I have to upload one file from client using Button.I have to get the full client path.for example,
suppose, user uploaded a file from this local machines "d:\my files\docs\test.xml".So, now i want to get the same path("d:\my files\docs\test.xml") to proceed further.how do i get it?
i have used FileUpload1.PostedFile.FileName...But it is worked fine with IE and but not in Firefox...
So, Can you help me with this for Firefox and chrome...
Good Source:
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx
Checkout the "File Upload Control" section near the bottom. quoted:
Additionally, the “Include local directory path when uploading files”
URLAction has been set to "Disable" for the Internet Zone. This change
prevents leakage of potentially sensitive local file-system
information to the Internet. For instance, rather than submitting the
full path C:\users\ericlaw\documents\secret\image.png, Internet
Explorer 8 will now submit only the filename image.png.
This would suggest it is possible if the site is trusted (in IE) / older browsers
No, it is not possible. Browsers do not allow that due to security restrictions.
If i could set which file I wanted from javascript, a hacker could take a lot of files from your PC.
So, asp.net or otherwise, getting the full client path in a browser is not possible.
http://www.ietf.org/rfc/rfc2184.txt and http://www.ietf.org/rfc/rfc2388.txt seem to be the relevant RFCs that discuss this. They are quite lengthy but what it boils down to is that you do indeed get a filename but not a path.
Browsers will follow these standards so through the standard browser interface there will be no way to get the information you want.
This leaves other techniques such as javascript, flash, silverlight, etc.
Javascript does all of its work through the browser object model so again by default won't help. Anything to do with playing with the file system is considered a security risk (do you want random pages looking through your file system?).
It is possible that you could create your own flash or sliverlight upload tool (or find one) that will allow you to collect richer information, I don't know much about those technologies. At the end of the day though I would expect them to follow similar rules about access to the client computer.
So the RFCs and there spirit which are likely followed everywhere says that no, you can't do this.
You could always ask the user for a path in a textbox though if it is important and just have them copy it in...
There seems to be ways to do it but at the same time it looks like it will only work if it is your machine. Here is a link that explains it.
http://www.codingforums.com/showthread.php?t=72288
The problem occurs because it is seen as a malicious script trying to access information that is not under its control giving the user a prompt. So unless this is for machines under your control or users who trust you then it isn't the best of ideas. Most users who see security risk alerts will always block them.
Related
We are currently looking at porting a enterprise silverlight application over to html5. The major roadblock that we have hit is the ability to open files from the user's local disk. Currently they have a document library which just links to files on their computer that they can open from within the app and view or print out. All that I read is that you can only access the local sandbox of the web app with the html5 file api's. We want to load these files from code.
Does anyone know of any workarounds to this?
Thanks
There is no way for html5 to access local file without user selection. But FSO: FileSystemObject works for IE and MAYBE could be regarded as a work around. But still there are some requirements to meet.
It is possible to use chrome's filesystem API to access files on a users local filesytem. So you'd have to be willing to make this a chrome only application.
Using java you can create a "Signed" applet which has access to the local filesystem. (if the applet is signed you can request filesystm permissions)
then there is a tutorial for accessing methods of your java code directly from javascript here: http://docs.oracle.com/javase/tutorial/deployment/applet/invokingAppletMethodsFromJavaScript.html
you should be able to perform something similar from silverlight.
There is no workaround in pure HTML5/Javascript. You need the use of plugins, such as Java or Silverlight (maybe you shouldn't port it after all). As for workarounds, HTML5 gives you an easy way drag and drop multiple files that you could transfer on the server and then display back to your users. Another workaround would be to install a custom agent (a software with only a tray icon) that would send the information about the current user "document library" to server and then again, you could display it back to the user.
Note: I've heard somewhere that browsers will eventually stop supporting plugins. http://www.howtogeek.com/179213/why-browser-plug-ins-are-going-away-and-whats-replacing-them/
Ya, I agree with Markain. However, if you were to limit your audience solely to chrome users, I daresay, you would most likely use some of your users. If Huazhihao is right, then your number of leaving customers should decrease but users who regularly use firefox won't be happy. Overall, I think that this will not work. Otherwise, there would be too many websites that trashed your hard driver (or at least wherever you have the rights to edit/delete files). I think it would be best if your product was setup to synchronize the file whenever an internet connection was detected and a change was made to the file. That way the user would not need to visit the website whenever the file was uploaded. If this is some kind of an error file, then it would be most beneficial if you were to make a link in the application that when clicked, would upload the file to the website and the website were to do whatever was necessary. If this is a purely online thing, then I don't see what business you would have looking through other peoples' files =-). Hope I helped!
I created a small JavaScript application for which I reused some (quite large) JavaScript resources that I downloaded from the internet.
My application runs in the browser like other interactive web applications but works entirely offline.
However, I intend to enter some private information in the application which it shall visualize. Since I cannot ultimately trust the JavaScript pieces that I downloaded, I wonder if there is a JavaScript option to make sure that no data is downloaded and, in particular, uploaded to the web.
Note that I am aware that I can cutoff the local internet connection or perhaps change browser settings or use an application firewall, but this would not be a solution that suits my needs. You may assume that the isolation of a browser instance is save, that is no other, possibly malicious, web sites can access my offline JavaScript application or the user data I enter. If there is a secure way to (automatically) review the code of the downloaded resources (e.g. because communication is possible only via a few dedicated JavaScript commands that I can search for) that would be an acceptable solution too.
You should take a look at the Content Security Policy (CSP) (see here and here). This basically blocks every connection from your browser to any other hosts, unless explicitely allowed. Be aware that not all browsers support CSP, which leads to potential security problems.
