I'm working on a web-based Flash application for a client which loads an external file from the same directory it is located in on the server. I use a URLRequest to load the file:
loader.load(new URLRequest("Config.xml));
Right now the Config.xml file uses chmod 644, which gives it public read access. However, the client would like to protect the configuration file so that it can't be downloaded by third-parties.
I'm thinking that it won't be possible to hide the file by removing public read permission (chmod 640) because then the Flash document, which is executed client-side, will be unable to read it. My tests seem to confirm this. Is there any way for a Flash app on the web to read a file from the server without exposing it to the public?
As others have already said, you can't do this. For the SWF to be able to load the file from the client-side it must be public.
A possible solution that might be good enough for your client is to embed the XML file contents in your HTML on the server side, for example as FlashVars or JavaScript output, then the SWF does not need to load the XML file directly and you don't need to make the file public.
For example:
Server-side PHP:
<?php
$xml = file_get_contents("Config.XML");
$encodedXml = rawurlencode($xml);
?>
<object type="application/x-shockwave-flash" data="my-flash.swf" width="550" height="400">
<param name="movie" value="my-flash.swf" />
<param name="FlashVars" value="config=<? echo $encodedXml ?>"/>
</object>
Client-side AS3:
var xml:XML = XML(stage.loaderInfo.parameters.config);
Of course someone could look at your HTML source and decode the XML themself, but any way you get the XML content into your SWF will expose that possibility, to varying levels of difficulty. You could make the encoding more obfuscated (url encoding is easy to spot) or encrypted to make it harder to find.
No. Flash is using a regular HTTP request to load the config file, so of course it can't get the file if it's not publicly-accessible.
What you could do is require authentication for the config file and include credentials in your URLRequest declaration. However, this still suffers from the weakness of someone sniffing the traffic to discover the authentication, and then running that request again with another tool.
Ultimately, you can't have it both ways: Either your config is accessible and insecure, or it's secure but unusable.
The short answer :
No, you can not do that.
The long answer :
No, you can not do that because, as you already know, Flash Player is a client-side technology, so it's exactly the same as a browser, and any file loaded by your SWF is accessible and visible for absolutely any person who has access to that SWF file, also forget about files access permissions which didn't has any effect in this situation.
Note here that you can use some encryption system to encrypt the content of that file and your SWF will decrypt it, but the problem here, is that you have also to encrypt your SWF file which, to my knowledge, is not a very reliable technique because SWF decompilers are really very efficient nowadays ...
...
Hope that can help.
A client side app (Flash or other) cannot read or load by itself any files from a server even from the server it's coming from. When it loads a public xml file, it makes a request for it and if the file has the right permission and the server knows how to serve that file, the request is granted and the file is served. This is very much so a server side operation so you can know see that when you say: "Flash runs client-side, so how would I take any advantage of a server-side solution?" this is a clear misunderstanding of how things work on client side and server side because if you do load a xml file then you do take advantage of a server side solution. Now this being said, how to do it when the file permission if turned of.
It is common to not allow access to files or directories on a server, in that case a client side cannot be granted access to those directly. So this is when you need to use a serve side technology to serve those files. Serve side technology like for example PHP can access all files on the server and make copy of them or change temporarily their permission etc ...
You can serve to your client side those forbidden files by simply writing a serve side script that would serve the file to you depending on some criteria you define (or none). The server side can change the permission allowing you to download it and then change it back, or it can copy the file and put it in a public accessible place and then delete it. You can also change the extension of your xml (to .whatever for example) and not provide a mimetype for it, even though the file is public the server won't be able to serve it, you can then make you serve side script change its extension for you on a per need basis. There's just hundreds of ways to do it including web services and even AMF and all that while the needed file is not publicly accessible. But yes you have to write server side scripts which is a VERY COMMON way to serve files to client side.
Related
I need to upload a file repeatedly by browser (automatic) and refresh time ask me for confirm.
How can i to POST form with a specified file?
Sorry my english
It would be nice if you make available what you already tried, then we know where you are getting stuck.
Basically if you need to upload a file to a remote server you will need a dynamic language like PHP, Python, etc.
You can't send files to a remote server using plain HTML.
For security reasons HTML itself won't let you send files to a remote webserver via <form> automatically.
For that feature you would have to have your webserver handle the form via a special file like for example <form action="exampleFormHandler.php" method="post">.
Placed at your webserver, this form-handling file would have to provide the sending of that very file then.
I am wondering if I can have a webpage where I can tell it to grab my file and put it in a directory, such as: "http://example.ex/folder". Meaning the file I provided is put into the "folder" folder.
Overall process:
Button says: "Import file"
I select a file, and my file is "text.txt"
It takes my file "text.txt" and adds it to the local system/directory of the website.
You can do this using JQuery File Upload and then adding a backend service that captures the file and saves it.
For example, here is a repository that has a basic Python (Flask) server integrated with JQuery File Upload that will take an uploaded file and place it on the server:
https://github.com/ngoduykhanh/flask-file-uploader
I'd put the rest of the code here, but it is a lot - and requires HTML, JavaScript and a back-end language (like Python).
