Stopping WebBrowser from navigating to local files.
| Author |
Message |
|
Jerry Rya
#1 / 6
|
 Stopping WebBrowser from navigating to local files. I have a custom webbrowser control. The user can surf the net as usual but if they c:\ in the navigation ComboBox, they can get to the root of the winNt box and subsequently any directory on the machine. What are my possible solutions for this? Also if I block all access to the local files, I still need to keep one directory available for supporting files, i.e., local .html files and text files that are read at run-time. Basically the entire file system needs to be invisible to the webbrowser control except one folder, c:\supportFiles\ Thanks for any help
Jerry
|
| Sun, 13 Oct 2002 03:00:00 GMT |
|
 |
|
Jason Smit
#2 / 6
|
Stopping WebBrowser from navigating to local files. maybe hard code c:\supportFiles\ in the control and don't give them the option to type in anything else?
Quote: > I have a custom webbrowser control. The user can surf the net as usual > but if they c:\ in the navigation ComboBox, they can get to the root of > the winNt box and subsequently any directory on the machine. What are my > possible solutions for this? Also if I block all access to the local > files, I still need to keep one directory available for supporting files, > i.e., local .html files and text files that are read at run-time. > Basically the entire file system needs to be invisible to the webbrowser > control except one folder, c:\supportFiles\ > Thanks for any help
> Jerry
|
| Mon, 14 Oct 2002 03:00:00 GMT |
|
|
|
Jerry Rya
#3 / 6
|
Stopping WebBrowser from navigating to local files. Hello, I posted some code below. I found if I restrict the user from the get go,
I don't have a problem. Logically this works but I feel that I went
around the world to get to it. My concern is, what if there's something
is included in the navigating in time? An example, "http_new://". If
something new comes out or I missed something, this browser will be
obsolete in time. Does anyone have a better logic to tackle this? Thanks
again.
Jerry
Here's the code:
Private Sub wbMain_BeforeNavigate2(index As Integer, ByVal pDisp As
Object, URL As Variant, Flags As Variant, TargetFrameName As Variant,
PostData As Variant, Headers As Variant, Cancel As Boolean)
If LCase(Left(URL, 16)) = "c:\source_files" Or _
LCase(Left(URL, 7)) = "http://" Or _
LCase(Left(URL, 8)) = "https://" Or _
LCase(Left(URL, 7)) = "mailto:" Or _
LCase(Left(URL, 6)) = "ftp://" Or _
LCase(Left(URL, 24)) = "file:///c:/source_files" Or _
LCase(Left(URL, 11)) = "javascript:" Then
wb1.navigate URL
Else
Cancel=True
End If
Quote: > maybe hard code c:\supportFiles\ in the control and don't give them the > option to type in anything else?
> > I have a custom webbrowser control. The user can surf the net as usual
> > but if they c:\ in the navigation ComboBox, they can get to the root of
> > the winNt box and subsequently any directory on the machine. What are my
> > possible solutions for this? Also if I block all access to the local
> > files, I still need to keep one directory available for supporting files,
> > i.e., local .html files and text files that are read at run-time.
> > Basically the entire file system needs to be invisible to the webbrowser
> > control except one folder, c:\supportFiles\
> > Thanks for any help
> > Jerry
|
| Mon, 14 Oct 2002 03:00:00 GMT |
|
|
|
Sixto Santo
#4 / 6
|
Stopping WebBrowser from navigating to local files. Hello Jerry! The trick is to check for unacceptable values.
You could try this:
Private Sub brwWebBrowser_BeforeNavigate2(ByVal pDisp As Object, URL As
Variant, Flags As Variant, TargetFrameName As Variant, PostData As Variant,
Headers As Variant, Cancel As Boolean)
Dim ValidPath As String
ValidPath = "c:\supportFiles" ' path in lowercase, no trailing \
If Dir$(URL, 31) <> "" Then ' DIR Forced to match any type of file
' Navigation to filesystem attempted.
'Check if acceptable
If LCase$(Left$(URL, Len(ValidPath))) <> ValidPath Then
Cancel = True
End If
End If
End Sub
Regards,
Sixto
Quote: > Hello, > I posted some code below. I found if I restrict the user from the get go,
> I don't have a problem. Logically this works but I feel that I went
> around the world to get to it. My concern is, what if there's something
> is included in the navigating in time? An example, "http_new://". If
> something new comes out or I missed something, this browser will be
> obsolete in time. Does anyone have a better logic to tackle this? Thanks
> again.
> Jerry
> Here's the code:
> Private Sub wbMain_BeforeNavigate2(index As Integer, ByVal pDisp As
> Object, URL As Variant, Flags As Variant, TargetFrameName As Variant,
> PostData As Variant, Headers As Variant, Cancel As Boolean)
> If LCase(Left(URL, 16)) = "c:\source_files" Or _
> LCase(Left(URL, 7)) = "http://" Or _
> LCase(Left(URL, 8)) = "https://" Or _
> LCase(Left(URL, 7)) = "mailto:" Or _
> LCase(Left(URL, 6)) = "ftp://" Or _
> LCase(Left(URL, 24)) = "file:///c:/source_files" Or _
> LCase(Left(URL, 11)) = "javascript:" Then
> wb1.navigate URL
> Else
> Cancel=True
> End If
> > maybe hard code c:\supportFiles\ in the control and don't give them the
> > option to type in anything else?
> > > I have a custom webbrowser control. The user can surf the net as usual
> > > but if they c:\ in the navigation ComboBox, they can get to the root
of
> > > the winNt box and subsequently any directory on the machine. What are
my
> > > possible solutions for this? Also if I block all access to the local
> > > files, I still need to keep one directory available for supporting
files,
> > > i.e., local .html files and text files that are read at run-time.
