rejetto forum

Software => HFS ~ HTTP File Server => Beta => Topic started by: rejetto on January 17, 2009, 01:45:36 PM

Title: Testing build #219
Post by: rejetto on January 17, 2009, 01:45:36 PM
NOTICE: this includes an important security fix.

download @ www.dovedove.it/hfs/hfs219.exe

what's new
+ easier way to restore options after "temporarily reset options"
- big security problem only for Win95/98/ME (not others): directory crossing www.rejetto.com/forum/?topic=6542
- {.mime.} was not working
- file properties: "add new" icon was enabled for root
Title: Re: Testing build #219
Post by: luckman212 on January 17, 2009, 05:11:17 PM
cheers!  thank you!!   ;D
also, this bug is still not fixed:
http://www.rejetto.com/forum/index.php?topic=6484.msg1039325#msg1039325
Title: Re: Testing build #219
Post by: maverick on January 17, 2009, 07:30:41 PM
Quote
also, this bug is still not fixed:
http://www.rejetto.com/forum/index.php?topic=6484.msg1039325#msg1039325

1.  I confirm the default template error - builds 218, 219 (maybe older builds too)
2.  It happens when the [upload-success] section is triggered
Title: Re: Testing build #219
Post by: Kremlin on January 20, 2009, 11:14:34 PM
Hi, it was I that actually reported this bug http://www.rejetto.com/forum/index.php?topic=6508.0 and just wanted to know if you were referring to 219 or 220  :)
Posted on: 20 January 2009, 23:30:11
I'm talking about a different bug report (the one in the link I pasted), and was asking rejetto about his response in it   ;)
Title: Re: Testing build #219
Post by: luckman212 on January 21, 2009, 12:16:47 AM
I was talking about build #219
Is there a 220 available?
I was not aware of it.
 :o
Title: Re: Testing build #219
Post by: Kremlin on January 21, 2009, 01:58:48 AM
220 is not yet released, otherwise it would be available here in its appropriate place. If you read the linked topic you will understand that I was referring to the release 219 or the 220 yet to come.
Title: Re: Testing build #219
Post by: luca69 on January 22, 2009, 10:53:51 AM
Installed 219.
I noticed that a group can be used as account as well, but without any password!

Moreover, the same user name can be specified into the user list more than once
Title: Re: Testing build #219
Post by: maverick on January 22, 2009, 01:10:35 PM
Quote
I noticed that a group can be used as account as well, but without any password!

HFS will prevent anyone from logging in with a group name

Quote
Moreover, the same user name can be specified into the user list more than once

That user would be a member of more than one group.  Here is more information about user groups from the wiki -> http://www.rejetto.com/wiki/index.php/User_groups
Title: Re: Testing build #219
Post by: Ranger on January 22, 2009, 01:27:36 PM
Quote
I noticed that a group can be used as account as well, but without any password!

Quote
HFS will prevent anyone from logging in with a group name

Actually I just tested logging in with a group name and it works. The login button disappears. However no new folders appear that this group should see, but they now have access to a folder you're not supposed to until you log in.
Title: Re: Testing build #219
Post by: maverick on January 22, 2009, 02:03:30 PM
Quote
I noticed that a group can be used as account as well, but without any password!

Quote
HFS will prevent anyone from logging in with a group name

Quote
Actually I just tested logging in with a group name and it works. The login button disappears. However no new folders appear that this group should see, but they now have access to a folder you're not supposed to until you log in.

I just tried logging in with a group name and it wasn't successful.  How did you log in?  What password did you use at login?  (No password is set up for a group name, so there is nothing valid you can put in the password field.)  The login fails.

You must have logged in with a valid user name & password, then, by the way that account was set up, after login redirected to a group, which is the way it would work.  But that's not what is being talked about here.
Title: Re: Testing build #219
Post by: Mars on January 22, 2009, 02:56:19 PM
Quote
I noticed that a group can be used as account as well, but without any password!
TRUE

Quote
HFS will prevent anyone from logging in with a group name
FALSE

a) create an account with no password

b) attribute the rights of access for a directory for this account only

c) convert this account to a group

d) you can go in the folder with the account (group) name and blank password

e) if you uncheck the group for this account, give it a password, and convert it to a group

f) password box is masked
(don't forget to save every time :D )

g) you can now go in the folder with the group name and the new password (leave blank and you can't log in)


optionsdlg.pas
Quote
function ToptionsFrm.saveAccountProperties():boolean;
...
  a:=@tempAccounts[lastAccountSelected];
  a.enabled:=accountEnabledChk.checked;
  a.pwd:=pwdBox.Text; // copied on every save, whether or not groupChk is checked
  a.noLimits:=ignoreLimitsChk.checked;
  a.redir:=redirBox.Text;
  a.link:=split(';', trim(accountLinkBox.text));
  a.group:=groupChk.Checked;
  uniqueStrings(a.link);
  result:=TRUE;
  accountsBox.invalidate();
end; // saveAccountProperties

a.pwd:=pwdBox.Text;

the password is saved every time you save an account; when you change an account to a group, the old password is not cleared. :)


sorry maverick, but I agree with the other man  ;)
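
The save-then-login flaw described in the post above, as an added Free Pascal model that is not HFS code and not part of the original post: TAccount, the save and login routines and the password value are hypothetical or constructed. It shows that clearing the password on conversion is not enough unless the login check also refuses group entries.

```pascal
program GroupLoginDemo;
{$mode objfpc}{$H+}
// Added illustration: all names here are hypothetical, modelled on the
// snippet quoted in the post; this is not HFS source code.
type
  TAccount = record
    user, pwd: string;
    enabled, group: boolean;
  end;

// Save as in the posted snippet: the password box is copied unconditionally.
procedure saveAsPosted(var a: TAccount; const pwdBox: string; groupChk: boolean);
begin
  a.pwd := pwdBox;
  a.group := groupChk;
end;

// Hardened save (assumption): a group never keeps a credential.
procedure saveHardened(var a: TAccount; const pwdBox: string; groupChk: boolean);
begin
  a.group := groupChk;
  if groupChk then a.pwd := '' else a.pwd := pwdBox;
end;

// Login that only compares name and password, ignoring the group flag.
function loginNaive(const a: TAccount; const user, pwd: string): boolean;
begin
  result := a.enabled and (a.user = user) and (a.pwd = pwd);
end;

// Hardened login (assumption): a group entry is never a login identity.
function loginHardened(const a: TAccount; const user, pwd: string): boolean;
begin
  result := (not a.group) and loginNaive(a, user, pwd);
end;

// Self-check helper: prints the outcome and stops on the first mismatch.
procedure expect(cond: boolean; const what: string);
begin
  if cond then writeln('ok:   ', what)
  else begin writeln('FAIL: ', what); halt(1); end;
end;

var acc: TAccount;
begin
  acc.user := 'staff'; acc.pwd := 'constructed-pwd'; acc.enabled := true; acc.group := false;
  saveAsPosted(acc, 'constructed-pwd', true);   // convert to a group, password left in the box
  expect(loginNaive(acc, 'staff', 'constructed-pwd'), 'stale password still logs in as the group');
  saveHardened(acc, 'constructed-pwd', true);
  expect(not loginNaive(acc, 'staff', 'constructed-pwd'), 'cleared password no longer matches');
  expect(loginNaive(acc, 'staff', ''), 'but a blank password now matches');
  expect(not loginHardened(acc, 'staff', ''), 'group flag check refuses the login either way');
end.
```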
Title: Re: Testing build #219
Post by: Ranger on January 22, 2009, 03:39:33 PM
Thanks Mars, followed your steps and group login isn't a problem anymore.
Title: Re: Testing build #219
Post by: maverick on January 22, 2009, 06:18:11 PM
Quote
HFS will prevent anyone from logging in with a group name
FALSE

Those words are from rejetto.
http://www.rejetto.com/forum/index.php?PHPSESSID=d2f5aeuucksujmgplin9q6aub2&topic=6198.msg1037132#msg1037132

Quote
a) create an account with no password

b) attribute the rights of access for a directory for this account only

c) convert this account to a group

d) you can go in the folder with the account (group) name and blank password

e) if you uncheck the group for this account, give it a password, and convert it to a group

f) password box is masked
(don't forget to save every time :D )

g) you can now go in the folder with the group name and the new password (leave blank and you can't log in)

optionsdlg.pas

function ToptionsFrm.saveAccountProperties():boolean;
...
a:=@tempAccounts[lastAccountSelected];
a.enabled:=accountEnabledChk.checked;
a.pwd:=pwdBox.Text;
a.noLimits:=ignoreLimitsChk.checked;
a.redir:=redirBox.Text;
a.link:=split(';', trim(accountLinkBox.text));
a.group:=groupChk.Checked;
uniqueStrings(a.link);
result:=TRUE;
accountsBox.invalidate();
end; // saveAccountProperties

a.pwd:=pwdBox.Text;

the password is saved every time you save an account; when you change an account to a group, the old password is not cleared. :)
sorry maverick, but I agree with the other man  ;)

I'm going to have to study this.  Is this the expected procedure and behavior, or is what you are saying to me a bug? ???

Title: Re: Testing build #219
Post by: Mars on January 22, 2009, 06:41:57 PM
Quote
I'm creating a "group" checkbox, so that you tell HFS you mean to use that account as a group.
This way
1. you won't need to enter an impossible password, HFS will prevent anyone from logging in with the group name
2. i can create some GUI facilities for groups only

You are right but as it is not a bug, I would say rather that it is an important neglect of rejetto concerning the functioning of hfs :D
Title: Re: Testing build #219
Post by: rejetto on January 23, 2009, 01:13:40 PM
Quote
Hi, it was I that actually reported this bug http://www.rejetto.com/forum/index.php?topic=6508.0 and just wanted to know if you were referring to 219 or 220  :)

you can see my post is dated 2 days after the publishing of this build, so NO, this is not your build ;)
Title: Re: Testing build #219
Post by: rejetto on January 23, 2009, 01:16:21 PM
Quote
also, this bug is still not fixed:
http://www.rejetto.com/forum/index.php?topic=6484.msg1039325#msg1039325

1.  I confirm the default template error - builds 218, 219 (maybe older builds too)
2.  It happens when the [upload-success] section is triggered

oh, so sorry guys, it's that i still have to watch your latest bug reports. i published this build in a hurry because of the security problem!
it's fixed now, just wait for the new build.
it was actually a double problem: the default template had an error, and HFS was not sturdy enough to handle it. Both solved.
Title: Re: Testing build #219
Post by: luckman212 on January 23, 2009, 01:30:25 PM
cool , I am glad to hear it  :) :)
Title: Re: Testing build #219
Post by: rejetto on January 23, 2009, 02:47:52 PM
Quote
I'm going to have to study this.  Is this the expected procedure and behavior, or is what you are saying to me a bug? ???

a bug! a serious bug...
fixed in next build