
[TED] The security of Loader.load and Loader.loadBytes

September 5, 2014

Introduction:

There is a very important security distinction between using Loader.loadBytes and Loader.load that EVERYONE needs to understand.

Loader.load loads content (PNG, GIF, JPG, SWF) into the security context of the URL being loaded.

Loader.loadBytes injects bytes (PNG, GIF, JPG, SWF) into the security context of your application!!!

Loader.loadBytes is much like eval(), and if used improperly it can inject a security hole into your application. Much like eval(), it is very useful and allows you to do all sorts of great stuff, but it can also cut your arm off and melt your tennis shoes.

So how harmful can it be? Let's look at a simple example:

Load a PNG file from domain.com into your Flex app:

GOOD: Do this with Loader.load and you are as safe as can be.

BAD: Do this with Loader.loadBytes and the injected image bytes will be processed as if they were native code. If someone renames a .SWF file to .PNG, they have successfully injected code directly into your application running in AIR or Flash Player. If this SWF file were loaded in AIR, it would have the ability to use any AIR API and would create problems.
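The check a defender would put in front of loadBytes for the image case above, as an added ActionScript 3 example that is not from Ted's post: the bytes are fetched with URLLoader, anything that does not begin with a PNG, JPEG or GIF magic number is refused (a renamed SWF begins with FWS, CWS or ZWS and fails the check), and only then is loadBytes called. The URL, the class name and the helper names are assumptions; the allowLoadBytesCodeExecution line refers to a LoaderContext property that AIR added after this post was written, so it is applied only where the runtime has it.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.URLLoader;
    import flash.net.URLLoaderDataFormat;
    import flash.net.URLRequest;
    import flash.system.LoaderContext;
    import flash.utils.ByteArray;

    // Added example, not code from the original post: hand bytes to loadBytes
    // only after proving they are an image, never a SWF.
    public class SafeImageBytesLoader extends Sprite {

        // Constructed sample URL; the host you actually fetch from goes here.
        private static const IMAGE_URL:String = "http://domain.com/photo.png";

        public function SafeImageBytesLoader() {
            var urlLoader:URLLoader = new URLLoader();
            urlLoader.dataFormat = URLLoaderDataFormat.BINARY;
            urlLoader.addEventListener(Event.COMPLETE, onBytesReady);
            urlLoader.load(new URLRequest(IMAGE_URL));
        }

        private function onBytesReady(e:Event):void {
            var bytes:ByteArray = URLLoader(e.target).data as ByteArray;
            if (!isImageHeader(bytes)) {
                // A renamed SWF or any other non-image payload stops here.
                trace("refusing loadBytes: payload is not a PNG/JPG/GIF");
                return;
            }
            var ctx:LoaderContext = new LoaderContext();
            // Later AIR versions (1.5+) expose this property; when present it
            // keeps code out of the application sandbox even if a header check
            // were ever fooled. Guarded so the class also runs on AIR 1.0.
            if ("allowLoadBytesCodeExecution" in ctx) {
                ctx["allowLoadBytesCodeExecution"] = false;
            }
            var loader:Loader = new Loader();
            loader.loadBytes(bytes, ctx);
            addChild(loader);
        }

        // True only for the magic numbers of the three image formats Loader
        // accepts. A SWF starts with "FWS", "CWS" or "ZWS" and returns false.
        public static function isImageHeader(bytes:ByteArray):Boolean {
            if (bytes == null || bytes.length < 8) return false;
            bytes.position = 0;
            var b0:uint = bytes.readUnsignedByte();
            var b1:uint = bytes.readUnsignedByte();
            var b2:uint = bytes.readUnsignedByte();
            var b3:uint = bytes.readUnsignedByte();
            bytes.position = 0; // leave the stream where Loader expects it
            // PNG: 89 50 4E 47
            if (b0 == 0x89 && b1 == 0x50 && b2 == 0x4E && b3 == 0x47) return true;
            // JPEG: FF D8 FF
            if (b0 == 0xFF && b1 == 0xD8 && b2 == 0xFF) return true;
            // GIF: "GIF8" (GIF87a or GIF89a)
            if (b0 == 0x47 && b1 == 0x49 && b2 == 0x46 && b3 == 0x38) return true;
            return false;
        }
    }
}
```

The header check is the part that works on every runtime: it turns "whatever domain.com served" into "bytes we have verified are an image" before they touch the application sandbox. Where the data is a plain image and nothing forces a byte-level path, Loader.load remains the simpler and safer call.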

Note: The AIR team is looking at a minor API change for Loader that would default loadBytes content into a security sandbox, with an option to override the new default behavior.

There are a few nice use cases for loadBytes in AIR:

- Obfuscate a SWF file - Load a binary file and reorganize the bytes into a functional SWF before loading it into your application. You could use TEA encryption or a simple bit-shifting pattern across the ByteArray.

- Provide try/buy functionality - Create two SWF files, one trial and one purchased (encrypted), and provide the encryption key during software licensing.
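Both use cases above come down to the same sequence: transform a ByteArray back into a SWF, verify that the result really is a SWF, and load it in a way that keeps its classes apart from your own. This added ActionScript 3 example (not from Ted's post) shows that sequence with a constructed bit-shifting pattern in place of TEA; the class name, the key byte and the transform are placeholders, and the allowLoadBytesCodeExecution line refers to a LoaderContext property AIR added after this post.

```actionscript
package {
    import flash.display.Loader;
    import flash.display.Sprite;
    import flash.system.ApplicationDomain;
    import flash.system.LoaderContext;
    import flash.utils.ByteArray;
    import flash.utils.Endian;

    // Added example, not code from the original post: reverse a simple
    // scramble, confirm the bytes form a SWF, then load it deliberately.
    public class ScrambledSwfLoader extends Sprite {

        private static const KEY:uint = 0x5A; // constructed placeholder key byte

        public function ScrambledSwfLoader(scrambled:ByteArray) {
            var swf:ByteArray = descramble(scrambled);
            if (!looksLikeSwf(swf)) {
                trace("refusing loadBytes: descrambled payload is not a SWF");
                return;
            }
            var ctx:LoaderContext = new LoaderContext();
            // A child ApplicationDomain keeps the loaded classes from replacing
            // ours. It does not lower the SWF's privileges: via loadBytes it
            // still runs in the application sandbox, which is exactly why the
            // check above must pass first.
            ctx.applicationDomain = new ApplicationDomain(ApplicationDomain.currentDomain);
            // On AIR 1.5+ code import from bytes is off by default; this is the
            // one place we turn it on, for bytes we have just verified.
            if ("allowLoadBytesCodeExecution" in ctx) {
                ctx["allowLoadBytesCodeExecution"] = true;
            }
            var loader:Loader = new Loader();
            loader.loadBytes(swf, ctx);
            addChild(loader);
        }

        // Build time XORed each byte with KEY and then rotated it left by 3
        // bits, so undo in reverse order: rotate right by 3, then XOR.
        public static function descramble(src:ByteArray):ByteArray {
            var out:ByteArray = new ByteArray();
            src.position = 0;
            while (src.bytesAvailable > 0) {
                var b:uint = src.readUnsignedByte();
                var rotated:uint = ((b >> 3) | (b << 5)) & 0xFF;
                out.writeByte(rotated ^ KEY);
            }
            out.position = 0;
            return out;
        }

        // Accept an uncompressed (FWS) or zlib-compressed (CWS) SWF header.
        // For FWS the header's file length must match the byte count; CWS
        // stores the uncompressed length, so only the signature is checked.
        public static function looksLikeSwf(bytes:ByteArray):Boolean {
            if (bytes == null || bytes.length < 8) return false;
            bytes.position = 0;
            bytes.endian = Endian.LITTLE_ENDIAN; // SWF header fields are little-endian
            var sig:String = bytes.readUTFBytes(3);
            bytes.readUnsignedByte();                    // SWF version
            var declared:uint = bytes.readUnsignedInt(); // file length
            bytes.position = 0;
            if (sig == "FWS") return declared == bytes.length;
            return sig == "CWS";
        }
    }
}
```

Scrambling raises the bar against casual inspection of a shipped SWF, but anyone holding the application also holds the key, so treat it as obfuscation rather than as access control; the signature and length check, and knowing where the bytes came from, are what keep loadBytes from becoming the eval()-style hole described earlier.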

Be careful when you use loadBytes: it can inject a security issue into your application if you do not know what you are loading. I will be updating my post on Progressive Image Loading, as that methodology uses loadBytes and carries this risk.

Keep loading!

Ted :) 
Reposted from:
http://www.onflex.org/ted/2008/01/loaderload-vs-loaderloadbytes.php
