How can I understand uploaded files are permanently stored in the website's server?
For example, how can I understand when I uploaded my PDF file to this website (https://smallpdf.com/pdf-to-jpg) whether it also saves my file to its server?
If you are referring to a third party server that you have no control over, there is no programmatic way of determining if they are in fact storing your PDFs permanently.
They might have a Terms and Conditions page where they set out the terms and conditions of using their service.
Alternatively if it concerns you try to find a site that makes it clear that they do not store your files permanently.
Related
I'm developing a web app using ReactJS and trying to create a txt file with a number in it on the local storage, c:\temp for example.
Is it possible to do it without keep asking the user for his approval (dialog)?
Thanks
localStorage is a browser API and not an arbitrary file on the user's disk. If you are going to use it, then there is a handy React hook for it.
You can't write to arbitrary files on the user's disk, although you can generate a download from in-memory data. This may be saved to the user's download folder or may prompt a SaveAs dialog (you can't control which).
If you want to store data on the server then you can make HTTP requests to it (i.e. use Ajax) and write a web service to process those requests.
I want to upload a file into the folder from which my Angular app is served while running on localhost. I'm not able to find any solution without using a backend.
For example I just want to upload an image file and that file should copy in specified folder of the project. This should be done only with Angular without using any Backend script or hitting any API endpoint.
Depending on your webhost, you can make your assets-folder accessible via FTP.
Making an FTP call from JavaScript (Angular is JavaScript) isn't that difficult. And there are plenty of examples and questions about it on the internet (like this)
Why you wouldn't do that:
The credentials for your FTP connection will be accessible in the compiled JavaScript code. With a little bit of effort, everyone can find them.
Each gate you open through the webhost's firewall is an extra vulnerability. That's why everybody will recommend you to add an API endpoint for uploading files so that you keep holding the strings of what may be uploaded.
Edit:
As I read your question again and all the sub-answers, I (think) figured out that you are building a native-like app with no back-end, just an Angular single-page front-end application. And I can understand why (you can run this on every platform in an application that supports JavaScript), but the problem you are encountering is only the first of a whole series.
If this is the case, I wouldn't call it uploading, as you would store it locally.
But the good news is that you have localStorage for your use to store temporary data on the HDD of the client. It isn't a very large space but it is something...
The assets folder is one of the statically served folders of the Angular app. It is located on the server so you can't add files to it without hitting the server (HTTP server, API, or whatever else...).
Even when running your app on localhost, there's a web server under the hood, so it behaves exactly the same as a deployed application, and you can't add files to the assets folder via the Angular app.
I don't know what exactly you want to do with your uploaded files, but:
If you want to use them on client side only, and in one user session, then you can just store the file in a javascript variable and do what you want with it
If you want to share them across users, or across user sessions, then you need to store them on the server, and you can't bypass an API or some HTTP server configuration
Based on your clarification in one of your comments:
I'm trying to develop a small speed test application in which user can upload any file from his system to check upload and download speed.
The only way to avoid having your own backend is to use a 3rd party API.
There are some dedicated speed test websites, which also provide API access. E.g.:
https://myspeed.today
http://www.speedtest.net
https://speedof.me/api.html
Some more: https://duckduckgo.com/?q=free+speedtest+api
Note, that many of these APIs are paid services.
Also, I've been able to find this library https://github.com/ddsol/speedtest.net, which might indicate that speedtest.net has some kind of free API tier. But this is up to you to investigate.
This question might also be of help, as it shows using speedtest.net in React Native: Using speedtest.net api with React Native
You can use a third party library such as ng-speed-test. For instance, here is an Angular library which has an image hosted on a third party server (i.e. GitHub) to test internet speed.
I need to have data written to a text file in javascript. I want it to write a username and password to the text file and create a new line every time. Here is my code http://pastebin.com/24Tvdemu.
Can anyone help? This has had me stumped for ages.
As JavaScript in HTML is a client-side language, you will need to send the files to the server and save the file there. Anyway, you can prompt the user to save the file on their local machine, but it's not useful unless you really need that for some reason.
Check this answer Javascript: Create and save file
Some suggestions for this -
If you are trying to write a file on the client machine, you can't do this in any cross-browser way. IE does have methods to enable "trusted" applications to use ActiveX objects to read/write files.
If you are trying to save it on your server then simply pass on the text data to your server and execute the file writing code using some server side language.
To store some information on the client side that is considerably small, you can go for cookies.
Using the HTML5 API for Local Storage.
More details : Is it possible to write data to file using only JavaScript?
My application creates .xml files and stores them on the user's hard drive; there is a default folder that I set in the web.xml to store the files, let's say D:/temp. Now after I write the files I need to read them back with JavaScript. I am using a JavaScript library that has this function mxUtils.load('URL of the file') (this function returns the content of the file). The problem is that it is giving me an error: Cross origin requests are only supported for HTTP (I know it doesn't have anything to do with the function or the library). I think the problem is that you can't read local files because of some security issues. Can anyone advise me of a solution? Thanks
You can't access the local filesystem using JavaScript.
For accessing the file using JavaScript, you have to upload it to a server and access it using the file's URL.
As stated, you cannot access a file on the filesystem strictly through Javascript. You could, however, use the input file type to upload the file to your server and then read it:
<input type="file" name="myfileinput">
Then, you can access it via the $_FILES global in PHP - other languages also provide this functionality through other means. Please note, again, that there is absolutely no way to access a file that is on someone's filesystem with Javascript without their consent (i.e. using the file input type). That would be a huge security risk - imagine going to a page and having it wipe your whole D:/ drive.
It's best to expose your files via HTTP and use mxUtils.load("http://yoursite/static/yourfile.xml").
Search for static files on Apache HTTP Server HowTo. Setup Apache to serve your xml files, make sure that you can view xml file in browser and then use the same url in mxUtils.load call.
I just implemented uploadify in my project, and I noticed what seems like an important security issue with the uploading process:
The folder in which the file should be uploaded is provided as a javascript argument, so client-side. If the user changes the script, and fills in a different folder (i.e. "/") for the upload, the file gets uploaded to the different folder.
There is an option in the config to filter the filetypes, but again it's provided on the client side ("fileExt").
So am I wrong to think this could lead to a possible hack? Uploading a php file anywhere in the Web Root and executing it seems easy.
Is it the desired behavior?
Should I just cross-check the upload folder in the uploadify.php file?
Should I send a notice to the uploadify makers?
I'm sure I'm not the first one to think about this. Oh, and the same goes for other config parameters, like sizeLimit and queueSizeLimit.
Just looked at the code (haven't installed it anywhere), and it certainly looks like this is a security problem. Looking at uploadify.php, I see this:
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
Which means that passing "/" would put the file in the document root (i.e. the home directory of your website). Of course, the user could easily (for example) pass in a folder parameter like '../../etc' and a file named 'passwd'. Or, more trivially, he could upload a "logo.jpg" to the document root and, hey, now you've got porn for a site logo!
Of course, even if you sandbox the users, there are still lots of potential problems with allowing a user to arbitrarily upload a file to your server. What if they upload a .php file, then go to that file with their browser? They suddenly have the ability to execute arbitrary code on your server!
If you want to do this, you should force the user's uploads into a restricted directory (the realpath function will sanitize the path, in case the user created crazy paths with "../.." or whatever), and you should restrict the types of files allowed (i.e. to only ".jpg", ".gif", ".png" or whatever). Even then, a malicious user could DOS you by filling up your disk quota.
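The checks this answer describes (a realpath-confined target directory, an extension allow-list and a size cap), as an added example that is not Uploadify's code or part of the original answer. `UPLOAD_ROOT`, the limits, the function names and the `upload` field name are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not Uploadify's code. UPLOAD_ROOT, the limits and the
// function names are assumptions chosen for illustration.
const UPLOAD_ROOT = '/var/www/uploads';   // fixed on the server, never taken from the request
const ALLOWED_EXT = ['jpg', 'jpeg', 'gif', 'png'];
const MAX_BYTES   = 2 * 1024 * 1024;      // enforced here, not by the client-side sizeLimit

/** Resolve a client-supplied sub-folder to an existing directory inside $root, or null. */
function resolve_upload_dir(string $root, string $folder): ?string
{
    $rootReal = realpath($root);
    $dirReal  = realpath($root . DIRECTORY_SEPARATOR . $folder); // collapses "../" and symlinks
    if ($rootReal === false || $dirReal === false || !is_dir($dirReal)) {
        return null;
    }
    // Trailing separator so a sibling such as "/var/www/uploads-old" does not match.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($dirReal !== $rootReal && strncmp($dirReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $dirReal;
}

/** Server-chosen file name; the client's name contributes only an allow-listed extension. */
function safe_upload_name(string $clientName): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? bin2hex(random_bytes(16)) . '.' . $ext : null;
}

/** Validate one $_FILES entry and move it under UPLOAD_ROOT; returns the saved path or null. */
function handle_upload(array $file, string $folder): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        return null;
    }
    $dir  = resolve_upload_dir(UPLOAD_ROOT, $folder);
    $name = safe_upload_name((string) $file['name']);
    if ($dir === null || $name === null) {
        return null;
    }
    $target = $dir . DIRECTORY_SEPARATOR . $name;
    // move_uploaded_file() only accepts temp files that arrived via HTTP POST upload.
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// In the endpoint (the field name 'upload' is an assumption):
// $saved = handle_upload($_FILES['upload'], (string) ($_REQUEST['folder'] ?? ''));
```

The extension check does not inspect file content, so keeping the upload root outside the document root, or disabling script execution in it, still matters for the uploaded-.php case raised above.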
I just want to give my opinion about your post.
You forget an important thing in your analysis.
Developers HAVE TO check variables in the server side script.
If you use JavaScript (like uploadify, or your own script) or if you don't use JavaScript (just a simple FORM in HTML), YOU HAVE to check the data in the server side script. So it doesn't matter for your security whether you are using uploadify or not. Don't forget that it's easy to build an HTTP request and send it to the server. So the security of a web application does not depend on the client.
Thanks for your attention
GUIGUI
That is indeed a security issue, path traversal. You should email them and ask them to fix it.
You are free to put the file anywhere using your server side script and your config. I never use their JavaScript config for such things.
I know this is a bit old topic, but here's a note from plugin developer:
Given the wide variety of scripting languages, server side validation is up to the users to code. We are developing the plugin to allow those who know what they are doing to use what ever language they want for the front end and back end. And creating new scripts to retrieve information makes it that little bit harder for other users to implement, for example those using aspx, java, codeigniter etc.. would need to rewrite major portions of the plugin.
You can read it in full here.
Remember, server validation is a must! You cannot ignore it, ever. This is what I've learnt reading SO and the PHP manual.