Executing a file from a link

nharding:
Hi,

I am writing DCDisplay, and one of the things I've added is the ability to scan your hard drive to produce a report. I have an HTML template that outputs the file, size, thumbnail image, any problems found, any duplicate copies, average resolution, and number of pages. I wanted the links in the report to be "live" so that you can do <a href="file:\\c:\DCDisplay\DCDisplay.exe c:\path\file.cbr">FileName</a> but this doesn't work.

Has anyone got a small webserver service that can be used with <a href="1270.0.0.1:2012:\\DCDisplay c:\path\file.cbr">, for example? Otherwise I can add it to the application, but I think it's something that could be more general (with whitelisted applications, so DCDisplay would have to be registered to run c:\DCDisplay\DCDisplay.exe, for example).

Neil Harding

nharding:
Actually, thinking about it, I guess it would be possible using a Java app to launch the real app, but the Java security model would still cause problems.

Neil Harding

nharding:
I've decided to embed a web browser into the application, so it can be used to control the application (selecting a link will open that archive), but I still think it would be useful to be able to start an application from within an HTML page.

Neil Harding

Ath:
--- Quote from: nharding (January 08, 2011, 09:36 AM) ---
I wanted the links in the report to be "live" so that you can do <a href="file:\\c:\DCDisplay\DCDisplay.exe c:\path\file.cbr">FileName</a> but this doesn't work.
--- End quote ---

Does it help if you use forward slashes instead of backslashes? And I recall a 'file:' prefix needs a triple-slash if a local file is involved, like file:///c:/DCDisplay/DCDisplay.exe bladibla

worstje:
Would it be useful? Perhaps. Would it be a gigantic danger? Hell yes. That is why all sane browsers will red-flag it and make the user confirm at least once they really want to do some action that falls out of the scope of the website, might be dangerous, etc.

Suppose for a moment it would work without any issues. Calling arbitrary applications just means you open up a can of worms known as scripting for attackers. Even if they can't put files on your computer to call, such as batch files, cmd.exe can be used to execute simple things without much trouble. PowerShell would be even worse.

Do not forget it is trivial for a webpage to have links click themselves or otherwise get executed.

The best way to go about it is to run either your own webclient control like you are doing atm, or to have the webpage be served by a sort of built-in webserver inside your program. That way, calling the link can just load something on this internal built-in webserver which executes the action. This is how the Visual Studio help system works.
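
The built-in webserver from the last post, combined with the whitelist of registered applications from the first post, sketched as an added example that is not part of the original thread and is not DCDisplay's code. The `/open` route, the `token` parameter and the extension list are assumptions; the port and the paths are the ones used in the thread.

```python
# Added example: loopback-only launcher with an application allowlist.
# Route name, token scheme and extension list are assumptions.
import hmac, secrets, subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import PureWindowsPath
from urllib.parse import urlparse, parse_qs

# Registered applications: link name -> (executable, allowed file extensions).
ALLOWED_APPS = {
    "DCDisplay": (r"c:\DCDisplay\DCDisplay.exe", {".cbr", ".cbz"}),
}
# Per-run secret written into the report's links, so a page from another
# origin that "clicks" a link by itself cannot produce a working URL.
TOKEN = secrets.token_urlsafe(32)

def build_argv(app, file_arg, token):
    """Return the argv list to execute, or None if the request is rejected."""
    if not hmac.compare_digest(token.encode(), TOKEN.encode()):
        return None
    entry = ALLOWED_APPS.get(app)   # a registered name, never a path from the link
    if entry is None:
        return None
    exe, extensions = entry
    path = PureWindowsPath(file_arg)
    # Require an absolute local path (drive letter + root); reject UNC and "..".
    if len(path.drive) != 2 or not path.root or ".." in path.parts:
        return None
    if path.suffix.lower() not in extensions:
        return None
    return [exe, str(path)]

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        q = parse_qs(url.query)
        argv = None
        if url.path == "/open":
            argv = build_argv(q.get("app", [""])[0], q.get("file", [""])[0],
                              q.get("token", [""])[0])
        if argv is None:
            self.send_error(403)
            return
        subprocess.Popen(argv)      # argv list, no shell: nothing is re-parsed
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    # Bind to loopback only so other machines cannot reach the launcher.
    HTTPServer(("127.0.0.1", 2012), Handler).serve_forever()
```

A report link then takes the form `http://127.0.0.1:2012/open?app=DCDisplay&file=c:\path\file.cbr&token=...`, with the token filled in when the report is generated.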