 that split server and client code. Have a try on that?
I'm just trying to split.
One of the problems is that macros rely on the client side.

13
I currently use an nginx reverse proxy and can pass the connecting IP. I tried this with Apache and was never successful.

As a side note, HFS is always going to show the connection coming from the proxy IP address, but in HFS you can turn off logging of that connection and instead record the IP of the GET requests, which is what nginx passes and likely the address you're interested in.

An added bonus to using a reverse proxy is it can easily be set up to use free Let's Encrypt SSL certs and the HFS server can remain standard HTTP.

Here's what you need nginx to pass in a custom header:

X-REAL-IP - $remote_addr
X-Forwarded-For $remote_addr
Host $host
X-Forwarded-Proto $scheme
https://rejetto.com/forum/index.php?topic=13059.msg1064448#msg1064448 - to get real IP in logs
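
The four headers listed above, written out as an nginx server block. This is an added example, not part of the original post; the host name hfs.example.com, the HFS address 127.0.0.1:8080 and the certbot certificate paths are assumptions.

```nginx
# Added example. Assumptions (not from the post): HFS listens on plain HTTP
# at 127.0.0.1:8080 and the public name is hfs.example.com.

# Send plain-HTTP visitors to HTTPS so logins do not cross the network in clear text.
server {
    listen 80;
    server_name hfs.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name hfs.example.com;

    # Paths as laid out by certbot, the Let's Encrypt client (assumed).
    ssl_certificate     /etc/letsencrypt/live/hfs.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hfs.example.com/privkey.pem;

    location / {
        # HFS itself stays on standard HTTP behind the proxy.
        proxy_pass http://127.0.0.1:8080;

        # The headers from the post. X-Forwarded-For is set to $remote_addr
        # rather than $proxy_add_x_forwarded_for, so any X-Forwarded-For value
        # supplied by the client is replaced with the address nginx actually saw.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The forwarded address is only trustworthy in the HFS log if HFS accepts connections from the proxy alone (for example by listening on the loopback address); a client that can reach HFS directly can set these headers itself.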

14
HTML & templates / Re: How to Speed up Rendering
« on: December 09, 2020, 06:47:45 AM »
Could you benchmark my latest version also?
I've made many optimizations in the macro parser...
https://github.com/drapid/HFS/releases

15
HFS ~ HTTP File Server / Re: 4K screens problem
« on: November 16, 2020, 01:39:27 PM »
The latest Delphi has new components, TImageCollection and TVirtualImageList:
http://docwiki.embarcadero.com/RADStudio/Rio/en/Supporting_high-DPI_images_with_the_Image_Collection_and_Virtual_ImageList_components

I've switched to them and added several 32x32 icons, and the menus look much better now.

But we need to support HiDPI on the web-client side also.
Maybe we should make 2 icon-sets and request images based on web-client resolution? Somewhat like Lo and Hi res.
