I need to be able to allow users to choose a folder on their computer and upload the whole contents to a web site.
It needs to be cross browser and platform compatible. HTML5 can be required.
I have read a lot about the limitations of the different browsers and that Chrome is the only one that really allows folder uploads.
I can place some requirements on the users, but not a lot.
I have also looked at JSZip and thought about zipping the client folder before uploading, but don't know how to get the selected folder from the user.
I forgot that I had posted this question and asked it differently recently. There was an answer posted. Here is that thread:
Browser Folder Uploading
Related
I'm working on a chrome extension that scrapes pages and downloads images within the page. However, I've run into a sort of roadblock.
Since the extension is designed to download several files at once, I'd like for the user to be able to click the 'Download' button, select a folder, then download all the images to that folder.
So far, the only thing I've seen that might be of use is the saveAs option in chrome.downloads.download(). However, it would be very tedious for the user to have to select a location and confirm for every file. Is there a way I can have the user select a folder, then just download all the files to that specific folder?
Let me know if I need to include any specific code. Figured it wasn't very important, since I don't even have code pertaining to this question currently.
Unfortunately you cannot. Your options are
Ask the user each time
Save the files to the downloads folder set by the user or a sub folder
Although much more complicated you could use native messaging and have native code communicate with the extension. You could then wait for the extension to complete the download and then send a message to your native host with the full path. Then your native host can move the file to where you want.
Currently I'm building a local serach engine for network drives that is going to be used in our company.
The search engine is build on top of Solr and Tika. I've build an indexer that indexes Samba-shares over the network which works great and indexes all the directories that are given in a configuration file. However that is not really relevant.
The current problem we have is that the web interface that connects to Solr and delivers the search results will try to serve local file:// files that are links to the files with a absolute or Samba path. But serving file://'s are of course disallowed by browsers like Google Chrome. The error that Chrome gives is:
Not allowed to load local resource: file:///name/to/file.pdf
Which is obvious and logical, however I want to work around that issue and serve 'local' files to our users. Or at least open an Explorer window with the given path.
I was wondering if this is even possible or if there is a workaround available? The server that is going to serve these files is running on Apache or Tomcat (doesn't matter).
Alhtough opening file://'s seems pretty much impossible without the use of browser-specific plugins, I created a workaround by specifying a custom URI-handler combined with a Windows specific application that will open explorer.exe with the given directory.
This is by far not the ideal answer to my question, but I think it is a decent workaround for an intranet search application.
Streaming the file from your application to the browser is a much better idea from a usability and security perspective.
By assigning a MIME type to the stream, the user's browser can decide how best to open and display the file to the user.
By streaming from you application, control of the data can be maintained. The location of the file on you server is not revealed and proper authentication, authorization and auditing are easily achieved.
Assuming Java based upon your use of Solr and Tika:
http://www.java-forums.org/blogs/servlet/668-how-write-servlet-sends-file-user-download.html
We have our application stored on our server, it is an .exe file. The download page is only accessible from our site - using cookie authentication in PHP. I know there are better methods but there is a long story behind this...so I'm moving on. The issue is that the actual url of the .exe has been leaked and is appearing on other websites. What is the best method to protect a link to a file, not the page itself. That is where I'm having issues. I can make it difficult to get to the download page (with the link) but don't know where to begin to make sure the link is only accessible from our site... Is .htaccess (preventing hotlinking) the best way to go?
Yes, .htaccess is probably best. Find any online post about protecting images from hotlinking, the first in my google search looks like a nice and easy auto-generator you can use. Just change the image extensions to exe, or keep them if you want them protected too.
I want to let users (i.e. anyone who signs up for an account) upload and download video and text documents. I have been researching the security issues regarding letting users upload files, but everything I can find on the subject assumes that users will only upload images.
Are there any security issues specific to letting users upload videos and text documents? Is security a lot more difficult when users can upload files at video size? Are there any particular file extensions I should look out for?