Here is the documentation on JQuery File Upload: https://github.com/blueimp/jQuery-File-Upload
As a word of caution, DO NOT TRUST ANYTHING UPLOADED TO YOUR SERVER. Meaning, do not put it out on the open internet without some sort of authentication or checks in place to make sure only files you intend are uploaded. Otherwise, people will find it and upload scripts turning your device into a Bitcoin miner, spam relay, or bot host.
Instead of doing it this way, why not use SFTP to upload it to your server to host? At least that way you can lock down access.
I am building a flash application which requires loading of an xml file using URLLoader. While developing application in my local machine with flash professional I can easily load it by
private var myLoader:URLLoader = new URLLoader(new URLRequest("./com/assets/config.xml"));
When I publish the application and click on the html generated and the app loads on browser perfectly.
If I make a server (localhost:1111) that delivers the html file over browser on connect, the html file doesn't load the application (.swf).
While trying to debug it, I found that if I change the myLoader variable as below, the html file loads the swf properly.
private var myLoader:URLLoader = new URLLoader(new URLRequest("http://localhost:1111/com/assets/config.xml"));
I believe the SWF is making another GET request after the html loads on my browser, that is the reason the SWF doesn't work without the change.
Is there any way I can load the xml file in SWF before it gets delivered over browser. This is to avoid another call to the server. I appreciate any help in clarifying my understanding and suggestion for workaround.
If you want to upload your SWF and have users access the configuration XML, you will need to host the XML somewhere reachable by your users. Your local machine (localhost:1111) is not reachable by anyone other than yourself (outside of some unusual hosts tweaking on the user's machine).
When you set up hosting and a web-server to actually serve the file over HTTP, you will need to do a few things:
Set up a crossdomain file on the server to define which hosts are allowed to load your configuration XML.
Amend your application to load data from the server, e.g. new URLRequest('http://your_domain_or_ip/config.xml').
The reason you cannot retain your reference to the XML file as a relative ./com/assets/config.xml is because the SWF will only load files over the local filesystem if it is being viewed as a file in the filesystem vs inside a browser.
When the SWF runs, the URLLoader instance you create will perform a HTTP GET to load your XML file.
If you want to avoid performing additional GET requests to fetch the XML, you will have to compile the configuration into the SWF itself using the [Embed] meta tag.
I am using below code to display pdf file in HTML
<object data="data/file.pdf" type="application/pdf" width="300" height="200">
test.pdf
</object>
But In above code we have to specify path name and folder name so it is not so secure. Crawler can find this path, so using some algorithms(robot) it is very easy to download other file those are stored in that folder.
How to secure this, is there any option to prevent this from robots?.
You may do the following:
Password protect the page (with the server-side code).
Generate unique links like (/getpdf/some_random_string_or_md5_hash_of_random_string.pdf) for every PDF file (using server-side code) that will a) check for the current time and the validity of the random name generated (if it has expired or not) then b) will redirect to the source files (not really hiding the source because of the redirection) to be displayed or stream the PDF file content (this is more secure though could seriously add the load to the server).
Finally add robots.txt to the folder and hope that crawlers will follow restrictions it sets.
If the other files in the directory are not to be downloaded, ever, they shouldn't be in a directory that is available to the http server. You can use directory permissions in your http server (eg., config directives and .htaccess in Apache) to control access to directories. Only configure access for directories you need to expose to the web, and only store files in them that you want the web to access.
If you want to avoid including a path in the HTML, you will need to write some dynamic code (eg, php, asp, or any number of server-side options). Your code on the server would need to handle the request for the file and return the file's content manually.
:image => StorageRoom::Image.new_with_filename(path)
I have to get the path of the image. So far i have specified the path manually and it worked and now i have put in heroku but it shows Load Error - No such file present.
How can i get the path value of the local system using browse button.
Your problem may not be related to path names, but to the fact that Heroku has a read-only file system. If you try to write files onto disk in a Heroku app, it simply doesn't work -- the file will not be saved.
The exception is the "temp" directory. You can save files there, but they are not guaranteed to persist for longer than the duration of a single request.
Is the file you are trying to open actually saved in your Git repo? If so, it will be on the disk in your Heroku app, and you should be able to open it.
To see what the filesystem layout looks like on your Heroku instance, you can create a controller method like:
render :inline => Dir['**/*'].inspect
File.expand_path
Reference : http://saaridev.blogspot.com/2006/11/ruby-finding-absolute-path-of-running.html
You don't need the full path. As far as file path in the client machine is concerned for file uploads, the path is irrelevant as it poses security risks for the user.
Most modern browsers don't send the file path for file uploads. You could get the path using Javascript or Flash but still I don't see the logic behind doing this.
When a user clicks on the submit button the browser should at least send you the file name with the file data together with a bunch of other information like the mime type. Your web server would either write the file to disk or process it in memory assuming you have near infinite memory resources. Look at the RFC 1867 for file uploads for more on this.