Flash Player 10 specifies:
"Redirects to policy files outside the originally requested domain will
continue to cause policy files to be
ignored by Flash Player."
Is there a way to access policy files outside the domain?
I don't fully understand your question.
A policy file on a given domain (no matter the exact path) can only give access on that domain and subdomains.
Using Security.loadPolicyFile, you can load it from an arbitrary URL on that domain, but you cannot grant access to domain B with a policy file from domain A.
Edit:
If you could give access to B from A, being the owner of A, this whole policy thing would be pointless. You would serve the swf from A and serve a policy file that grants access to B from A, so why have policy files anyway?
I don't know about flash, but you can load any javascript you want by dynamically adding script tags to the page, or even including them into your page at load time. Just add append a tag to the end of head with the script URL you need to load. But you should do this only if you trust the script.
You can load policy files from anywhere using:
Security.loadPolicyFile(url:String)
Related
Strange question but hopefully its possible.
we have files in the root of our site (/files) these are uploaded through the main cms side of the website (/admin) and to be accessed by people who have access to the (/school) directory.
At the moment, if you have the direct link URL EDIT TO THE FILE you can gain access to the file
the files folder has its own web.config file with some rules, is there a way i can add some of my own authentication within the web.config to only allow requests that come from the School folder to have access to the files?
In my head i would have a piece of VB code that does something like this:
If (Request.UrlReferrer <> Nothing) Then
If Page.Request.UrlReferrer.ToString.Contains("/School/") = True Then
???
End If
Else
Response.Redirect("index.aspx")
End If
I've tested this in a simple page and it seems to work okay.
Well, I would assume that the users who can use school folder are memembers of a secuirty role called School (or some such).
thus, any user not a member of school can't use the pages (or files) in the school folder.
Since you want the SAME restricitons for the folder files, then use the same web.config to secure the files folder.
That will mean only users who can use the shools folders will also be the same group of people that only use the files folder.
Now the above will not stop members of securty role "school" from typing in any valid URL to the files folder. So, if you want to prevent this, then I would suggest that for all files up-loaded, you create a folder inside of files folder based on their PK row in the membership table (Memebership.ProviderKey).
Then what you would do is turn off all role groups rights to the files folder. I perfer not EVER allowing a direct URL to files.
Remember, only IIS respects the IIS security settings and provider for a web based URL. Code behind is 100% free to load, read, write, use, play with ANY file via code behind. Code behind uses plain jane FULL path names - and those path names and file names used by code behind does NOT care nor use IIS security settings. Only web based URL's dish out by IIS respect and use the IIS security settings you have for the schools folder. So, copy the web.config for schools over to files, and you are done.
But, code behind? it does not care nor use those settings at all.
So, code behind does NOT use nor respect nor care about IIS security settings. IIS role membership ONLY applies to the asp.net pages and web based URL's. But, code behind is a 100% free to get and grab any file on the system - even files outside of the wwwroot path name of the web site.
So, as a 2nd level and better security?
I would not allow ANY URL's to the files folder.
You then display a grid or list of files on the web page, and code behind for the download button can then go read/get the file (you can use TransMitFile to download that file)
So, best approach is to not allow ANY valid URL's to the files folder.
However, for now, since you only want people who can use the schools folder also be the SAME people that can use the files folder? Then just use the same web.config for both folders - only those people with role of "school" will thus have use and rights to the files folder.
From the information you provided, then you don't really need any code changes - only to take the security settings from the school folder web.config, and copy that to the files folder, and you should be done.
Now, it is possible that the schools folder is not secured by using IIS security and roles - but then again, that would a epic face plant and horrible design choice.
I've run into a problem using Moodle 3.2. I'm uploading mp3-files to be played in a quiz. I have the license to use those files for that specific purpose, but I am not the owner. Thus, I would like to ensure that nobody without a Moodle account can access these files.
However, the path to the files can be extracted from the source code and once you have the path, anybody can access the file. Is there any way to protect the file so only registered users can access it, even if they have the direct path?
Thank you so much!
All the best
Dom
EDIT: I've learned that files actually are encrypted by login - I just had the login cookie remaining in several browsers and thus was able to access them.
Are the files served by moodleinstallation/pluginfile.php/? This would include login/permission checks
For example,on website www.A.com,I use native client filesystem,and save a File named file1.txt. And on website www.B.com, i access the same pexe by using CORS.But the website www.B.com create its own file.Not the same one on website www.A.com. And on my local computer, I find out in the \Google\Chrome\User Data\Default\File System directory, there are two directories named 001 and 002, obviously, they are created by www.A.com and www.B.com.I want to know how to share file between www.A.com and www.B.com
As you've found, the Pepper Filesystem (which is equivalent to the JavaScript DOMFilesystem) is per-origin to the module embedder, not the origin of the pexe. There is no way direct way to share the file.
One possible workaround is to embed your pexe using an iframe. That way it would always use the filesystem origin of the iframe.
Suppose the URL http://example.com/test.php. If I type this URL on the browser address bar, the PHP code is executed, and its output is returned to me. Fine. But, what if instead of executing it, I wanted to view it's source as plain text. Is there a a way to issue such request?
I believe that there must be some way, and my concern is that some outsider could retrieve sensitive code, such as configurations file, by guessing it's location. For example, Joomla instalations have a configuration.php on it's root folder. If someone retrieves such file as plain text, then these database credentials have been seriously compromised. Obviously, this could be prevented with proper permissions, but it's just too common to just issue 0777 as everything permissions and forgetting about access denials.
For PHP: if properly configured, there is no way to download it. File permissions won't help either way, as the webserver needs to be able to read the files, and that's the one serving contents. However. a webserver can for instance be configured to serve them with x-httpd-php-source, or the PHP/webserver configuration may be broken. Which is why files which don't need direct access (db config, class definitions, etc.) should be outside the document root, so there is no way those files will get served by accident even when the webserver config is incorrect / failing. If your current hoster does not allow you to store files outside the document root, switch hosting a.s.a.p.
There is a way to issue such request that downloads the source code of http://example.com/test.php if the server is configured to provide a URL to do so. Usually it isn't, so usually there is no way to issue such a request.
I've got an HTTP service I defined in Flash Builder, via the "Data Services" tab. I've got an absolute URL in there right now.
What I really want is to not define a path that includes a domain name at all--I want the service to simply call an absolute path that's on the same domain as whatever domain the SWF was served from... can I do that? When I got rid of the base URL and then gave an absolute URL path (e.g., /roster/deleteMember), Flex Builder complained that "File does not exist." Well, of course it doesn't exist, it isn't a file, it's a URL to a service call--there is no corresponding file on the filesystem.
Can anyone advise me how to do that? If I change the domain name, it wipes out all the parameter definitions for the methods, so I have to go back to each method and setup the parameters again. Rather a headache.
Now, I would have thought this would work. from the adobe documentation:
The configuration files sometimes contain special {server.name} and {server.port} tokens. These tokens are replaced with server name and port values based on the URL from which the SWF file is served when it is accessed through a web browser from a web server. Similarly, a special {context.root} token is replaced with the actual context root of a web application.
So, if you specify the endpoint as
http://{server.name}:{server.port}/{context.root}, then
automatically on runtime, the variables are set by the flashplayer depending on where you've been downloaded the application.
Sounds great... but it's not working for me. I can't even set those values in the Flash Builder Data Services tool. Here's a recording of what I'm getting.
http://screencast.com/t/MTk0NzNiYzY
I'm not sure it's possible from the DS window.
If you were doing it in code, you could use Application.application.url to get where the swf had been loaded from.