[dl-announces] DL 0.19 released

2021-12-01 Thread Yuri D';Elia 
DL 0.19 is now officially available for download at:

  https://www.thregr.org/~wavexx/software/dl/releases/dl-0.19.zip
  https://www.thregr.org/~wavexx/software/dl/releases/dl-0.19.zip.asc

dl 0.19: 2021-12-01
---

* Fixed various compatibility issues with PHP 8 (includes an update of
  the built-in PHP-Gettext to 1.0.12).
* Minimum required PHP version is now 7.0.
* Enforce display_errors=Off once logging is setup.
* Fix temporary ZIP file creation (thanks to @SQ-SEN).
* Fix spurious notices in basefuncs.php (thanks to Emanuele Rosati).
* Allow unicode filenames in ``dl-cli`` (thanks to @mjg).
* Lithuanian translation by Marius Švarcas.

Re: [dl-ticket-service] Notice: A non well formed numeric value encountered in /srv/www/dl/include/basefuncs.php on line 10

2021-03-16 Thread Yuri D';Elia 
Late to the party here 🕶

On Mon, Jun 04 2018, CHRIS CLEMSON wrote:
> PHP Warning:  Version warning: Imagick was compiled against Image Magick
> version 1797 but version 1798 is loaded. Imagick will run but may behave
> surprisingly in Unknown on line 0

This is a system error, but ...

> PHP Notice:  A non well formed numeric value encountered in
> /srv/www/dl/include/basefuncs.php on line 10

was just fixed in the current source.

Re: [dl-ticket-service] thunderbird 68 beta released

2019-09-18 Thread Yuri D';Elia 
On Mon, Sep 16 2019, John Crisp wrote:
>> Same request here: Yuri do you think to have enough time to make a
>> release for TB 68?

Due to the current circumstances, I'll have to abandon both the TB and
the Android clients for the time being. TB has proven to be a huge time
sink that I cannot follow reliably anymore, while the original developer
behind the Android client has left (the released Android client still
works, but recent android releases broke it).

I'm still supporting the DL server though, the command line client as
well as the "wx" windows GUI. I'm lagging in terms of available time,
but I'm actively using DL for a variety of reasons, so that's not going
away.

You're all right that the web pages and release notes should reflect
that and I'll do an update as soon as possible. I held off too much in
the hopes I could get it working again.

[dl-ticket-service] Status of the Thunderbird extension

2018-09-17 Thread Yuri D';Elia 
Hi folks, just want to put some words on the status of the Thunderbird
extension. As you probably noticed, it currently doesn't work on TB 60+.

TB 60 decided to jump on the new FF engine, and as Firefox with the 60
release, the following happened:

- TB 60 doesn't have the WebExtension APIs required yet to develop
  FileLink extensions.

  See https://bugzilla.mozilla.org/show_bug.cgi?id=1481052 TB 63
  "should" be the first TB version that includes the required API. At
  the time, the API is still being discussed.

- Despite knowing several extensions won't work with TB 60, they still
  decided to disable "Legacy extensions" by default. Note that,
  contrarily to Firefox, TB extensions won't have *anything* in common
  with other browsers or clients, so there's no rush for "WebExtension"
  compatibility here.

- TB also deliberately changed several APIs with TB 60, which they could
  have avoided. This broke existing "legacy" extensions exactly at the
  worst possible moment.

- Cherry on top, TB also removed the installation of the xpcom SDK,
  which caused Debian to drop most of the utilities *needed* to
  fix/rebuild the extensions.

Just like FF 60, I'm actually mad at how the transition was handled.
TB is clearly understaffed, but there's no excuse for such a poor
release handling. TB 60-62 will require a specific extension just for
the transition period, and that code will have to be trashed again for
TB 63.

Re: [dl-ticket-service] Not Acceptable error with SQL Server backup file

2018-09-01 Thread Yuri D';Elia 
On Fri, Aug 31 2018, Kelvin Smith wrote:
> If I put the file into a zip archive, everything works normally.
> However, I'd prefer to be able to send the file directly. Any ideas on
> what's going on?

By the error message, it's mod_security detecting the attachment as SQL
(which indeed it is), and blocking it on the basis that it might cause
an SQL injection. This happens before DL can process the attachment, so
this is not a problem on DL by itself.

You should be able to disable this specific case using
"SecRuleRemoveById" (using the appropriate ID as reported in the server
log) inside a  block or inside .htaccess (if allowed).

Look up SecRuleRemoveById or SecRuleEngine for more info.

Re: [dl-ticket-service] Logout problems

2018-05-18 Thread Yuri D';Elia 
On Fri, May 18 2018, Carsten Schulze wrote:
> I tested it with Chrome, Firefox and Edge, all the newest versions on
> different OS. When I close the "Logout Tab" and open a new Tab I'm
> logged in again without any credentials given!

Do you accept the authentication prompt during logout?

Re: [dl-ticket-service] Logout problems

2018-05-18 Thread Yuri D';Elia 
On Fri, May 18 2018, Carsten Schulze wrote:
> When I press the Logout link, I get a windows with a new
> Authentification Request. Now I cancel that and get the following
> message.
>
> Logged-out
>
> Close the browser to complete the logout. Ok, most people think they
> could close the current browser tab, but they really have to close the
> whole browser and reopen it again. That is not logical and no one
> understands why.
>
> Is there another way to destroy the login cache?

This only happens with http authentication.

Now, with most modern browsers (FF, Chrome for sure), you don't need to
close the browser. To invalidate the cache we have to feed the browser a
request which we deny. This results in the auth prompt that you see.

I was thinking of hiding it by performing a background request, and
according to my tests it still does invalidate the cache correctly, but
I didn't have time to implement it yet.

As far as I know, there's no other way to invalidate the auth cache. I'd
be happy to know if there is a better method.

On IE <= 7 though, the cache is never invalidated. You really *need* to
close the browser to logout.

Re: [dl-ticket-service] Working Nginx conf examples

2018-05-04 Thread Yuri D';Elia 
On Thu, May 03 2018, Jalo Ahonen wrote:
> If not then anyone having a working example of nginx-conf with naked
> domain (= exampledomain.tld) for dl-ticket ?
>
> My conf [using: dl 0.18.1] consisting of (nginx + subdomain +
> mysql[MariaDB]) works up to a point of: when trying to download a
> file/zip by using the link (sent in the email by dl-ticket) the result
> is: 502 Bad Gateway

Looks like a badly configured location match, or a broken
split_path_info setting more than a subdomain issue. The download link
does a double redirect, first to a .php page directly, then to the same
page but with an extra path appended.

required path_info quirks:

fastcgi_split_path_info ^(.+\.php)(/.+)$;
try_files $fastcgi_script_name =404;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;

Likewise, when matching php page, ensure "location" is not just \.php$
but somethink like \.php(?:$|/).

* If you wonder why this double redirect is needed, is mainly to support
old browsers and CLI tools which don't properly support a supplied
filename in the content-type.

[dl-ticket-service] DL presentation at SFScon17

2017-12-21 Thread Yuri D';Elia 
Hi everyone,

I did a quick presentation for DL at SFScon17 a month ago. I noticed
today that both the video and presentation are online.

If you're interested or need some PR material, the presentation is in
English and lasts 15 minutes. Vimeo links here:

  https://www.sfscon.it/talks/dl-open-source-self-hosted-file-sharing-solution/

Re: [dl-ticket-service] Web interface doesn't send email to recipient in "Send link to e-mail" field

2017-12-06 Thread Yuri D';Elia 
On Wed, Dec 06 2017, Mark Pagnotta wrote:
> Finally, I pulled out trusty ktrace and traced the php process run by
> the webserver and that run by my console. The web interface never
> invokes the system's mailer, whereas running in the PHP console properly
> calls mailUTF8()->mail()->/usr/sbin/sendmail and everything works.
>
> Any pointers or tests for narrowing down the problem would be greatly
> appreciated.

Random thought: do you happen to have pulled the new apparmor-by-default
support in debian?

Or, any different setting between cli/php.ini and fpm/php.ini?

Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-12-01 Thread Yuri D';Elia 
On Fri, Dec 01 2017, Mark Pagnotta wrote:
> The only strange thing is that the wx-dl client still gives me the same
> error. I assume it's caching the certificate somewhere, right? I'm not
> going to use the client but I can still check this more if you'd like.

I'm not sure here. At least on *nix, I don't see any CRL cache done
automatically by openssl.

Windows might have a different mechanism though, as there is a central
CRL cache. Or it might be a cached OCSP response?

> Anyway, this was totally my fault and I really appreciate the time you
> took to try and help me. (I can't believe my name is permanently
> attached to this thread...)

Hey, I make plenty of mistakes too, and CRL management *is* painful ;)
Don't worry.

Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-12-01 Thread Yuri D';Elia 
On Fri, Dec 01 2017, Mark Pagnotta wrote:
> The command returned an ID and a URL. The ticket was created and the
> file stored on the server successfully. ("POST /rest.php/newticket
> HTTP/1.1" 200 0)

Then the server is correctly configured, no need to look further
server-side.

> Is there any other information I can dig up that may help narrow down
> the issue?

What's interesting here is that dl-wx is built using PyInstaller which
simply bundles python and openssl. There's nothing magic being done in
dl-wx.

But thunderbird is using libnss, which is completely independent. libnss
is also used by the matching firefox version, so if firefox works, I
don't expect issues with thunderbird.

As a suggestion, I would further try dl-cli, the python command line
client. First from your bsd system, then I would try the same client
under windows to replicate the same issue as dl-wx.

To run dl-cli (or dl-wx), install anaconda from
https://www.anaconda.com/. This will install also a bash terminal with a
pre-set path for the anaconda's python. From there, simply run dl-cli as
you would on *nix. The advantage here is that you're testing the same
setup as dl-wx.

Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-11-30 Thread Yuri D';Elia 
On Thu, Nov 30 2017, Mark Pagnotta wrote:
>> rest.php needs some extra configuration server-side to forward
>> authentication credentials to PHP. Errors here are visible on the server
>> logs, not on the client.
>
> I thought I read in the docs that a blank page for rest.php was the
> desired result (if I have not protected the page, which I haven't). I
> don't see any errors in the server's logs. The page is being fetched and
> served properly.

Since you're using OpenBSD's httpd, which I never tried, look at the
apache sample configuration for guidance.

If you're not using http authentication, a blank page is ok, but not
sufficient. PHP might still need forwarding of HTTP_AUTHENTICATION to
work properly.

Try to make an "info" request using "curl". There's a sample request at
the bottom of RESTAPI.rst. If this works, then the server setup is OK,
and the problem is for sure in the client.

Re: [dl-ticket-service] Thunderbird addon and dl-wx client failing on certificate revocation check, browsers work fine.

2017-11-29 Thread Yuri D';Elia 
On Wed, Nov 29 2017, Mark Pagnotta wrote:
> "DL connection error: schannel: next InitializeSecurityContext failed:
> unknown error (0x80092012) - The revocation function was unable to check
> revocation for the certificate" If I uncheck the "Verify SSL
> certificate" box, it all works normally.

That would be surprising. Any change you could share (even privately)
the server URL? I just need to perform a connection, so no credentials
are necessary.

> The https://dl.company.com/rest.php gives me a blank page in all browsers.

rest.php needs some extra configuration server-side to forward
authentication credentials to PHP. Errors here are visible on the server
logs, not on the client.

