
HFS v2.x security update (topic started by danny)


danny:
Hi Leo! Thanks for the reply. Thanks for the compiling guide!

Patched edition available at http://software.run.place

« Last Edit: July 27, 2025, 07:44:28 PM by danny »


LeoNeeson:

> Hi Leo! Thanks for the reply. Thanks for the compiling guide!
>
> Patched edition available at http://software.run.place
> Macros are disabled. New Throwback15 template added.
>
> Is there a way to do New Folder with macros off?
Hey Danny! It's nice you did your custom version. :D I'm glad you liked and found my guide to compiling HFS helpful. The message below is what I wrote yesterday before going to sleep (replying to your original message), which I'll leave here anyway...



> Hi Leo! Thanks for the reply.
>
> Is it possible to get a patched copy of HFS 2.3K, 2.3L or even 2.3M?
> The "K" and "L" withstand gigabit slightly better than the "M" version.
> However, I don't need 2.4 because it locks up under gigabit load.
>
> So, file download location of patched HFS 2.3?
  • Officially, there isn't a "patched" version of ANY version of the whole version 2 (since Rejetto, is now focused on the new version 3), nor do I have any (personal) version ready to share (if I had it, I would gladly share it, but I still have nothing ready).
  • Unofficially, anyone can compile HFS from the source code and modify it to avoid this vulnerability. You'd need a copy of 'Turbo Delphi' or some later version, though. You can check my tutorial "How to compile HFS" if you wish.
Sadly, I don't have the time to continue with this anymore, at least for the foreseeable future. I only have like 10 or 20 minutes a day to reply to messages, and programming just takes up way too much time – time I don't have right now. It's not a lack of motivation, but circumstances beyond my control (my parents' health), that are keeping me from continuing work on this. I just can't give you any date on when I'll have free time again to get back to this, but don't lose hope! And thanks for your hosting offer, I appreciate it.

You can try some of the other 'code change' suggestions I've left on this thread (if you want to compile the source code yourself, but you will be on your own with this), or, even better, use another "fork" (unofficial version) of HFS, like any of the options described in this thread. But, what version you choose is totally up to you. The easiest option right now is to just stick with any -official- HFS version 2 (preferably the latest), with macros disabled for now. Or, you could always upgrade to HFS 3 to make Rejetto happy! ;)
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 gets its stable version.


danny:
For the patched version of HFS2.3K, I've added many layers of defense... and might have solved/reduced the gigabit freeze problem.
http://software.run.place
Locate hfs23-K-patched.zip and you can test it out.
The site to download it from is running that same copy of HFS2.3K, with the macros on.


danny:
Speedup:
Locate hfs23-K-patched3.zip and you can test it out.
http://software.run.place
It is running that same copy of HFS2.3K, with the macros on.

Thanks to Leo for help in bypassing the always-on limiters, which prevents freezes. Also, I raised the console TTL so the UI stays responsive.

Edit: For round 3: Thanks to Leo for updated code that blocks an HFS-specific attack in the .exe, without reliance on any particular template. So, you can use any template that you want to.

Included in the zip file is now the legacy default template for HFS2.3M, which I have altered slightly so it can run well on the security-patched edition of HFS2.3K. The Unicode font is added to the stylesheet, some necessary size adjustments were made, and it does not overwork the system icon code.
« Last Edit: July 28, 2025, 04:40:15 AM by danny »


LeoNeeson:

> Thanks to Leo for help in bypassing the always-on limiters, and this prevents freezes.
>
> Thanks to Leo for updated code that blocks hfs-specific attack, in the .exe, without reliance on any particular template.
Thanks, Danny, for the acknowledgment; I appreciate it.

My only contribution was two small code tweaks, which I’ve shared here in case anyone is interested in reviewing or using them.

Keep up the good work!
Cheers,
Leo.-


danny:
HFS2.3N is released.
And the server you'd download from is running the same version of HFS2.3N.

It has:
  • Added security filter from Leo (result is auto ban) for hfs-specific
  • Added security filters from me (result inactivated) for unspecified
  • Added Leo's skip-the-loop filter for graph workload (no load if feature unused)
  • Added Leo's skip-the-loop filter for limiter workload (reduced load if feature unused)
  • Shielded archive links (logged-in users who can delete may archive, bots cannot)
  • Removed version "M" bugged headers mod (to avoid disrupting the data flow)
  • Removed operationally reliant hardcoded external reference (was outdated)

« Last Edit: July 24, 2025, 12:24:46 AM by danny »


danny:
The suggestion that I got was (paraphrased): Disable the .exec macro, to help folks sleep better at night.

Although a collection of new filters still prevents macros from being run remotely, it is even more comfortable to know exactly what the .exec macro will do.
So, for "p5" (security patch level 5), the .exec macro function has been changed to make a log entry on-screen, and .exec does nothing else at all.

HFS2.3K_299p5 and HFS2.3N_301p5 are available at http://software.run.place

P.S.
The "K" has tighter timings, ideal for the faster templates like Throwback and Stripes, or
the "N" has the language feature and longer timings to tolerate feature-filled templates.
These new 2025 editions are built from a cleaned-up and stable version of HFS.
Edit: Now we might want to try for a community edition.

« Last Edit: Yesterday at 04:47:19 AM by danny »


LeoNeeson:

Subject: Re: HFS2.x security update 'p5' on suggestion from forum admin

> The suggestion that I got, was (paraphrase): Disable the .exec macro, to help folks sleep better at night.
Wait a second... a private message from the forum admin?! (Rejetto) ??? I demand proof, screenshots, and maybe even a signed affidavit from Rejetto himself! ;D Jokes aside, I actually agree that disabling the .exec macro makes sense if it helps you sleep better at night. 8)

> These are new 2025 community editions built from a cleaned-up and stable version of HFS.
Just as a side note on your mention of a “community edition of HFS”, I wanted to clarify something I’ve said in the past. The idea of creating a true community edition was more of a wishful thought on my part, meant to encourage the participation of other professional Delphi developers. In my view, to actually call it a “community edition”, we would need at least three or more experienced developers working together in sync, which, let’s be honest, is very unlikely to happen.

So while your work is valuable and commendable, and I sincerely appreciate your dedication, I believe it’s still more accurate to see it as your own version of HFS, just as Mars once released his own (some spare builds), and others have done too over the years. And if someday I release a version myself, it won’t be a community edition either, it’ll be just my own personal effort, same as yours is now.

Truth is, we’re each working on our own, doing our best to keep HFS alive, and that’s already a big achievement in itself. I just wanted to make that clear, and also to emphasize that in your version, you are entirely free to do whatever you believe is best, regardless of what I or Mars might suggest. That kind of independence is one of the great things about open source. :)


danny:
Thanks, Leo!

A lot of good suggestions were incorporated into these new versions. 
I really would have been lost without your help with it. 

I do like the idea of keeping compatibility with existing installs of HFS, by providing an option for secure and sturdy.
More than a "museum of feature requests" has been secured so far, and approximately 1800 times, because people do like and want HFS2.3. 

An example of some of the work is the old default template, now updated for the speed to support today's internet connections.