This content has been marked as final. Show 5 replies
You cannot access the location of a file. It is a security restriction. Check out Adobe Apollo on the labs.adobe.com site if you want to write a Flex application that requires local file read and write.
I understand that, but apollo it's in it's early alpha. And it sounds kind of stupid been able to upload a file to the server, been able to download a file from the server, but not been able to read it locally, I don't see how this restriction applies if there is such a simple work around by doing a server upload - download operation.
You have to think about this from the end-user's point of view. When I download something, I chose to do it and by picking the OK button I am authorizing the program to save a file to my disk. That's why you can't just start downloading files from a server - the user has to be involved.
If it were possible to read the file location when doing an upload, a malicious SWF could start reading all of the files from a directory and saving them to its creator's server. Since we don't provide the file's location, that isn't possible.
The file upload and download is a security risk that we had been trying to avoid but our customers demanded it and we provided it, but constrained it in a way to make it safe.
Does that prohibit some useful tasks? Yes, but rather that than have to issue security patches because someone had their data stolen.
Our customer's security is one of our highest priorities. More people trust the Flash Player more than any other piece of software.
Thanks for taking your time to discus about this issue. I've always liked the approach flash has had to protect personal data, or to be more specific to completely separate Internet form the local PC environment. And the proof that you guys are on the right track is that there are no FLASH viruses yet.
Still, and if it's possible I would like to make a few suggestions that shouldn't affect the security model but definatelly improve the way FLASH communicates with the server:
1.- Access a File Reference locally, I'm not talking about accessing any file on the local PC but the one the user manually selected for lets say an upload (Básicaly add an open command to fileReference), this would be very usefull since will allow the SWF to process the file before sending it, wich for example will allow to change an image size before upload or to process a text file and upload only the results of this process. I don't see how this could be a security risk since you are able to do this with the server and a huge everhead today.
2.- Been able to store the file Reference, again without accessing the PATH of the file, but the file reference object itself will be most useful to for lots applications, you don't need to have access to a directory structure but be able to access a file previously selected by the user. Just a while ago I wrote a flex application that uploaded a single file to a server every hour. I was able to store in a shared object all the paramenters a user selected for the upload except for the file reference. This meas that the user has to select the file every time it opens the application.
The best thing for you to do is fill out a request form:
The product teams always read these and prioritize them for a future release. My guess is that they will consider the matter resolved by Apollo, but it can't hurt to let them know what you think.