Reviewing the library code might be difficult because there are many ways to mask such code pieces.
Find it yourself by watching your browser's network activity while your application is in action.
There are more than enough tools to do this. Also, if you know how to use netstat command line tool, it is readily shipped with windows.
Here is one cool chrome extension which watches the traffic of the current tab.
https://chrome.google.com/webstore/detail/http-trace/idladlllljmbcnfninpljlkaoklggknp
And, here is another extension which can modify the selected traffic.
https://chrome.google.com/webstore/detail/tamper-chrome-extension/hifhgpdkfodlpnlmlnmhchnkepplebkb?hl=en
You can set the filters and modify all requests/responses happening in your page.
If you want to write an extension to block requests yourself, check this answer out.
Is there a way to get the physical path with Javascript (or any other library) where the user saved the file he/she downloaded from my Web Application?
No, having such a feature would be a security flaw.
Only Google Chrome support the filesystem-API, but i'm not sure if a website can use this Api.
More informations.
No, unless he/she tells you where they saved it, or unless you control the user of the application's computer. This is a silly question if you think about it logically, do you not think there might be few very major security concerns if you were able to very easily spy on the internals of users computers?
This has been asked a lot of times already: I need to get the full file path via a web-page. The use case is an application running on the same machine as the browser (i.e. the application starts a local HTTP server and fires up the browser.) File-paths are of course valid and the same for both client/server now. The use case it that the user selects a file and then the server process does some computation on it, and the input files are typically large (read: several GiB in size.)
The easiest thing would be to directly access the path using , but for security reasons, this is disabled. I'm looking now for the least intrusive workaround to this problem. The target browser in question is Chrome. I'm fine if the user has to click "accept" once on some security warning, as long as I can ensure that it won't appear again.
Do I have to write an extension, NSPlugin, can I use some special header magic to mark my page as "local", is there some security setting I can set? The less the client has to do the better, and I would prefer some "click here to allow access ..." solution above everything else. Can I directly install an extension from the server process that would do this (after the user clicks accept?)
Is it possible to do this with a Java applet/Flash? That would be the easiest solution, and clients are guaranteed to have Flash installed (as it is bundled in Chrome...)
You can create Java applet for tasks like this and self-sign it. User will have to allow it to run, but then you will be able to access applet's function that will return file path string via Javascript.
Clearly file io on the client's system is forbidden from JavaScript. If this wasn't the case it would be absolutely trivial to hack every web browser that visits your website.
Battlefiled 3 is controlled though the browser. To do this EA wrote a browser extension for the top three browsers. But that's resource intensive. If you just care about chrome you can use an addon, and for that i suggest using the NPAPI.
And as MOleYArd said, Java is a good solution and probably more common than an extension or addon.
I have sensitive files to download to users, and each user is permitted to download a given file exactly once. If the download fails, I want to permit the re-download, but not otherwise.
It's not sufficient to rely on logging/processing the file download request at the server - I need to know deterministically when the file is complete and in place at the client, since many of my users work in an environment with frequent connectivity drops.
The most straightforward way for this to work would be if the browser exposed a "file saved" event from the Save As... dialog that could be wired to a JavaScript function on the download page (which could post back to the server). But, intuition suggests there might be security holes if browsers exposed this functionality, as it sneaks somewhat outside the sandbox. I'm not sure this is even possible.
I found several other questions in this area, but nothing about this problem specifically.
Any ideas?
Edit: I should not have used the word "security" in the original question, sorry for triggering the red herrings.
Edit 2: My "security" phrasing misled folks into offtopic technical security issues, but both of you confirmed my suspicion that "no, there's no browser support for that." I'm marking the first commenter with the answer since his first sentence had what I was looking for. Thanks all.
This is a good solution:
http://gruffcode.com/2010/10/28/detecting-the-file-download-dialog-in-the-browser/
It basically works by setting a cookie in the reponse header of the downloaded file, so javascript periodically can check for the existence of this cookie...
There's no such browser event in JavaScript and even if there was you can not trust the user's browser to provide security for you.
You're better off using a GUID to generate a unique URL for each download. You can then for example:
let the URL be valid only for a specific time period
allow transfers only from a specific IP address associated with the unique URL
let your server-side code detect when the content for a unique URL has been fully transferred and then invalidate the URL.
Let me clarify the last bullet. Say you're using Java - you will in.read(buffer) and out.write(buffer) in a loop until EOF. If the client disconnects you will receive an IOException during out.write() and will be able to tell a successful download from an interrupted one. On other platforms, I'm sure there are ways to tell whether the connection was lost or not.
EDIT: You could actually fire a browser event using the trick outlined in the accepted answer of one of the questions you linked to. That would however not be a reliable solution to limit the number of downloads.
Why is it important that the file can be downloaded "exactly once"? Once the file is downloaded it could be copied, so is there really a security issue with letting the same user download the file more than once?
If not, could you do something like this:
Generate a unique URL to download a given file. (Use a GUID to obsfucate if necessary)
Associate that URL with USER INFO (browser type, IP address, etc) AND A TIME WINDOW. Only allow downloads from that user and during the window.
The window should be long enough for the user to notice the transfer failed and to re-try once or twice, but no longer.
The end result is:
You can be reasonably sure the file is only being downloaded by the intended recipient.
You can be sure that recipient can only download the file during a short window.
The same user could download the file more than once, but who cares? It's no different than making a local copy of the first file.
If you're really worried about it, log each download request and run a scheduled report for files that were downloaded more than once. If anything looks fishy you can then examine security logs, talk to the user, etc.