What kind of web server and PHP setup are you using?

> If the issue is in my PKI, I think that Internet Explorer would fail in
> its connection attempt as well (inetcpl has the "check revocations"
> option enabled). I'm not sure what other troubleshooting I can do. I
> can't seem to get any more information on why the client and addon
> connections are failing.

AFAIK, the old dl-wx client was built with an ancient version of
openssl which didn't support SNI. But the current version available
online does.

I never had CRL problems before, but we could easily have a check.

Re: [dl-ticket-service] Re: Thunderbird addon problem

2017-10-25 Thread Yuri D';Elia 
On Wed, Oct 25 2017, Fulvio Fusco wrote:
>> Multiple instances of this issue exist:
>>
>>https://bugzilla.mozilla.org/show_bug.cgi?id=1051800
>>https://bugzilla.mozilla.org/show_bug.cgi?id=793118
>>
>
> I'm sorry, I can confirm this old issue... my attachments were taken
> from the network; with local files it's all ok.

It would be nice if you could take the time to add a comment to any of
those reports.

This issue likely affects several other extensions, but there was zero
progress in years.

Re: [dl-ticket-service] Thunderbird addon,problem

2017-10-24 Thread Yuri D';Elia 
On Tue, Oct 24 2017, Fulvio Fusco wrote:
> Hi,
> I've a problem with the Thunderbird addon: when I convert an attachment
> to DL
> - the ticket is correctly created on the server
> - the link in the email is correctly created
> - but the original attachment is not removed from the email.
> With previous versions of Thunderbird and of the addon up to a certain
> point it was all ok; I cannot say exactly when the malfunction started.

This is likely an old/new issue in Thunderbird itself.

Could the following be related?

  https://bugzilla.mozilla.org/show_bug.cgi?id=839043

It involves attachments coming from network drives.
Multiple instances of this issue exist:

  https://bugzilla.mozilla.org/show_bug.cgi?id=1051800
  https://bugzilla.mozilla.org/show_bug.cgi?id=793118

Re: [dl-ticket-service] Database problem

2017-10-11 Thread Yuri D';Elia 
On Wed, Oct 11 2017, Blair Alper wrote:
> I installed dl. When I got to creating a user, I get the message
> "cannot initialize database." I also get the same message when
> attempting to access the web interface. The database file exists and
> the permissions appear correct.

So you did initialize the DB using sqlite3 -init ... and then used
useradmin.php to create an initial user?

> /var/spool/dl
> drwxr-xr-x 2 www-data www-data 4096 Oct 10 21:06 data
> -rw-rw 1 www-data www-data 17408 Oct 11 07:09 data.sdb

Check that /var/spool/dl itself is owned by www-data.
sqlite needs to be able to create lockfiles in it.

> user and password to NULL in confwrap.php. Is there a missing step in
> the instructions about creating a database user?

The main steps are:

- create directories
- initialize the empty database (sqlite3 -init ...)
- create first user (using useradmin.php)

Re: [dl-ticket-service] Re: New Android client for DL available

2017-09-25 Thread Yuri D';Elia 
On Sat, Sep 23 2017, Amen em hat Ankh wrote:
> in that constellation Frank would never deal with URLs, usernames or
> passwords and no private data is transfered through the net when he
> down or uploads stuff, except the the one and only time when he
> registeres a new device.

How do you authenticate the device to be whitelisted though?

If I understand this correctly, you would first generate the QR
manually, then scan it right away. So being able to scan the code is
what grants you access. After scanning, a token is sent to the server to
be whitelisted.

However, you'd need to validate the new device manually as well
in order to be different than simple password authentication. Hashing
hardware information is useless if I can eavesdrop the connection, as I
can impersonate any token you provide. You need to share a secret with
the server first.

[dl-ticket-service] DL 0.18.1 released

2017-09-06 Thread Yuri D';Elia 
DL 0.18.1 is now officially available for download at:

  https://www.thregr.org/~wavexx/software/dl/releases/dl-0.18.1.zip
  https://www.thregr.org/~wavexx/software/dl/releases/dl-0.18.1.zip.asc

dl 0.18.1: 2017-09-06
-

* Fix upgrade script and incompatibilities when using MySQL.
  Thanks to Daniel Berteaud.

[dl-announces] DL 0.17 released

2017-09-04 Thread Yuri D';Elia 
DL 0.18 is now officially available for download at:

  https://www.thregr.org/~wavexx/software/dl/releases/dl-0.18.zip
  https://www.thregr.org/~wavexx/software/dl/releases/dl-0.18.zip.asc

Changes since 0.18-rc2:

- Updated French translation by Daniel Berteaud
- Updated German translation by Clemens Egger
- Refreshed dl-wx (support for grants, rebuilt binary for SNI support)

dl 0.18: 2017-09-04
---

Major new features:

* Support for multiple file uploads in both tickets and grants. When multiple
  files are attached, a Zip archive is automatically created with the contents.
  The PHP "Zip" extension is now required.
* Grants are now reusable. With the new defaults, senders are no longer
  restricted to a single use/file per grant, but can keep reusing the same link
  as needed. The grant, just like a ticket, is then automatically expired when
  left unused for a certain amount of time.
* Tickets generated while using a grant are now split into a separated
  "Received files" page. The "All tickets" page reserved to administrators
  still shows all tickets combined and color-coded.
* A new Android client is now available: ``PokéDL``.

Enhancements:

* The ticket and grant expiration parameters have been streamlined for common
  usage patterns, becoming mostly self-explanatory.
* When using a grant, the user can now attach a comment alongside the uploaded
  file/s. The comment is sent back to the grant owner in the notification.
* Tickets now show the generating grant ID in the edit/detailed view.
* The grant comment assigned during creation is now shown in both the tooltip
  of the grant list and in email notifications involving grant usage.
* Ticket/grant passwords were previously always included in notifications. The
  password sending policy can now be controlled at creation time, and defaults
  to sending the password only when automatically generated.
* The subject prefix in email notifications can now be customized.
* ``dl-wx`` now allows to generate grants.
* General ``dl-cli`` overhaul:

  - dl-cli now runs under both python 3 and python 2.7, preferring python 3
  - The password can be read from an external command using ``passcmd``
  - Public-key pinning is now supported through the ``fingerprint`` option
  - Multiple files can now be uploaded in a single ticket (for efficiency,
dl-cli generates a Zip archive locally before uploading)
  - When generating a grant, the email address is now optional if available
in the configuration file
  - The ConfigObj module is now required

Bug fixes:

* Tickets generated while using a grant were incorrectly calculating the expiry
  from the grant *creation* time, resulting in premature expiration. Ticket
  expiry is now calculated starting at actual *upload* time.
* Download of files larger than 2GB would previously fail when using DL with
  MySQL or Postgres. Fix by Daniel Berteaud.
* Ticket and grant invalid access or invalid password attempts are now logged.
* Left-clicking on the ``dl-wx`` tray's icon on Linux now works as expected.

Other changes:

* The minimum required PHP version has been raised to 5.5 or higher.
* Important PHP settings are now preset in the bundled ``htdocs/.htaccess``
  file for the Apache/mod_php combination.
* Simplified Chinese translation by Guangyu Dong.
* Russian translation by Олейник О.В.
* The Thunderbird add-on has been updated to support Thunderbird 52.
* The Windows ``dl-wx`` executable has been rebuilt with SNI support.

Please note: DL 0.18 requires a database schema update! Please read the
database upgrade procedure in the README!

Re: [dl-ticket-service] New Android client for DL available

2017-08-23 Thread Yuri D';Elia 
On Tue, Aug 22 2017, Daniel Berteaud wrote:
> Those who will configure the software: yes, most likely. But not
> necessarily those who will use it. What this means is that a advanced
> user can install and configure the app initially with no issue, and
> then has this dilemma. He can either uncheck the "unknown sources"
> checkbox, which will prevent any further update of the app, or let the
> checkbox, and expose non experienced users to more risks.

Is it actually possible for android devices to be somehow setup or
managed by an institution in bulk?

For example, even if PokeDL was available in the Play Store, do you know
if there's a way to preset the app settings for you server directly
during install?

Re: [dl-ticket-service] New Android client for DL available

2017-08-22 Thread Yuri D';Elia 
On Tue, Aug 22 2017, Daniel Berteaud wrote:
>> However, if some other Android developer that has already experience
>> with the play store wants to step in and help us, I will not oppose
>> it. I understand the convenience.
>
> I unfortunately have no experience with this. It's just that asking
> users to allow unsigned apps to get this is not very appealing, and
> not something I'd recommend to non experienced users.

I know, I totally understand that and we do have the same problem here.

My hope is to manage to attract some more Android developers. Nobody
here did any Android development before, getting the client working on
Android 4 and forward has been a major burden.

The fact that we have to pay premium to release a completely open app to
our colleagues adds insult to injury.

Re: [dl-ticket-service] New Android client for DL available

2017-08-22 Thread Yuri D';Elia 
On Tue, Aug 22 2017, Daniel Berteaud wrote:
>> Once the client has received enough testing, we're planning to
>> distribute it directly on F-Droid.
>
> That seems great. Any chance to see it on the Play Store ?

I'm personally opposed to the Play Store, and to the entire
Google/PlayStore ecosystem in general.

However, if some other Android developer that has already experience
with the play store wants to step in and help us, I will not oppose it.
I understand the convenience.

[dl-announces] New Android client for DL available

2017-08-11 Thread Yuri D';Elia 
Thanks to Johannes Martin, there's now an (experimental) Android client
for DL.

PokéDL (all phuns intended™) allows to send files through sharing
intents: share to “PokéDL” to generate a ticket, and then share the
resulting URL with anything else.

PokéDL currently requires at least Android 4.4+ (KitKat). You can see a
basic introduction and download the APL (a debug build) at:

https://www.thregr.org/~wavexx/software/dl/pokedl.html

PokéDL can talk with any DL server version 0.10 and onward, but requires
DL 0.18 or greater when sharing multiple files at once. Multiple
accounts on different servers are also supported.

We're interested in feedback and testing, which has been proven to be
quite hard across the various Android versions. Please report any issue
directly on GitHub:

https://github.com/DownloadTicketService/PokeDL/issues

Once the client has received enough testing, we're planning to
distribute it directly on F-Droid.

[dl-ticket-service] DL 0.18 RC2 available

2017-08-09 Thread Yuri D';Elia 
DL 0.18 release candidate 2 (v0.18-rc2) is now available:

  https://github.com/DownloadTicketService/dl/archive/v0.18-rc2.zip
  https://www.thregr.org/~wavexx/tmp/dl-0.18-rc2.zip (with pre-built 
localization)

Changes since RC1:

* The subject prefix in email notifications can now be customized.
* Updated Spanish translation from Roberto Salgado
* The minimum required PHP version has been raised to 5.5 or higher.

Officially requiring PHP 5.5 allows us to cleanup some old code, drop
the bundled PasswordHasher and remove work-arounds for magic_quotes_runtime.

We plan to release 0.18 on the 28th of August (two weeks from now).

