Stopping WebBrowser from navigating to local files.
Author |
Message |
Jerry Rya #1 / 6
|
 Stopping WebBrowser from navigating to local files.
I have a custom webbrowser control. The user can surf the net as usual but if they c:\ in the navigation ComboBox, they can get to the root of the winNt box and subsequently any directory on the machine. What are my possible solutions for this? Also if I block all access to the local files, I still need to keep one directory available for supporting files, i.e., local .html files and text files that are read at run-time. Basically the entire file system needs to be invisible to the webbrowser control except one folder, c:\supportFiles\ Thanks for any help Jerry
|
Sun, 13 Oct 2002 03:00:00 GMT |
|
 |
Jason Smit #2 / 6
|
 Stopping WebBrowser from navigating to local files.
maybe hard code c:\supportFiles\ in the control and don't give them the option to type in anything else?
Quote: > I have a custom webbrowser control. The user can surf the net as usual > but if they c:\ in the navigation ComboBox, they can get to the root of > the winNt box and subsequently any directory on the machine. What are my > possible solutions for this? Also if I block all access to the local > files, I still need to keep one directory available for supporting files, > i.e., local .html files and text files that are read at run-time. > Basically the entire file system needs to be invisible to the webbrowser > control except one folder, c:\supportFiles\ > Thanks for any help > Jerry
|
Mon, 14 Oct 2002 03:00:00 GMT |
|
 |
Jerry Rya #3 / 6
|
 Stopping WebBrowser from navigating to local files.
Hello, I posted some code below. I found if I restrict the user from the get go, I don't have a problem. Logically this works but I feel that I went around the world to get to it. My concern is, what if there's something is included in the navigating in time? An example, "http_new://". If something new comes out or I missed something, this browser will be obsolete in time. Does anyone have a better logic to tackle this? Thanks again. Jerry Here's the code: Private Sub wbMain_BeforeNavigate2(index As Integer, ByVal pDisp As Object, URL As Variant, Flags As Variant, TargetFrameName As Variant, PostData As Variant, Headers As Variant, Cancel As Boolean) If LCase(Left(URL, 16)) = "c:\source_files" Or _ LCase(Left(URL, 7)) = "http://" Or _ LCase(Left(URL, 8)) = "https://" Or _ LCase(Left(URL, 7)) = "mailto:" Or _ LCase(Left(URL, 6)) = "ftp://" Or _ LCase(Left(URL, 24)) = "file:///c:/source_files" Or _ LCase(Left(URL, 11)) = "javascript:" Then wb1.navigate URL Else Cancel=True End If
Quote: > maybe hard code c:\supportFiles\ in the control and don't give them the > option to type in anything else?
> > I have a custom webbrowser control. The user can surf the net as usual > > but if they c:\ in the navigation ComboBox, they can get to the root of > > the winNt box and subsequently any directory on the machine. What are my > > possible solutions for this? Also if I block all access to the local > > files, I still need to keep one directory available for supporting files, > > i.e., local .html files and text files that are read at run-time. > > Basically the entire file system needs to be invisible to the webbrowser > > control except one folder, c:\supportFiles\ > > Thanks for any help > > Jerry
|
Mon, 14 Oct 2002 03:00:00 GMT |
|
 |
Sixto Santo #4 / 6
|
 Stopping WebBrowser from navigating to local files.
Hello Jerry! The trick is to check for unacceptable values. You could try this: Private Sub brwWebBrowser_BeforeNavigate2(ByVal pDisp As Object, URL As Variant, Flags As Variant, TargetFrameName As Variant, PostData As Variant, Headers As Variant, Cancel As Boolean) Dim ValidPath As String ValidPath = "c:\supportFiles" ' path in lowercase, no trailing \ If Dir$(URL, 31) <> "" Then ' DIR Forced to match any type of file ' Navigation to filesystem attempted. 'Check if acceptable If LCase$(Left$(URL, Len(ValidPath))) <> ValidPath Then Cancel = True End If End If End Sub Regards, Sixto
Quote: > Hello, > I posted some code below. I found if I restrict the user from the get go, > I don't have a problem. Logically this works but I feel that I went > around the world to get to it. My concern is, what if there's something > is included in the navigating in time? An example, "http_new://". If > something new comes out or I missed something, this browser will be > obsolete in time. Does anyone have a better logic to tackle this? Thanks > again. > Jerry > Here's the code: > Private Sub wbMain_BeforeNavigate2(index As Integer, ByVal pDisp As > Object, URL As Variant, Flags As Variant, TargetFrameName As Variant, > PostData As Variant, Headers As Variant, Cancel As Boolean) > If LCase(Left(URL, 16)) = "c:\source_files" Or _ > LCase(Left(URL, 7)) = "http://" Or _ > LCase(Left(URL, 8)) = "https://" Or _ > LCase(Left(URL, 7)) = "mailto:" Or _ > LCase(Left(URL, 6)) = "ftp://" Or _ > LCase(Left(URL, 24)) = "file:///c:/source_files" Or _ > LCase(Left(URL, 11)) = "javascript:" Then > wb1.navigate URL > Else > Cancel=True > End If
> > maybe hard code c:\supportFiles\ in the control and don't give them the > > option to type in anything else?