> > > Basically the entire file system needs to be invisible to the
webbrowser
> > > control except one folder, c:\supportFiles\
> > > Thanks for any help
> > > Jerry
|
| Mon, 14 Oct 2002 03:00:00 GMT |
|
|
|
Jason Smit
#5 / 6
|
Stopping WebBrowser from navigating to local files. You can put the allowed urls in a config file or in a table. Have the control read the file to check for valid urls. If you want to change allowed urls later w/o recompiling, then just add/subtract from the config file or table. From the code below it looks like you want the control to be able to perform
most normal browing functions + access a shared folder on your server by the
physical path name. So, you can keep the allowed physical path names on
file.
What happens when you tighten up security on the server? Do they still get
root access if they are not in the correct security group? If they don't
then you might not need to limit anything n your code. Just set the
permissions.
/Jason
Quote: > Hello, > I posted some code below. I found if I restrict the user from the get go,
> I don't have a problem. Logically this works but I feel that I went
> around the world to get to it. My concern is, what if there's something
> is included in the navigating in time? An example, "http_new://". If
> something new comes out or I missed something, this browser will be
> obsolete in time. Does anyone have a better logic to tackle this? Thanks
> again.
> Jerry
> Here's the code:
> Private Sub wbMain_BeforeNavigate2(index As Integer, ByVal pDisp As
> Object, URL As Variant, Flags As Variant, TargetFrameName As Variant,
> PostData As Variant, Headers As Variant, Cancel As Boolean)
> If LCase(Left(URL, 16)) = "c:\source_files" Or _
> LCase(Left(URL, 7)) = "http://" Or _
> LCase(Left(URL, 8)) = "https://" Or _
> LCase(Left(URL, 7)) = "mailto:" Or _
> LCase(Left(URL, 6)) = "ftp://" Or _
> LCase(Left(URL, 24)) = "file:///c:/source_files" Or _
> LCase(Left(URL, 11)) = "javascript:" Then
> wb1.navigate URL
> Else
> Cancel=True
> End If
> > maybe hard code c:\supportFiles\ in the control and don't give them the
> > option to type in anything else?
> > > I have a custom webbrowser control. The user can surf the net as usual
> > > but if they c:\ in the navigation ComboBox, they can get to the root
of
> > > the winNt box and subsequently any directory on the machine. What are
my
> > > possible solutions for this? Also if I block all access to the local
> > > files, I still need to keep one directory available for supporting
files,
> > > i.e., local .html files and text files that are read at run-time.
> > > Basically the entire file system needs to be invisible to the
webbrowser
> > > control except one folder, c:\supportFiles\
> > > Thanks for any help
> > > Jerry
|
| Tue, 15 Oct 2002 03:00:00 GMT |
|
|
|
Sixto Santo
#6 / 6
|
Stopping WebBrowser from navigating to local files. Hello Jerry! The trick is to check for unacceptable values.
You could try this:
Private Sub brwWebBrowser_BeforeNavigate2(ByVal pDisp As Object, URL As
Variant, Flags As Variant, TargetFrameName As Variant, PostData As Variant,
Headers As Variant, Cancel As Boolean)
Dim ValidPath As String
ValidPath = "c:\supportFiles" ' path in lowercase, no trailing \
If Dir$(URL, 31) <> "" Then ' DIR Forced to match any type of file
' Navigation to filesystem attempted.
'Check if acceptable
If LCase$(Left$(URL, Len(ValidPath))) <> ValidPath Then
Cancel = True
End If
End If
End Sub
Regards,
Sixto
Quote: > Hello, > I posted some code below. I found if I restrict the user from the get go,
> I don't have a problem. Logically this works but I feel that I went
> around the world to get to it. My concern is, what if there's something
> is included in the navigating in time? An example, "http_new://". If
> something new comes out or I missed something, this browser will be
> obsolete in time. Does anyone have a better logic to tackle this? Thanks
> again.
> Jerry
> Here's the code:
> Private Sub wbMain_BeforeNavigate2(index As Integer, ByVal pDisp As
> Object, URL As Variant, Flags As Variant, TargetFrameName As Variant,
> PostData As Variant, Headers As Variant, Cancel As Boolean)
> If LCase(Left(URL, 16)) = "c:\source_files" Or _
> LCase(Left(URL, 7)) = "http://" Or _
> LCase(Left(URL, 8)) = "https://" Or _
> LCase(Left(URL, 7)) = "mailto:" Or _
> LCase(Left(URL, 6)) = "ftp://" Or _
> LCase(Left(URL, 24)) = "file:///c:/source_files" Or _
> LCase(Left(URL, 11)) = "javascript:" Then
> wb1.navigate URL
> Else
> Cancel=True
> End If
> > maybe hard code c:\supportFiles\ in the control and don't give them the
> > option to type in anything else?
> > > I have a custom webbrowser control. The user can surf the net as usual
> > > but if they c:\ in the navigation ComboBox, they can get to the root
of
> > > the winNt box and subsequently any directory on the machine. What are
my
> > > possible solutions for this? Also if I block all access to the local
> > > files, I still need to keep one directory available for supporting
files,
> > > i.e., local .html files and text files that are read at run-time.
> > > Basically the entire file system needs to be invisible to the
webbrowser
> > > control except one folder, c:\supportFiles\
> > > Thanks for any help
> > > Jerry
|
| Tue, 15 Oct 2002 03:00:00 GMT |
|
| |
|