[dl-ticket-service] DL 0.18 RC1 available

2017-08-03 Thread Yuri D';Elia 
The first release candidate of DL 0.18 has been tagged (v0.18-rc1) and
is now available at:

  https://github.com/DownloadTicketService/dl/archive/v0.18-rc1.zip
  https://www.thregr.org/~wavexx/tmp/dl-0.18-rc1.zip (with pre-built 
localization)

We moved the DL project to it's own organization to facilitate upcoming
projects. The new official GitHub URL is:

  https://github.com/DownloadTicketService/

which now contains "dl" and "dl-docker", which can be used to generate
Docker images automatically.

DL 0.18 RC1 is used for coordination and is expected to be stable, but
currently lacks translations and updated user guides. Any help in this
front would be greatly appreciated.

DL 0.18 has been one year in the works and contains major changes:

* Support for multiple file uploads in both tickets and grants. When multiple
  files are attached, a Zip archive is automatically created with the contents.
  The PHP "Zip" extension is now required.
* Grants are now reusable. With the new defaults, senders are no longer
  restricted to a single use/file per grant, but can keep reusing the same link
  as needed. The grant, just like a ticket, is then automatically expired when
  left unused for a certain amount of time.
* The grant comment assigned during creation is now shown in both the tooltip
  of the grant list and in email notifications involving grant usage.
* When using a grant, the user can now attach a comment alongside the uploaded
  file/s. The comment is sent back to the grant owner in the notification.
* Tickets generated while using a grant were incorrectly calculating the expiry
  from the grant *creation* time, resulting in premature expiration. Ticket
  expiry is now calculated starting at actual *upload* time.
* Tickets now show the generating grant ID in the edit/detailed view.
* Tickets generated while using a grant are now split into a separated
  "Received files" page. The "All tickets" page reserved to administrators
  still shows all tickets combined and color-coded.
* The ticket and grant expiration parameters have been streamlined for common
  usage patterns, becoming mostly self-explanatory.
* Ticket/grant passwords were previously always included in notifications. The
  password sending policy can now be controlled at creation time, and defaults
  to sending the password only when automatically generated.
* Ticket and grant invalid access or invalid password attempts are now logged.
* Download of files larger than 2GB would previously fail when using DL with
  MySQL or Postgres. Fix by Daniel Berteaud.
* Important PHP settings are now preset in the bundled ``htdocs/.htaccess``
  file for the Apache/mod_php combination.
* Simplified Chinese translation by Guangyu Dong.
* Russian translation by Олейник О.В.
* The Thunderbird add-on has been updated to support Thunderbird 52.
* General ``dl-cli`` overhaul:

  - dl-cli now runs under both python 3 and python 2.7, preferring python 3
  - The password can be read from an external command using ``passcmd``
  - Public-key pinning is now supported through the ``fingerprint`` option
  - Multiple files can now be uploaded in a single ticket (for efficiency,
dl-cli generates a Zip archive locally before uploading)
  - The ConfigObj module is now required

Please note: DL 0.18 requires a database schema update! Please read the
database upgrade procedure in the README!

Re: [dl-ticket-service] Max file size in MySQL DB

2017-07-27 Thread Yuri D';Elia 
On Thu, Jul 27 2017, Daniel Berteaud wrote:
> I don't know for the other DB types. I'll try to send a PR if I find
> some time.

Thanks a lot for the debugging and PR, merged.

[dl-ticket-service] Re: Help test the upcoming DL 0.18

2017-07-13 Thread Yuri D';Elia 
On Thu, Jul 13 2017, Yuri D'Elia wrote:
> I'd love to make a release for DL 0.18. The largest features I was
> aiming for (reusable grants, multi-file uploads) are complete and
> reasonably tested. We used these features for months now, I have to say,
> I'm quite pleased on how grants work. They should always been this way.

I forgot to mention that Roberto Salgado (aka DRoBeR) has been working
on a Docker image for DL:

https://hub.docker.com/r/drober/dl/

I don't personally use Docker, but I'd like to make the integration as
smooth as possible, so if there's any problem feel free to ask here.

Re: [dl-ticket-service] Help test the upcoming DL 0.18

2017-07-13 Thread Yuri D';Elia 
On Thu, Jul 13 2017, Mike Morris wrote:
>> Please note: DL 0.18 requires a database schema update! Please read the
>> database upgrade procedure in the README!
>
> is this update backwards compatible, or is the .18 testing a one way trip?

This one is one way. The upgrade script shifts the expiration times and
default values of the old tickets grants. Going back will cause tickets
and grants close to their expiration time to expire too soon because of
the shift.

The way I do it, I generally take a full copy of the production system
(db+spool) and use it for testing.

[dl-ticket-service] Help test the upcoming DL 0.18

2017-07-13 Thread Yuri D';Elia 
I'd love to make a release for DL 0.18. The largest features I was
aiming for (reusable grants, multi-file uploads) are complete and
reasonably tested. We used these features for months now, I have to say,
I'm quite pleased on how grants work. They should always been this way.

I'm not planning to add more for this release. Only bug fixing. Aside
for testing, check if there is any rewording or phrases you don't like
before starting the translation in various languages.

One of our colleagues here has started work on a prototype Android
client. The client works using sharing intents: you share to DL (which
does the upload), and then it prompts to share the URL. Pretty slick.
The code is very crude (no async, no UI yet), so if you want to help,
please get in touch.

The current major changes since DL 0.17 are:

* Support for multiple file uploads in both tickets and grants. When multiple
  files are attached, a Zip archive is automatically created with the contents.
  The PHP "Zip" extension is now required.
* The grant comment assigned during creation is now shown in both the tooltip
  of the grant list and in email notifications involving grant usage.
* When using a grant, the user can now attach a comment alongside the uploaded
  file/s. The comment is sent back to the grant owner in the notification.
* Tickets generated while using a grant were incorrectly calculating the expiry
  from the grant *creation* time, resulting in premature expiration. Ticket
  expiry is now calculated starting at actual *upload* time.
* Tickets now show the generating grant ID in the edit/detailed view.
* The ticket and grant expiration parameters have been streamlined for common
  usage patterns, becoming mostly self-explanatory.
* Ticket/grant passwords where previously included in email notifications.
  The password sending policy can now be controlled at ticket creation time,
  and defaults to sending the password only when automatically generated.
* Important PHP settings are now preset in the bundled ``htdocs/.htaccess``
  file for the Apache/mod_php combination.
* Simplified Chinese translation by Guangyu Dong.
* Russian translation by Олейник О.В.
* The Thunderbird add-on has been updated to support Thunderbird 52.
* General ``dl-cli`` overhaul:

  - dl-cli now runs under both python 3 and python 2.7, preferring python 3
  - The password can be read from an external command using ``passcmd``
  - Public-key pinning is now supported through the ``fingerprint`` option
  - Multiple files can now be uploaded in a single ticket (for efficiency,
dl-cli generates a Zip archive locally before uploading)
  - The ConfigObj module is now required

Please note: DL 0.18 requires a database schema update! Please read the
database upgrade procedure in the README!

[dl-ticket-service] Sending password in notications?

2017-07-11 Thread Yuri D';Elia 
I'm adding a switch in order to include (or not) the password in email
notifications with a checkbox under the password field.

What should be the new default in your opinion?
Send, or not?

So far it has always been included in all emails.

We could leave it off, and switch the checkbox on (send) when you press
the 'generate' button, assuming you want some ephemeral password as an
additional protection. Typing wouldn't switch it on by default.
But maybe this is too smart.

Re: [dl-ticket-service] CSS & JS update

2017-07-11 Thread Yuri D';Elia 
On Tue, Jul 11 2017, Mike Morris wrote:
>> Would someone be interested by a bootstrap-themed interface? I could give it
>> a quick try if there's any chance it gets merged.

As I wrote in the PR, I'd be good too, as long as it doesn't massively
abuse padding like bootstrap loves to do...

There's so much empty space in web pages today... :/

> I certainly would. Personally I don't care... but these days I get
> pushback from people when the app isn't "modern" and "pretty"... even
> regardless of how functionality compares.

Part of the PHP code in dl though is not really "modern" ;)
There are some parts I would scrap nowdays, and just require JS on the
web interface (this would clean-up the code s much).

I realized I started this thing 10 years ago, even before using cvs :/

[dl-ticket-service] Updated addon for Thunderbird 52

2017-04-11 Thread Yuri D';Elia 
I've released an updated addon for Thunderbird 52: 0.17.2, which is
pending review on AMO. This is just a compatibility update.

If you don't want to wait, you can get the updated addon at:

https://www.thregr.org/~wavexx/software/dl/thunderbird.html

Re: [dl-ticket-service] installing DL without SSH access to the server?

2017-03-20 Thread Yuri D';Elia 
On Sun, Mar 19 2017, KEINE ANTWORTADRESSE wrote:
> I need help installing DL on a web server I don't have SSH access to. Is
> installing and using DL in this setting possible?

Not necessarily, but it heavily depends on what you can do on the remote
site.

> I FTPed the DL files to the web server, created a spool directory
> outside of the public directories, modified config.php and so on.

Be sure to check the permissions of the spool directory!

> I have a mySQL database with phpMyAdmin access. I used the provided SQL
> script to setup the db tables. I probably failed inserting a row for an
> admin/user in the relevant table.

Sounds good. You only need to add at least one user in order to login.
This is usually done by useradmin.php, but you can add a temporary
"admin" user directly with the following SQL:

  INSERT INTO user (name, pass_ph, role_id)
  VALUES ('admin', 
'$2a$08$CdNJQJcfdXXY/A99pccq5.EuxCoUGZJbOFZfFf1NFRSR7pxPal0Vy', 1);

the password, in this case, is "test"

[dl-ticket-service] Revamped grant support

2017-01-07 Thread Yuri D';Elia 
The current master finally contains *both* the ability to perform
multiple uploads and the same grant re-use logic as currently used in
tickets (see https://github.com/wavexx/dl/issues/14).

I had to rework the way the submit forms are built, in order to reduce
clutter. The new forms allow to set the expiry logic just as "automatic
/ single use / no expiration / custom", where "custom" brings out the
verbose parameters.

In the new grant form, this setting is available twice: one for the
grant, and one for the resulting ticket. Both default to automatic,
which means "use server defaults".

With the new logic and defaults, grants effectively create a reverse
upload channel that can be used as many times as needed. Since the
creator is always in control, abuse (if any) can quickly be quenched.

In the grant upload form, the ticket parameters are now called "upload
parameters" for clarity. Tickets created via grants are now tracked, and
my plan is to move those in a separate "uploads" page, so you can
quickly see what you're sending vs what you received. An alternative
would be to list each upload under the respective grant in the "active
grants" page.

The UI is unfinished in places, but if you want to see some changes in
behavior, it would be a good idea to give it a spin. There's a DB
upgrade in the way, so don't run this on production systems. Stuff might
change and break. During upgrade, for existing systems, the expiration
logic of existing grants is preserved.

[dl-ticket-service] Support for multi-file uploads

2016-12-05 Thread Yuri D';Elia 
Long overdue, but it's now possible in the current master branch to
upload more than a single file when creating a ticket and especially
when using a grant.

Upgrade should be painless and fully retrocompatible, so I'd appreciate
some testing and feedback.

