[sclug] sclug Digest, Vol 81, Issue 5
Bo Hansen
bohans at online.no
Mon Jun 7 19:49:05 UTC 2010
Just a quick thought. You could use protocol handlers when users select to
download the file. Dependent on the choice they select in a dropdown for
example.
notepad://mydownload.file
crystal://mydownload.file
The system admins would need to implement the protocol handlers, and this
also give them control over which users gets to use which protocol
handlers.
Bo
On Mon, 07 Jun 2010 17:07:05 +0100, Neil Haughton
<haughtonomous at googlemail.com> wrote:
> Thanks for the replies.
>
> This is a Windows environment, and the executables of interest will be
> exe.
> It sounds like that has a bearing on security concerns.
>
> Control of what is executed is not entirely outside our realm because we
> add
> value by configuring this application for the customer, to provide unique
> functionality. Part of that is (I am told) to be able to execute an
> application (could be notepad, could be Crystal Reports, could be
> *anything
> else*) from the browser to provide additional 'fringe' functionality, ie
> to
> extend the web application. The customer (admins) can also do this
> themselves, if they choose.
>
> I too thought that an integral part of browser design, if not spirit,
> was to
> prevent the arbitrary execution of local apps from within the browser
> context. My concern still is what view corporate sysadmins are going to
> take
> of this kind of functionality in our application. My instinct says 'dim',
> but I want to get a wider opinion.
>
> TIA
>
> Neil
>
> On 7 June 2010 13:00, <sclug-request at sclug.org.uk> wrote:
>
>> Send sclug mailing list submissions to
>> sclug at sclug.org.uk
>>
>> To subscribe or unsubscribe via the World Wide Web, visit
>> http://sclug.org.uk/mailman/listinfo/sclug
>> or, via email, send a message with subject or body 'help' to
>> sclug-request at sclug.org.uk
>>
>> You can reach the person managing the list at
>> sclug-owner at sclug.org.uk
>>
>> When replying, please edit your Subject line so it is more specific
>> than "Re: Contents of sclug digest..."
>>
>> Today's Topics:
>>
>> 1. Local execution form web app (Neil Haughton)
>> 2. SCLUG meeting this Wednesday 9th June at 19:30 (Simon Heywood)
>> 3. Re: Local execution form web app (Neil Brown)
>> 4. Re: Local execution form web app (Tim Sutton)
>> 5. Re: Local execution form web app (Darren Davison)
>> 6. Re: Local execution form web app (simon at spudley.com)
>>
>>
>> ---------- Forwarded message ----------
>> From: Neil Haughton <haughtonomous at googlemail.com>
>> To: sclug at sclug.org.uk
>> Date: Mon, 7 Jun 2010 09:58:48 +0100
>> Subject: [sclug] Local execution form web app
>> I apologise if this is off-topic-ish, but I would like a general
>> opinion.
>>
>> I am currently working with a web application that is being developed
>> for
>> sale to customers ranging from small companies to corporates. The
>> general
>> public will not have access. One of the requirements is to be able to
>> execute an arbitrary local executable from within the web app.
>> 'Arbitrary'
>> in the sense that the actual choice of executable can be configured by
>> the
>> user, the idea that a customer can configure the app to launch some
>> local
>> process as part of some action he has taken within the application. The
>> configuration can be locked down by the user (eg customer sysadmin) and
>> for
>> the most part will be used on an intranet.
>>
>> A typical use case is to configure the web app to download a text file
>> (say
>> some auto-generated report) from the web server and open it in a local
>> text
>> editor - but there are no limits on what the local application could
>> be.
>>
>> My instincts are that this will meet with resistance from sysadmins,
>> corporates in particular, for security reasons, but then again logic
>> tells
>> me that on an intranet and given the ability to lock down the
>> configuration
>> so local users cannot tinker with it, this isn't a security issue in the
>> first place.
>>
>> Are there any 'sysadmins' out there who can give me their views on
>> whether
>> I
>> am seeing a problem where one doesn't exist, or are my instincts right?
>>
>> TIA
>>
>> Neil.
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Simon Heywood <simon at triv.org.uk>
>> To: sclug at sclug.org.uk
>> Date: Mon, 7 Jun 2010 10:00:02 +0100 (BST)
>> Subject: [sclug] SCLUG meeting this Wednesday 9th June at 19:30
>> The next meeting of the SCLUG will be at the Back of Beyond pub in
>> King's Road, Reading, at 19:30 this Wednesday.
>>
>> See http://www.sclug.org.uk/ for directions.
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Neil Brown <neil at neilzone.co.uk>
>> To: haughtonomous at googlemail.com
>> Date: Mon, 07 Jun 2010 10:05:42 +0100
>> Subject: Re: [sclug] Local execution form web app
>> Quoting Neil Haughton <haughtonomous at googlemail.com>:
>>
>>
>> 'Arbitrary'
>>> in the sense that the actual choice of executable can be configured by
>>> the
>>> user, the idea that a customer can configure the app to launch some
>>> local
>>> process
>>>
>>
>>
>> If the customer (i.e. the corporate) can define which applications are
>> launched, then, the end users can only (absent a bug) launch
>> applications
>> which the environment owner provides for them to launch.
>>
>> The end user launches a pre-defined application, and so, whilst not a
>> sysadmin, this seems no different to clicking a icon on a desktop,
>> which was
>> pre-installed by the company for them to use?
