misc

I'm honestly not sure. Deliberately no 3rd component is used to handle events. With version 0.99... it works. Not with the latest uniGUI version.

Hello, i am currently converting an old source (v0.99...) to the newest uniGUI components. The code can be compiled after some adjustments but unfortunately the portal does not run. The log is full of errors. Unfortunately I can't get any further and maybe someone in the community has already gone through something similar. Here are the logs: xxx.exe: 00001D4C: 17:08:17 [HandleFileRequest[127.0.0.1]]:Access denied: D:\dev\Win32\Release\HandleEvent. Here the logs from HTTP Command Event: 10.08.2020 17:08:17: [UniGUIServerModuleHTTPCommand]/127.0.0.1:8085/HandleEvent 10.08.2020 17:08:17: [UniGUIServerModuleHTTPCommand]Ajax=1 IsEvent=1 Obj=O0 Evt=cinfo ci=br=33;os=4;bv=84;ww=1920;wh=937 _S_ID=2tk8ISSGRS1069497FD _seq_=0 _uo_=O0 _f_=1 _fs_=401 _fst_=Unauthorized

Hi there, some of our customers are afraid about using RC4 in the cipher settings of our uniGUIServer. While the default from Indy10 (which is used in uniGUI) uses RC4 we tried to find a solution. In the OWASP (=open software security community) there is a cheat sheet about TLS Cipher Strings. We tried to implement the recommendations for a cipher string and we want to share this with you: Here is the link to the original document: https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet Please read sections "Scenarios" in the link above to understand the different strength of cipher strings. Option 1 is to hard code the different cipher strings and provide it with a simple function: function GetCipherList(AStrength: Integer): WideString; const cCIPHER_LIST_1: WideString = 'DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256'; cCIPHER_LIST_2: WideString = 'DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'; cCIPHER_LIST_3: WideString = 'ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA'; cCIPHER_LIST_4: WideString = 'AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA'; cCIPHER_LIST_5: WideString = 'DES-CBC3-SHA'; begin case AStrength of // Advanced Plus (A+) 1: Result := cCIPHER_LIST_1; // Advanced (A) 2: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2; // Broad Compatibility ( 3: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3; // Widest Compatibility (C) 4: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4; // Legacy (C-) 5: Result := cCIPHER_LIST_1 + ':' + cCIPHER_LIST_2 + ':' + cCIPHER_LIST_3 + ':' + cCIPHER_LIST_4 + ':' + cCIPHER_LIST_5; else Result := EmptyStr; end; end; procedure TServerModule.UniGUIServerModuleCreate(Sender: TObject); begin inherited; SSL.SSLOptions.CipherList := GetCipherList(1); end; Option 2 is to use a INI file and define the cipher string there. With this you are more flexible to quickly change the strenght and/or string itself. Comments welcome! Michael

What question from you? ...sorry just kidding about your post but I really do not know what you are asking or if you are asking at all. Maybe you should try to write whole sentences and try to add some more content.

I am getting the result with UniGUI 1.0.0.1390 For sure uniGUI does not take care about this. It looks like that the internet browser and/or Firewall settings on the client is blocking it on your machine. But if it is possible from server side you open it fro hackers.

ps. If you want to test it in your own environment just add this to your URL: If you test it in your project: http://<YOUR-IP>:<YOUR-PORT>/cache/<YOUR-PROJECT-EXE-NAME>/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E If you create and run a Project1 test application: http://127.0.0.1:8077/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E

The following URL is a proof of concept XSS payload. In this instance, an alert popup has been executed. This attack is possible as the URL entered by the user is copied into the "Access Denied" page and executed as a script: http://127.0.0.1:8077/cache/project1_exe/favicon.ico&%3Cimg%20src%3Da%20onerror%3Dalert(%22XSS-Attack%E2%80%9C)%3E Our fix or solution for this: We use the HTTPCommand Event in ServerModule. First of all we decode the Request URL with the TURLEncoder. With this we receive the clear text of the URL. Second we Encode the URL with the THTMLEncoder. After this we check if the original URL (in clear text) is different to the HTMLEncoded URL. If yes there are forbidden HTML Tags and we overwrite the Result and Cancel the Request. With this we are save to recognize all kind of HTML Tags in URL. uses UniGUIVars, System.NetEncoding; procedure TUniServerModule.UniGUIServerModuleHTTPCommand(ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean); const cResponseText = '<HTML>Forbidden characters in URI! Request cancled.</HTML>'; var vURI1, vURI2: String; vURLEncoder: System.NetEncoding.TURLEncoding; vHTMLEncoder: System.NetEncoding.THTMLEncoding; begin inherited; try vURLEncoder := System.NetEncoding.TURLEncoding.Create; vHTMLEncoder := System.NetEncoding.THTMLEncoding.Create; vURI1 := vURLEncoder.Decode(ARequestInfo.URI); vURI2 := vHTMLEncoder.Encode(vURI1); finally vURLEncoder.Free; vHTMLEncoder.Free; end; if vURI1 <> vURI2 then begin AResponseInfo.ContentText := cResponseText; Handled := True; end; end; Michael

Hi, i have a question about the UniDBLookupComboBox: Is it possible to manually/programmatically open the dropdown of the component? Like you simulate the press on it so it opens the dropdown list. Thanks.

Hi Delphi Developer, something in this direction, i dont want to show a message that tells you how many records i have. On the paging bar, i want to display the record count. Can i access this component somehow? Thank you

Hi, i try to display the total record count of the current fetch from my unidbgrid. I display the grid with the weboptions and pagingEnabled=TRUE. I'd like to show the record count at the same location like the paging controls. Is that possible? Thanks

Hi, i'm not sure if it is possible to make a JS event (for example window.beforeClose) and call delphi code within this event? I need this for getting notified when the user closes the browser and/or browser window/tab. So basically i simply want to get noticed in the delphi code, when the browser-tab gets closed. thanks

Hi Abaksoft, thanks for your idea, i like it but i have one scenario that could break up the idea: For example, if the system crashes, the i have more numbers in the table as connection count, so i know, the system of one user has crashed. The problem is i dont know which users system, what if one users system crashes and the others is working fine and another is trying to log in a second time. cheers

Hi everyone, i'm having my project already set up, but i was thinking about the following. I want the a user-lock on login, that means, if a user is already logged in to the user-area or the user is logging in new, i dont want the same user to have another session. My idea is to add a field ('loggedIn') in my user-table of my database which i then use for the lock. BUT what if the session gets killed or the users database connection breaks up. Then i have a logged user which cant log in anymore. How do you handle this or whats your idea? Thanks

0.96.0.1068

Hello, i have a problem with a UniDBGrid with the following situation: Every time i make a SQL Call with "insert into" on my FireBird DB for the first time for a new user (of my cms, DB is not empty) and refresh the grid, the columns of my table are there but the entry is not. When i delete the entry (dbgrid is then empty) and make another call (insert into) and the same refresh method, the grid refreshes and i see the entry in the database. My Question is, is this the right way?: 1. SQL call: insert into... 2. Database.ExecuteDirect(..)... 3. DBGrid.DataSource.DataSet.Open; 4. DBGrid.DataSource.DataSet.Refresh; 5. DBGrid.Refresh; Do you have any other suggestions or ideas why it doesnt work on the first call?