[dl-ticket-service] DL 0.17.1 released

2016-05-01 Thread Yuri D';Elia 
DL 0.17.1 is now officially available for download at:

  https://www.thregr.org/~wavexx/software/dl/releases/dl-0.17.1.zip
  https://www.thregr.org/~wavexx/software/dl/releases/dl-0.17.1.zip.asc

This release also fixes compatibility with Thunderbird 45.
The addon is already available on AMO, and can additionally be
downloaded from here as well:

  
https://www.thregr.org/~wavexx/software/dl/releases/thunderbird-filelink-dl-0.17.1.xpi

dl 0.17.1: 01/05/2016
-

* Filenames are now sanitized more aggressively when received. This avoids
  browser/client failures when receiving files that contain illegal characters
  for the current platform (which might be legal in another).
* Filenames containing multibyte characters could previously result in
  unexpected truncation; they're now handled correctly.
* The uploaded filename is included in grant notifications.
* The Thunderbird add-on has been updated to support Thunderbird 45.
* In the ticket details, the full timestamp of the download is now shown.
* Minor code and documentation fixes.

[dl-ticket-service] Thunderbird 45 issues

2016-04-16 Thread Yuri D';Elia 
I was informed that the TB extension didn't work properly with TB 45.
The fix looks easy, so I made a fix release (0.17.1) available here for
testing:

https://www.thregr.org/~wavexx/tmp/thunderbird-filelink-dl.xpi

I'd be happy if you could give it some testing, especially for older
versions of TB (<38) that I no longer have at hand.

Thanks!

Re: [dl-ticket-service] Enhancing upload grants

2016-04-08 Thread Yuri D';Elia 
On Fri, Apr 08 2016, Kelvin Smith  wrote:
> 1) Have a box for entering text that would be sent along with the upload
> notification to me.

I logged this here:

https://github.com/wavexx/dl/issues/35

> 2) Allow users to create their own upload-only account. This should be
> something the owner can decide whether or not to enable, but if I had
> this, then people who want to send me files wouldn't have to ask me for
> a grant first. Notification of the upload would be sent to a standard
> account specified in the configuration.

I too have this problem as of late. For some people I had ongoing
conversations with, generating grants over and over has been annoying.

My idea was to make grants work more in the same spirit as tickets: have
an usage count / time to last usage / total time limit, as for tickets.

If you wanted to give someone a permanent way to exchange files with
you, you would create a "permanent" grant, like you do for tickets.
Otherwise, the grant would default to "unlimited files" (just use the
grant again), with automatic expiry as soon as it's no longer used for a
month.

For existing setups that like the old behavior, you could just set a "1
upload" limit default.

I've logged this here, as this is not exactly a "new" idea:

https://github.com/wavexx/dl/issues/14

but there's increasing pressure in our institute to tackle at
least it within a few months.

Re: [dl-ticket-service] How best to resend ticket after initial creation

2016-04-02 Thread Yuri D';Elia 
On Sat, Apr 02 2016, Mike Morris  wrote:
>> The password is hashed for both, so you can only check whether it
>> matches against the user/ticket, but you cannot recover it.
>
> Ahhh, of course. So keeping a separate table of emails the ticket was
> issued to, and their password, is definitely overkill.

Adding tracking at least of the email address is something that I'd like
to implement eventually. Knowing which email address has downloaded your
ticket, besides being nice to know, allows to have finer-grained
permissions of a ticket expiry (as in: do not expire until *all*
addresses have downloaded at least once).

> My "use case" is not about the large file capabilities, but more the
> security. I'm sending confidential docs 1 at a time to an audience of 50
> people or so, who request them occasionally. Most of my tickets will
> probably be permanent, and I will reissue them several times a month as
> requests come in.  Having a history of who I sent to would be an
> interesting exercise for me to track, that's all. Some of them are docs
> that don't change much over time, people just lose their copy, or get a
> new PC or something and don't have it anymore.

DL was always more aimed at ephemeral transfers. That is: the main goal
is automatic cleanup. You might use that to your advantage in this case.

Do you use linux and/or have some basic scripting knowledge?

If yes, I would actually send individually-generated tickets (one per
address) to each recipient, with a random password for each, ~30 days
fixed expiry and 1 download limit. You have "dl-cli.py" to generate a
ticket on the fly from the command line.

This would have some advantages:

- the password is not shared
- the ticket becomes useless if not acted upon
- you know which users downloaded the document (in this scenario, the
  automatic download notification might already be enough!).

Which makes more sense if you want to encourage users to act on it. In
this case the remainder is necessary to renew the credentials as well.

If your aim is really to have a fixed document URL with a shared
password, maybe an https DAV server would make more sense. You just
upload the document and setup a password for it. Incidentally, there's
also a thunderbird extension to use a WebDAV server for attachments,
although I never used it personally. It might also fit the bill.

Re: [dl-ticket-service] How best to resend ticket after initial creation

2016-04-01 Thread Yuri D';Elia 
On Fri, Apr 01 2016, Mike Morris  wrote:
>> There's no track of which e-mails a ticket as been sent to. When you put
>> a list of addresses, DL just composes a list of emails and sends them in
>> one go for you, nothing fancy.
>
> Actually, that's pretty fancy compared to what I was doing :-)

The "fanciest" option is really the Thunderbird extension:

  https://www.thregr.org/~wavexx/software/dl/thunderbird.html

[just posting here in case you missed it]
I rarely use the web interface myself.

>> But there's one catch. When creating the ticket, the password is known
>> and is generally included in the email.
>>
>> When editing a ticket, the password is no longer known to DL.
> That's a big problem... security vs convenience, again!!!
>
> How much trouble would it be to store the ticket password encrypted with
> same algo as user passwords?

The password is hashed for both, so you can only check whether it
matches against the user/ticket, but you cannot recover it.

>   * Resending essentially identical emails... (copy the URL definitely
> works; I can copy/paste the comments too... so this is just a "nice
> to have" now that I think about it)
>   * Being able to get a list of addresses to which a ticket has been sent

Just curious here: why do you need to resend? I understand if you missed
one address, but from the above I feel there's something more going on.

Re: [dl-ticket-service] How best to resend ticket after initial creation

2016-04-01 Thread Yuri D';Elia 
On Fri, Apr 01 2016, Mike Morris  wrote:
> Hi,
>
> Thanks to the authors for this handy tool!
>
> Most of the GUi is pretty self-explanatory, but perhaps I've missed this:
>
> * Is there currently a way to enter a new email address to send a 2nd
> copy of the ticket to, after the initial send? I expected to see an
> email address field on the Edit Ticket screen, but it's not there.

There's no track of which e-mails a ticket as been sent to. When you put
a list of addresses, DL just composes a list of emails and sends them in
one go for you, nothing fancy.

The easiest option would be to send the link yourself (copy the download
link and you're set).

> Or is there a formal Enhancement Request process I could follow?

What we could add is another field "Resend e-mail to", which makes it
clear that you're sending a *new* email to the requested addresses.

But there's one catch. When creating the ticket, the password is known
and is generally included in the email.

When editing a ticket, the password is no longer known to DL.

Re: [dl-ticket-service] Problem with Thunderbird Set up

2015-12-15 Thread Yuri D';Elia 
On 10/12/15 22:45, Yuri D'Elia wrote:
> But maybe it's easier to fix an InternalError then, once you see where
> it's originating.

I've added it. It's under an  block, which
_requires_ Rewrite to work.

This way, it's not going to fail for irrelevant configurations, and it's
going to signal a real error if mod_rewrite is disabled.

Re: [dl-ticket-service] Problem with Thunderbird Set up

2015-12-10 Thread Yuri D';Elia 
On 10/12/15 21:54, Seb Francis wrote:
> What I was suggesting is that you include such an .htaccess file with
> the distribution, and then people will not need to edit httpd.conf if
> they happen to use fcgi.  And it shouldn't hurt in the case where fcgi
> is not used.

RewriteRule might be disallowed in .htaccess though.

But maybe it's easier to fix an InternalError then, once you see where
it's originating.

Any opinions from others?

>> Note that mod_fcgi buffers the upload into memory, unfortunately.
>>
> Yes, it's a shame, although there are other advantages that fcgi brings
> so we stick with it.

fcgi definitely brings major advantages, I don't know why mod_fcgi
wasn't updated to fix this problem in so many years.

This was actually my major issue with apache before I started looking
elsewhere even for low-load servers.

Re: [dl-ticket-service] Problem with Thunderbird Set up

2015-12-10 Thread Yuri D';Elia 
On 10/12/15 20:21, Seb Francis wrote:
> Thanks for your reply Yuri.  I had read this already, but on re-reading
> I found the reason why it wasn't working: I'm using mod_fcgi and this
> doesn't pass Basic Auth properly.
> 
> I added an .htaccess file with the following:
> 
> 
> RewriteEngine on
> RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
> 
> 
> Now it's working fine :)
> 
> It might be good idea to include this in the distribution.  As far as I
> can see it wouldn't hurt, regardless of whether fcgi was used.

Ah but it's in there ;)

http://www.thregr.org/~wavexx/software/dl/README.html#apache-fastcgi

Note that mod_fcgi buffers the upload into memory, unfortunately.

Re: [dl-ticket-service] Problem with Thunderbird Set up

2015-12-10 Thread Yuri D';Elia 
On 10/12/15 18:12, Seb Francis wrote:
> I've installed the latest Addon in Thunderbird but am unable to add the
> storage service.  This is what I am entering in the Set up Filelink dialog:
> 
> REST URL: http://dl.burnit.co.uk/rest.php
> Username: My username (which is an admin account)
> 
> When I click "Set up Account", Thunderbird immediately says "An error
> occurred while setting up the account!" and does not prompt for a password.
> 
> Is there anywhere I can see a log of more information to get a clue what
> is going wrong here?

There are a few things to check:

http://www.thregr.org/~wavexx/software/dl/thunderbird.html#troubleshooting

Re: [dl-ticket-service] Display images inline

2015-09-16 Thread Yuri D';Elia 
On 16/09/15 17:03, Daniel Berteaud wrote:
> Hi
> 
> I often use DL to share a simple screenshot, or another "single use"
> image. I think it'd be great for image attachments to be displayed
> inline when someone follow the link (+ buttons to download it). This
> way, most of the time, the image won't be downloaded at all, instead of
> ending in the Download folder just to be seen once ...

It was like that originally (we actually _force_ the download). Since a
"view" counts as a download, and since we force the client not to cache,
you cannot even "save as" if you set "1 download" as a limit.

I think there's room for improvement though. Since you can easily check
for the limit, we can just serve image/* filetypes immediately.

I don't think we even need to put a button to download the image.

Would you file an issue with github for this?

Otherwise I'll just forget.

Re: [dl-ticket-service] Automate install extension 0.17 in thunderbird

2015-09-13 Thread Yuri D';Elia 
On 11/09/15 22:37, Gerald wrote:
> Hi all,
> I manage almost 20 PC (win7 pro) and I would like to automate the
> installation of DL for Thunderbird 0.17. I already use WPKG to deploy other
> plugins in thunderbird (quickfolders, lightning...), just by copying the
> folders after unzipping the xpi in C:\Program Files (x86)\Mozilla
> Thunderbird\extensions
> 
> I tried for "DL for thuinderbird" but without success. Is there a way to
> automatically install it? 

I'm afraid I have no idea on how WPKG works, I never deployed
thunderbird sitewide to help you.

But DL for thunderbird doesn't require anything special in that regard.
When doing development, I also just unpack the extension in the
extension directory.