>>
>> --
>>
>>
>>
>> Neil
>>
>> neil at neilzone.co.uk | http://neilzone.co.uk
>>
>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Tim Sutton <tim at linfiniti.com>
>> To: haughtonomous at googlemail.com
>> Date: Mon, 7 Jun 2010 11:06:08 +0200
>> Subject: Re: [sclug] Local execution form web app
>> Hi
>>
>> On Mon, Jun 7, 2010 at 10:58 AM, Neil Haughton
>> <haughtonomous at googlemail.com> wrote:
>> > I apologise if this is off-topic-ish, but I would like a general
>> opinion.
>> >
>> > I am currently working with a web application that is being developed
>> for
>> > sale to customers ranging from small companies to corporates. The
>> general
>> > public will not have access. One of the requirements is to be able to
>> > execute an arbitrary local executable from within the web app.
>> 'Arbitrary'
>> > in the sense that the actual choice of executable can be configured by
>> the
>> > user, the idea that a customer can configure the app to launch some
>> local
>> > process as part of some action he has taken within the application.
>> The
>> > configuration can be locked down by the user (eg customer sysadmin)
>> and
>> for
>> > the most part will be used on an intranet.
>> >
>> > A typical use case is to configure the web app to download a text file
>> (say
>> > some auto-generated report) from the web server and open it in a local
>> text
>> > editor - but there are no limits on what the local application could
>> be.
>> >
>>
>> I thought that an integral part of browser design was to prevent the
>> arbitrary execution of local apps from within the browser context? I
>> think you can do it using evil microsoft activex technologies but not
>> from a standard javascript / applet context....or am I wrong?
>>
>> Regards
>>
>> Tim
>>
>>
>> > My instincts are that this will meet with resistance from sysadmins,
>> > corporates in particular, for security reasons, but then again logic
>> tells
>> > me that on an intranet and given the ability to lock down the
>> configuration
>> > so local users cannot tinker with it, this isn't a security issue in
>> the
>> > first place.
>> >
>> > Are there any 'sysadmins' out there who can give me their views on
>> whether I
>> > am seeing a problem where one doesn't exist, or are my instincts
>> right?
>> >
>> > TIA
>> >
>> > Neil.
>> >
>>
>>
>>
>> --
>> Tim Sutton - QGIS Project Steering Committee Member (Release Manager)
>> ==============================================
>> Visit http://linfiniti.com to find out about:
>> * QGIS programming services
>> * Mapserver and PostGIS based hosting plans
>> * FOSS Consulting Services
>> Skype: timlinux Irc: timlinux on #qgis at freenode.net
>> ==============================================
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Darren Davison <darren at davisononline.org>
>> To: sclug at sclug.org.uk
>> Date: Mon, 7 Jun 2010 10:33:30 +0100
>> Subject: Re: [sclug] Local execution form web app
>> On Mon, Jun 07, 2010 at 09:58:48AM +0100, Neil Haughton wrote:
>> > A typical use case is to configure the web app to download a text file
>> (say
>> > some auto-generated report) from the web server and open it in a local
>> text
>> > editor - but there are no limits on what the local application could
>> be.
>>
>> erm, isn't this exactly what most browsers do out of the box? i.e.
>> enable
>> you to configure apps to launch to handle certain downloads?
>> Personally I
>> have OpenOffice launch to handle a .doc file I d/l, or gvim to handle a
>> .txt
>> file etc. etc.
>>
>>
>> --
>> Darren Davison
>> Public Key: 0xE855B3EA
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.10 (GNU/Linux)
>>
>> iEUEARECAAYFAkwMvOkACgkQVgOfSOhVs+pgeQCgjfrerY8cpQ2It+Y+wa7VN6SH
>> DFMAljGF1CMpUzSzxvzWYe6Xo/ksL2s=
>> =3X2J
>> -----END PGP SIGNATURE-----
>>
>>
>> ---------- Forwarded message ----------
>> From: simon at spudley.com
>> To: sclug at sclug.org.uk
>> Date: Mon, 07 Jun 2010 10:13:12 +0100
>> Subject: Re: [sclug] Local execution form web app
>>
>>
>> You wrote:
>> > A typical use case is to configure the web app to download a text file
>> (say
>> > some auto-generated report) from the web server and open it in a local
>> text
>> > editor - but there are no limits on what the local application could
>> be.
>>
>> On a conceptual level, you're not asking for anything more than they
>> already do -- pdf, doc, and a bunch of other file types will likely
>> already
>> be configured by the users' browsers to do exactly the sort of thing
>> you're
>> proposing. All you're asking for is an arbrtrary new file type to be
>> configured in the browser along the same lines.
>>
>> Unless it's a file type with known security issues like .exe or .scr,
>> there's no reason for a sysadmin to particularly want to block the file
>> type
>> from being downloaded, especially in a local intranet context (an
>> external
>> block may still be reasonable, but that's not an issue for you).
>>
>> The security risk will be in what program you specify to open the files
>> with, and what that program does with files that it opens. But since
>> that's
>> entirely configurable at the client end, it's outside your realm.
>>
>> All your web app needs to do is present the file for download, and
>> leave it
>> up to the browser how to handle it.
>>
>> You'll never have a 100% smooth "click on the link and open the
>> program",
>> because the browser will always offer to open the file or download it,
>> but
>> users are used to that functionality already so it should be good
>> enough.
>>
>> HTH.
>>
>>
>> Simon C.
>>
>>
>>
>>
>> _______________________________________________
>> sclug mailing list
>> sclug at sclug.org.uk
>> http://sclug.org.uk/mailman/listinfo/sclug
>>
>
--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
More information about the Sclug
mailing list