The problem is this: If you let users upload videos, images and text files, some of them will try to upload viruses, server-side scripts and other malicious code. Such code will then expose your site's users to what ever 'bad things' those users uploaded, within the context of your own site.
If you allow such uploads, you must be very careful that you are only saving files of the actual types you planned on - and not by looking at the file extension, either. You also must make sure those files are placed in locations where execute/script permissions are disabled.
Virus checking is a must - but it is not at all enough. A PHP script may not set off virus warnings at all, but that same script could reveal vital information for your site, or cause other bad things to happen if executed.
You must examine the content of the files - never rely on the extension or MIME type reported by the client. Those can easily be faked.
Serve your downloads from a location for which you have disabled the execution of server side code. This is all you need to do to protect yourself from server side exploits. Relying on file extensions or other such things are all hacks.
If you want to fully protect your users (and indirectly your website) as well, you'll need to run the files through a suitable virus scanner. It is possible, and there are real-life examples of doing so, to exploit video decoders and such software to run arbitrary code. But if you start walking down that line, you could also argue that certain text strings might set off weird behavior in certain software, and that starts getting silly. Luckily, the people who write virus scanners will have done most of the work for you. So:
Never execute that what is uploaded
If you feel it's needed, virus scan them as well.
You can virus check each file that is uploaded. If you look at most web based email clients you will see when you upload a file they are checked by McWhoever. In generally you shouldn't let them upload exe files but checking the extension is a very basic (unreliable) method.
It's quite hard to make an upload REALLY secure.
There are quite a lot of things to check - the file extension is just one part of it. Here are few things which have to be at least checked:
file extension (as you've already mentioned)
mimetype
filesize
depending on the users: maybe check the uploads with ClamAV ...
To answer your question here is a meta attack:
bad guy uploads a binary to your
server, perhaps tricking your
filters by compressing file and
changing extension to .avi
exploit bug in a CGI script to
decompress avi from #1
exploit bug in another CGI to
execute file from #2 -> backdoor
installed
backdoor accessed and rootkit
installed to hide all evidence of steps
1,2,3
Some variation on the above is what typically happens when servers are compromised.
I have couple of .swf games files uploaded to my server. I want to run some test, but I dont want to expose or let public/others people to see our swf files. Currently, if I type:
www.domain.com/games/game1.swf
It will play the swf file.
I tried to visit some other flash game based websites. When I visit one of the swf files (e.g www.xxx.com/folder/flash.swf), it would redirect me to the homepage (www.xxx.com)
Is this the correct way to prevent public people to view my swf files?
There are a lot of swf-to-fla decompiler third party software, will my swf files secured?
Will my swf files being hacked/stolen (code and graphics)?
Once your swf files being hacked, will my website safe from web attacks?
How to secure swf files?
Please help
You have a lot of questions here.
When I visit one of the swf files ... it would redirect me to the homepage ...
I would suspect this is implemented by checking the 'HTTP_REFER', when loading the .SWF page. You could do this if you like.
Is this the correct way to prevent public people to view my swf files?
No. Depending on what server you're running, you should put some authentication on the folder '/TestSwfs', and then upload all your swfs to there, and you will need to log in first. Fairly simple to do this in both IIS and Apache, but let us know which one you are running.
There are a lot of swf-to-fla decompiler third party software, will my swf files secured?
I suspect not. There are probably SWF Obfuscators though, but they can still be reversed.
Once your swf files being hacked, will my website safe from web attacks?
It shouldn't matter. You should not be inlcuding secrets/passwords in your SWFs that you don't want to be public. You may be writing high-scores, and you can step up the complexity required by doing some crypto, or other such things, but really, for just high scores, it's probably not important.
Design your SWF code so that even if it was public, your server would be safe.
One additional point to Silky's answer.
You should implement REST Api correctly in your SWF, that will assume that even if someone can hack your swf (which is very easy), the can not login to your server and manipulate any data or bring it down.
You should never directly alter database by using direct apis, you should always use webservices instead of database connectivity tools.