Flash Player Security Advice


30.07.2014 in Media & More

Don’t leave your Flash Player unattended!

The Problem

In one of our recent projects we discovered, by chance, an upcoming problem for our users: they will not be able to print PDF documents with our Flex-based application after updating to Flash Player version or higher! Our application uses the open-source AS3 PDF library AlivePDF to generate invoice documents that can first be previewed in the browser and then be printed. Our client-side-generated PDF is handed to the server via navigateToURL(). But: with this version, it is no longer allowed to send custom HTTP headers with your request (via navigateToURL). This is breaking hundreds of sites!

The explanation of Jeromie Clark from the Adobe team:

Unfortunately, this was an intentional and necessary change required to address a security issue reported by an external researcher. We sincerely apologize for the inconvenience.
After careful consideration, we found that the only way to truly resolve the issue was to disable support for custom headers in NavigateToURL.
While we would prefer to provide advanced notification for security changes that affect existing content, experience has taught us that it is not a viable approach, and ultimately puts customers at more risk. We go to great lengths to preserve backward-compatibility in general, but it’s our responsibility to balance those considerations with the overall security of end-users and the web at large.
Custom headers continue to be supported via the URLRequest class, and we encourage developers to use those APIs where custom headers are required.

As you can read on https://forums.adobe.com/thread/1475657 we are not alone with our problem. This thread leads us to https://bugbase.adobe.com/index.cfm?event=bug&id=3759971. And here you suddenly are in the middle of a very upset community.

The Solution

Those are the facts. So let’s find a solution! Adobe proposes a few workarounds (see https://forums.adobe.com/message/6396080), but none of them fulfills our needs. So I’ve tried a few things and found the following way(s). The principle: forgo the use of header instructions with navigateToURL!

1. Use the right "save" method in AlivePDF

Use Method.LOCAL instead of Method.REMOTE. This returns the PDF as a ByteArray instead of sending it anywhere:

  var bytes:ByteArray = myPDF.save(Method.LOCAL);

2. Address the operating system’s file dialogue to save the file locally

Use ActionScript’s FileReference. Example:

  import flash.net.FileReference;

  var bytes:ByteArray = myPDF.save(Method.LOCAL);
  var f:FileReference = new FileReference();
  f.save(bytes, filename); // opens the OS save dialogue; must be called from a user-initiated event handler (e.g. a click)

3. Or: Encode the PDF data to plain text (with Base64 encoding)

Then transport the plain text as POST data to a server-side script, e.g. PHP. Plain text does not have to be ex-plained (wow, funny wording ;-)) to the receiver by using headers. That’s the trick!

  import flash.net.URLRequest;
  import flash.net.URLRequestMethod;
  import flash.net.navigateToURL;
  import flash.utils.ByteArray;
  import mx.utils.Base64Encoder;
  import org.alivepdf.saving.Method;

  var myEncoder:Base64Encoder = new Base64Encoder();
  var bytes:ByteArray = myPDF.save(Method.LOCAL);   // PDF as raw bytes, nothing is sent yet
  myEncoder.encodeBytes(bytes);
  var encodedText:String = myEncoder.toString();    // Base64 text, safe to send as a plain POST body
  var url:String = getURL();                        // URL of the server-side decoder script
  var request:URLRequest = new URLRequest(url);
  request.method = URLRequestMethod.POST;
  request.data = new String(encodedText);           // body only, no custom requestHeaders
  navigateToURL(request, "_blank");

The corresponding PHP script decodes the data string back to PDF. Server-side code is still allowed to send whatever headers it needs, so previewing the PDF in the browser is no problem:

  <?php
  // Read the Base64 text the Flash client POSTed and decode it back to PDF bytes
  $pdf_raw = file_get_contents( 'php://input' );
  $pdf_decoded = base64_decode( $pdf_raw );

  // PDF headers
  header( 'Content-type: application/pdf' );
  header( 'Content-Length: ' . strlen( $pdf_decoded ) );

  // Send the PDF bytes to the browser
  echo $pdf_decoded;

If you want to show the browser dialogue for viewing or saving the PDF you can add the following header in PHP:

  header( 'Content-Disposition: attachment; filename="MyFile.pdf"' );
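A hardened version of the receiving script, added here as an example and not part of the original post: the script above serves whatever the request body decodes to, under the site’s own origin and with a PDF content type, so this one bounds the body size, decodes in strict mode, checks the PDF magic bytes and sends a fixed filename plus nosniff and no-store headers. MAX_ENCODED_BYTES is an assumed limit for invoice-sized documents.

```php
<?php
// Hardened receiver for the Base64 text posted by the Flash client (added example).
// Assumption: invoices stay well below 10 MB of encoded text.
define('MAX_ENCODED_BYTES', 10 * 1024 * 1024);

// The Flash client sends a POST (URLRequestMethod.POST); refuse anything else.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Read at most one byte more than the limit so an oversized body is detectable.
$pdf_raw = file_get_contents('php://input', false, null, 0, MAX_ENCODED_BYTES + 1);
if ($pdf_raw === false || strlen($pdf_raw) > MAX_ENCODED_BYTES) {
    http_response_code(413);
    exit;
}

// Strict mode rejects characters outside the Base64 alphabet instead of silently skipping them.
$pdf_decoded = base64_decode($pdf_raw, true);

// Only serve data that actually starts like a PDF; anything else is not what the client produces.
if ($pdf_decoded === false || strncmp($pdf_decoded, '%PDF-', 5) !== 0) {
    http_response_code(400);
    exit;
}

// Fixed filename (never taken from the request), no content sniffing, no caching of invoices.
header('Content-Type: application/pdf');
header('Content-Length: ' . strlen($pdf_decoded));
header('Content-Disposition: inline; filename="invoice.pdf"');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: no-store');
echo $pdf_decoded;
```

Switch the Content-Disposition to attachment, as shown above, if the browser should offer the save dialogue instead of the inline preview.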

Hope this will help – keep on coding!


Copyright © 2009-2017 by multimedia and more