rejetto forum

version 2.4

rejetto · 455 · 152199

0 Members and 2 Guests are viewing this topic.

Offline dj

  • Tireless poster
  • ****
    • Posts: 279
  • 👣 🐾
    • View Profile
    • PWAs
you added the mime type for mkv (works with chrome)

why not add

 .mp3 audio/mp3
 .mp4 video/mp4
(.m3u8 application/x-mpegURL)
« Last Edit: June 11, 2020, 04:44:21 AM by dj »


Offline NaitLee

  • Tireless poster
  • ****
    • Posts: 164
  • Computer brained boy
    • View Profile
    • A Normal Webpage
Maybe the "sha256" macro can be used to encrypt passwords easily.
The sha256 result can be sent to client, then just slice some of its result with some rule and offset password bytes in some way?
To encrypt new password with old pass, we need a method to get it. As well as the oldpass-newpass-newagain form, may need this.
Check out my template and PHFS ;)


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
    • View Profile
in the version of silentpliz using stunnel, he introduced a tab on the main page to manage the creation of such a certificate,

hfs will handle the certificate when it support https.
making it just for the password-change it is too much, and there would even be a design problem: the change is a tpl-only feature at the moment. If you move even one bit to the server, then you move also the [ajax...] part, for consistency, for good design.
In the meantime it can be done as a plugin/tpl. You have {.exec.} and you can call openssl.
I was considering making a plugin for https, with nginx, openssl, and possibly letsencrypt. Sadly I have little time now.

The sha256 result can be sent to client, then just slice some of its result with some rule and offset password bytes in some way?

the password is to be communicated to the server, not to the client. And there's no way to solve this problem only with hashing, that i know.

you added the mime type for mkv (works with chrome)
why not add

agreed
« Last Edit: June 11, 2020, 09:25:46 AM by rejetto »



Offline NaitLee

  • Tireless poster
  • ****
    • Posts: 164
  • Computer brained boy
    • View Profile
    • A Normal Webpage
Should this thing be fixed? It's still there.
Additionally, in Wine/Linux HFS only shows the IP 127.0.0.1.

Because of the quotes added in a fix, now the filename on download have no problem with Chrome.
But in Firefox appears to have the quote attached before and after.
Snapshot shows the Firefox version 79.0a1 (Nightly), a quote after extension made the judge of filetype not matched, with double extensions.
And in Firefox ver 69.0.2 (on GNU/Linux), the filename always comes with _underlines_ before and after.
« Last Edit: June 12, 2020, 03:55:10 PM by NaitLee »
Check out my template and PHFS ;)


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
    • View Profile
Should this thing be fixed? It's still there.

well, why not. I don't use linux and I'm not going to do it. You? :) Anyone can contribute.

Because of the quotes added in a fix, now the filename on download have no problem with Chrome.
But in Firefox appears to have the quote attached before and after.

aaargh. Ok, i've changed solution. No more double quotes, i will instead encode commas (and semicolons).
I just tried with chrome and firefox a file with a space, and comma and semicolon. All well with the next release.
Thanks for reporting.


Offline danny

  • Tireless poster
  • ****
    • Posts: 273
    • View Profile
During testing, I was really happy to see proactive (self-repair) error messages such as 'busy' which lasted only a second and then it had repaired itself. 
Awesome!

Here are some more examples of proactive/automated error handler.
Code: [Select]
[overload]
{.if not|%user%|{:{.if|{.%url% = /.}|{:{.disconnect.}:}.}:}.}{.add header|Cache-Control: no-cache, max-age=0.}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<META HTTP-EQUIV="Refresh" CONTENT="3;URL=./">
<TITLE>Overload</TITLE>
<body bgcolor="black" text="white" alink="white" link="white" vlink="white">
<center><h2><br>High traffic mode engaged.</h2>Returning to previous page after overload has cleared.</center></body></html>

[max contemp downloads]
{.add header|Cache-Control: no-cache, max-age=0.}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<META HTTP-EQUIV="Refresh" CONTENT="3;URL=./">
<TITLE>Downloads</TITLE>
<body bgcolor="black" text="white" alink="white" link="white" vlink="white">
<center><h2><br>There are ongoing downloads.</h2>More available <i>after</i> current downloads finish.</center></body></html>

[not found]
{.if|{.match|*.php*;*.js;*.py;*.vbs*;*.exe|%url%.}|{:{.disconnect.}:}.}{.add header|Cache-Control: no-cache, max-age=0.}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<META HTTP-EQUIV="Refresh" CONTENT="1;URL=../">
<TITLE>404</TITLE>
<body bgcolor="black" text="white" alink="white" link="white" vlink="white">
<center><h2><br>You have found the 404 page.</h2>Redirecting.</center></body></html>

[deny]
{.if not|%user%|{:{.disconnect.}:}.}{.if|{.match|*.php*;*.js;*.py;*.vbs*;*.exe|%url%.}|{:{.disconnect.}:}.}{.add header|Cache-Control: no-cache, max-age=0.}<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"><html><head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<META HTTP-EQUIV="Refresh" CONTENT="1;URL=../">
<TITLE>Denied</TITLE>
<body bgcolor="black" text="white" alink="white" link="white" vlink="white"><center><h1><br><br>No</h1></center></body></html>

[ban]
{.disconnect.}
« Last Edit: June 14, 2020, 06:43:49 PM by danny »


Offline dj

  • Tireless poster
  • ****
    • Posts: 279
  • 👣 🐾
    • View Profile
    • PWAs
After trying to change password with default tpl and rc3 (rc2 works fine)
Does this only happen to me?



in my template change password works and will be sent base64 encoded to the server
« Last Edit: June 13, 2020, 04:30:37 AM by dj »


Offline NaitLee

  • Tireless poster
  • ****
    • Posts: 164
  • Computer brained boy
    • View Profile
    • A Normal Webpage
Does this only happen to me?

