AIR security flaw

Posted on July 20, 2009


Opening a new browser window outside an AIR application will expose the URL variables in the browser.

It is not entirely fair to pin this on AIR, since AIR is meant for desktop applications and has little to do with external browsers, but it is an issue you may run into when launching an external browser ('external' meaning not inside the AIR application itself). It becomes a security flaw when you open the browser with authenticated data or session data. Even if you use the POST method to send the URL variables, they won't be hidden in the browser.

Here is one example where you can find such trouble.

    <?xml version="1.0" encoding="utf-8"?>
    <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute">
        <mx:Button x="399" y="305" label="Button" click="getUI()" />

        <mx:Script>
            <![CDATA[
                private function getUI():void{
                    var re:URLRequest=new URLRequest("http://localhost/url/check.php");
                    re.method=flash.net.URLRequestMethod.POST;

                    var urlv:URLVariables=new URLVariables;
                    urlv.desc=5;
                    re.data=urlv;
                    // Hands the request, including desc, to the external browser.
                    navigateToURL(re,"_self");
                }
            ]]>
        </mx:Script>

    </mx:WindowedApplication>

When you run this example, it opens a browser that shows the variable name and value, whereas the same sort of code in a web application would not show 'desc=5' in the browser.
The equivalent code for a web application, attached to a button's mouse click event, is given below.

    abc_mc.addEventListener(MouseEvent.CLICK, ola);

    function ola(e:MouseEvent):void{
        var re:URLRequest=new URLRequest("http://localhost/url/check.php");
        re.method=flash.net.URLRequestMethod.POST;

        var urlv:URLVariables=new URLVariables;
        urlv.desc=5;
        re.data=urlv;
        navigateToURL(re,"_blank");
    }

The php code used in the test is as follows:

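    <?php
    // $_REQUEST merges GET and POST, so the value is echoed whichever way it arrives.
    $test = isset($_REQUEST['desc']) ? $_REQUEST['desc'] : '';
    // Escape before output so the echoed value cannot inject markup.
    echo htmlspecialchars($test, ENT_QUOTES, 'UTF-8');
    ?>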

So make sure you never pass any data when opening an external browser.
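
One way to follow that advice and still open an authenticated page, shown as an added example that is not code from the original post: the value is POSTed with URLLoader from inside the AIR application, and the browser receives only a single-use ticket. It belongs in the same `<mx:Script>` block as getUI(); the ticket.php endpoint, its plain-text response and the "ticket" parameter are assumptions.

```actionscript
// Added example: keep sensitive values inside the AIR runtime and hand the
// external browser only a short-lived, single-use ticket.
// ASSUMPTIONS (not from the original post): ticket.php, its plain-text
// response, the "ticket" parameter and check.php accepting it are hypothetical.
import flash.events.Event;
import flash.events.IOErrorEvent;
import flash.events.SecurityErrorEvent;
import flash.net.URLLoader;
import flash.net.URLRequest;
import flash.net.URLRequestMethod;
import flash.net.URLVariables;
import flash.net.navigateToURL;

private const TICKET_URL:String = "http://localhost/url/ticket.php"; // hypothetical
private const PAGE_URL:String = "http://localhost/url/check.php";

private function openInBrowser(desc:int):void {
    // URLLoader sends the POST body from inside the application, so the
    // value never reaches a browser address bar or history.
    var req:URLRequest = new URLRequest(TICKET_URL);
    req.method = URLRequestMethod.POST;
    var body:URLVariables = new URLVariables();
    body.desc = desc;
    req.data = body;

    var loader:URLLoader = new URLLoader();
    loader.addEventListener(Event.COMPLETE, onTicket);
    loader.addEventListener(IOErrorEvent.IO_ERROR, onTicketError);
    loader.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onTicketError);
    loader.load(req);
}

private function onTicket(evt:Event):void {
    // Strip surrounding whitespace such as a trailing newline.
    var ticket:String = String(URLLoader(evt.target).data).replace(/^\s+|\s+$/g, "");
    // Accept only an opaque token shape; never forward arbitrary server text.
    if (!/^[A-Za-z0-9_-]{16,128}$/.test(ticket)) {
        trace("Unexpected ticket format, browser not opened");
        return;
    }
    // Only the ticket is visible in the URL; the server is assumed to
    // expire it after one use.
    navigateToURL(new URLRequest(PAGE_URL + "?ticket=" + ticket), "_blank");
}

private function onTicketError(evt:Event):void {
    trace("Ticket request failed: " + evt.type);
}
```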


Filed Under AIR, AS3

Prevent XML caching problem

Posted on June 8, 2009


When you load XML files with URLLoader, they are often cached by the browser, so Flash is unable to display the updated data. This is a very common problem, and I always find it somewhere around me once a month or so. Even my friends face the same issue.

There is a very simple solution to this cute little problem. Whenever you load with the URLLoader.load method, just add a time stamp to the URLRequest and everything will work fine, except that you might get an error message while compiling the SWF ("Error #2044: Unhandled ioError:. text=Error #2032: Stream Error. URL"). You can ignore it and continue publishing. On the web it will not throw any such error, believe me.

Here is the little rabbit:

    var xmlPath:String="replaceYourXMLPathHere.xml";
    var urlReq:URLRequest = new URLRequest(xmlPath+"?time=" + new Date().getTime());

Let me know if readers have some other idea.
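
A fuller version of the time-stamp approach above, as an added example that is not code from the original post: it keeps an existing query string intact, handles the ioError event, and adds the stamp only for http/https loads. The helper name cacheBustedRequest is hypothetical, and the local-file explanation for the stream error is an assumption.

```actionscript
// Added example: cache-busting helper for timeline code.
// ASSUMPTION (not from the original post): the stream error seen while
// publishing comes from the local file system being asked for a file
// literally named "file.xml?time=...", so the stamp is added only for
// http/https loads.
import flash.events.Event;
import flash.events.IOErrorEvent;
import flash.net.URLLoader;
import flash.net.URLRequest;

function cacheBustedRequest(path:String, swfUrl:String):URLRequest {
    var httpPattern:RegExp = /^https?:\/\//i;
    // A relative path is remote when the SWF itself was served over http(s).
    var remote:Boolean = httpPattern.test(path) || httpPattern.test(swfUrl);
    if (!remote) {
        return new URLRequest(path); // local test run: load the file as-is
    }
    // Respect a query string that is already present.
    var sep:String = (path.indexOf("?") == -1) ? "?" : "&";
    return new URLRequest(path + sep + "time=" + new Date().getTime());
}

var loader:URLLoader = new URLLoader();
loader.addEventListener(Event.COMPLETE, onXmlLoaded);
loader.addEventListener(IOErrorEvent.IO_ERROR, onXmlError);
loader.load(cacheBustedRequest("replaceYourXMLPathHere.xml", loaderInfo.url));

function onXmlLoaded(evt:Event):void {
    var xml:XML = new XML(URLLoader(evt.target).data);
    trace(xml.toXMLString());
}

function onXmlError(evt:IOErrorEvent):void {
    // A registered ioError listener prevents "Error #2044: Unhandled ioError".
    trace("XML load failed: " + evt.text);
}
```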


Filed Under AS3

AS3 Event Handling- part 6

Posted on April 17, 2009


In this small part of the ActionScript event handling series we will learn an effective event handling technique that helps us release our objects for garbage collection (I will be writing about this interesting topic soon). In other words, we can build efficient applications without causing memory leaks. The rule of thumb is to use removeEventListener to remove any event listener attached to an object before you remove or delete it with either removeChild or delete.

Whenever we create objects and attach event listeners to them, the listeners go on executing as long as the object resides in memory. Let me give you a small example:

Create a MovieClip instance on the stage and give it a name (foo_mc in my example). Now open the Actions panel on the first frame, write the code for the ENTER_FRAME event of that MovieClip, and then remove foo_mc. The example code is given below:

    foo_mc.addEventListener(Event.ENTER_FRAME, trackObject);

    function trackObject(evt:Event){
        removeChild(foo_mc);
        trace("I am executing");
    }

When you execute this code, even though you have removed the child with the removeChild method, it will not be removed from memory and the trackObject function will keep executing. Even if you add foo_mc=null, it will still execute the function. The reason is that foo_mc is not completely deleted from memory at this point. It may be removed some time later, when the garbage collector sees that foo_mc does not have any reference to other objects. Here the enter frame loop goes on because foo_mc has a listener for the enter frame event. One thing you should always remember is that removeChild() never removes display objects from memory; it only removes them from the parent's display list. When this situation arises, it is always wise to remove the event listener attached to the object before you remove it from the display list. It is also good programming practice to set an object's methods to null when they are no longer required, so that they won't eat up memory. The problem grows bigger when looping is involved. So better code may look like this:

    foo_mc.addEventListener(Event.ENTER_FRAME, trackObject);

    function trackObject(evt:Event){
        foo_mc.removeEventListener(Event.ENTER_FRAME, trackObject);
        removeChild(foo_mc);
        trace("I am executing");
    }

If you see this differently, please share it with me.


Filed Under AS3, Flash, Flex 3.0

AS3 Event Handling- part 5

Posted on April 10, 2009


The previous part of the AS3 Event Handling series was about creating a custom event class. In this part we will look at one of the mostly unused parameters of the addEventListener method.

addEventListener is the method used to add a listener to an object for a specified event. We usually pass two parameters (the first is the event name and the second is the event handler) and everything works perfectly. But if you need more control over the event flow, you may be interested in the other parameters available. The other three parameters are useCapture, priority and useWeakReference. We will discuss the first one in this part.

useCapture

This parameter controls how the event object is processed in the phases of event propagation. The default value is false, which means the event object can provide information about the target phase and the bubbling phase, but not about the capture phase.

To understand the exact behaviour, let's create a small Flash file and write some code. Open an AS3 Flash document, create one big rectangular MovieClip named "parent_mc" and a smaller rectangular MovieClip inside it named "child_mc". Now select the first frame and write the code. Download the file to see what the trace statements say about the mouse down event.

    parent_mc.addEventListener(MouseEvent.MOUSE_DOWN, truePhase, true);
    parent_mc.addEventListener(MouseEvent.MOUSE_DOWN, falsePhase, false);

    function truePhase(evt:MouseEvent):void{
        trace("=====================use capture true===================================");
        switch(evt.eventPhase){
            case EventPhase.BUBBLING_PHASE:
                trace("BUBBLING_PHASE");
                break;
            case EventPhase.CAPTURING_PHASE:
                evt.stopImmediatePropagation();
                trace("CAPTURING_PHASE");
                break;
            case EventPhase.AT_TARGET:
                trace("AT_TARGET");
                break;
        }

        trace("currenttarget: " +evt.currentTarget.name);
        trace("target:        "+evt.target.name);
    }

    function falsePhase(evt:MouseEvent):void{
        trace("=====================use capture false===================================");
        switch(evt.eventPhase){
            case EventPhase.BUBBLING_PHASE:
                trace("BUBBLING_PHASE");
                break;
            case EventPhase.CAPTURING_PHASE:
                trace("CAPTURING_PHASE");
                break;
            case EventPhase.AT_TARGET:
                trace("AT_TARGET");
                break;
        }

        trace("currenttarget: " +evt.currentTarget.name);
        trace("target:        "+evt.target.name);
    }

There are two event handlers for the mouse down event because, if we set useCapture to true, we won't be able to catch the target and bubbling phases. So the two event handlers handle the event with useCapture true and false respectively. When you press the mouse on the bigger rectangle, you only see parent_mc as the target, in the target phase of propagation. This is because there is no child element under the mouse pointer. Notice that I have added evt.stopImmediatePropagation(); in the first event handler, in the second case of the switch statement; this blocks further propagation of the event and does not let the second event handler execute. The event object stops travelling. You can see the result when you click the inner child_mc in this example. You will only see:
=====================use capture true===================================
CAPTURING_PHASE
currenttarget: parent_mc
target: child_mc

If you comment out that line, you will also see the events fired in the bubbling phase. So comment it out and look at the results. You will see:
=====================use capture true===================================
CAPTURING_PHASE
currenttarget: parent_mc
target: child_mc
=====================use capture false===================================
BUBBLING_PHASE
currenttarget: parent_mc
target: child_mc

This gives us a good way to control the event flow when working with nested display objects.

Click here to download the example file.


Filed Under AS3, Flash

AS3 Event Handling- part 4

Posted on April 8, 2009


In the previous part we discussed event propagation. In this part we will look at creating a custom event class.

The need for a custom event class arises when you want to make your event system more systematic and comprehensive. Let me give one example where you might need your own event class, in which you can define your event names, customize it to get values of the event-related objects, and use it as simply as the built-in event classes. We are going to build a confirmation control box with three buttons labelled "Yes", "No" and "Cancel". We might have other types of utility boxes that have any one of these three controls, a combination of two, or a single control (alert windows).

For the above example, let's create a small project in Flex Builder and create a small custom component called ConfirmationBox. Put in three buttons labelled as required. Here is similar code that you may write for yourself.

    <?xml version="1.0" encoding="utf-8"?>
    <mx:Canvas xmlns:mx="http://www.adobe.com/2006/mxml" width="400" height="100">
        <mx:Button x="175" y="68" label="Yes" click="yes()"/>
        <mx:Button x="248" y="68" label="No" click="no()"/>
        <mx:Button x="321" y="68" label="Cancel" click="cancel()"/>
        <mx:HRule x="10" y="54" width="380" height="1"/>
        <mx:Text x="31" y="10" text="Are you sure you want to quit?" width="359" height="41" fontSize="17" fontFamily="Arial" fontWeight="bold"/>
        <mx:Script>
            <![CDATA[

                private function cancel():void{
                    //TODO
                }
                private function no():void{
                    //TODO
                }
                private function yes():void{
                    //TODO
                }

            ]]>
        </mx:Script>
    </mx:Canvas>

Each button has a separate click handler, and we shall write some code so that our component can dispatch the custom event that we are about to create. Generally we subclass the existing flash.events.Event class to get all the basic methods and properties of an event class. Now we shall create an event class called "WindowControlEvent" which extends the Event class of the flash.events package. Add three string constants to denote the event names before the constructor. Your class will look like this:

    package
    {
        import flash.events.Event;

        public class WindowControlEvent extends Event
        {
            public static const YES:String="yes";
            public static const NO:String="no";
            public static const CANCEL:String="cancel";

            public function WindowControlEvent(type:String, bubbles:Boolean=false, cancelable:Boolean=false)
            {
                //TODO: implement function
                super(type, bubbles, cancelable);
            }

        }
    }

Declaring the constants in uppercase makes them stand out and helps avoid typing errors. We can now attach this event to an object with the addEventListener method, e.g. objectName.addEventListener(WindowControlEvent.YES, eventHandler). That's it for a very basic custom event class. Now let's use it.

In the small component that we wrote before, let's dispatch the events in the three click handlers. We have to dispatch a new WindowControlEvent and pass the event name ("cancel", "no" or "yes") using the constants defined for them.

    <mx:Script>
        <![CDATA[
            public function cancel():void{
                dispatchEvent(new WindowControlEvent(WindowControlEvent.CANCEL));
            }
            public function no():void{
                dispatchEvent(new WindowControlEvent(WindowControlEvent.NO));
            }
            public function yes():void{
                dispatchEvent(new WindowControlEvent(WindowControlEvent.YES));
            }
        ]]>
    </mx:Script>

Now let’s use this in our application and capture the events.

    <?xml version="1.0" encoding="utf-8"?>
    <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml" layout="absolute" xmlns:local="*" applicationComplete="init()">
        <local:ConfirmationBox id="confBox">

        </local:ConfirmationBox>
        <mx:Script>
            <![CDATA[
                import mx.controls.Alert;
                private function init():void{
                    confBox.addEventListener(WindowControlEvent.YES, saveAndExit);
                    confBox.addEventListener(WindowControlEvent.NO, dontSaveAndExit);
                    confBox.addEventListener(WindowControlEvent.CANCEL, stayBack);
                }

                private function stayBack(evt:WindowControlEvent):void{
                    Alert.show("stayback");
                }

                private function dontSaveAndExit(evt:WindowControlEvent):void{
                    Alert.show("dontSaveAndExit");
                }

                private function saveAndExit(evt:WindowControlEvent):void{
                    Alert.show("saveAndExit");
                }

            ]]>
        </mx:Script>
    </mx:WindowedApplication>
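
The post mentions customizing the event class to carry values of the event-related objects. A variant of WindowControlEvent that does so, as an added example that is not the post's own class: the windowId property is hypothetical, and because it is the last constructor argument with a default value, the dispatch calls shown earlier still compile unchanged.

```actionscript
package
{
    import flash.events.Event;

    // Added example, not the post's class: WindowControlEvent extended with
    // a payload. "windowId" is a hypothetical property.
    public class WindowControlEvent extends Event
    {
        public static const YES:String = "yes";
        public static const NO:String = "no";
        public static const CANCEL:String = "cancel";

        private var _windowId:String;

        public function WindowControlEvent(type:String, bubbles:Boolean = false,
                                           cancelable:Boolean = false,
                                           windowId:String = null)
        {
            super(type, bubbles, cancelable);
            _windowId = windowId;
        }

        // Read-only, so one listener cannot alter what later listeners see.
        public function get windowId():String
        {
            return _windowId;
        }

        // Needed when the event is re-dispatched: without this override the
        // copy is a plain Event and the payload is lost.
        override public function clone():Event
        {
            return new WindowControlEvent(type, bubbles, cancelable, _windowId);
        }

        override public function toString():String
        {
            return formatToString("WindowControlEvent", "type", "bubbles",
                                  "cancelable", "windowId");
        }
    }
}
```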

Filed Under AS3, Flex 3.0
