If I allow users to upload PDF documents (and only PDFs) is there any way a malicious user could include some executable script within or attached to the doc? What about standard word documents? What are some best practices if this is a requirement? (sorry that's totally 3 questions I know - but they all apply! ;))
I am using thoughtbot's paperclip plugin and I believe you can restrict by file type.
Whether or not something is "executable" matters less than whether or not you try to execute it. A file is just a sequence of bytes. Code is only dangerous if it's actually executed - the mere act of transferring a file, as long as the destination of that file is safe, is not something that can really cause harm. What could cause harm is if you are somehow invoking the uploaded file as a command, or passing it through some form of rendering engine that would accept directives from the file to execute actions.
Who are you trying to protect?
If it's yourself - you'll be fine, as per Dav's answer. The danger comes from trying to execute or open code on the server. So unless your server automates opening the file in Adobe you're cool.
If it's your users then you're in trouble. Adobe Acrobat is a hive of 0-day pdf exploits (as explained in the comments on Dav's answer). Most to all can be mitigated by using an alternate pdf viewer like Foxit but you can't control that. If you wanted to protect your users from PDF exploits and Word Macros you've got a serious challenge. Virus Scanners can detect Word macros; but not Adobe exploits (not all of them anyway).
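An added example, not code from the question or from any answer above, of the server-side checks a Rails app could run on a "PDF only" upload: file extension, declared content type, size, magic bytes, and a scan for the PDF name objects that mark active content (JavaScript, open actions, launch actions, embedded files). The `Upload` struct stands in for whatever the upload library hands you (Paperclip exposes a path, original filename and content type), and the sample files are constructed for the example. The marker scan is a plain substring search, so it misses names inside compressed object streams; treat it as a triage signal, not as a substitute for AV or for opening the file in a sandboxed viewer.

```ruby
# Added example: defensive checks for a "PDF only" upload endpoint.
# `Upload` is a hypothetical stand-in for what the upload library hands you.
require "tempfile"
require "securerandom"

Upload = Struct.new(:path, :original_filename, :content_type)

PDF_MAGIC = "%PDF-".b
MAX_BYTES = 20 * 1024 * 1024
# PDF name objects that mark active content. Presence is not proof of malice,
# but a "documents only" workflow can reject or quarantine such files.
ACTIVE_CONTENT_MARKERS = %w[/JavaScript /JS /OpenAction /Launch /EmbeddedFile].freeze

# Never use the client's filename for the storage path; pick a fresh name.
def safe_storage_name
  "#{SecureRandom.hex(16)}.pdf"
end

# Returns { ok:, errors:, safe_name: }. Every check runs, so the caller sees
# every reason for a rejection, not just the first one.
def validate_pdf_upload(upload)
  errors = []
  name = File.basename(upload.original_filename.to_s)
  errors << "extension must be .pdf" unless name.downcase.end_with?(".pdf")
  unless upload.content_type == "application/pdf"
    errors << "unexpected content type #{upload.content_type.inspect}"
  end

  size = File.size(upload.path)
  errors << "file too large (#{size} bytes)" if size > MAX_BYTES

  # The client-supplied type and extension are trivially forged; the magic
  # bytes say what the file actually is.
  header = File.binread(upload.path, PDF_MAGIC.bytesize)
  errors << "not a PDF (bad magic bytes)" unless header == PDF_MAGIC

  if errors.empty?
    data = File.binread(upload.path)
    found = ACTIVE_CONTENT_MARKERS.select { |m| data.include?(m) }
    errors << "active content markers present: #{found.join(', ')}" unless found.empty?
  end

  { ok: errors.empty?, errors: errors, safe_name: safe_storage_name }
end

# Constructed sample files so the example runs offline (kept referenced so
# Tempfile's finalizer does not unlink them early).
SAMPLE_FILES = []

def constructed_sample(kind)
  body = case kind
         when :clean then "%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
         when :active then "%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n" \
                           "2 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n"
         when :renamed_exe then "MZ\x90\x00\x03\x00".b # PE header bytes, not a PDF
         else raise ArgumentError, kind.to_s
         end
  f = Tempfile.new(["sample", ".pdf"])
  f.binmode
  f.write(body)
  f.flush
  SAMPLE_FILES << f
  Upload.new(f.path, "report.pdf", "application/pdf")
end

if __FILE__ == $PROGRAM_NAME
  %i[clean active renamed_exe].each do |kind|
    puts "#{kind}: #{validate_pdf_upload(constructed_sample(kind)).inspect}"
  end
end
```

Run it on its own and the clean sample passes, the renamed executable fails on magic bytes, and the sample with an `/OpenAction` pointing at a JavaScript action is flagged by name. The point the answers above make still holds: none of this protects a user who opens the file in a vulnerable viewer, it only keeps non-PDFs and obviously active PDFs out of the store.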
I am writing an application for iOS and a requirement I have been given is to remove files securely from the file system that may be given to my app from other applications (think 'Open in...'). These files are placed in a temp folder accessible to my app, but I'd like to securely delete these files once I have encrypted them in my own documents folder via the standard protection APIs. Any idea how to do that?
Quotes from the paper linked to by Bavarious:
We found that none of the available software techniques for sanitizing individual files were effective.
Overall, we conclude that the increased complexity of SSDs relative to hard drives requires that SSDs provide verifiable sanitization operations.
I'm not sure the flash memory in iPhones supports these operations, but if they do I'm pretty sure that Apple will have to make them available through their API and I haven't found anything in the API for this.
So basically it doesn't seem to be possible. Perhaps you could file a bug report with Apple and ask them to fix something like this.
I think you're better off looking into the possibility to encrypt the file before saving it.
First of all, I'm not a hacker :)
We're doing a project where we'll award points to users for visiting certain groups of sites.
Obviously there are major privacy concerns, but we have no interest in actually knowing where they've been, just as long as the program we create can check the history and through an algorithm, rank the site/user.
This would be a downloadable application and we'd tell the user how it worked, since transparency is vital.
Now, with that in mind, is there a way for a local program to access the Cache/History of a browser and make a list out of it?
I've read that Firefox uses SQLite to compile their History, which could potentially be parsed using Adobe AIR.
At the same time, Adobe AIR has access to the filesystem, so it could probably check if the usual IE temporary folders have any files stored. If so, try to read the URL they were downloaded from?
I know all of this sounds very dodgy, but try to keep an open mind :)
Thank you all for your help.
Not a full answer to your question, but you might be interested in the CSS History hack. If you already KNOW the sites you want to rank, you will be able to find out which sites the users visited.
Good thing you said something about a LOCAL program, because there are surely ways to read out the SQLite database from Mozilla and IE's history and you can find plenty of implementations using your favorite search engine.
Particularly easy to use are Nirsoft's utilities MozillaHistoryView and IEHistoryView which you could script to output CSV and parse that file afterwards.
I need to generate a report/printout programmatically.
My app currently uses FastReport to build a report, consisting of text, images, tables etc.
It does not bind to any database. Everything is built programmatically.
However, the finished report does not look the same in PDF and RTF, and the old code is generally very complicated.
Are there any better tools to programmatically make a printout or report? Preferably one that outputs PDF and DOC.
In my opinion you've already got the best! I've used QuickReports, Piparti (early ReportBuilder), Crystal(!) and ReportBuilder and I've written a few reports by sending commands direct to the printer. As far as I'm concerned FastReport is much better (although I haven't tried Rave - nor will I).
Is it a recent version of FR? The PDF output for us is fine.
They have some good examples of writing reports through code on their website I believe and if you're looking at re-writing all the reports in A.N.Other reporting product why not, instead, use the opportunity to re-write the reports in a more maintainable way using FR? (Assuming that's possible, of course). Perhaps a cleaner approach to the code of the report generation will make it easier for the FR converter to create the RTF/DOC output...
I've never had much luck generating decent RTF versions of reports from commercial report writers. The only decent output I got was through lovingly hand coding every report using hundreds of '{','}' and '\' and spending days reading the RTF specs. Never again!
A lot of it appears to be down to the order you add the text/lines/fonts/styles etc to the report and the RTF generator can find it difficult to get the best rendering - I think.
You can try Rave Reports.
It has built in components to generate PDF, RTF and HTML documents.
And also it comes free.
For non-database printing needs, FastReport already works (code-based reporting), but for direct printing of Documents you could consider the very-thorough ExpressPrintingSystem from developer express, which is a true delphi printing system, not a reporting system.
Also if you need to create print documents, almost like a word processor, and then print those word-processor-like documents, consider TRichView. It supports .DOC files, something you asked about.
Some day you might need a banded-report generator again and if you do, FastReport really is the best.
I am re-engineering a windows application to be ported to web. One area that has been worrying is 'printing'.
The application is data intensive and complex reports need to be generated. The erstwhile windows application takes advantage of printer APIs and extends sophisticated control to the users. It supports functions like page break, avoiding printing on printed parts of the sheet (like letterhead), choice of layouts and orientation, etc. Please note that these settings are not done only while printing, they are part of the report definition sometimes.
From what I know, we cannot have this kind of control while printing web pages. I am in a process of identifying options at my disposal. While I prefer to first look into something that will help me print from raw web pages, following are other thoughts:
Since reports can also be exported to .xls & .pdf versions, let the user download one and print directly. This however limits my solution to the areas of the application that have an export feature.
Use Silverlight (4.0) for report layout definition and print. I think Silverlight 4.0 (in beta right now) provides adequate control over the printer. I have so far been avoiding the need of any RIA plugin.
Meticulously generate reports on web with fixed dimensions. I am not sure how far this will go.
Please share practices that can be applied easily in my scenario.
For reporting in the past on the web, using .NET, I like to generate PDF, Excel, Word or CSV files. I really like iTextSharp which allows for creating PDFs.
Word can accept HTML, so that is usually quite easy. For more control you can get into the Word interops http://nishantrana.wordpress.com/2007/11/03/creating-word-document-using-c/, but they left me frustrated. Not for implementation, but I felt the clean up was poor.
CSV are great for raw data dumps and that is it.
For HTML, you can get nice control using a style sheet targeted to print media. There are just certain things you cannot control, like browser header and footer.
Flash also has better print controls than plain HTML, though you might not know it since these features are rarely used by flash developers. Almost everyone should have Flash installed these days, so it's not like Silverlight where there's a good chance of someone needing to install a plugin (doubly so for a beta version). I am not sure how the Flash printer APIs compare to Silverlight's printer APIs and if they give you the level of control you need, but their documentation is public so you can look into it.
Also I think exporting to PDF is a good idea. I don't see why you can't extend this to cover all places that would need to print a report. Basically instead of printing directly from the windows app running on their desktop, the same exact code runs on your server and generates a PDF that they can then print themselves.
I don't think you're going to have much luck trying to do it with raw HTML unfortunately. For one of our clients, we went with the "generate PDF" route and it worked out quite well. PDFs have the additional advantage that you don't have to print them out: you can just email them to the boss/accountant/whatever saving a bit of paper.
PDF is the way to go, if you want absolute control over printed output. As a bonus, you can also provide the option to download PDFs in your application.
With HTML, you are at the mercy of the user's browser settings for page size, margins and how page breaks will be handled.
This is quite a difficult topic by all accounts. I am building a website that requires users to upload large (multi-GB) files. What is the best way to allow users to upload a file on a website and allow the file upload to be resumed should it fail? What is the way to write this in rails?
Any ideas greatly appreciated.
Max.
No browsers support resuming uploads.
From my Googling, Flash doesn't seem to, either.
Though I don't know enough about Java to say it's impossible, there don't seem to be any pre-rolled upload solutions that support this method.
In short, you would have to code your own out-of-browser/plugin solution. If that is not feasible, you may have to abandon this feature. Sorry!
EDIT: Actually, after using a better search query, here's a Java solution that seems to support this through partitioning the initial file: JumpLoader. Here is the documentation page for resuming downloads. Best of luck! (You will note that there are purchase links - this is only for an unbranded version, and for the source code. You can use the JumpLoader branded version for free.)
No browser supports this; in fact this cannot be done over HTTP.
You will have to write your own java applet, ActiveX control or WPF browser application to achieve this. Any of these will speak to a TCP server listening on the server side to achieve pause-and-resume upload of a file.
Six years since you asked, but for future viewers, take a look at ResumableJS. It uses HTML5 File API to break uploads into chunks. They also include a RoR example for accepting the upload.
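As an added example (not the ResumableJS project's own Rails sample, and not code from any answer above), the server side of a chunked, resumable upload in plain Ruby: the client splits the file into numbered chunks, the server stores each under the upload's identifier, answers "do you already have chunk N?" so an interrupted client can skip what already arrived, and only assembles the file once every chunk is present. The identifier, chunk number and chunk count all come from the client (ResumableJS sends them as `resumableIdentifier`, `resumableChunkNumber` and `resumableTotalChunks`), so the example validates them before they touch a filesystem path, bounds the chunk size, and checks the assembled size against the declared total. The `ChunkStore` class, its method names and the demo payload are constructed for this example.

```ruby
# Added example: server-side store for chunked, resumable uploads.
# Parameter names follow the ResumableJS convention; the class is hypothetical.
require "fileutils"
require "digest"
require "tmpdir"

class ChunkStore
  # Client-chosen identifier: only ever used as a single path component, and
  # only after it matches this pattern (no "/", ".." or whitespace).
  SAFE_ID = /\A[A-Za-z0-9_-]{1,128}\z/
  MAX_CHUNK_BYTES = 8 * 1024 * 1024

  def initialize(base_dir)
    @base = base_dir
  end

  # Store one chunk. Returns :stored, or a symbol naming why it was rejected.
  def receive_chunk(identifier:, chunk_number:, total_chunks:, data:)
    return :bad_identifier unless identifier.is_a?(String) && identifier.match?(SAFE_ID)
    return :bad_chunk_number unless chunk_number.is_a?(Integer) && total_chunks.is_a?(Integer) &&
                                    chunk_number.between?(1, total_chunks)
    return :chunk_too_large if data.bytesize > MAX_CHUNK_BYTES

    dir = File.join(@base, identifier)
    FileUtils.mkdir_p(dir)
    File.binwrite(File.join(dir, "part.#{chunk_number}"), data)
    :stored
  end

  # ResumableJS probes each chunk with a GET before (re)sending it; answer
  # from this so a resumed client only sends what is missing.
  def chunk_present?(identifier, chunk_number)
    return false unless identifier.is_a?(String) && identifier.match?(SAFE_ID)
    File.exist?(File.join(@base, identifier, "part.#{chunk_number}"))
  end

  def complete?(identifier, total_chunks)
    (1..total_chunks).all? { |n| chunk_present?(identifier, n) }
  end

  # Concatenate the chunks in order into dest, verify the final size against
  # what the client declared, clean up, and return the SHA-256 of the result.
  def assemble(identifier:, total_chunks:, expected_size:, dest:)
    raise ArgumentError, "upload incomplete" unless complete?(identifier, total_chunks)

    dir = File.join(@base, identifier)
    digest = Digest::SHA256.new
    File.open(dest, "wb") do |out|
      (1..total_chunks).each do |n|
        bytes = File.binread(File.join(dir, "part.#{n}"))
        digest.update(bytes)
        out.write(bytes)
      end
    end
    actual = File.size(dest)
    unless actual == expected_size
      File.delete(dest)
      raise ArgumentError, "size mismatch: expected #{expected_size}, got #{actual}"
    end
    FileUtils.rm_rf(dir)
    digest.hexdigest
  end
end

# Constructed demonstration: a 10-byte "file" sent as three chunks, with the
# connection dropping after chunks 1 and 3 and the client resuming afterwards.
def demo_resumable_upload
  Dir.mktmpdir do |tmp|
    store = ChunkStore.new(File.join(tmp, "chunks"))
    payload = "0123456789".b
    parts = ["0123", "4567", "89"]
    id = "upload-abc123"
    store.receive_chunk(identifier: id, chunk_number: 1, total_chunks: 3, data: parts[0])
    store.receive_chunk(identifier: id, chunk_number: 3, total_chunks: 3, data: parts[2])
    # Connection drops here. On resume the client asks which chunks exist.
    missing = (1..3).reject { |n| store.chunk_present?(id, n) }
    store.receive_chunk(identifier: id, chunk_number: 2, total_chunks: 3, data: parts[1])
    dest = File.join(tmp, "final.bin")
    sha = store.assemble(identifier: id, total_chunks: 3, expected_size: payload.bytesize, dest: dest)
    {
      missing_before_resume: missing,
      sha_matches: sha == Digest::SHA256.hexdigest(payload),
      traversal_rejected: store.receive_chunk(identifier: "../etc", chunk_number: 1, total_chunks: 1, data: "x")
    }
  end
end

puts demo_resumable_upload.inspect if __FILE__ == $PROGRAM_NAME
```

In a Rails app the GET probe maps onto `chunk_present?` (respond 200 if the chunk is there, 204 or 404 otherwise) and the POST onto `receive_chunk`; once `complete?` is true, run `assemble` and then whatever content validation the finished file needs, since individual chunks cannot be checked meaningfully on their own.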