Justin Everett-Church on Flash 10 FileReference
Today I headed up to the Adobe SF office to interview Justin Everett-Church about the recent controversial changes to the FileReference class. Justin is the Senior Product Manager for Flash Player and in the interview he talks about the reasons for the change as well as ways that we could have possibly handled things better.
I found out a few things today that make things much clearer to me. First, this wasn’t based on a theoretical security threat but instead on actual security reports that we received. Unfortunately we cannot divulge the specifics of the attacks, but they are real. As for communication, the main issue was that we didn’t spend enough time communicating to the AJAX community who are primarily the ones affected by this change. Anyway, listen to the interview for more details.
Please also read this article for more details on the changes. Feel free to leave your opinions in the comments but I’m moving on. The reasoning makes sense to me and the workarounds are actually quite easy. Now on to those other complaints.
Lee

Very interesting – thanks lee. And I agree – it’s time to move onwards and upwards.
Any reason for mono sound?
Honestly I haven’t totally followed what the change was and this helps–so thanks. But, really, you can tell us what the real threat is/was. I get the theory that you don’t want to tell the bad people how to exploit it–but if it’s so important wouldn’t it make sense to strongly encourage users to upgrade to FP10? Really, I’m often bopping back to FP9 because of several reasons–but what risk am I exposing myself to exactly?
Anyway, thanks for the vid! Is that video player a new UI for tv.adobe.com…? sweet
@jassa thanks for letting me know. Guess I have to re-encode.
@Phillip Justin described the type of situation in the video. Flash ads that pop open file save dialogs that appear to be from the actual site not the ad. Things of this nature. When I say we can’t give specifics I mean about actual sites affected, etc.
Well, it’s good that you guys are talking about this more and hopefully reaching out, but I think the “sure, we could have communicated more” statement is the understatement of the year. When I first blogged about this, the only statement I could find from Adobe was, “Throwing error 2176 prevents a security vulnerability that could allow dialogs to be displayed without an explicit action by the user. WordPress will need to alter their code so that they do not indirectly call FileReference.browse to display the file dialog.”
And if you read the various posts by WP engineers and the SWFUpload guys on their own support forums, it’s obvious they felt left out in the rain on this one.
At any rate, there is a patch available for WordPress:
http://www.bit-101.com/blog/?p=1608
So all is good in the end!
Minor note: Church’s name is spelled incorrectly in the title.
Also, thanks for clarifying this issue.
@Phillip, about risks: There are some sites who used this exploit to let you download a file which, when run, would wreak havoc on your PC (Windows). A common example is the “Codec.exe”, which supposedly lets you view video content from that site, but in reality is just a Trojan (Trojan.Downloader.WMA.x), or in some cases, a virus.
- Win32.Parite.A/B/H, Win32.Worm.VB.NPM among others and even in some “stranger” versions of Codec.exe, are loaded with almost ancient viruses/variants like Sadmind, Code Red, MyDoom, Sasser etc.
As for the FLV Player, it’s JW Player version 3.16, by Jeroen Wijering, a Dutch (like me) Flash-guru. What’s most interesting to know is that the flv playback framework (a.k.a. the ActionScript) is written by me. It was only later on that Jeroen added XSPF-/XML-playlist support. Currently Jeroen has version 4.2 out. Get it at: http://www.jeroenwijering.com/?about=JW_FLV_Media_Player.
@Lee, nice video, it explains a lot. B.t.w. did someone forget to turn off their cellphone before the interview? Since that kind of interference is almost always caused by cellphone signals, most notably an incoming call (or outgoing if you start a call).
Makes perfect sense to me. In my eyes scripting a browse dialog pop up without user interaction will always be bad practice anyway.
In any case it’s not like it’s a big job to fix. Instead of launching the dialog, launch a “browse” button which on click will launch the dialog. So then with the javascript problem you could have javascript tell flash to show the “browse” button.
Very interesting.
hey, great article.
there’s a typo in the title if you care.
justin everett-chruch
Good to know.
Thanks for this. Happy to see the article that outlines functionality in FP10 that now requires user initiation.
Great post, it’s nice to finally hear these words straight from the horse’s mouth (Justin). I imagine reasons like this (among others I’m sure) are what kept this functionality out of the player for so long.
I can say from experience using the FileReference.save, .browse, and .download with great success. The Flash Player team has done a great job and I look forward to the future of the expansion of the FileReference class.
Andrew Christensen | Geek.Blog | http://blog.728media.com
Would it be that hard to just add a warning box that the flash player loads and asks if it’s okay to open the browse window if it’s not opened through user interaction already? I’m thinking much the same way it prompts you if it’s okay your microphone or web cam. This seems like it would be a great workaround and at least bridge the gap a little so some applications don’t become completely useless until they update.
[...] Justin Everett-Church on Flash 10 FileReference (from The Flash Blog) [...]
I have a very silly QUESTION. BUT CAN ANYBODY HELP ME? Whenever I am trying to open “Global Security Setting Panel” the “Macromedia Flash player – Setting” window is not displaying in my computer monitor. What can be the problem? I have recently installed the newest version of Flash Player in my computer.
I’m still having major issues with this but not because of the FileReference class. One issue that hasn’t been addressed is that not only does flash 10 block a file reference it appears it also blocks a HTTP POST request that is trying to upload say a byte array. This is a valid use case for any app that is resizing a user uploaded image, taking a screen shot etc…
My particular use case is actually zipping mp3 files that the user uploads. The uploads work fine but once I’ve zipped the mp3s (using Actionscript) and try to upload the resulting zip file (a bytearray) to Amazon S3 it won’t work anymore. Since the upload is NOT coming from a FileReference I can’t get around it with the button trick.
My application relies on this functionality so this is really bad. Any help would be greatly appreciated.
[...] Justin Everett-Chruch on Flash 10 FileReference Lee Brimelow interviews Justin Everett-Church (Senior Product Manager for Flash Player) about the recent changes to the FileReference class. [...]
Could you let Justin know there is a problem with his site.
Thx
[...] Brimelow at The Flash Blog had this to say about the recent changes, and posted again when the controversy did not simply fade [...]
My flex app is built on the Cairngorm model, and this change forced me to de-modularize a reusable piece of functionality. The process was user clicks download which triggered a webservice call to gather data and save it locally on the server. Then, in the result callback, the fileReference.download was called. This change forced me to add an extra “click step” – I had to put an Alert in after the server returned its result, to force the user to click an OK button so that FP10 would allow the dialogue to pop. BAD User Centered Design/usability as it adds a perceived unnecessary click to the user experience.
Being a java guy who likes code reuse/code once use many (and not by means of copy/paste chunks of code), I did not like how this security change forced me to rewrite the download piece of my flex app. Did I mention this was discovered by someone in my sales dept. a day before a client demo? Nice – I like to scramble…
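The “browse button” workaround suggested in an earlier comment and the fetch-then-download flow this commenter describes, as one added ActionScript 3 example that is not code from the post, from Adobe or from any commenter; the JavaScript-exposed callback name showBrowseButton, the onServerResult hook and the download file name are this example’s own assumptions.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.MouseEvent;
    import flash.external.ExternalInterface;
    import flash.net.FileReference;
    import flash.net.URLRequest;

    // Added example, not code from the post or from Adobe. In Flash Player 10,
    // FileReference.browse()/download() succeed only when called synchronously
    // inside a user-initiated event handler (otherwise error 2176), so both flows
    // below park the privileged call behind a button click.
    public class GatedFileDialogs extends Sprite {
        private var browseBtn:Sprite;
        private var downloadBtn:Sprite;
        private var fileRef:FileReference = new FileReference();
        private var pendingDownload:URLRequest; // set when the server result arrives
        public function GatedFileDialogs() {
            browseBtn = makeButton(0x3366cc, 0);
            downloadBtn = makeButton(0x33aa33, 40);
            browseBtn.addEventListener(MouseEvent.CLICK, onBrowseClick);
            downloadBtn.addEventListener(MouseEvent.CLICK, onDownloadClick);
            // JavaScript can no longer open the dialog itself; it may only reveal the button.
            if (ExternalInterface.available) {
                ExternalInterface.addCallback("showBrowseButton", showBrowseButton);
            }
        }
        // Invoked from the page as swfElement.showBrowseButton() (name is this example's own).
        private function showBrowseButton():void { browseBtn.visible = true; }
        // browse() is called directly in the click handler, not after a timer or callback.
        private function onBrowseClick(e:MouseEvent):void { fileRef.browse(); }
        // "Fetch data first, then save" flow: the asynchronous server result only
        // enables the button; the click that follows is what calls download().
        public function onServerResult(downloadUrl:String):void {
            pendingDownload = new URLRequest(downloadUrl);
            downloadBtn.visible = true;
        }
        private function onDownloadClick(e:MouseEvent):void {
            if (pendingDownload) fileRef.download(pendingDownload, "result.zip");
        }

        private function makeButton(color:uint, y:Number):Sprite {
            var b:Sprite = new Sprite();
            b.graphics.beginFill(color); b.graphics.drawRect(0, 0, 120, 30); b.graphics.endFill();
            b.y = y; b.buttonMode = true; b.visible = false; // hidden until it is legitimately needed
            addChild(b);
            return b;
        }
    }
}
```

Calling browse() or download() from a web service result handler, a Timer, or an ExternalInterface callback directly still raises error 2176; the click that follows the revealed button is what satisfies the user-initiation check.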