In a plugin context (a SWF loaded by another SWF), is there any way to restrict the loaded SWF's access to the file system and the network at the same time?
The compiler option “-use-network=true|false” does not fit because you cannot restrict both file and network access.
Code example:

AIR app:

    package
    {
        import flash.display.Loader;
        import flash.display.Sprite;
        import flash.filesystem.File;
        import flash.net.URLRequest;

        public class TestContentSecurity extends Sprite
        {
            private var l:Loader = new Loader();

            public function TestContentSecurity()
            {
                addChild(l);
                // Load the plugin SWF from the user's documents folder (a local path)
                l.load(new URLRequest(File.documentsDirectory.nativePath + "/Content.swf"));
            }
        }
    }
Loaded SWF:

    package
    {
        import flash.display.Sprite;
        import flash.events.Event;
        import flash.events.IOErrorEvent;
        import flash.net.URLLoader;
        import flash.net.URLRequest;
        import flash.text.TextField;

        public class Content extends Sprite
        {
            private var _log:TextField = new TextField();
            private var l:URLLoader;

            public function Content()
            {
                addChild(_log);
                _log.multiline = true;
                _log.width = 500;
                _log.height = 500;

                // Try to read a local file from outside the application folder
                l = new URLLoader();
                l.addEventListener(Event.COMPLETE, onLoad);
                l.addEventListener(IOErrorEvent.IO_ERROR, onError);
                l.load(new URLRequest("c:/Windows/regedit.exe"));
            }

            // The file was read successfully
            public function onLoad(e:Event):void
            {
                _log.text += "SUCCESS\n";
            }

            // The load failed
            public function onError(e:IOErrorEvent):void
            {
                _log.text += "ERROR\n";
            }
        }
    }
The loaded SWF is in the user’s documents folder, outside the AIR app folder. Currently, the loaded SWF is able to load “c:/Windows/regedit.exe” and I don’t want that (nor do I want it sending information over the network).
I’ve found one solution in AIR; I don’t like it, but it works. The idea is to have a mini HTTP server and to load the content from this server.
I load the targeted file with:

    new URLRequest("http://localhost:1111/Content.swf")
By doing this, Flash will load “Content.swf” as a remote file and place it in a REMOTE security sandbox. The loaded SWF won’t be able to access any local files or the network.
If anyone has a cleaner solution to get this REMOTE security sandbox, I will be happy.
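
The mini HTTP server approach described above, as an added example that is not part of the original post: an AIR host that binds a `ServerSocket` to loopback only, answers solely for the one plugin file, and then loads that file over HTTP. The class name `RemoteSandboxHost` and the single-file allowlist are assumptions; port 1111 and `Content.swf` come from the post. It assumes the whole GET request arrives in the first socket data event.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.ProgressEvent;
    import flash.events.ServerSocketConnectEvent;
    import flash.filesystem.File;
    import flash.filesystem.FileMode;
    import flash.filesystem.FileStream;
    import flash.net.ServerSocket;
    import flash.net.Socket;
    import flash.net.URLRequest;
    import flash.utils.ByteArray;
    // Added example (hypothetical class name), not code from the original post.
    public class RemoteSandboxHost extends Sprite {
        private static const PORT:int = 1111;               // port used in the post
        private static const PLUGIN:String = "Content.swf"; // the only file ever served
        private var server:ServerSocket = new ServerSocket();
        private var loader:Loader = new Loader();
        public function RemoteSandboxHost() {
            server.addEventListener(ServerSocketConnectEvent.CONNECT, onConnect);
            server.bind(PORT, "127.0.0.1"); // loopback only, not the default 0.0.0.0
            server.listen();
            addChild(loader);
            loader.load(new URLRequest("http://localhost:" + PORT + "/" + PLUGIN));
        }
        private function onConnect(e:ServerSocketConnectEvent):void {
            e.socket.addEventListener(ProgressEvent.SOCKET_DATA, onRequest);
        }
        private function onRequest(e:ProgressEvent):void {
            var s:Socket = Socket(e.target);
            var line:String = s.readUTFBytes(s.bytesAvailable).split("\r\n")[0];
            var body:ByteArray = new ByteArray();
            // Exact match on the request line: no file path is built from client input.
            var ok:Boolean = line.indexOf("GET /" + PLUGIN + " ") == 0;
            if (ok) {
                var fs:FileStream = new FileStream();
                fs.open(File.documentsDirectory.resolvePath(PLUGIN), FileMode.READ);
                fs.readBytes(body);
                fs.close();
            }
            s.writeUTFBytes("HTTP/1.1 " + (ok ? "200 OK" : "404 Not Found") + "\r\n" +
                "Content-Type: application/x-shockwave-flash\r\n" +
                "Content-Length: " + body.length + "\r\nConnection: close\r\n\r\n");
            s.writeBytes(body);
            s.flush();
            s.close();
        }
    }
}
```

Any other request path gets a 404 with an empty body, so the server cannot be used to read other files from the documents folder.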