> And next step, a way to automate the creation of a filelink storage service
> using DL?

As for most extensions, it just uses preference keys to store the
configuration settings.

The *required* keys are:

mail.cloud_files.accounts.account[N].type = DL
mail.cloud_files.accounts.account[N].displayName = DL
mail.cloud_files.accounts.account[N].restURL = [URL]
mail.cloud_files.accounts.account[N].username = [username]

where [N] is the index of the first available "filelink" account
(usually 1). [URL] and [username] need to be filled correctly.

There are other keys, but they're populated automatically on the first
usage.

I assume there are ways to preconfigure settings if you already have a
sitewide install.

Hope this helps.

Re: [dl-ticket-service] Installation

2015-08-27 Thread Yuri D';Elia 
On 27/08/15 17:41, Uwe Luedecke wrote:
> Hello,
> 
> I've installed and configured dl 0.17 on my webspace.
> I've manually ran the sql script for creating tables in my existing database.
> I've created the user name="admin" with pass_ph="password" and Role_ID=1
> directly manually in the database, because I've no access to the filesystem
> and can't run the php scripts to add a user.
> As Webpage I see the login page, but I'm not able to login. If I fill in the
> user and password nothing happens. The login screen is still there.
> 
> Is it a problem with the manually created admin user, because I've filled
> the password in clear text. I've seen in the source code, that it will be
> hashed if you run the add script, or is it only for the md5 hash?
> 
> How can I go forward that dl will work in my enviroment?

pass_ph should be a bcrypt hash.

You could put an md5 hash in pass_md5, and it's going to be migrated to
bcrypt on login.

Upgrading without shell access is going to be a problem currently, though.

Re: [dl-ticket-service] Always EN

2015-07-25 Thread Yuri D';Elia 
On 25/07/15 14:33, Michlman wrote:
>> Are you using a release straight from git/github maybe?
> 
> Yes!
> Now i changed the release and all works fine!

You can keep using the git releases as well, but you have to generate
the locale data with a command before:

http://www.thregr.org/~wavexx/software/dl/README.html#development-releases

Re: [dl-ticket-service] Always EN

2015-07-25 Thread Yuri D';Elia 
On 25/07/15 13:37, Michlman wrote:
>> When you click on the language on the top-right corner, does it actually
>> change the language?
>>
> No, i can click what i want, always EN.

Are you using a release straight from git/github maybe?

Re: [dl-ticket-service] Always EN

2015-07-25 Thread Yuri D';Elia 
On 25/07/15 11:49, Michlman wrote:
> Hallo!
> 
> The webinterface from DL is always set to EN and i can`t change to DE.
> I am using DL 0.17. In my config.php i set $defLocale = "de_DE".
> In my browser the language is also set to de-DE.

Hi,

When you click on the language on the top-right corner, does it actually
change the language?

Re: [dl-ticket-service] useradmin.php

2015-07-21 Thread Yuri D';Elia 
On 21/07/15 04:11, John wrote:
> When I try to execute the following command:
> 
> php useradmin.php add "admin" "true" "change me"
> 
> (I did it with and without quotes) I get a 500 Unknown command error. Is
> there anyway to add a username and password directly to the database or
> useradmin.php file?

Hi John, where and how did you write the command?
The error message looks weird to me.

[dl-ticket-service] DL 0.17 released

2015-06-27 Thread Yuri D';Elia 
DL 0.17 is now officially available for download at:

  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.17.zip
  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.17.zip.asc

This release pushes some unreleased changes, along with a fix for the addon on 
Thunderbird 38. The addon has been subitted for review and will be eventually 
available on AMO. Meanwhile, you can also fetch the release here:

  
http://www.thregr.org/~wavexx/software/dl/releases/thunderbird-filelink-dl-0.17.xpi

Release news:

dl 0.17: 26/06/2015
---

* Login attempts are now logged.
* Log messages are now more uniform, always including the remote address and
  username (when available).
* The Thunderbird add-on has been updated to support Thunderbird 38.

Re: [dl-ticket-service] Re: Thunderbird Add-on with password and expiry

2015-06-27 Thread Yuri D';Elia 
On 06/22/2015 06:05 PM, Peer Tavori wrote:
> For all practical cases a yes/no switch in the *default* settings should
> work well: "ask for passwd/expiry on upload" yes/no; 
> The dialogue for passwd/expiry could be a modal part (same as web) just
> before the upload. The user should have the option to use the defaults (no
> passwd).
> 
> So people could decide to turn it off entirely or being asked and bypass
> quickly if not needed.

I just fixed the addon for TB 38 and *darn*, developing extensions for
TB is just painful: outdated documentation, broken examples, no
debugging, no real "API" to work against...

I'm pretty sure doing an extension for Outlook would turn out to be less
frustrating.

Re: [dl-ticket-service] Thunderbird Add-on with password and expiry

2015-06-22 Thread Yuri D';Elia 
On 06/22/2015 03:19 PM, Peer Tavori wrote:
> Is there a possibility so set the password (and if, possible, the expiry)
> from the Thunderbird add-on? 
> If not, how much effort would it be to extend the Add-on? 
> Could I do it myself? (Never created any TB Add-on, so I know only very
> little about the idiosyncrasies involved, just that mozilla are doing their
> very own thing)
> Or are you planning to do that (i.e. give the Add-on the same capabilities
> as the Web frontend)?

It should be do-able by the add-on, the only question though is
where/when to ask.

I was planning to add the *default* settings in the preferences (in the
attachment/upload/dl settings).

I could prompt for settings/password when the ticket is uploaded, but I
guess this would not be the desired action 99% of the time. You don't
want to be prompted at *every* file attached.

Any ideas on how would you like it to behave?

Re: [dl-ticket-service] Enhancing grant message

2015-06-22 Thread Yuri D';Elia 
Hi Kelvin, sorry for the slow reply.

On 06/12/2015 10:21 PM, Kelvin Smith wrote:
> A customer of mine had difficulty finding the grant message to upload a 
> file to my DL installation, because the message was flagged as spam and 
> diverted to the recipient's spam folder. As I look at a message, I 
> understand why: It has only whatever text one has typed in the "Message" 
> box, plus the link. That makes it look a lot like the "Try this, it 
> works! As seen on TV!" spam that annoys us all.
> 
> 1) Is there any way for me to put some standard text of my own choice 
> into the message? Perhaps it could say something like,

Allowing grant messages to be customizable is something that needs to be
done. Right now they're hard-coded into htdocs/include/msg.php

> While you might have something like this as a default, ideally this 
> should be something I as the owner can alter.

I agree. Right now they're still like this because they play well with
gettext/translations and the message itself changes a bit depending on
the options, but some sort of text template needs to be done.

> 2) I just noticed that the grant message has a From address of "ticket 
> service ". I would have expected it to use the 
> address where notification of the upload is sent. An address like this 
> probably makes it more likely to be identified as spam.

Which grant message? There's the one containing the grant link, and then
you have the notification that the grant has been used.

Re: [dl-ticket-service] Re: Installation

2015-05-21 Thread Yuri D';Elia 
On 05/20/2015 10:33 PM, Peter Buettner wrote:
> Yes, $masterpath is set properly. The misconfiguration was in php.ini.
> 
> session.autostart was enabled. After setting this to 0 all works fine.

That's good to know, I'm going to mention that in the README.

Re: [dl-ticket-service] Installation

2015-05-20 Thread Yuri D';Elia 
On 05/20/2015 12:40 AM, Peter Buettner wrote:
> Hello,
> 
> after installing with your description i get the login page. 
> After login as admin the "admin page" appears. I can klick what i want,
> every time i was send back to the login page.  Do you have any idea what is
> going wrong?

Do you actually reach the "New ticket" page, or it just goes back to the
login page?

Is $masterPath in the configuration file set properly?

Re: [dl-ticket-service] Logout requires login

2015-03-25 Thread Yuri D';Elia 
On 03/25/2015 02:56 PM, Carsten Czerner wrote:
>> If I understand correctly we could just show another regular page (with
>> some logout text), and *then* perform the logout (maybe just with a
>> meta-refresh on the correct url).
>>
>> This should work, but you will still get the prompt afterwards.
>> Well.. I guess it's a step forward?
> 
> Yes,
>
> that would help me and the normal user. I hope they will ignore the 
> login promt if the underlaying page told them to close the tab!

Noted (https://github.com/wavexx/dl/issues/27)

Re: [dl-ticket-service] Logout requires login

2015-03-25 Thread Yuri D';Elia 
On 03/25/2015 01:41 PM, Carsten Czerner wrote:
> Hi,
> 
> thanks for your replay, I understand the problem.
> 
> But, coundn't we use a Ajax request to update and display the "Logout 
> success" and call the the admin.php afterwards?
>
> This will inform the user to close the tab or to reload ist pressing 
> STRG + R?

If I understand correctly we could just show another regular page (with
some logout text), and *then* perform the logout (maybe just with a
meta-refresh on the correct url).

This should work, but you will still get the prompt afterwards.
Well.. I guess it's a step forward?

Re: [dl-ticket-service] Logout requires login

2015-03-24 Thread Yuri D';Elia 
On 03/24/2015 11:24 AM, Carsten Czerner wrote:
> Hi,
> 
> I have a strange behavior with the "Logout" function. When I try to 
> logout, the server asks me to re login, that alwayes failes. When I 
> cancel the "Authentication Dialog" the correct message was displayed 
> "Please close the window ...". The other functions like "New Ticket" or 
> "Active grants" work correctly!
> 
> Why is there a authentification dialog when I try to logout?

It's a "known" issue. At least, I couldn't make it work better than
this, so if anybody else has some experience, please read on.

This happens when you have HTTP authentication active. In this
situation, /admin.php is protected by the web server itself, which sends
a WWW-Authenticate header. The browser caches the credentials for
/admin.php and uses them for each request.

To perform a *true* logout, I actually have to make the browser *fail*
authentication at least once in order to make it forget the credentials.
I cannot redirect it outside /admin.php, since this would prevent the
credentials to be forgotten entirely.

If I didn't do that, you could just browse again to admin and you would
still be logged in as the previous user.

This ends up in this weird "logout" limbo, where you *need*
authentication, but I keep telling the browser it's wrong. As you saw,
if you cancel, you can actually see the content of the page - which is
*already* sent to the browser, but it's never displayed.

I also have this issue, since I'm also using HTTP authentication
everywhere. I could add an extra redirect *after* the authentication
failed, but you would still see a prompt at least once. Confusing.

Maybe there's a trick we could use to stop the prompt to appear will
still removing the credentials from *some* recent browsers?

[dl-ticket-service] DL 0.16 released

2015-01-22 Thread Yuri D';Elia 
DL 0.16 is now officially available for download at:

  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.16.zip
  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.16.zip.asc

dl 0.16: 22/01/2015
---

* The database connection is automatically re-established when timed out after
  slow uploads/downloads (affects systems not using sqlite).
* dl-cli can now prompt for a password when left unspecified in the
  ``~/.dl.rc`` configuration file.
* Added Japanese translation by Teruo IWAI.
* Dutch user-guide translation by Maarten Schoonman.

[dl-ticket-service] Android client development

2015-01-17 Thread Yuri D';Elia 
Is there any developer in this list with android development experience?
I'd like to implement a simple "DL" client for Android using the "share"
intent.

