
Scripting.Filesystemobject filemove, writefile not working from javascript in IE browser (workarounds, doc?)

I know it's a huge security hole to use Scripting.Filesystemobject from javascript in the browser. I heard a rumor that MS is locking down this hole in the latest version of Office. This would be bad news for the enterprise web app I am working on, which has a few critical functions which depend on access to Scripting.Filesystem object, like writing out xml files or moving audio files.

I have tried but failed to find any 'hard' documentation on this, and while my local dev box exhibits this behavior, others' machines here (which do not have the latest version of anything except IE) do not exhibit the behavior. If anyone can point me towards documentation confirming this, and/or a workaround that does not involve creating an ActiveX control, I would be very grateful.

Thank you!

This article, KB240797, discusses IE kill bits. In the registry you will find this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility

Under which you will find a set of CLSIDs (the CLSID for FileSystemObject is: {0D43FE01-F093-11CF-8940-00A0C9054228}). If the "Compatibility Flags" value has the bit 1024 (0x400) on (the kill bit), the ActiveX component is blocked.

I've also heard that MS have or are planning to kill FileSystemObject, but I haven't seen this officially and it isn't true on my current system. However, it could be that they may internally block it in such a way that even fiddling with the kill bit won't help.
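The kill-bit check described in the answer above, written as a read-only audit script. This is an added example, not part of the original answers: the function names are hypothetical, and the Wow6432Node path is an addition not mentioned on the page (it is the registry view that 32-bit IE reads on 64-bit Windows).

```powershell
# Added example: report whether the IE kill bit (0x400) is set for a CLSID.
# Read-only; nothing in the registry is modified.
$KillBit = 0x400
$FsoClsid = '{0D43FE01-F093-11CF-8940-00A0C9054228}'   # FileSystemObject CLSID quoted in the answer

function Test-KillBit {
    # True when bit 1024 (0x400) is set in a "Compatibility Flags" value.
    param([int64]$Flags)
    return (($Flags -band $KillBit) -ne 0)
}

function Get-KillBitStatus {
    param([Parameter(Mandatory)][string]$Clsid)

    # Native view first, then the 32-bit view (assumption: added here, not from the page).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )

    foreach ($root in $roots) {
        $path = Join-Path $root $Clsid
        $item = Get-ItemProperty -LiteralPath $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue

        if ($null -eq $item) {
            # No subkey for this CLSID, or no flags value: the kill bit is not set in this view.
            [pscustomobject]@{ Key = $path; Flags = $null; KillBitSet = $false }
            continue
        }

        # Widen to 64 bits so a DWORD with the high bit set cannot overflow the cast.
        $flags = [int64]$item.'Compatibility Flags' -band 0xFFFFFFFFL
        [pscustomobject]@{
            Key        = $path
            Flags      = '0x{0:X8}' -f $flags
            KillBitSet = Test-KillBit $flags
        }
    }
}

Get-KillBitStatus -Clsid $FsoClsid | Format-List
```

A result of `KillBitSet = True` in one view and `False` in the other would explain a control that loads in one IE bitness but not the other on the same machine.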

I don't know if this helps, but I've heard nothing along the lines of FileSystemObject being deprecated. I'd love to see your sources for this. Another thing to note is that the last "major" ActiveX control to be deprecated for being a security risk was CAPICOM, but this was announced with the release of Vista and finally removed in Windows 7. The documentation was also changed to reflect this deprecation and suggest alternatives well in advance.

Many (MANY!) shell scripts rely on FileSystemObject for file operations, so I find it hard to believe it would be deprecated without an alternative being provided. If it makes a difference, FileSystemObject is still accessible from Windows Desktop Gadgets, which run on the IE engine.

You wouldn't, shouldn't ever access the user's file system through a browser, for legit or illegit reasons.

The very, very best case example of accessing local storage is done through systems like Google Gears, and even those systems are often argued against by web/thin client purists.
