In this post I hope to address some of the concerns raised by Keith Peters in his recent blog post. In the post Keith brings up some existing applications that will be broken because of the new security enhancements to the FileReference class. I for one had no idea that this issue existed so thanks to Keith for bringing it up. Let’s first take a look at exactly what has changed.

In previous versions of the Flash Player, you could programmatically call the FileReference.browse() method to open a file browser dialog window which enabled users to locate a file on their system so that it could be uploaded to a server. Many existing applications use this feature including various WordPress and Flickr uploaders. In Flash Player 10 you can no longer spawn this dialog window programmatically and it must be initiated by a user click. The attempt to launch the dialog with code will throw a security exception, effectively breaking these existing applications.

There are other important changes in the FileReference class like the new ability to read and write local files. My initial reaction was that the new security features were added because of these new features. But actually these changes were coming anyway due to some existing security concerns surrounding the FileReference class. Let’s a take a quick look at what some of these concerns are. Please bear in mind that I’m not going to go into too much detail about what all the security implications are but rather give a high-level overview.

HTML security guidelines do not allow the opening of file dialog windows without user interaction. The new changes in Flash Player 10 will move Flash in line with general web security guidelines. So why are there security concerns with doing this in the first place? Well for one, developers can do things like repeatedly open the dialog forcing users to choose a file before being able to continue. This can essentially lock the user out of the application. Another potential concern arises from the situation where there are multiple SWF files on the same page from different sources. The user seeing the file dialog window does not necessarily know which SWF spawned the dialog. I will let you use your imagination about how this could lead to some bad things.

These concerns and others have made it vital that we implement the need for user interaction to launch the dialog. So then what will happen to existing applications that rely on the programmatic launch approach? In short they will have to update their applications to account for these changes. That being said, there are some workarounds available for applications that are launching Flash-based uploaders from HTML content. One such workaround is to create the HTML upload button in Flash rather than HTML so that the user will initiate the upload request from Flash. Similarly, another possibility is to overlay a transparent SWF button over the HTML content so that again, the user clicking happens in Flash and not in HTML. We are currently reaching out to partners to help them find the best solution for them.

Keith mentioned some well-known applications that will currently be broken because of the new security features like WordPress and Flickr. If you know of other applications please let me know in the comments section so that we can connect with them to help them find the optimal solution for their application.

After hearing the internal reasoning behind the new security enhancements I think they make total sense. There are just too many security concerns that arise when you allow developers to spawn native dialog windows programmatically. But we will definitely step up our efforts to ensure that existing developers get the help they need to update their applications accordingly.

Lee

20 Comments

I just finished uploading a new tutorial that shows you how to create a regular slider and then take it to another level by adding throw physics to it. Trust me, this is not you parent’s slider! Most of what I’ve learned about animation physics comes from Keith Peter’s excellent ActionScript Animation book. Check it out at gotoandlearn.com. You can see the final result below.

Update: There was a slght bug where the slider wouldn’t come to a complete stop when moving to the left. This was because vx never actually reached zero. This is easily fixed by adding the following line of code. I updated the tutorial files with the fix.

if(Math.abs(vx) < 0.5) vx = 0;

28 Comments

I just finished uploading a new tutorial created by Mike Chambers that shows you how to get setup with Adobe AIR on Linux. It’s always been my goal to include tutorials by other authors but there has always been the issue of quality control. This obviously won’t be an issue with Mike as he knows more about the Flash Platform than I ever will. It’s an honor to have him come on board to do some tutorials. I’m also working on one right now that should be out tonight. Check it out at http://www.gotoandlearn.com.

6 Comments

The late summer and fall are definitely the busiest times for Flash conferences and this year is looking to be especially packed. I will be attending the conferences listed below and will be speaking at all of them in some form or another. Hopefully one of these events is happening near you so you can get in on the festivities. There is a lot of new stuff to talk about!