The basic idea that an user could just click the "share" icon and select
DL as one of the options. The client would then generate a ticket using
the content, and prompt again for sharing the _resulting_ URL.

For example, you could go to the gallery, select an image, click share
-> DL -> another share prompt -> email -> the URL is inserted into the
body as text.

This is how "Send Reduced" works
(https://f-droid.org/repository/browse/?fdfilter=camera&fdid=mobi.omegacentauri.SendReduced),
and works quite well once understood. It doesn't "plug" into any
application in particular, and allows the URL to be shared through
chat/sms/you name it.

I've been fantasizing about implementing such a client for a while now.
Does anybody have a better UI/idea on how to implement this?

Re: [dl-ticket-service] request feature

2014-12-19 Thread Yuri D';Elia 
On 12/19/2014 09:30 AM, MOKRANI Rachid wrote:
> Hi,
> 
> For a new dl release :
> 
> 
> -  it should be very nice if we can send multiples files in
> the same ticket.

There is some work going on under this front.

I've filed an issue to keep track on this:

https://github.com/wavexx/dl/issues/15

> -  If I send a ticket with multiples recipients as
> a...@aa.com, b...@bb.com,
> c...@cc.com . Actually I know only that my file was
> download but  I never know who download it.

There are a couple of ways to implement this behavior, with the simplest
being generating N tickets (one for each email) with the same content.

I have to say this is pretty low in the priority queue.

> -  Add quota users - for preserve disk space.

Yes, this is important. I also filed an issue to keep track of that:

https://github.com/wavexx/dl/issues/13

[dl-ticket-service] Encrypted tickets

2014-12-16 Thread Yuri D';Elia 
I've been pondering over this for a while, but since I'm a bit tight on
time, I'll drop this for discussion.

The current idea behind a password-protected ticket is to prevent that
access is granted if the ticket ID/url is discovered by other means.

The ticket/grant ID space is already pretty large, and the ID is
generated using a pseudo-random salt, so that's quite unlikely that an
URL is discovered by chance. But given that IDs are potentially reused,
password protection offers an additional guarantee.

However, password protection doesn't offer anything beyond that. An
administrator can reset the password, as well as recover the data given
the ticket ID by just looking at the spool.

It would be very nice to use symmetric encryption in this case. When the
file is received, we could use a symmetric block cypher mode such as
aes-xts to encrypt the file backed-up by the ticket. We could use the
known password hash for validation instead of validating the content, so
there's nothing "special" required to support it.

This would offer a pretty strong guarantee for the user. A
password-protected ticket cannot be recovered without a password. On a
potential security breach, the attacker won't be able to look at the
content either. On the downside, if the password is lost, the content is
lost as well. An administrator cannot help.

I was looking at PHP libraries, but I couldn't find any library that
offers a convenient (seekable!) API to perform aes-xts on a file. I'm
reluctant to use external tools, as this would complicate furthermore
the setup and/or reduce the chance that this would be a *standard*
feature in a DL installation, and not something that would be easily
skipped.

Any hint would be appreciated.

[dl-ticket-service] DL 0.15 released

2014-11-28 Thread Yuri D';Elia 
DL 0.15 is now officially available for download at:

  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.15.zip
  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.15.zip.asc

dl 0.15: 28/11/2014
---

* File names with special and/or UTF-8 characters are now correctly preserved
  on all browsers.
* Added Dutch translation by Maarten Schoonman.

Re: [dl-ticket-service] Nginx + rest.php

2014-10-25 Thread Yuri D';Elia 
On 10/24/2014 06:04 PM, "Jan B. Kolář" wrote:
> I tested your config, it's working with one little problem. If I remove 
> header that I send before, browser (Firefox) not asking for credentials 
> on "rest.php" file. I can use Thunderbird  extension without problem - 
> that mean it's working. But browser don't show up username/password window.

I will rectify this sentence. The username/password prompt is requested
by the web server when using external authentication only.

> I know it's problem of Nginx, but maybe you can help me with with 
> another little think. With your setup, if I try to enter /include/ 
> directory, I always get back url "/include/=404" and my browser said, 
> that server is redirecting to itself.

Probably a missing space in the try_files directive.

Re: [dl-ticket-service] Nginx + rest.php

2014-10-24 Thread Yuri D';Elia 
On 10/24/2014 02:10 PM, Amen Ankh wrote:
> 192.168.---.--- - testuser [24/Oct/2014:13:22:42 +0200]
> "POST /dl/rest.php/newticket HTTP/1.1" 200 122 "-" "dl-wx/0.11" "-"
> 
> You're right... with version dl-wx 0.11 it works perfectly.. tested
> with 2,6Gig file... thanks a lot.

The REST protocol was broken in 0.11 to fix possible CSRF attacks.
It's backward compatible, but not forward.

That being said, Thunderbird should then also work.
I've updated the Nginx example on the webpage and for the next release.

Re: [dl-ticket-service] Nginx + rest.php

2014-10-23 Thread Yuri D';Elia 
On 10/23/2014 02:36 PM, Amen Ankh wrote:
> Tested on Windows 7 64 Ultimate, nginx-1.7.1.3-RedKnight + PHP Farm
> 
> In the Browser : works excellent
> 
> In the WX Client via Rest : DL service error
> 
> access.log:
> 192.168.---.--- - testuser [23/Oct/2014:13:48:56 +0200]
> "POST /dl/rest.php/newticket HTTP/1.1" 401 5 "-" "dl-wx/0.10" "-"

Is this dl-wx 0.10, or did I forget to update the version in the User-agent?

You need at least 0.11.

Re: [dl-ticket-service] Nginx + rest.php

2014-10-22 Thread Yuri D';Elia 
On 10/17/2014 07:36 PM, "Jan B. Kolář" wrote:
> Dear all,
> 
> I can't figure out how to set up Nginx for "rest.php" authentication to 
> work. I'm using Nginx+PHPfpm and MySQL as backend (I want use "Internal 
> authentication"). Web interface is working fine - I can log in without a 
> problem.
> 
> But I can't use integration with Thunderbird, because "rest.php" file is 
> always returning "401 Unauthorized" without asking for username and 
> password (no login dialog appear). I can't find any help in manual.
> 
> My Nginx config part for "rest.php" file is:
> 
> location = /rest.php {
>fastcgi_pass_header Authorization;
>fastcgi_pass unix:/var/run/dl.smurv.cz-fpm.sock;
>fastcgi_index index.php;
>include fastcgi_params;
>}

I just tried a stock DL 0.15 using nginx on Debian.
When installed as a subdirectory, I could get DL to work with the following:

location ^~ /dl {
  # Protect the include directories
  location ~ ^/dl(?:/|/.*/)include {
  deny all;
  } 

  index index.php index.html;
  try_files $uri $uri/ =404;
  
  # Enable PHP
  location ~ \.php(?:$|/) {
  include fastcgi_params;

  # Set maximum body size (should be the same as PHP's post_max_size)
  client_max_body_size 512M;

  # Setup PATH_INFO
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  try_files $fastcgi_script_name =404;
  
  set $path_info $fastcgi_path_info;
  fastcgi_param PATH_INFO   $path_info;
  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  
  fastcgi_index index.php;
  fastcgi_pass unix:/var/run/php5-fpm.sock;
  }
  }   

Notice the order of the location directives to protect the include directories, 
and also the PHP location matching ``\.php(?:$|/)'' in order to allow PATH_INFO 
to route requests properly.

After that I didn't need to forward any header explicitly, and it works fine.
Let me know if this helps.

Re: [dl-ticket-service] Nginx + rest.php = solution founded

2014-10-20 Thread Yuri D';Elia 
On 10/20/2014 12:01 PM, "Jan B. Kolář" wrote:
> Dear all,
> 
> so I checked source code by myself and find solution for my problem with 
> Nginx + rest.php (see previous emails).
> 
> I don't know why, but Nginx need one more header in 401 response. So I 
> edited "include/fatal.php" file and added one line (bold):
> 
>> function httpUnauthorized()
>> {
>> *header('WWW-Authenticate: Basic realm="My Realm"');*
>>   header("HTTP/1.0 401 Unauthorized");
>>   exit();
>> }
> 
> Without this header, Nginx is not asking for credentials on "rest.php" 
> file, so it was not possible to use dl with Thunderbird.

This doesn't cause any harm, but shouldn't be required at all.

Re: [dl-ticket-service] Nginx + rest.php

2014-10-20 Thread Yuri D';Elia 
On 10/18/2014 08:22 PM, Amen Ankh wrote:
> Same Problem here,
> 
> dl cant be used via rest.php and (dl-wx) on Windows with NGINX+PHP-Farm.
> Testet with dl-wx-0.10-win32 and dl-wx-0.11-win32. There is no Error
> output in error.log (PHP+NGINX) :testet with tail.

Could somebody send me their full nginx configuration?
I can try to configure it here to see what's the problem.

The configuration found in the readme was sent to me, so I assume it
should be relatively straightforward to fix.

> By the way i am thinking about programming a clinet by my self on
> dotnet/MONO to bypass the giant python client 30,93 MB Memmory Usage on
> Standby and 20.1 MB Application Folder Size!!!

Yeah, the client on windows bundles the entire python runtime +
wxpython, but there's not much I can do about it. It's a long time (10+
years) that I stopped programming on windows.

If you could provide a dotnet client it would definitely be nicer
(especially for the UI).

Re: [dl-ticket-service] Nginx + rest.php

2014-10-17 Thread Yuri D';Elia 
On 10/17/2014 07:36 PM, "Jan B. Kolář" wrote:
> My Nginx config part for "rest.php" file is:
> 
> location = /rest.php {
>fastcgi_pass_header Authorization;

I have no experience with nginx.
If the headers are not forwarded by default, I would assume:

  fastcgi_pass_header X-Authorization;

is also needed. If you're using DL 0.14 the log should also contain some
extra info.

[dl-ticket-service] DL 0.14 released

2014-10-16 Thread Yuri D';Elia 
DL 0.14 is now officially available for download at:

  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.14.zip
  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.14.zip.asc

Changes from RC1:

- None

Complete release notes:

dl 0.14: 16/10/2014
---

* Fixed broken ``Content-Length`` header with the Apache/mod_php/mod_deflate
  combination, which would prevent downloads to be resumed.
* The built-in skin has been updated.
* The skin can now be customized and set in the configuration file.
* A word-around has been found to allow PHP 5.4-5.5 to upload files up to 4GB
  (note that starting with PHP 5.6 there is no upload size limitation).
* Logging of server-side errors has been improved.

Re: [dl-ticket-service] [Patch] make the style directory configurable

2014-10-09 Thread Yuri D';Elia 
On 10/02/2014 05:44 PM, Daniel Berteaud wrote:
> I'll try to take a look when I have some time. Any ETA for next stable
> release ? (IMHO, this change may deserves a new tarball)

Let me know when you give it a spin.
I've installed it here and I didn't notice any problem.

[dl-ticket-service] DL 0.14 rc1 (beta) is available

2014-10-03 Thread Yuri D';Elia 
The first release candidate of DL 0.14 is available for download at:

  http://www.thregr.org/~wavexx/tmp/dl-0.14-rc1.zip

Besides other changes, DL 0.14 now does extensive logging of all error 
conditions server-side. Previously DL would just return an HTTP error code, 
without further information for the administrator.

