delphi prevent access files from TwebBrowser - delphi

I use TEmbeddedWB (internet explorer activex) in my projects.
I want to prevent people from uploading files:
ex: goto gmail.com and then attch a file: Internet explorer opens the upload file windows that allows people to access local disk.
Is there a simple way to prevent this windows from being displayed ?
Regards

It sounds like you are trying to "sandbox" your app so that your users cannot access the local file system. Perhaps you're building an app that is hosted on Citrix with multiple users, and if one of them "breaks out" of the app, they can run rampant through the file system on the server.
I don't know if there is a simple answer to this particular question, but I recommend that you look at the total problem before trying to solve the individual issues, as you may find that there are just too many. For instance, in the browser ActiveX, you can also "view source". That probably opens Notepad on the server. From there, you can run rampant. Do you have CHM help? From the help window, you can also access the "open file" dialog. Do you allow the user to open/save files through your regular menus? Same issue. How about hyperlinks? If your About box has a hyperlink, that's an easy way to pop open a browser. Can the user enter an address for browsing in your embedded ActiveX? If so, can they enter things like: C:\WINDOWS\system32\cmd.exe

You could decouple the navigation, do it yourself, sanitize the HTML then display the sanitized version. Unfortunately you would have to do this for ALL resources and would need to handle the numerous JavaScript libraries. For basic HTML, look for <input type="file". This would at least catch the basic usage, but not the more advanced usage.
A simpler solution might be to limit what URL's the browser can navigate too and only allow URL's you know are safe.
Assuming you don't want them to browse the local machine, if you solve the "open file" problem the same issue exists if you have a "save file" dialog. You may have to close those loops by replacing the browser popup menu with one that does not have any "Save x As..." options.

Related

open an excel file located on the server instead of download it MVC

I'm building a Reporting web application right now with MVC3 and I've come up to a couple problems.
My goal is to have it able to generate and view Crystal Reports, SSRS reports, and Excel documents.
Right now I'm working on the Excel segment and I'm running into more trouble than I thought I would. First off, when I link directly to the file, it either opens inside the browser or it downloads it from the server and if the user makes changes it doesn't actually save it to the true file on the server.
I've tried both linking to the file directly using Razor and a ViewModel with the path to the document as well as directing it to an action that returned a File.
I've also tried linking it to a shortcut to the actual file thinking that if I could open the shortcut it would open the file the way I wanted it to and unfortunately it didn't really open at all.
The users already have access to the files on the server through a network drive, so as of right now they can go into the server, open the excel document, edit and save it no problem. I want to duplicate this effect through a link. The program already has a file browser built, so I can browse between the files and make links to the reports.
Thanks in advance!
Since they are apparently on a network drive, you can just link to the files directly, relative to the user?
For example: a link to file://///SERVERNAME/folder/
I tested it between two computers on the network, and that seems to work. However, you still get a popup asking that you want to do with the file, open or save. (both in firefox and IE)
Note: Yes, that many slashes seem necessary, lol

Open a file that is on a file server from a webpage?

I am working on an internal application. We have a website that displays all our SSRS reports for a group of work. I have been asked to see if I can link all the files (pdf, word, excel) for the group of work. These files are stored on a file server that users viewing the reports have access to. Each group has its own group of reports and shared files.
Is it possible to open the files (without downloading them) from a webpage? Meaning that they file is opened from the file server? I don't want people to download a copy of the file.
I am pretty sure this can work with IE because sharepoint does it. However, other browsers may have an issue.
EDIT: What I would like is to have a web page with links to the files. When they click on a link (say for a word doc), word will open the file that resides on the file server. Without out a local copy downloaded from the network share.
EDIT2: Please note, I know what I am asking is probably not possible in all browsers. I am more or less just making sure. It seems possible in IE using activeX, but out side of that browsers do a good job at keeping processes inside a sandbox.
3 options. Remember this is for an internal website.
link to the share using file://. This will have the side affect of downloading the file to be viewed. As long as user clicks open every time it should not be a big deal.
Use JavaScript and activeX to open word (excel, reader, ect) passing in the file path as a command line arguments. This works only in IE and in win7 (probably vista) user will get a pop up asking if it is ok for the activeX control to run.
Create a new protocol. openfile://. This would be set up to run an application that is installed on the client machine which would open the file. Since it is internal, the application could be installed on the machines without issues. This also requires a registry change.
I haven't picked one as this change is still being looked into but i figure I would update this in case someone runs into something similar.

