10

I've been reading about the security restrictions for file uploads in Flash Player 10. According to the FileReference docs for upload(), the upload does not have to be triggered by a user-initiated action (the browse() does, but that's another story). If it did, that would force an awkward user experience for multi-file uploads, since only one upload can occur at once -- so the user would have to click (or press a button) once per file to initiate the upload, but only when the previous file had finished uploading.

The documentation for URLLoader.load(), on the other hand, states:

In Flash Player 10 and later, if you use a multipart Content-Type (for example "multipart/form-data") that contains an upload (indicated by a "filename" parameter in a "content-disposition" header within the POST body), the POST operation is subject to the security rules applied to uploads:

The POST operation must be performed in response to a user-initiated action, such as a mouse click or key press.

This Flash Security article corroborates the URLLoader documentation (see the "POST APIs" section).

The original whitepaper, however, does not state this -- only that a FileReference browse must be in response to a user-initiated action, not the (potentially URLLoader-driven) upload itself:

When a SWF file uses the FileReference.browse() and FileReference.upload() methods to upload a file to a server, Flash Player enforces two security rules:

  • FileReference.browse() must be called from within a user-event handler (mouse or keyboard event).

[...]

Flash Player enforces these same rules any time a networking API is called to perform a POST that appears to the server to contain an upload.

As far as I can tell from actual use of the URLLoader API to upload a file, the uploads indeed don't need to come from a user-initiated action; but, is this because I'm using a debug version of the player, or because the documentation is wrong? (Or something else?)

TL;DR: The documentation contains conflicting information, and I don't trust my field tests (in the face of docs that say they shouldn't work). Can URLLoader be used to upload a file without user interaction? Or only FileReference? (That would kill most file pre-processing possibilities, which is what I happen to be interested in doing!)

Cameron
  • 96,106
  • 25
  • 196
  • 225

2 Answers2

2

I believe that Adobe wants to have it so that you can NOT use URLLoader to upload a file without interaction. I just think that they happened to not do it in the best way and you can get around it depending on how exactly you are using the URLLoader to upload the file (if you put a filename in the POST for the URLLoader it should error out, but you can get around that by Base64 encoding the file and sending that with the URLLoader to php).

Take a look at this post. Read through the comments in there too they seem to address the issue. Hopefully this helps a little bit.

Community
  • 1
  • 1
M. Laing
  • 1,607
  • 11
  • 25
2

You doesn't got errors, because you are running in debug. Got the same problem while working on my speedtest project.
So for the questions:

  • FileReference can't upload files without user interaction.

  • URLLoader can't upload files without user interaction if you are using POST, multipart/form-data and filename properties.

  • You can upload files with URLLoader if you are using content-type like application/octet-stream and putting the file body encoded (for example in base64) in you post request. That means, if you are using PHP, so you will work not with the $_FILES, but with the $_POST array, to get your file.

  • Working in debug mode on local machine, won't trigger the URLLoader restriction error.

Den
  • 601
  • 3
  • 10
  • Ah, it's because of the Debug player! But, as far as I know, FileReference *can* upload files without user interaction (it just can't *browse* for them). I hate double standards. – Cameron Feb 24 '12 at 14:43
  • 1
    As you have posted in your question, and according to adobe.com, `FileReference.browse()` must be called before `FileReference.Upload()`. – Den Feb 24 '12 at 14:47
  • Yep, I understand :-) But imagine the user clicks a "browse" button and selects 17 files through a `FileReferenceList`. Those 17 files can then be uploaded without further user interaction. But, if we want to modify them in some way before uploading them (say, resizing image files on the client), then the user would have to click 17 more times, once to initiate each (URLLoader) upload. That's what I meant by double standards. Of course, nobody's *actually* going to force their users to click 17 times when there're acceptable workarounds (such as Base64 encoding). – Cameron Feb 27 '12 at 21:00
  • It isn'so. I was using MultiPowerUpload, so there to upload you need 2 clicks, the first for browse, then you can manage images, like crop or resize, and then the second click to upload all of them. If you wish, i'll post some part of code, how is it made. – Den Feb 28 '12 at 05:48
  • Sure, I'm really curious how you got that to work! (The only way I can think of is to start all the uploads at once.) – Cameron Feb 28 '12 at 14:47
  • It is made so: after user clicks the upload button, all files selected from `FileReference.Browse()` are sent in binary data to the server with `URLLoader` in one recursive function walking through filelist. Really no magic. For additional help an [MultipartUpload](http://code.google.com/p/nascomaslib/source/browse/trunk/src/be/nascom/flash/net/upload/UploadPostHelper.as?spec=svn62&r=62) class is used to build correct http headers. – Den Feb 29 '12 at 13:21
  • Just realized I never accepted an answer on this one. What I ended up doing is changing the content-type on my URLLoader upload to 'application/octet-stream', then sending an 'x-content-type' of 'multipart/form-data' which my custom script on the server detects and handles appropriately. – Cameron Apr 26 '12 at 19:16