The new default is to log all errors to PHP's error log if $logFile is left 
unconfigured (that is, errors are always logged). If syslog or a file is being 
used for logging, the log will now also include errors with the appropriate log 
level.

DL 0.14 does not introduce database changes. Rollback to the previous version 
is safe.

Release notes so far:

dl 0.14:
---

* Fixed broken ``Content-Length`` header with the Apache/mod_php/mod_deflate
  combination, which would prevent downloads to be resumed.
* The built-in skin can now be changed in the configuration file.
* A word-around has been found to allow PHP 5.4-5.5 to upload files up to 4GB
  (note that starting with PHP 5.6 there is no upload size limitation).
* Logging of server-side errors has been improved.

Re: [dl-ticket-service] [Patch] make the style directory configurable

2014-10-02 Thread Yuri D';Elia 
On 10/02/2014 05:44 PM, Daniel Berteaud wrote:
> I'll try to take a look when I have some time. Any ETA for next stable
> release ? (IMHO, this change may deserves a new tarball)

The fix for mod_php+mod_deflate is also significant.
I can announce an rc1 right now...

Re: [dl-ticket-service] [Patch] make the style directory configurable

2014-10-02 Thread Yuri D';Elia 
On 11/24/2013 02:47 PM, Daniel Berteaud wrote:
> Attached is a patch to configure the "style" directory (default being
> the provided style). The rational behind this is that I deploy dl
> packaged as a RPM (BTW I can send send the spec file if someone is
> interested), so I don't want to edit files directly as it would be
> overwriten on next update.

Finally merged, with changes.

There is some interaction with the code expecting the style/static data
to be available under the web server root in some circumstances. I made
the "$style" parameter to be a directory name under style/[default].

This would allow multiple skins to co-exist, just in case we will allow
to set the skin on a per-user basis. Ideally the listings should also be
generated from the skin, but I didn't have the time right now to do this.

I also merged the new skin from RustyPixel, which is now the new
default. Comments appreciated.

Re: [dl-ticket-service] Re: Thunderbird 32

2014-09-30 Thread Yuri D';Elia 
On 09/23/2014 10:37 AM, Michael Bunk wrote:
>> I have found the problem,
>> it is the paramater magic_quotes_gpc=On which differs from you indication.
>> Unfortunately another virtual web site on the same web server, Apache/2.2.16
>> (Debian), needs  the value "On" .

Which PHP version is this?

>> For some reasone newticket post command works but newgrant fails with such a
>> setting.

With PHP 5.6 this setting is not even available anymore, so I'm even
reluctant to look into it. Software relying on magic_quotes_gpc is
broken by design.

>> I tried to override the parameter with the option
>> php_flag magic_quotes_gpc Off within .htaccess  
>> and/or php.ini in the /dlticksvc/ directory but it didn't work
>> Have you any hints in how to achieve this overriding?

>From the PHP manual:

| The magic_quotes_gpc directive may only be disabled at the system
| level, and not at runtime. In otherwords, use of ini_set() is not an
| option.

> Try to set the flag in the apache config directly instead of .htaccess:
> 
> http://stackoverflow.com/a/11539059/2725226

which with mod_php this would have the same limitation.

With suPHP (http://www.suphp.org/) you can have a separate environment
(including a different php.ini), which would allow you to run both
side-by-side.

Of course, this is for old PHP setups.

With a more recent PHP version you could directly use php-fpm to the
same extent.

As a last resort, you can run DL with a different apache process, and
then use a reverse proxy from the main server to make it invisible. It's
a heavy-handed approach, but it *will* work.

Re: [dl-ticket-service] Re: Thunderbird 32

2014-09-20 Thread Yuri D';Elia 
On 09/19/2014 03:18 PM, Luca Casavola wrote:
> I have installed on Thunderbird  31.1.1 ( not 32, I was wrong ) .
> After setting up the DL account with my internal server I was able to produce 
> the link from thunderbid but I got an erro when I tried to produce a grant
> On thunderbird I got the message on the status bar:
> Cannot generate a new grant
> On the console error the  are no errors.
> On the server side i got the info ( from webserver 's error.log )
>  PHP Notice:  date_default_timezone_set() [ href='function.date-default-timezone-set'>function.date-default-timezone-
> set]:
> Timezone ID '' is invalid in 
> ...
> but it should not be related with the issue since I got it for each dl 
> request.
> Instead , from webserver 's access.log I got :
>  "POST /dlticksvc/rest.php/newgrant HTTP/1.1" 400 204 "-"
> "thunderbird-filelink...@thregr.org/0.13 Lightning/3.3"
> I presume there is some error on the POST request.
> How can investigate on it.

I assume here generating a grant from the web interface works.

Since you seem knowledgeable, can you please try if:

  ./dl/client/dl-cli.py -g ran...@example.com

works from the command line?

Also, it would be helpful to know which configuration do you have on
your server (apache, php-fpm, mod_php, etc) and which configuration
example did you follow from the README to set it up.

Re: [dl-ticket-service] Thunderbird 32

2014-09-20 Thread Yuri D';Elia 
On 09/19/2014 03:25 PM, Tanstaafl wrote:
>>> is availabale a workaround to install Dl 0.13 add on thunderbird 32
>>> or do we need wait for the next coming release?
>>
>> I updated the minimum version on the mozilla addon website to 32.*.
>>
>> [On a related note, I truly hate these meaningless version numbers that
>> Mozilla has started to use]
> 
> Thunderbird will NOT auto-update beyond the ESR major version of Firefox 
> - in this case, 31...
> 
> If someone has 32, they downloaded and installed it manually from the 
> NON RELEASE channel...

I figured, though I looked at TB32 and there are no plans to change the
filelink interface anyway.

Re: [dl-ticket-service] Thunderbird 32

2014-09-19 Thread Yuri D';Elia 
On 09/19/2014 11:46 AM, Yuri D'Elia wrote:
> On 09/19/2014 09:59 AM, Luca Casavola wrote:
>> Hi all,
>> is availabale a workaround to install Dl 0.13 add on thunderbird 32
>> or do we need wait for the next coming release?
> 
> I updated the minimum version on the mozilla addon website to 32.*.

I also regenerated the stand-alone version:

http://www.thregr.org/~wavexx/software/dl/thunderbird.html

Re: [dl-ticket-service] Thunderbird 32

2014-09-19 Thread Yuri D';Elia 
On 09/19/2014 09:59 AM, Luca Casavola wrote:
> Hi all,
> is availabale a workaround to install Dl 0.13 add on thunderbird 32
> or do we need wait for the next coming release?

I updated the minimum version on the mozilla addon website to 32.*.

[On a related note, I truly hate these meaningless version numbers that
Mozilla has started to use]

[dl-ticket-service] Default DL Style

2014-09-16 Thread Yuri D';Elia 
I received the following pull request in github:

https://github.com/wavexx/dl/pull/8

Looks fine to me (actually "better" than the current), and I was
thinking of pulling it along with the "configurable style" patch sent by
Daniel Berteaud a while ago.

Since the OP didn't respond, maybe some of you could know the origin of
those icons and/or replacements that we could pull in?

Re: [dl-ticket-service] Packaging of dl for inclusion in Fedora / EPEL

2014-08-08 Thread Yuri D';Elia 
On 08/07/2014 08:05 PM, Greg Bailey wrote:
>> So as I understood the bug report, it was finally accepted?
> 
> Yes, it's in there now.  It's in the "testing" repo for Fedora 19, 
> Fedora 20, and EPEL 6 (CentOS 6, RHEL 6, etc.)
> 
> It's in the regular (non-testing) repo for EPEL 7 (RHEL 7, CentOS 7), 
> and Fedora 21/rawhide.

Awesome :)

> I can push it to the regular non-testing channels for Fedora after 
> another day or 2.  For EPEL, the wait time is longer (another 2 weeks) 
> unless a Fedora packager gives positive feedback on the RPM, in which 
> case it may be possible to promote it sooner.

There's no rush, I just wanted to know if there was anything required on
my part.

I'm wondering now where I should advertise/announce DL releases.
In the past I relied a lot on freshmeat/freecode. Since now it's
officially gone, the only channel left is either this mailing list or
github.

Somehow I was never able to find anything by searching through github
unless it's already *quite* popular. There's too much noise and
unimplemented/half-not-working stuff. Plus, it's not really useful for
users, as opposed to developers.

What's popular these days to find software, aside from random searches
and the stackexchange network?

Re: [dl-ticket-service] Packaging of dl for inclusion in Fedora / EPEL

2014-08-07 Thread Yuri D';Elia 
On 07/31/2014 04:36 PM, Yuri D'Elia wrote:
>> I'm putting the finishing touches on RPM ingredients to submit dl as a 
>> package for Fedora and Fedora EPEL (for RHEL, CentOS, etc.).

So as I understood the bug report, it was finally accepted?

[dl-ticket-service] DL 0.13 released

2014-07-31 Thread Yuri D';Elia 
DL 0.13 is now officially available for download at:

  http://www.thregr.org/~wavexx/software/dl/releases/dl-0.13.zip

Changes from RC1:

* Updated translations (French/German/Spanish/Czech).
* The "select all" checkbox didn't work properly and was fixed.

Thanks to all the testers, translators and contributors.

Complete release notes:

dl 0.13: 31/07/2014
---

* The "Active tickets/grants" pages for administrators now show only their own
  tickets, like for normal users. Other tickets are visible in the new "All
  tickets/grants" pages.
* Upload progress information is now implemented client-side using HTML5/JS,
  which is both more responsive and waives any PHP configuration/version
  restrictions.
* Ticket/grant/user listings can now be sorted by clicking on the table header.
* The date/time format can now be customized.
* Spaces in uploaded file names are now correctly preserved.
* The REST interface can now be used with the built-in authentication method
  without additional configuration *also* when using apache/fcgi.
* The REST interface now supports a method to generate grants.
* The Thunderbird add-on now includes a new menu command (under "Tools") and a
  new toolbar icon in the composer window to generate and insert grants in the
  current message.
* Added Brazilian Portuguese and Czech localizations (thanks to Guilherme
  Benkenstein and Jan Štětina).
* Minor bug/cosmetic fixes.

DL 0.12 is the last release offering an upgrade path from DL 0.3. Version 0.13
can only upgrade from 0.4 and above. If you have an old installation, you'll
need to perform a two step upgrade using an earlier release.

Re: [dl-ticket-service] Packaging of dl for inclusion in Fedora / EPEL

2014-07-31 Thread Yuri D';Elia 
On 07/30/2014 06:31 PM, Greg Bailey wrote:
> Hi Yuri (and others),
> 
> I'm putting the finishing touches on RPM ingredients to submit dl as a 
> package for Fedora and Fedora EPEL (for RHEL, CentOS, etc.).
> 
> I maintain a few other packages in Fedora so hopefully I've covered most 
> of the "gotchas".  :)
> 
> I've checked for existing submissions and it doesn't appear that anyone 
> else has started this effort yet?  I'd like to confirm that's the case 
> before going too much further.
> 
> Yuri, would you be open to including the RPM .spec file in the repository?

I have no problem with that, as long as there's somebody willing to
maintain it :). It's a long time I didn't touch Fedora/RH, so I couldn't
really help anybody with the spec.