Capturing folder path from Windows Explorer

I would like to add to a Delphi application a way for the user to call Windows Explorer (possibly using something like ShellExecute, perhaps).
However, and this is where I need some help, please, the application would need to capture ^H^H^H^H^H^H read the folder path that the user navigates to while within Windows Explorer.
Is it possible to obtain this information from Windows Explorer?
[edit: If not possible, or unrealistic, my fallback plan is to provide a separate "Browse for folder" button, to allow the user to select the folder first, then they can launch the Window explorer afterwards].
Thanks for any advice.
PhilW.
I dont know your exact needs, but most likely, this is not the way to go. For details, Microsoft developer Raymond Chen has written a blog post about this. What you should do, I think, is to embed an explorer browser control in a custom form in your own application.
For letting a user browse to and select a folder, I use TOrtusShellBrowseFolder.
Ortus Shell Components
Can't you just use the TOpenDialog? From Delphi Help:
Description
TOpenDialog displays a modal Windows dialog box for selecting and opening files. The dialog does not appear at runtime until it is activated by a call to the Execute method. When the user clicks Open, the dialog closes and the selected file or files are stored in the Files property.
if OpenDialog1.Execute then
filename := OpenDialog1.FileName;

Zope external editor with upload-on-save (Notepad++ prefered)

We are doing webdevelopment with Zope.
The web-editor is just horrible. No syntax highlighting, no in-text-tabs, nothing you can work with.
I installed Zope External Editor. It is now possible that I click the "use external editor" button on every element and it creates a temporary file and opens it in Notepad++, awesome.
But one important thing fail: it doesn't save back to Zope when I save the file. I still have to copy the code back to Zope manually.
I also searched for syntax highlighting extension for chrome/firefox at least to highlight the code (but I prefer Notepad++ with upload-on-save).
Can someone help me with that?
Did you also download the ExternalEditor Helper application?
Your browser should open the helper application, which will then open the editor (which you can specify in the configuration, see last point below). This is important because the helper application is responsible for sending changes back to Zope, which it does by keeping an open WebDAV session while you are editing.
You should download the latest helper app here: http://plone.org/products/zope-externaleditor-client
From that page:
Under Windows: Install the windows binary executable.
Open your page in your web browser and click on the link 'edit with external application'
Associate the file with Zope External Editor and make it permanent (first time only)
The file is opened in the editor defined in windows registry with certain editors, a message will ask whether the edition is terminated or not;
keep it until you closed you file and say yes.
If you want to change your default editor for certain content types , or if you want to add proxy parameters, open Zope External Edit in your program files menu and change your local user configuration.
The best option is to not develop Zope applications through-the-web anymore.
Use proper python packages, and you'll get to use your favourite tools without difficult integration with the server.

How Can I Automatically Execute A Link In Internet Explorer

I am trying to create an application to print documents over the web. I have created my document, and made a web page with a meta refresh tag, along the lines of this:
<meta http-equiv="refresh" content="3;http://example.com/download.epl2" />
I specify that the document has a content-type of application/x-epl2, and I have associated .epl2 files on my computer with a program that silently sends them to the printer.
I have put the website into my trusted sites zone.
Currently Internet Explorer pops up the "Open, Save, Cancel" dialog box with no option to automatically open the file.
Is there a setting in IE6/7/8 that I can use to have IE just open the file without prompting?
EDIT
The actual content of the file will differ based on the job, but essentially it is text that follows the Eltron Programming Language.
EDIT
I have accomplished this in both Chrome and Firefox by choosing "Automatically Open Files Of This Type From Now On"
EDIT
The machines this program will be used on will effectively be kiosks that are limited to only accessing my website from their web browsers, so I'm not worried about rogue websites sending documents to my printers.
EDIT
I am using PHP to generate the documents and HTML on the server side, though I expect the solution to be language agnostic.
I would expect that not to be possible, because then you could stumble onto a site that automatically loads and prints a 5000 page document or something, which would not be good.
If you always had a secret desire to develop a custom URL protocol (I know I do), this might be a good excuse to do it. ;-)
http://msdn.microsoft.com/en-us/library/aa767914%28VS.85%29.aspx
There are 1-2 prompts when opening such a link for the first time in IE, but you can choose to automatically open them after that.
I would use javascript to make this happen.
Javascript Window Open
EDIT
Since you have control of the windows box you could use an automate script process to interact with the print window.
autoit3: ControlClick
Write a small utility program that does nothing but send the file passed to it on the command-line to the default system printer.
Then, edit the registry under HKEY_CLASSES_ROOT to associate this program with the .epl2 filetype.
I don't have time to investigate it for You, but there were lots of exploits that could be helpful. Using ie6 without certain fixes seems helpful.
Also there should be an option called "Automatic prompting for file downloads". I use Linux nowadays so I can't chceck if it helps. I found it in some docs.
I'm on a Mac at the moment, but if this is possible in IE I would imagine this page holds the answer to it (or at least hints at it) http://support.microsoft.com/kb/883255
I believe what you're looking for is a setting in Windows, not IE:
Microsoft Support: Not Prompted to Specify Download Folder for File
Try using an older version of IE. Security was looser in the older versions and since it's a non-issue, this could be the quickest solution.

Resources