> > > I have a custom webbrowser control. The user can surf the net as usual > > > but if they c:\ in the navigation ComboBox, they can get to the root of > > > the winNt box and subsequently any directory on the machine. What are my > > > possible solutions for this? Also if I block all access to the local > > > files, I still need to keep one directory available for supporting files, > > > i.e., local .html files and text files that are read at run-time. > > > Basically the entire file system needs to be invisible to the webbrowser > > > control except one folder, c:\supportFiles\ > > > Thanks for any help > > > Jerry
|
Mon, 14 Oct 2002 03:00:00 GMT |
|
 |
Jason Smit #5 / 6
|
 Stopping WebBrowser from navigating to local files.
You can put the allowed urls in a config file or in a table. Have the control read the file to check for valid urls. If you want to change allowed urls later w/o recompiling, then just add/subtract from the config file or table. From the code below it looks like you want the control to be able to perform most normal browing functions + access a shared folder on your server by the physical path name. So, you can keep the allowed physical path names on file. What happens when you tighten up security on the server? Do they still get root access if they are not in the correct security group? If they don't then you might not need to limit anything n your code. Just set the permissions. /Jason
Quote: > Hello, > I posted some code below. I found if I restrict the user from the get go, > I don't have a problem. Logically this works but I feel that I went > around the world to get to it. My concern is, what if there's something > is included in the navigating in time? An example, "http_new://". If > something new comes out or I missed something, this browser will be > obsolete in time. Does anyone have a better logic to tackle this? Thanks > again. > Jerry > Here's the code: > Private Sub wbMain_BeforeNavigate2(index As Integer, ByVal pDisp As > Object, URL As Variant, Flags As Variant, TargetFrameName As Variant, > PostData As Variant, Headers As Variant, Cancel As Boolean) > If LCase(Left(URL, 16)) = "c:\source_files" Or _ > LCase(Left(URL, 7)) = "http://" Or _ > LCase(Left(URL, 8)) = "https://" Or _ > LCase(Left(URL, 7)) = "mailto:" Or _ > LCase(Left(URL, 6)) = "ftp://" Or _ > LCase(Left(URL, 24)) = "file:///c:/source_files" Or _ > LCase(Left(URL, 11)) = "javascript:" Then > wb1.navigate URL > Else > Cancel=True > End If
> > maybe hard code c:\supportFiles\ in the control and don't give them the > > option to type in anything else?
> > > I have a custom webbrowser control. The user can surf the net as usual > > > but if they c:\ in the navigation ComboBox, they can get to the root of > > > the winNt box and subsequently any directory on the machine. What are my > > > possible solutions for this? Also if I block all access to the local > > > files, I still need to keep one directory available for supporting files, > > > i.e., local .html files and text files that are read at run-time. > > > Basically the entire file system needs to be invisible to the webbrowser > > > control except one folder, c:\supportFiles\ > > > Thanks for any help > > > Jerry
|
Tue, 15 Oct 2002 03:00:00 GMT |
|
 |
Sixto Santo #6 / 6
|
 Stopping WebBrowser from navigating to local files.
Hello Jerry! The trick is to check for unacceptable values. You could try this: Private Sub brwWebBrowser_BeforeNavigate2(ByVal pDisp As Object, URL As Variant, Flags As Variant, TargetFrameName As Variant, PostData As Variant, Headers As Variant, Cancel As Boolean) Dim ValidPath As String ValidPath = "c:\supportFiles" ' path in lowercase, no trailing \ If Dir$(URL, 31) <> "" Then ' DIR Forced to match any type of file ' Navigation to filesystem attempted. 'Check if acceptable If LCase$(Left$(URL, Len(ValidPath))) <> ValidPath Then Cancel = True End If End If End Sub Regards, Sixto
Quote: > Hello, > I posted some code below. I found if I restrict the user from the get go, > I don't have a problem. Logically this works but I feel that I went > around the world to get to it. My concern is, what if there's something > is included in the navigating in time? An example, "http_new://". If > something new comes out or I missed something, this browser will be > obsolete in time. Does anyone have a better logic to tackle this? Thanks > again. > Jerry > Here's the code: > Private Sub wbMain_BeforeNavigate2(index As Integer, ByVal pDisp As > Object, URL As Variant, Flags As Variant, TargetFrameName As Variant, > PostData As Variant, Headers As Variant, Cancel As Boolean) > If LCase(Left(URL, 16)) = "c:\source_files" Or _ > LCase(Left(URL, 7)) = "http://" Or _ > LCase(Left(URL, 8)) = "https://" Or _ > LCase(Left(URL, 7)) = "mailto:" Or _ > LCase(Left(URL, 6)) = "ftp://" Or _ > LCase(Left(URL, 24)) = "file:///c:/source_files" Or _ > LCase(Left(URL, 11)) = "javascript:" Then > wb1.navigate URL > Else > Cancel=True > End If
> > maybe hard code c:\supportFiles\ in the control and don't give them the > > option to type in anything else?
> > > I have a custom webbrowser control. The user can surf the net as usual > > > but if they c:\ in the navigation ComboBox, they can get to the root of > > > the winNt box and subsequently any directory on the machine. What are my > > > possible solutions for this? Also if I block all access to the local > > > files, I still need to keep one directory available for supporting files, > > > i.e., local .html files and text files that are read at run-time. > > > Basically the entire file system needs to be invisible to the webbrowser > > > control except one folder, c:\supportFiles\ > > > Thanks for any help > > > Jerry
|
Tue, 15 Oct 2002 03:00:00 GMT |
|
|
|