rejetto forum

Recent Posts

1
HFS ~ HTTP File Server / HFS v2.4, and security update By DANNY
« Last post by danny on August 09, 2025, 02:58:45 AM »
Thanks Leo!   A lot of your suggestions were incorporated into these new versions.  I really would have been lost without your help with it. 
I do like the idea of supporting the many installs of HFS2x, by providing an option for stable and secure.

And now we have the HFS2.4 template, able to run on our stable and secure version of HFS 2x.
Contributors:  Rejetto, DJ, Rapid, NaitLee, Mars, LeoNeeson, SilentPliz, Danny, Bmartino

Large Folder Capable!  No Slow Paging!   It has a non-blocking streaming list.
Also has auto-ban for excessive 404/login; that doesn't apply to logged-in users.
HFS native upload pages used for data integrity and many-files upload capacity.
It has browser native icons and native javascript, for saving data and going fast.

Consider this an HFS2.3 > 2.4 adapter, because most of the work in 2.4 was the template itself.
*the template is in the zip files with security-patched HFS from http://software.run.place
2
New versions of Throwback are included in the .zip file with the security-patched editions of HFS.
https://rejetto.com/forum/index.php?topic=13703.0
3
Subject: Re: HFS2.x security update 'p5' on suggestion from forum admin
The suggestion that I got, was (paraphrase):  Disable the .exec macro, to help folks sleep better at night. 
Wait a second... a private message from the forum admin?!  (Rejetto) ??? I demand proof, screenshots, and maybe even a signed affidavit from Rejetto himself! ;D Jokes aside, I actually agree that disabling the .exec macro makes sense if it helps you sleep better at night. 8)

These are new 2025 community editions built from a cleaned-up and stable version of HFS.
Just as a side note on your mention about a “community-edition of HFS”, I wanted to clarify something I’ve said in the past. The idea of creating a true community edition was more of a wishful thought on my part, meant to encourage the participation of other professional Delphi developers. In my view, to actually call it a “community edition”, we would need at least three or more experienced developers working together in sync, which, let’s be honest, is very unlikely to happen.

So while your work is valuable and commendable, and I sincerely appreciate your dedication, I believe it’s still more accurate to see it as your own version of HFS, just as Mars once released his own (some spare builds), and others have done too over the years. And if someday I release a version myself, it won’t be a community edition either, it’ll be just my own personal effort, same as yours is now.

Truth is, we’re each working on our own, doing our best to keep HFS alive, and that’s already a big achievement in itself. I just wanted to make that clear, and also to emphasize that in your version, you are entirely free to do whatever you believe is best, regardless of what I or Mars might suggest. That kind of independence is one of the great things about open source. :)
4
HFS ~ HTTP File Server / HFS2.x security update 'p5' on suggestion from forum admin
« Last post by danny on July 30, 2025, 10:30:16 PM »
The suggestion that I got, was (paraphrase):  Disable the .exec macro, to help folks sleep better at night. 

Although a collection of new filters still prevents macros from being run remotely, it is even more comfortable to know exactly what the .exec macro will do.
So, for "p5" (security patch level 5), the .exec macro function has been changed to make a log entry on-screen, and .exec does nothing else at all.

HFS2.3K_299p5 and HFS2.3N_301p5 are available at http://software.run.place

P.S. 
The "K" has tighter timings ideal with the faster templates like throwback and stripes, or
The "N" has the language feature and longer timings to tolerate feature-filled templates.
These new 2025 editions are built from a cleaned-up and stable version of HFS.
Edit:  Now we might want to try for a community edition.
 
5
HFS ~ HTTP File Server / Re: HFS v2.x By DANNY
« Last post by danny on July 24, 2025, 12:22:18 AM »
HFS2.3N is released
And the server you'd download from is running the same version of HFS2.3N


It has:
Added security filter from Leo (result is auto ban) for hfs-specific
Added security filters from me (result inactivated) for unspecified
Added Leo's skip the loop filter for graph workload (no load if feature unused)
Added Leo's skip the loop filter for limiter workload (reduced load if feature unused)
Shielded archive links (logged-in users may archive, bots cannot)
Removed version "M" bugged headers mod (to avoid disrupting the data flow)
Removed operationally reliant hardcoded external reference (was outdated)

6
HFS ~ HTTP File Server / Re: HFS v2.x By DANNY
« Last post by LeoNeeson on July 15, 2025, 07:25:35 AM »
Thanks to Leo for help in bypassing the always-on limiters, and this prevents freezes.

Thanks to Leo for updated code that blocks hfs-specific attack, in the .exe, without reliance on any particular template.
Thanks, Danny, for the acknowledgment, I appreciate it.

My only contribution was two small code tweaks, which I’ve shared here in case anyone is interested in reviewing or using them.

Keep up the good work!
Cheers,
Leo.-
7
Programmers corner / Code tweaks for HFS 2.3 users
« Last post by LeoNeeson on July 15, 2025, 07:24:24 AM »
Hello everyone! :)

One of the pillars of open source software is, without a doubt, promoting transparency — the ability to compile the source code yourself (along with verifying its security and understanding its functionality). This becomes even more important when we're talking about an HTTP file server. That's why, whenever I collaborate on something, I always try to make my contributions public.


In this case, I want to publicly thank Danny, who recently shared his own customized version of HFS in this thread. I haven't reviewed his changes in depth — I've only briefly tested his version — but I did help him with two small improvements that I’m sharing here in case anyone finds them useful.

Thanks to Leo for help in bypassing the always-on limiters, and this prevents freezes.

That specific tweak is simply the following code (Danny is using an older build: HFS 2.3k, but it's the same and could be used on other versions as well). Personally, I haven’t been able to reproduce any issues that this is supposed to fix, but technically the change should have a positive effect.

The following is a portion of 'main.pas' in 'hfs2.3m.src.zip'
Add the line marked in red, after line 5061 in 'main.pas'


Quote
  with objByIp(data.address) do
    begin
    if speedLimitIP < 0 then limiter.maxSpeed:=MAXINT
    else limiter.maxSpeed:=round(speedLimitIP*1000);
    if limiter.maxSpeed < MAXINT then
    if conn.limiters.indexOf(limiter) < 0 then
      conn.limiters.add(limiter);
    end;



Thanks to Leo for updated code that blocks hfs-specific attack, in the .exe, without reliance on any particular template.

This change is simple: it bans the IP of any user attempting to execute a macro via the URL (which is the cause of the vulnerability described in this other thread), even though a similar IP ban could already be implemented using macros in a template. Personally, I think this may not be very effective nowadays, since many ISPs assign dynamic IPs (often even changing the subnet), or because proxies can bypass this entirely. Still, it’s one more layer of protection that might interest some users.

The following is a portion of 'main.pas' in 'hfs2.3m.src.zip'
Add all these lines, around line 5091 in 'main.pas'


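Code:
  // Fragment for main.pas: assumes an integer local "i" is declared in the enclosing procedure.
  // Reject any request that contains an HFS macro marker.
  if anyMacroMarkerIn(conn.request.full) then
    begin
    data.disconnectReason := 'Possible security threat';
    add2log('Hack attempt blocked: '+ansiToUTF8(conn.request.url));
    getPage('ban', data);
    conn.reply.mode := HRM_DENY;
    // Add the client address to the ban list unless it is already banned.
    if not isBanned(conn.address, data.banReason) then
      begin
        i := length(banlist);
        setlength(banlist, i+1);
        banlist[i].ip := conn.address;
        banlist[i].comment := data.disconnectReason;
      end;
    exit;
    end;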

These were my only two contributions. The rest of the build reflects Danny’s personal choices and ideas.



Anyone is free to compile HFS (there are many users who have already done it), and if you're not sure how, you can check out the tutorial here. That’s all for now. I'm closing this topic since its purpose was simply to share this. If I ever need to add something else, I’ll ask a moderator to reopen it. ;)

Cheers, 
Leo.-
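
As a complement to the in-server ban described in the post above, this added example (not code from the post or from HFS) scans request lines for macro markers after percent-decoding, so encoded markers are caught as well. The marker set and the log line format are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: HFS 2.x macro delimiters are "{." / ".}" and the quoting pair "{:" / ":}".
MACRO_MARKER = re.compile(r"\{[.:]|[.:]\}")
MAX_DECODE_ROUNDS = 3  # bound on repeated percent-decoding of nested encodings

def normalize(target: str) -> str:
    """Percent-decode repeatedly (bounded) so %7B. and %257B. both surface as '{.'."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(target, encoding="latin-1")
        if decoded == target:
            break
        target = decoded
    return target

def has_macro_marker(target: str) -> bool:
    """True if the decoded request target contains a macro delimiter."""
    return bool(MACRO_MARKER.search(normalize(target)))

# Constructed log format for this example: "<client-ip> <method> <request-target>"
LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def suspicious_clients(lines):
    """Count, per client address, the requests whose target carries a macro marker."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if m and has_macro_marker(m.group(3)):
            hits[m.group(1)] += 1
    return hits

# Constructed sample lines (documentation address ranges, placeholder macro name).
SAMPLE_LOG = [
    "203.0.113.7 GET /files/report.pdf",
    "203.0.113.7 GET /?search=notes",
    "198.51.100.23 GET /?search=%7B.placeholder-macro.%7D",
    "198.51.100.23 GET /?search=%257B.placeholder-macro.%257D",
    "192.0.2.44 GET /docs/a%7Bb%7D.txt",  # braces without '.' or ':' are not markers
]

if __name__ == "__main__":
    for ip, count in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {count} request(s) with macro markers")
```
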
8
HFS ~ HTTP File Server / Re: HFS v2.x By DANNY
« Last post by danny on July 11, 2025, 10:06:03 PM »
Speedup: 
locate hfs23-K-patched3.zip and you can test it out. 
http://software.run.place
It is running that same copy of HFS2.3K, with the macros on.

Thanks to Leo for help in bypassing the always-on limiters, and this prevents freezes.  Also, I raised the console TTL so the UI stays responsive. 

 Edit:  For round 3:  Thanks to Leo for updated code that blocks hfs-specific attack, in the .exe, without reliance on any particular template.  So, you can use any template that you want to.
 
Included in the zip file is now the legacy default template for HFS2.3M, and I have altered it slightly, so it can run well on the security-patched edition of HFS2.3K.  There is the unicode font added to the stylesheet, some necessary size adjustment, and it does not overwork the system icon code.
9
HFS ~ HTTP File Server / Re: HFS v2.x By DANNY
« Last post by danny on July 09, 2025, 12:30:32 AM »
For the patched version of HFS2.3K, I've added many layers of defense... and *might have solved/reduced the gigabit freeze problem.
http://software.run.place
locate hfs23-K-patched.zip and you can test it out. 
The site to download it is running that same copy of HFS2.3K, with the macros on.