A document open in the Reader sandbox is never trusted and cannot be allowed to save files to arbitrary disk locations (except specific whitelisted locations such as the temp folder). You can add to the whitelisted locations if you have a way to make that change in the client machine configuration; see the policy configuration section in the application security guide: http://learn.adobe.com/wiki/download/attachments/64389123/AcrobatApplicationSecurity.pdf?version=1
We are also looking at providing alternate API/behaviour which would ask for user confirmation before a save.
I understand that, but this is NOT an unsupported configuration.
We have attempted to make a WhiteList configuration and still no success. Are we perhaps configuring the network path incorrectly?
We have followed the instructions as per the security documentation. We have even added network path in configuration whitelist as recursive.
Surely we should be able to employ BUSINESS WORKFLOW as in the past, otherwise sandbox security would be pointless without having the flexibility.
Can you paste in here examples of the path where you are trying to save the PDF file from the script and the path that you have provided on the whitelist?
var myPath = '/main_network_pathname/sub_folder_pathname/' + this.getField('out').value;
NOTE: this.getField('out').value = myPDF.pdf
FILES_ALLOW_DIR_ANY = /main_network_pathname/sub_folder_pathname/
FILES_ALLOW_ANY = /main_network_pathname/sub_folder_pathname/*
Assuming a network path like \\CoolServerName\ShareName\FolderName exists and you want to allow writing to it from protected mode, try adding the following lines to the ProtectedModeWhitelistConfig.txt file:
FILES_ALLOW_ANY = \??\UNC\CoolServerName\ShareName\FolderName\*
(Please note the \??\UNC\ prefix and the presence of the forward slashes.) This should give protected view write access to the existing FolderName folder.
So you are saying that if I have the following network path:
it goes into the protectedwhitelist file as:
FILES_ALLOW_ANY = \??\UNC\NetworkPath\myfolder\thisFolder\*
Does the protectedwhitelist file need to have anything else inside of it?
I tried this pathing and also confirmed that the WhiteList is being employed (checked that HKEY_LOCAL_MACHINE\SOFTWARE\POLICIES\ADOBE\ACROBAT READER\10.0\FEATURELOCKDOWN has a DWORD entry for "bUseWhiteListConfigFile" and it is set to "1").
Still getting the same error.
Interesting; that did work for me.
Could you try the following:
1. Protected Mode logging via Edit -> Preferences -> General Tab -> check the box "Create Protected Mode Log File" (towards the bottom). Press Yes if asked for confirmation.
2. Press OK on the Preferences dialog box.
3. Restart Reader.
4. Run your plugin/JS that should have worked.
5. Go to General Tab of Preferences (again) and this time click the View Log button and share the results of that file.
If the custom policy was applied, the log should contain a line saying:
[02:22/21:53:10] Found custom policy file: D:\Program Files (x86)\Adobe\Reader 10.0\Reader\ProtectedModeWhitelistConfig.txt
[02:22/21:53:10] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\blah\xyzzy\foo\*
If you don't see that, then there could be something wrong in getting the policy setup.
Also, if there is a policy violation, it should contain a line saying:
[02:22/21:58:17] NtCreateFile: STATUS_ACCESS_DENIED
[02:22/21:58:17] real path: \??\UNC\blah\xyzzy\foo\flagfile.txt
[02:22/21:58:17] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[02:22/11:38:21] Found custom policy file: C:\Program Files\Adobe\Reader 10.0\Reader\ProtectedModeWhitelistConfig.txt
[02:22/11:38:21] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\myNetworkPath\subNetworkPath\*
[02:22/11:38:22] NtCreateKey: STATUS_ACCESS_DENIED
[02:22/11:38:22] real path: \REGISTRY\MACHINE\Software\Adobe
[02:22/11:38:22] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[02:22/11:38:22] NtCreateKey: STATUS_ACCESS_DENIED
[02:22/11:38:22] real path: \REGISTRY\MACHINE\SOFTWARE\Adobe
From your log, it looks like the policy did get added, and there were no violations when accessing the network path either. So now the question is: Is your plugin/JS code bailing out at a place even before it accesses the paths? Because if the network path were accessed, the access should have been granted (per the policy) or otherwise an entry saying the access was denied would have appeared in the log.
Could something be going wrong before or after the network file has been accessed? Which exact call is failing?
As stated...if I remove the Protected Mode, the "saveAs" function works fine.
It's failing here:
Security settings prevent access to this property or method.
Based on your log, things seem to be working correctly from the policy point of view, so the issue could be elsewhere (maybe something during the Save operation that's causing the problem).
Could you share a simple PDF that demonstrates this problem?
Got it working.
Constructing the rules with the right syntax is always critical, especially with little or no documentation for the whitelist.
Even what the broker log reports and adding that to the white list is not an easy task.
FILES_ALLOW_ANY=\??\UNC\CoolServer\Coolshare\* did the trick along with all the other recommendations from the broker log.
I think WE got it working as well...so here is my question...
Is the string "=\??\UNC\coolserver\coolshare\*" the actual word for word syntax???
All I can say is: how can Adobe so radically change its product's security structure with little or no documentation to assist with what can be and IS a fundamental change affecting the WORKFLOW of any organization?
This is like looking for a needle in a haystack.
Thanks to everyone who chimed in on this thread...much appreciated. I will keep open this thread until we have further tested.
The syntax for whitelisting a network path like "\\Hello\New\World" is:
FILES_ALLOW_ANY = \??\UNC\Hello\New\World\*
Basically, instead of the leading prefix "\\" use the "\??\UNC\" prefix.
Just to not confuse anyone about my last post:
FILES_ALLOW_ANY=\??\UNC\CoolServer\Coolshare\* is NOT the literal string to use.
Replace CoolServer with your server name and replace Coolshare with your share name.
Here's where I wish the broker would've reported this method access error but it never did. Took a while to get the syntax down pat.
Final words for anyone trying to make Reader X with ProtectedMode enabled:
The Brokerlog is your friend.
However, the Brokerlog entries are not the literal rules for your ProtectedModeWhiteListConfig.txt. Some trial and error required with the syntax :-(
Here's what works in my Windows 7/IE9 and XP/IE8 environment (Reader 10 Only+McAfee 8.7+Entrust 9.1) based on Broker log entries:
REM SECTION_ALLOW_ANY=Global\FntCache-4cea5cda-f9ce-45ec-af77-82b8733ef9a1* (at one point the broker recommended this but found later it was not needed).
Also, the 10.0.1 update addresses issues with Entrust and McAfee, and the JS SaveAs method now seems to work with the proper syntax for the FILES_ALLOW_ANY rule.
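To save others the trial and error described above, here is an added helper of my own (not code from this thread or from Adobe). It derives whitelist rules in the exact shapes shown in this thread (FILES_ALLOW_ANY = \??\UNC\Server\Share\Folder\* for network paths, \??\C:\...\* for local paths, and REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\...* for registry keys), and it pulls the STATUS_ACCESS_DENIED entries with their "real path" and "Consider modifying policy" hints out of a broker log so you can see what is being blocked. The sample log text, the server names, and the \REGISTRY\USER\<SID> to HKEY_CURRENT_USER mapping are my assumptions; the rest follows the log lines posted earlier in this thread.

```python
# Added example, not from this thread or from Adobe. Derives Reader X
# Protected Mode whitelist rules in the shapes the thread shows and lists
# the denials found in a broker log. Assumptions: the sample log, the server
# names, and the \REGISTRY\USER\<SID> -> HKEY_CURRENT_USER mapping.
import re


def path_to_files_rule(win32_path: str) -> str:
    r"""Turn a Win32 path into a FILES_ALLOW_ANY rule for that folder.

    \\Server\Share\Dir  -> FILES_ALLOW_ANY = \??\UNC\Server\Share\Dir\*
    C:\Windows\system32 -> FILES_ALLOW_ANY = \??\C:\Windows\system32\*
    """
    p = win32_path.replace('/', '\\').rstrip('\\')
    if p.startswith('\\\\'):
        nt_path = '\\??\\UNC\\' + p[2:]      # replace the leading \\ with \??\UNC\
    elif re.fullmatch(r'[A-Za-z]:(\\.*)?', p):
        nt_path = '\\??\\' + p               # drive paths keep the drive letter
    else:
        raise ValueError(f'not an absolute UNC or drive path: {win32_path!r}')
    return f'FILES_ALLOW_ANY = {nt_path}\\*'


def nt_to_reg_rule(nt_key: str) -> str:
    r"""Map a logged NT registry path to a REG_ALLOW_ANY rule.

    \REGISTRY\MACHINE\Software\Adobe -> REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\Software\Adobe*
    """
    hive, m = 'HKEY_LOCAL_MACHINE', re.match(r'\\REGISTRY\\MACHINE(?=\\|$)', nt_key, re.I)
    if not m:
        # Assumption: the user hive is logged as \REGISTRY\USER\<SID>\..., which
        # is HKEY_CURRENT_USER for the logged-on user.
        hive, m = 'HKEY_CURRENT_USER', re.match(r'\\REGISTRY\\USER\\S-1-[\d-]+(?=\\|$)', nt_key, re.I)
    if not m:
        raise ValueError(f'unrecognised registry path: {nt_key!r}')
    return f'REG_ALLOW_ANY = {hive}{nt_key[m.end():]}*'


def suggest_rule(real_path):
    """Rule in the thread's shapes for a denied 'real path' (None if unknown)."""
    if real_path is None:
        return None
    if real_path.upper().startswith('\\REGISTRY\\'):
        return nt_to_reg_rule(real_path)
    if real_path.startswith('\\??\\'):
        # The thread whitelists the containing folder (...\foo\*) for a denied
        # file (...\foo\flagfile.txt). The log does not say whether the path is
        # a file or a folder, so check before widening the rule further.
        return f"FILES_ALLOW_ANY = {real_path.rsplit(chr(92), 1)[0]}\\*"
    return None


LOG_LINE = re.compile(r'^\[(\d\d:\d\d/\d\d:\d\d:\d\d)\] (.*)$')
DENIED = re.compile(r'^(Nt\w+): STATUS_ACCESS_DENIED$')
REAL_PATH = re.compile(r'^real path: (.+)$')
CONSIDER = re.compile(r'^Consider modifying policy using (?:this|these) policy rules?: (.+)$')


def parse_broker_log(text: str):
    """Collect each STATUS_ACCESS_DENIED entry with its real path and hints."""
    msgs = [LOG_LINE.match(l).group(2) for l in text.splitlines() if LOG_LINE.match(l)]
    events, i = [], 0
    while i < len(msgs):
        m = DENIED.match(msgs[i])
        if m:
            ev = {'call': m.group(1), 'real_path': None, 'hint': [], 'rule': None}
            if i + 1 < len(msgs) and (rp := REAL_PATH.match(msgs[i + 1])):
                ev['real_path'], i = rp.group(1), i + 1
            if i + 1 < len(msgs) and (c := CONSIDER.match(msgs[i + 1])):
                ev['hint'], i = re.split(r'\s+or\s+', c.group(1).strip()), i + 1
            ev['rule'] = suggest_rule(ev['real_path'])
            events.append(ev)
        i += 1
    return events


def build_whitelist(events):
    """Unique rules (registry and NT paths are case-insensitive), order kept."""
    seen, rules = set(), []
    for ev in events:
        if ev['rule'] and ev['rule'].upper() not in seen:
            seen.add(ev['rule'].upper())
            rules.append(ev['rule'])
    return rules


# Constructed sample modelled on the broker log lines posted in this thread.
SAMPLE_LOG = r"""[02:22/11:38:21] Adobe Reader Protected Mode Logging Initiated
[02:22/11:38:21] Found custom policy file: C:\Program Files\Adobe\Reader 10.0\Reader\ProtectedModeWhitelistConfig.txt
[02:22/11:38:21] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\example-server\example-share\*
[02:22/11:38:22] NtCreateFile: STATUS_ACCESS_DENIED
[02:22/11:38:22] real path: \??\UNC\example-server\other-share\reports\flagfile.txt
[02:22/11:38:22] Consider modifying policy using these policy rules: FILES_ALLOW_ANY or FILES_ALLOW_DIR_ANY
[02:22/11:38:22] NtCreateKey: STATUS_ACCESS_DENIED
[02:22/11:38:22] real path: \REGISTRY\MACHINE\Software\Adobe
[02:22/11:38:22] Consider modifying policy using this policy rule: REG_ALLOW_ANY
[02:22/11:38:23] NtCreateKey: STATUS_ACCESS_DENIED
[02:22/11:38:23] real path: \REGISTRY\MACHINE\SOFTWARE\Adobe
"""

if __name__ == '__main__':
    for ev in parse_broker_log(SAMPLE_LOG):
        print(ev['call'], ev['real_path'], ev['hint'], '->', ev['rule'])
    print('\n'.join(build_whitelist(parse_broker_log(SAMPLE_LOG))))
```

Two things worth keeping in mind when you paste the output into ProtectedModeWhitelistConfig.txt: every rule is a hole in the sandbox, so whitelist the one folder the workflow writes to rather than the share root, and re-run with logging on to confirm the "Adding custom policy" line appears and the denial disappears, because (as noted above) the log's hint is not always the literal rule. The helper accepts drive-letter paths, but earlier in this thread a rule on a mapped drive letter did not help for a mapped DFS share, so prefer the UNC form.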
I'm still experiencing issues with files on DFS shares, even after version 10.0.1 has been applied. It would seem my issue is not in opening normal PDF files but in the fact that the PDF files have been Archived and have the Black Clock Symbol on them. If I disable the Adobe Sandbox the files "un-archive" and open perfectly, but with the sandbox still enabled it fails with "Access Denied". I have even generated a customised Whitelist as specified in the AcrobatApplicationSecurity.pdf (with help of the broker log) and with help from this article. I must add that if I use the DFS link directly (\\server\share\xxxx\xxx\xx\filename.pdf) the PDF opens fine even with the sandbox enabled and it being in the "Archived state", but through a mapped drive to the DFS share it won't open (z:\xxxx\xxx\xx\filename.pdf). Here is my last broker log with "no errors seen anymore...":
[03:09/22:18:33] Adobe Reader Protected Mode Logging Initiated
[03:09/22:18:33] Found custom policy file: C:\Program Files\Adobe\Reader\ProtectedModeWhitelistConfig.txt
[03:09/22:18:33] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\MYSERVER.NET\SVR\*
[03:09/22:18:34] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\MYSERVER2\SVR\*
[03:09/22:18:34] Adding custom policy: FILES_ALLOW_ANY = \??\UNC\MYSERVER3\SVR\*
[03:09/22:18:34] Adding custom policy: FILES_ALLOW_ANY = \??\C:\WINDOWS\system32\*
[03:09/22:18:34] Adding custom policy: REG_ALLOW_ANY = HKEY_LOCAL_MACHINE\SOFTWARE\Adobe*
[03:09/22:18:34] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat*
[03:09/22:18:34] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings*
[03:09/22:18:34] Adding custom policy: REG_ALLOW_ANY = HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication*
[03:09/22:18:34] Adding custom policy: EVENTS_ALLOW_ANY = MSFT.VSA*
[03:09/22:18:34] Adding custom policy: EVENTS_ALLOW_ANY = _fCanRegisterWithShellService*
Any help would be deeply appreciated! Tim.
Let me get clear on your issues:
1. Applied 10.01 msp to Reader 10.
2. Protected mode enabled: Cannot open archived .pdfs.
3. However, you can access archived pdfs via UNC paths (are you using FQDNs?) but not via mapped drives.
Have you tried to add a whitelist rule like
FILES_ALLOW_ANY = MAP\FOLDER\* eg. FILES_ALLOW_ANY=Z:\SVR\*
I don't see how I can put drive letters down as the user could map any drive to the DFS Share!
However I did try putting in the 3 servers that the DFS connects to and that made no difference.
That was why I posted the Whitelist log above for everyone to see (with no errors anymore). The servers in the whitelist are set as you described previously.
You were correct: if I use Start > Run > \\Myserver.net\svr\sharename$ and browse to the file it opens fine.
You were correct: if I use Z:\ mapped to the above and then browse to the file it fails to open!
I tried Z:\* in the whitelist! No joy, I'm afraid.
The plugin which I created using the Acrobat SDK works fine in AdobeReader-9 but it doesn't work as expected in AdobeReader-X.
The issues with Reader-X are listed below:
1. In Reader-X, there is an option which we can select for 'Enable Protected-Mode'.
a. If this is enabled I am able to see all the buttons of MyPlugin, but when I click on each button it won't do its task; instead I get an error message saying unable to create HelperObject (Class not Registered Error). Why are MyPlugin's buttons not performing their task when Protected-Mode is Enabled?
b. If I disable Protected-Mode, I am able to see all the buttons of MyPlugin, and when I click on those buttons they are able to do their task as expected.
Here is what my application does,
The plug-in is written in VC++ and it interacts with C# .
The C# code reads/writes to the registry and file system. It also accesses Acrobat APIs using DDE.
When protected mode is ON, it displays a class not registered error.
Whereas the C# class is registered and is accessible when protected mode is OFF.
Will implementing the Broker Process solve the issue?
Is there any sample available for implementing the Broker Process ?
After reading this thread i think the Broker Process is needed to make my plug-in work even when the Protected mode is ON.
Please let me know as to how this should be achieved.
Thanks in advance. Please, someone help me out with this.