NetTalk Central



Messages - Bruce

1
Web Server - Ask For Help / Re: Google picking up documents from web folder
« on: November 14, 2024, 04:58:14 PM »
>> Thank you, it is files which the users upload as supporting documents which we are storing in a documents sub-folder contained in the web folder.
>> When I try to browse those files, I am not able to.  Thus a malicious user would need to know the full file-name of the file to get to it?  Or is there another way?

They would need to know, or deduce, the name. Or guess. Unless your names are generated randomly it's probably easy to guess a name or two, especially given that the server allows for an unlimited number of guesses. Treating the name as a secret, and then broadcasting that secret to all legitimate users in some form or another, does not make it a terribly good secret.

>> I maybe wrong, but would imagine that Google indexed the file whilst it was being opened / viewed by a user in Chrome.

I very much doubt that they got it that way. I suspect they got it by crawling your site. Either way though, you've shown that it's not a terribly well-kept secret.

>> Is there a way to project files in the web folder?

not by default, no.

>> Or if the web folder is always publicly accessible, should I put the files outside the web folder, and change my user-procedure that it opens from local disk and not via URL?

Opening from local disk is not an option. HTTP pages have a "single source" policy - in other words web pages cannot link to pages on the disk.

However, since the files belong to a user, and should only be available to that user, it's pretty easy to limit access to the file to that user. For example, just moving it to the \web\loggedin folder would require the user to be logged in to access the file. You can also serve the document from *outside* the web folder - and thus implementing further checks on who owns the file, and so on.
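An added illustration of the last suggestion above, not code from the post or from NetTalk: a Python stand-in for a handler that stores uploads under random names in a directory outside the web folder and only hands a file back to the logged-in user who owns it. The `DOCS` table, the session user and the `DOC_DIR` location are assumptions standing in for the real app's database and session.

```python
import os
import secrets
import tempfile

# Constructed stand-ins: a scratch directory outside any web folder, and an
# in-memory "table" of documents (doc_id -> owner, stored name, original name).
DOC_DIR = tempfile.mkdtemp(prefix="docs_")
DOCS = {}

def store_upload(owner, original_name, data):
    """Save an upload under an unguessable random name, outside the web root."""
    doc_id = secrets.token_urlsafe(16)          # the id the user's page links to
    stored = secrets.token_hex(16) + ".bin"     # never the user-supplied name
    with open(os.path.join(DOC_DIR, stored), "wb") as f:
        f.write(data)
    DOCS[doc_id] = (owner, stored, original_name)
    return doc_id

def serve_document(session_user, doc_id):
    """Return (original_name, bytes) only when the session's user owns the
    document; None for anonymous sessions, unknown ids and other users' files."""
    if session_user is None:                    # not logged in
        return None
    rec = DOCS.get(doc_id)
    if rec is None or rec[0] != session_user:   # unknown id, or not the owner
        return None
    owner, stored, original_name = rec
    path = os.path.join(DOC_DIR, stored)
    # Defence in depth: the stored name came from us, but re-check that it
    # cannot resolve outside DOC_DIR before touching the disk.
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(DOC_DIR):
        return None
    with open(path, "rb") as f:
        return original_name, f.read()
```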


2
enable cookies on your iframe

3
>> below first few chars from the file that was saved with this code in the desktop program.
>> 

Images can be stored in blobs in multiple ways. This format is used on the web when the images are delivered "inline" rather than in a separate request. To convert to binary;

a) remove the text at the start up to and including the comma
b) base 64 decode it.

As you can see the header shows both the format of the image (png) and the base64 encoding. Should you wish, you can parse out that header to better choose the file name, and note the base64 decoding.

Cheers
Bruce
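The two-step conversion above (strip the header up to the comma, then base64 decode), as an added Python example that is not from the post or from NetTalk. It also covers the question in the next post: if the blob holds raw binary rather than a data URI, it recognises the PNG, JPEG or GIF signature instead. The `EXT` mapping and the sample blob are constructed for the example.

```python
import base64
import binascii

# MIME type from the data-URI header -> file extension to save under.
EXT = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif", "image/webp": ".webp"}

def blob_to_image(blob):
    """Turn a stored blob into (extension, raw image bytes).

    Handles the inline data-URI form ('data:image/png;base64,...') and a blob
    that already holds raw binary (recognised by the PNG, JPEG or GIF
    signature). Raises ValueError for anything else.
    """
    if isinstance(blob, str):
        blob = blob.encode("latin-1")
    if blob.startswith(b"data:"):
        header, sep, payload = blob[5:].partition(b",")
        if not sep:
            raise ValueError("data URI has no ',' separating header and payload")
        params = header.split(b";")
        mime = params[0].decode("ascii", "replace").lower()
        if b"base64" not in params[1:]:
            raise ValueError("only base64-encoded data URIs are handled here")
        try:
            # strict decode: reject junk characters instead of silently skipping them
            data = base64.b64decode(b"".join(payload.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("payload is not valid base64") from exc
        return EXT.get(mime, ".bin"), data
    # No header: the blob was stored as raw binary, so sniff its signature.
    if blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return ".png", blob
    if blob.startswith(b"\xff\xd8\xff"):
        return ".jpg", blob
    if blob.startswith((b"GIF87a", b"GIF89a")):
        return ".gif", blob
    raise ValueError("blob is neither a data URI nor a recognised image")

# Constructed sample: a fake PNG (valid signature, dummy body) and the
# inline data-URI form a browser would hand over for it.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-dummy-body"
SAMPLE_DATA_URI = b"data:image/png;base64," + base64.b64encode(SAMPLE_PNG)
```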

4
have you looked inside the blob record to see what is actually there? is it binary, or base64 encoded?

5
Web Server - Ask For Help / Re: Google picking up documents from web folder
« on: November 11, 2024, 10:35:50 PM »
Hi Rupert,

>> Is there a way to block / stop this, as it is a serious security concern for the customer.

I feel like you're missing the point here. If having the files publicly available in the web folder is a security concern, then you should fix that. Perhaps by describing why private files are in a public folder to begin with?

Turning off Google indexing doesn't stop people fetching the files. If Google found them, so can everyone else. And malicious users don't respect the settings in your robots.txt file.

Cheers
Bruce

6
Web Server - Ask For Help / Re: JWT Json Web Token
« on: November 03, 2024, 11:00:26 PM »
you probably got a compile warning on this line;

stToEncrypt  = NetMakeHMAC(clip(strPREencrypt ),len(strPREencrypt),CLIP(lSecret),cs:CALG_SHA_256,0)

This line should be
stToEncrypt.SetValue(NetMakeHMAC(clip(strPREencrypt ),len(strPREencrypt),CLIP(lSecret),cs:CALG_SHA_256,0))

just one more reason not to ignore warnings....

7
Web Server - Ask For Help / Re: Tree Control
« on: October 23, 2024, 06:57:03 PM »
When populating;

In your populate::aTree routine;
add a field to the TreeQueueType
selected         Long       ,name('selected | boolean')

Then when populating the queue set this field to true or false.


14.28 required for this next bit;
Later on, after the tree has been populated, You can select something using

p_web.ntTree('aTree','select','rowid')

(In both cases aTree is the Use Equate of the tree field on the form)

8
done for build 14.28

9
Web Server - Ask For Help / Re: Convert text to HTML text for display
« on: October 03, 2024, 07:48:20 AM »
if you have a bunch of plain text, and you surround it with
<pre>


</pre>

Then I think you'll get what you're looking for.

Cheers
Bruce

10
that example is a work in progress, and is not yet active.

Cheers
Bruce

12
I'm not sure. I tested here, and saw what you saw.
But then I touched the template and it seemed to be ok after that.

try editing the embed, adding a CR/LF maybe. Or just adding a space to netweb.tpw so it'll re-register.

Cheers
Bruce

13
looks like a CSS issue. Is the page online?
(given that it's a CSS issue, and it's only an issue in the deployed server, you may want to refresh your CSS in the browser.)

14
Web Server - Ask For Help / Re: Apostraphe value in sql
« on: September 15, 2024, 08:14:56 PM »
>> Bruce how is possible SQL injection attacks with prop:sql ?

Prop:Sql passes the SQL you write straight through to the database for execution.

By contrast the drivers create "Parameterized Queries" - which separate the "code" part of the sql from the data part of the sql. Separating the code and the data means that code is code and data is data.

With prop:Sql the code and data are smooshed together. So Jason's line;

InvoiceItems{Prop:Sql} = 'Select * from dbo.InvoiceItems where ProductName = ''' & p_web.GSV('SelectedProductName') & ''''

is vulnerable to manipulation of SelectedProductName.
For example, say this is coming from an entry field on the window. Then I enter;

' ; Drop Table Customers; '

This is a trivial example, but shows the root problem. Once a user can enter "any sql", well they can do anything they like to your database, and none of it is good.


15
Web Server - Ask For Help / Re: Apostraphe value in sql
« on: September 13, 2024, 09:52:44 PM »
Hi Jason,

>> you want me to produce example in sql?

sure.

>> I will issue the sql query in my embed code
>> InvoiceItems{Prop:Sql} = 'Select * from dbo.InvoiceItems where ProductName = ''' & p_web.GSV('SelectedProductName') & ''''

See - already you are exposing detail which you haven't done before. That's the purpose of an example.

You should not be using Prop:SQL at all in your program. This is very, very bad. Using Prop:Sql will open up your program to SQL injection attacks.
Do not do it.

Equally, you don't need to be using Prop:Sql. The APIs support VIEWs as a return structure, and VIEWs support filters. You should be using that.

Let me say it again - if you are using Prop:Sql in General, and with user entered data in Particular, then your web app is doomed to failure. If you do go this route please let me know the URL of your service so I can delight in dropping all your tables from the database, randomly filling your database with Spam, altering all the unit prices so I can get stuff for free, and having fun in all other kinds of ways.

>> What I am asking is if there is a nettalk method to convert single apostrophe to double apostrophe then it would be useful.

Clarion has a command QUOTE which does that.

Cheers
Bruce
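The contrast drawn in these two posts (Prop:Sql string-building versus a parameterized query, with QUOTE-style doubling of apostrophes as the fallback), as an added example that is not from the thread or from NetTalk. Python with sqlite3 stands in for the Clarion driver; the table layout and the product names are constructed.

```python
import sqlite3

def build_prop_sql(product_name):
    """The Prop:Sql style from the thread: code and data concatenated into one
    string, value wrapped in single quotes. Returned for inspection, not run."""
    return "SELECT * FROM InvoiceItems WHERE ProductName = '" + product_name + "'"

def find_items(conn, product_name):
    """Parameterized form: the SQL text is fixed and the value travels
    separately, so quotes or semicolons in it are just characters."""
    cur = conn.execute(
        "SELECT Id, ProductName FROM InvoiceItems WHERE ProductName = ?",
        (product_name,),
    )
    return cur.fetchall()

def sql_quote(value):
    """What Clarion's QUOTE does for this purpose: double every apostrophe.
    A fallback for legacy string-built SQL; parameters are the real fix."""
    return value.replace("'", "''")

def demo_db():
    """Constructed in-memory database with a product name that itself
    contains apostrophes, plus a table the thread's payload tries to drop."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE InvoiceItems (Id INTEGER PRIMARY KEY, ProductName TEXT);
        CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO InvoiceItems (ProductName) VALUES ('O''Brien''s Widget'), ('Gadget');
        INSERT INTO Customers (Name) VALUES ('Rupert');
    """)
    return conn

def table_exists(conn, name):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0] == 1
```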