No, me too.

Seems it's jQuery failed to handle something.
A lot of lines of script was put into a VM with many <br>.
Check out my template and PHFS ;)


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
    • View Profile
sorry guys, i've broken the ajax() function with address ?~ajax instead of /~ajax  :(


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
    • View Profile
sorry guys, i've broken the ajax() function with address ?~ajax instead of /~ajax  :(

actually, only ?mode=section&id=ajax is good, because the folder path is important. I had forgot. Too many years have passed. Added a comment in the source to remember. ;D

Anyway, next release will revert the 'files' to 'selection' and accept the 'unauthorized' section, to help tpl to be compatible with 2.3.
To tell if the tpl is compatible with 2.4 i will introduce a dedicated method, that is, a mandatory section [api level] with a number inside. For now the number is 2.
Code: [Select]
[api level]
2
This is a method that we can use also in the future if we have breaking changes.

WOuld someone of you template makers please give a look at this preview and tell me that the news are working well for you? Thanks
https://drive.google.com/file/d/1cpNFwGlYcBZIEFObFo1_WFsyKlquU_6E/view?usp=sharing


Offline dj

  • Tireless poster
  • ****
    • Posts: 279
  • 👣 🐾
    • View Profile
    • PWAs

Offline danny

  • Tireless poster
  • ****
    • Posts: 273
    • View Profile
had to update, if bad password, refresh page
reverted change to delete script for selection vs files.

Cool new bonus found!  HFS2.4 is now compatible with UTF-8 template so you can put icons as a regular text character in the template.  Very efficient!!  So, please default {.set ini|use-system-icons=no.} for HFS2.4

request:  please don't use "api level" for censor because, for the future, it could be bad if .exe automatic update suddenly changes server-owner's template at random times.  That conflicts .exe updates, because api-level moving target is not feasible for production server.  Your previous idea of banning the [unauthorized] section was much better. 

I chose to continue omitting the [unauthorized] section because it is never reached due to diy /~login page.  Therefore, it seems fine to let the 404 handler filter and redirect the missing page.  There was in fact, no use for unreached [unauthorized] section.

Bug:  {.if|!%user%|{:howdy stranger:}.} worked in HFS2.3, fails in HFS2.4.  Need to double-check the ! reverse logic shortcut.
For Throwback, I replaced previously working !%user% with currently working not|%user%  And, that is okay.

auto-ban not achievable, so Security Feature Request:  Need a menu/limits  option to limit bad login flooding/attack/volume to 5 per hour (or "x number per hour).   
« Last Edit: June 14, 2020, 06:58:34 PM by danny »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
    • View Profile
Cool new bonus found!  HFS2.4 is now compatible with UTF-8 template files (and maybe more?) so you can put icons as a regular text character in the template.  Very efficient!!  Please default {.set ini|use-system-icons=no.} for HFS2.4

I will surely change that in the future but it's too early.
def settings should match the def tpl, and it still using the system icons.

Quote
request:  please don't use "api level" for censor because, for the future, it could be dreadful if .exe automatic update suddenly changes server-owner's template at random unannounced times.  That is in conflict with .exe updates.  The api-level moving target is not feasible for production server.  Your previous idea of banning the [unauthorized] section was much better. 

You are right about automatic updates, it can be a disrupting experience. I don't really have a better solution a this moment.
Maybe it's better if tpl change is not force, and let the server unable to login people until the admin acts? What's worst? IDK.
Anway, banning [unauthorized] is exactly the same thing. You update and you get the error and are switched to default tpl. I don't understand why you think there is a difference. Probably you are not thinking of old tpl, but of tpl that were adapted for 2.4

Quote
I chose to continue omitting the [unauthorized] section because it is never reached due to diy /~login page. 

indeed, you are talking about 2.4-aware tpl.
Of course they will work.
But you will have to comply. In 2.3 the [unauthorized] section is sent when the credentials fail, i think. The documentation is bad about it, tells nothing.
I tried to have a "smart" method, but got sick of it. Sometimes explicit declaration is better than euristhic methods.

Quote
Bug:  {.if|!%user%|{:howdy stranger:}.} worked in HFS2.3, fails in HFS2.4.  Need to double-check the ! (reverse logic shortcut), because it faulted a bit.

i just tried. It never worked. It is just not supported and I don't think someone said it is. It's not in the documentation either.
I also warned you about this error in your tpl in another forum thread.
Make a better test in 2.3, that one of yours is probably fooling you {.if|!1|wrong|good.}

Quote
auto-ban not achievable, so Security Feature Request

this request is in to-do since forever and will likely be addressed soon. Anyway i don't see why you say "not achievable".
« Last Edit: June 14, 2020, 07:56:58 AM by rejetto »


Offline rejetto

  • Administrator
  • Tireless poster
  • *****
    • Posts: 13310
    • View Profile
https://github.com/rejetto/hfs2/releases/download/v2.4-rc04/hfs.exe

there is a slight difference with the exe from few posts ago, now the def tpl has the [api level]. It is necessary for people who decide to edit the tpl.