	Flash Forward - Aug 19-22, San Francisco This is a new take on an all-time classic. Beau Amber has taken over the reigns from Lynda.com and has instituted a unique one-track format this year. It will be really interesting to see how people like it. My role will be to present the Flash Player 10 goodness during the Adobe keynote. Apart from that I will simply be just another attendee.
	Flash on the Beach - Sep 28-Oct 1, Brighton Last year’s FOTB was one of the best conferences I have ever been to. Unfortunately I only got to see one day of it as Mike Chambers and I were on a tour of Europe at the time. This year I will be staying the whole time and will be presenting a session called Platform Jiu-Jitsu. It will cover many different areas of the Flash Platform and will have an MMA theme.
	flashPitt - Oct 10, Pittsburgh This conference is being run by the Pittsburgh Adobe User Group. It is a one-day event featuring a great speaker line-up. These smaller events are often more fun to speak at as you can connect better with a smaller group. I’ll be delivering the keynote to get things started in the morning.
	The ActionScript Conference - Oct 19, Singapore I’ll be hopping over to Singapore for this one-day event being put on by the Singapore Adobe User Group. I’ve been Singapore once before and loved it so I’m definitely looking forward to going back. My session details have not been worked out yet but I’ll update this once it is final.
	Adobe Max - Nov 16-19, San Francisco This is the big one. I will more than likely be at all 3 Max events this year. The first will be in San Francisco and I’ll be giving two sessions. I’m sure I will be doing many other things as well but I hope to be able to see a good amount of the sessions. The cool thing about Max is that it isn’t just limited to Flash.

If you know of any other events going on please let me know in the comments. If there isn’t an event in your part of the world, start a user group and create one. I get lots of requests to come to places like Africa, the Middle East, and South America. Unfortunately it is tough to go somewhere unless there is some type of event to justify it.

Lee

15 Comments

As I mentioned in my last video tutorial on AMFPHP, I want to take a few minutes and talk about the steps you can take to make it as secure as possible. Most of what I’m going to share was taken from a blog post written by Wade Arnold. One important thing to note right off the bat is that I will be talking about security as it relates to AMFPHP 1.9 and higher. If you are using an earlier version you will want to check elsewhere for the details for you specific version. So without further adieu, here are the steps to better AMFPHP security:

Delete the Service Browser
If you’ve watched my tutorials you know that the Service Browser is that Flex application that allows you, or anyone else for that matter, to see all of the services and methods you have available. For obvious reasons you will want to delete this on your production machine. You don’t want random people seeing all the goodies that you have exposed. To get rid of it simply delete the browser folder that is located in your AMFPHP root directory.

Delete the DiscoveryService service
The DiscoveryService service is included when you install AMFPHP. When you go to the Service Browser for the first time you will see it as the one and only service. This service exposes methods that give all the details about the services and methods you have available. In that sense it is very much like the Service Browser itself and should be deleted for the same reasons. From your AMFPHP root directory, go into the services folder. From there either delete the entire amfphp folder or just the DiscoveryService.php file which is located inside of it.

Set the PRODUCTION_SERVER property
The PRODUCTION_SERVER property is located in the gateway.php file which is located in the root AMFPHP folder. This property is set to false by default but should be set to true in production environments. This will disable things like remote tracing and debugging headers. Open gateway.php and set the property like so:

106
107

//define("PRODUCTION_SERVER", false);
define("PRODUCTION_SERVER", true);

Run over SSL if possible
I’m definitely not a server geek so don’t ask me how you would do this. But the idea is that the data going back and forth between Flash and AMFPHP will not be plain text and this would of course make it much harder for people to be able sniff out the actual data.

Running the beforeFilter
In AMFPHP 1.9 there is a new feature which will allow you to authenticate the calling client to make sure they have the right access level to call the service. Basically you define a function in your service class named beforeFilter using the signature below:

1

public function beforeFilter($function_called)

This function will be called before your service method which was called by the client. If this function returns true, then the service method is called. If not, then a security error is thrown. It is inside this function that you can do some type of authentication. Joshua Ostrom has a nice blog post that goes into more details on this.

General PHP security
Since AMFPHP and all of the services you expose with it are nothing more than PHP files, you will want to familiarize yourself with some basic PHP security guidelines. Preventing SQL injection is one of the biggest areas that you need to make sure you protect against. There are many good articles on the web that explain how to prevent this attack. If you do a lot of PHP work, do yourself a favor and pick up a book like Essential PHP Security to make sure that you are being safe.

Lee

21 Comments