Just as a note, Debian generally suggests to have the packaging
infrastructure as a different project unless it's a core Debian package.
For example, it's common practice to patch sample configuration files
and documentation to their actual installation paths without affecting
the source package. No idea if that's considered good practice or not
also in Fedora. (I'm telling just because I maintain a few packages in
Debian).

As for the code, I would suggest to use 0.13:

http://www.thregr.org/~wavexx/software/dl/releases/dl-0.13.zip

I'll write the announcement soon.

Re: [dl-ticket-service] Re: Authentication accepts any username / password combination

2014-07-30 Thread Yuri D';Elia 
On 07/30/2014 12:40 PM, Edi Füllemann wrote:
>> I got the last translation today and I was planning to make a release,
>> so it would be nice to confirm that 0.13 is fine.
> 
> It seems to be fine. See my previous post.

Herrlich!
I'll release 0.13 shortly.

Re: [dl-ticket-service] Authentication accepts any username / password combination

2014-07-30 Thread Yuri D';Elia 
On 07/30/2014 09:58 AM, Yuri D'Elia wrote:
> Did you change or set the value of $authRealm in your configuration file
> maybe?
> 
> I just tried this on 0.12 but couldn't reproduce it somehow.

I'd also like to mention that if you could try this on the 0.13 RC1 it
would be great:

  http://www.thregr.org/~wavexx/tmp/dl-0.13-rc1.zip

I got the last translation today and I was planning to make a release,
so it would be nice to confirm that 0.13 is fine.

Re: [dl-ticket-service] Authentication accepts any username / password combination

2014-07-30 Thread Yuri D';Elia 
On 07/30/2014 09:25 AM, Edi Füllemann wrote:
> I updated from 0.10 to 0.12 and realized that any username / password is
> accepted by the web frontend. The installation is configured to use internal
> authentication. First I suspected the upgrade process somehow went wrong and
> tried a fresh install. But the problem persisted. When I login with a
> fantasy username, it gets even added to the database.
> 
> After trying to follow the logon process in the source with my limited php
> knowledge, I suspect the software is using external authentication instead
> of internal.
> 
> I could fix the problem for now by commenting out the following part of the
> function userLogin in include/admfuncs.php. This is where the external
> authentication is done an new user accounts added.

Did you change or set the value of $authRealm in your configuration file
maybe?

I just tried this on 0.12 but couldn't reproduce it somehow.

[dl-ticket-service] New mailing lists

2014-07-08 Thread Yuri D';Elia 
I created two new mailing lists for DL:

* dl-announ...@thregr.org
* dl-translat...@thregr.org

"dl-announces" is a *read-only* list for those who are only interested
in project updates. The only posts will be about official, security and
RC release availability. No discussions and no other posts allowed.

A few people requested this already. You can unsubscribe from this list
through  and re-subscribe to
 as you like.

"dl-translators" is for the language translators coordination. It will
contain translation requests with extra details (such as the one
previously sent individually). Official translators are already
subscribed, but the list is otherwise open for anybody interested.

Instructions have also been added to the official documentation:

http://www.thregr.org/~wavexx/software/dl/README.html#general-support-mailing-list

[dl-ticket-service] DL 0.13 release candidate 1 available

2014-07-08 Thread Yuri D';Elia 
The DL 0.13 RC1 can be downloaded from:

  http://www.thregr.org/~wavexx/tmp/dl-0.13-rc1.zip

or downloaded from git. The RC is expected to be identical to the final
release, except for final translation updates and any eventual bug-fix
found while testing.

You are encouraged to help by testing the RC if possible.

dl 0.13: ??/??/2014
---

* The "Active tickets/grants" pages for administrators now show only
their own tickets, like for normal users. Other tickets are visible in
the new "All" tickets/grants" pages.
* Upload progress information is now implement client-side using
HTML5/JS, which is both more responsive and waives any PHP
configuration/version restrictions.
* Ticket/grant/user listings can now be sorted by clicking on the table
header.
* The date/time format can now be customized.
* Spaces in uploaded file names are now correctly preserved.
* The REST interface can now be used with the built-in authentication
method without additional configuration *also* when using apache/fcgi.
* The REST interface now supports a method to generate grants.
* The Thunderbird add-on now includes a new menu command (under "Tools")
and a new toolbar icon in the composer window to generate and insert
grants in the current message.
* Added Brazilian Portuguese and Czech localizations (thanks to
Guilherme Benkenstein and Jan Štětina).
* Minor bug/cosmetic fixes.

DL 0.12 is the last release offering an upgrade path from DL 0.3.
Version 0.13 can only upgrade from 0.4 and above. If you have an old
installation, you'll need to perform a two step upgrade using an earlier
release.

[dl-ticket-service] Thunderbird updates

2014-07-08 Thread Yuri D';Elia 
I just completed a series of updates to DL to allow the generation of
grants from the REST API.

This was done mainly to support generating grants directly from
Thunderbird. The new add-on adds a new command (under Tools), and a new
toolbar item (that you have to drag-in manually) that generate a new
grant and insert the URL in the current message automatically.

Screenshot here:

  http://www.thregr.org/~wavexx/tmp/thunderbird-grant.png

If you want to test the new add-on, here's a pre-release:

  http://www.thregr.org/~wavexx/tmp/thunderbird-filelink-dl.xpi

To test it though you'll need to update DL to the current git's master
branch of course.

Likewise, the command lile clients have also been updated to generate
grants. "dl-cli -g [address]" will now generate and print a grant.

By the way, the current DL icon in the Thunderbird extension (which is
also used in several other places) sucks. Any help here would be
appreciated.

Re: [dl-ticket-service] Re: "cannot access spool directory" error: how to find web server user?

2014-05-21 Thread Yuri D';Elia 
On 05/16/2014 08:54 PM, Yuri D'Elia wrote:
> On 05/16/2014 01:58 PM, Maddox Flower wrote:
>> Thanks for the reply, Yuri! Unfortunately, I am still not able to access to 
>> spools directory. Here's the output of
>> $> ps axuw | grep apache
>> apache   26077  0.0  0.0 131484  3204 ?S13:36   0:00 
> <..>
>> Is that ok? I've gone through the whole setup once more (after removing the 
>> /var/spool/dl directory and the dl directory in my websites httpdocs). Still 
>> the same error :-(
> 
> It's running as "apache". Try "chown -r apache [spool]".
> 
>> What about ownership / group / permissions of the 
>> /var/www/vhosts//httpdocs/dl directory, are they important at 
>> all?
>>
>> Can this have anything to do with the  entry? This is supposed to 
>> be in my /etc/httpd/conf/httpd.conf file, right? I am a bit confused about 
>> the mod_php. Is this module loaded by apache (v2.2.15) by default?

Were you able to solve the issue?

Re: [dl-ticket-service] Re: "cannot access spool directory" error: how to find web server user?

2014-05-16 Thread Yuri D';Elia 
On 05/16/2014 01:58 PM, Maddox Flower wrote:
> Thanks for the reply, Yuri! Unfortunately, I am still not able to access to 
> spools directory. Here's the output of
> $> ps axuw | grep apache
> apache   26077  0.0  0.0 131484  3204 ?S13:36   0:00 
<..>
> Is that ok? I've gone through the whole setup once more (after removing the 
> /var/spool/dl directory and the dl directory in my websites httpdocs). Still 
> the same error :-(

It's running as "apache". Try "chown -r apache [spool]".

> What about ownership / group / permissions of the 
> /var/www/vhosts//httpdocs/dl directory, are they important at 
> all?
> 
> Can this have anything to do with the  entry? This is supposed to 
> be in my /etc/httpd/conf/httpd.conf file, right? I am a bit confused about 
> the mod_php. Is this module loaded by apache (v2.2.15) by default?

Apache and PHP can be configured in many ways. mod_php is usually the
default/recommended choice. In this configuration, PHP runs as the same
user/group as apache.

DL has two parts you need to care about: the htdocs directory
(/var/www/vhosts//httpdocs/dl in your case) and the spool
(/var/spool/dl).

htdocs needs to be readable _only_. By the error that you're getting,
this is already readable so that's fine.

The spool needs to readable _and_ writable as well by the apache user.
A "chown -r apache /var/spool/dl" should do it.

I think I suggested a chgrp before (which is what I usually do), but
then you should look into which group apache is running at (Group line
in the apache configuration file in the simplest case). Generally on
Debian/Ubuntu is www-data, on RedHat/Centos you need to check.

Re: [dl-ticket-service] "cannot access spool directory" error: how to find web server user?

2014-05-14 Thread Yuri D';Elia 
On 05/14/2014 07:45 AM, Maddox Flower wrote:
> Looking into /etc/passwd, I am seeing users such as
> apache:x:48:48:Apache:/var/www:/sbin/nologin
> abo-admin:x:1:503::/var/www/vhosts/:/bin/false

I would guess then that the web server is running as "apache" here.

> $> ls -la /var/spool
> ...
> drwxrwx---  3 abo-admin psaserv 4096 14. Mai 00:42 dl

Everything else is correct. But the spool directory needs to be writable
by apache.

I would guess a:

  chgrp -r apache /var/spool/dl
  chmod g+ws /var/spool/dl

would do the trick, but if you want to know exactly under which user
apache is running at, run something like:

  ps axuw | grep apache

to know the user exactly.

Re: [dl-ticket-service] Re: Setting up Thunderbird with DL

2014-04-22 Thread Yuri D';Elia 
On 04/22/2014 02:33 AM, Kelvin Smith wrote:
>> On 4/16/2014 4:31 PM, Kelvin Smith  wrote:
>>> Thank you for responding. I don't get a prompt from browsing directly to
>>> rest.php, but in further testing, I found the problem was that I was using
>>> https: rather than http:. Once I changed that, it set up properly, and is
>>> now working. Thanks!
>>
>> But wouldn't the correct fix be to get the https: (secure) link working 
>> rather than simply switching to an UNSECURED link?
> 
> It would if I could secure the link. Unfortunately, my SSL certificate
> doesn't cover additional subdomains. At this point, my use of this doesn't
> merit buying an additional cert.

You can run DL under a sub-directory under the main domain if you want
to, just in case you are interested. There is no restriction on the
location. You just need to tweak the "masterPath" accordingly.

I personally don't use a subdomain either, for the same reason (ssl
cert). I just created a redirect from dl.example.com => example.com/dl/

The examples are provided for a subdomain setup, but that's just for
convenience.

Re: [dl-ticket-service] Changing maximum upload size

2014-04-22 Thread Yuri D';Elia 
On 04/20/2014 06:51 AM, Kelvin Smith wrote:
> I've got another problem with my new installation of DL. My website 
> currently has a maximum upload size of 10 MB. I'd like to increase that 
> to 500 MB, and I changed both upload_max_filesize and post_max_size in 
> php.ini in the root directory of my dl subdomain, as directed in your 
> Readme file. It seems to have no effect; DL is still reporting that the 
> maximum file size is 10 MB, which largely defeats the purpose of having 
> DL available.
> 
> Any ideas on what I'm missing to get the new maximum size to work?

php.ini is usually located elsewhere.

In debian/ubuntu, it's somewhere in /etc/php5/[current backend]/php.ini
Creating a new empty php.ini in the document root will not set those
variables.

In RedHat/Centos it should be directly in /etc/.

If you can tell us what web server are you using (apache?) and php
module/version (mod_php I assume?) it would be helpful.

  1   2   3   >