
Delphi: prevent access to files from TWebBrowser

I use TEmbeddedWB (the Internet Explorer ActiveX) in my projects.

I want to prevent people from uploading files:

e.g. go to gmail.com and then attach a file: Internet Explorer opens the upload file window that allows people to access the local disk.

Is there a simple way to prevent this window from being displayed?

Regards

It sounds like you are trying to "sandbox" your app so that your users cannot access the local file system. Perhaps you're building an app that is hosted on Citrix with multiple users, and if one of them "breaks out" of the app, they can run rampant through the file system on the server.

I don't know if there is a simple answer to this particular question, but I recommend that you look at the total problem before trying to solve the individual issues, as you may find that there are just too many. For instance, in the browser ActiveX, you can also "view source". That probably opens Notepad on the server. From there, you can run rampant. Do you have CHM help? From the help window, you can also access the "open file" dialog. Do you allow the user to open/save files through your regular menus? Same issue. How about hyperlinks? If your About box has a hyperlink, that's an easy way to pop open a browser. Can the user enter an address for browsing in your embedded ActiveX? If so, can they enter things like: C:\WINDOWS\system32\cmd.exe

You could decouple the navigation, do it yourself, sanitize the HTML, then display the sanitized version. Unfortunately you would have to do this for ALL resources and would need to handle the numerous JavaScript libraries. For basic HTML, look for <input type="file". This would at least catch the basic usage, but not the more advanced usage.

A simpler solution might be to limit what URLs the browser can navigate to and only allow URLs you know are safe.

Assuming you don't want them to browse the local machine, if you solve the "open file" problem the same issue exists if you have a "save file" dialog. You may have to close those loops by replacing the browser popup menu with one that does not have any "Save x As..." options.
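As an added example (not code from the question or from either answer), here is one way to apply the URL allowlist suggested in the answer above in Delphi. It assumes a form holding a TWebBrowser named WebBrowser1 (TEmbeddedWB descends from TWebBrowser and exposes the same events), the event signatures declared in the SHDocVw unit of Delphi 2009 or later (older versions declare the OleVariant parameters with var rather than const), and a hypothetical allowlist of two example.com hosts. Every navigation that is not http/https to an allowed host is cancelled in OnBeforeNavigate2, which also covers file:, res:, about: and bare paths such as C:\WINDOWS\system32\cmd.exe; OnNavigateComplete2 re-checks the final URL because a server-side redirect does not re-enter OnBeforeNavigate2 on every IE version; and OnNewWindow2 is cancelled so nothing opens in a full Internet Explorer window outside these checks. What it does not do: a file chooser opened by an allowed page is that page's own <input type="file">, so the allowlist must contain only sites that do not offer uploads, and the context menu, View Source and the other routes listed in the first answer are untouched.

```delphi
unit BrowserPolicyForm;

// Added example, not code from the question or the answers above.
// Assumes: a form with a TWebBrowser (or TEmbeddedWB) named WebBrowser1, and
// the SHDocVw event signatures of Delphi 2009+ (older: var instead of const).

interface

uses
  SysUtils, StrUtils, Variants, Classes, Controls, Forms, SHDocVw;

type
  TBrowserPolicyForm = class(TForm)
    WebBrowser1: TWebBrowser;
    procedure FormCreate(Sender: TObject);
  private
    procedure BrowserBeforeNavigate2(ASender: TObject; const pDisp: IDispatch;
      const URL, Flags, TargetFrameName, PostData, Headers: OleVariant;
      var Cancel: WordBool);
    procedure BrowserNavigateComplete2(ASender: TObject;
      const pDisp: IDispatch; const URL: OleVariant);
    procedure BrowserNewWindow2(ASender: TObject; var ppDisp: IDispatch;
      var Cancel: WordBool);
  end;

function IsAllowedUrl(const AUrl: string): Boolean;

implementation

{$R *.dfm}

const
  // Hypothetical allowlist; replace with the hosts the application needs.
  // List only sites without file uploads: an allowed page can still open the
  // file chooser through its own <input type="file">.
  AllowedHosts: array[0..1] of string = ('intranet.example.com', 'portal.example.com');

function IsAllowedUrl(const AUrl: string): Boolean;
var
  S, Scheme, Authority, Host: string;
  P, I: Integer;
begin
  Result := False;
  S := LowerCase(Trim(AUrl));
  // Only http and https. Anything without "://" is rejected as well, which
  // covers file:, res:, about: and bare paths like C:\WINDOWS\system32\cmd.exe.
  P := Pos('://', S);
  if P = 0 then Exit;
  Scheme := Copy(S, 1, P - 1);
  if (Scheme <> 'http') and (Scheme <> 'https') then Exit;
  Authority := Copy(S, P + 3, MaxInt);
  // Cut at the first path, query or fragment delimiter ('\' included, since
  // IE treats it as a path separator in http URLs).
  for I := 1 to Length(Authority) do
    if (Authority[I] = '/') or (Authority[I] = '\') or (Authority[I] = '?')
      or (Authority[I] = '#') then
    begin
      SetLength(Authority, I - 1);
      Break;
    end;
  // Drop "user:pass@" so http://intranet.example.com@evil.test/ is judged by evil.test.
  P := LastDelimiter('@', Authority);
  Host := Copy(Authority, P + 1, MaxInt);
  // Drop a port. IPv6 literals are not parsed here and simply end up rejected.
  P := Pos(':', Host);
  if P > 0 then SetLength(Host, P - 1);
  if Host = '' then Exit;
  // Exact host or a subdomain of it. EndsStr is case-sensitive, hence LowerCase above.
  for I := Low(AllowedHosts) to High(AllowedHosts) do
    if (Host = AllowedHosts[I]) or EndsStr('.' + AllowedHosts[I], Host) then
    begin
      Result := True;
      Exit;
    end;
end;

procedure TBrowserPolicyForm.FormCreate(Sender: TObject);
begin
  // Wired in code rather than in the .dfm so the whole policy is visible here.
  WebBrowser1.OnBeforeNavigate2 := BrowserBeforeNavigate2;
  WebBrowser1.OnNavigateComplete2 := BrowserNavigateComplete2;
  WebBrowser1.OnNewWindow2 := BrowserNewWindow2;
  WebBrowser1.Navigate('https://intranet.example.com/');
end;

procedure TBrowserPolicyForm.BrowserBeforeNavigate2(ASender: TObject;
  const pDisp: IDispatch; const URL, Flags, TargetFrameName, PostData,
  Headers: OleVariant; var Cancel: WordBool);
begin
  // Fires for top-level, frame and script-driven navigations before any
  // request is sent. Cancelling leaves the current page in place.
  Cancel := not IsAllowedUrl(VarToStr(URL));
end;

procedure TBrowserPolicyForm.BrowserNavigateComplete2(ASender: TObject;
  const pDisp: IDispatch; const URL: OleVariant);
begin
  // Belt and braces: a server-side redirect may not re-enter BeforeNavigate2,
  // so the URL actually reached is checked again and loading is stopped.
  if not IsAllowedUrl(VarToStr(URL)) then
    WebBrowser1.Stop;
end;

procedure TBrowserPolicyForm.BrowserNewWindow2(ASender: TObject;
  var ppDisp: IDispatch; var Cancel: WordBool);
begin
  // target=_blank links and window.open would otherwise land in a full
  // Internet Explorer window that none of the checks above apply to.
  Cancel := True;
end;

end.
```

The allowlist check deliberately parses the authority itself instead of trusting a simple substring test: "http://intranet.example.com@evil.test/" and "http://intranet.example.com.evil.test/" both contain the allowed name but are rejected, because the host is taken after the last "@" and must either equal an entry or end in "." plus an entry.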
