Security Basics mailing list archives

Re: How to get browser to write a file to local disk


From: "Robert Wesley McGrew" <wesley () mcgrewsecurity com>
Date: Thu, 26 Apr 2007 14:23:09 -0500

On 4/25/07, Jim Clark <diegoslice () gmail com> wrote:
> I've been asked to help solve a browser issue that is thorny at best if
> not impossible due to security.
>
> There is a browser based application written in Flash Action Script that
> needs to write an XML file to the local disk. Picture a salesman with a
> USB flash drive that he can use at a customer's site. All the files are
> on the flash drive and a remote server is never contacted so the
> application is completely client side. To start the application, a
> browser is fired up and the local file opened from the flash drive which
> is a form with several list boxes that the customer can choose various
> options and then submit the form. What should happen is an XML file is
> then written to disk which the application uses in several ways further
> downstream including applying an XSLT transformation to display the
> results.
>
> The specification targets IE6, IE7 and Firefox running on XP and Vista.
> The catch is that none of these browsers allows files to be written to
> disk for security reasons regardless if Java applets, JavaScript,
> ECMAScript, etc. are used. So the problem is once the form is submitted
> and the Flash Action Script has the output XML ready, how to circumvent
> security and get the XML file written to preferably the same drive and
> directory the application was launched from.
>
> Having never programmed in Flash Action Script, I was hoping that Action
> Script could call an executable and pass either the XML or form
> parameters to create the XML. The initial feedback to this was "big
> doubts" to paraphrase nicely.
>
> Is what I described possible? Are there other solutions for
> accomplishing this? The application is nearing completion and this piece
> is becoming trickier than expected.
>
> Thanks in advance!
>
> -Jim


I would say that this is a design problem of trying to shoehorn
technologies meant for web applications into a problem that never
called for them.  I think you are getting closer to your solution when
you mentioned calling an executable, in that this is a situation that
calls for a standalone application to do everything you've described.
Is there any compelling reason why it's written in Flash Action Script
to run in a web browser, if there's no communication being made?

--
Robert Wesley McGrew
http://mcgrewsecurity.com

