avm1: Partially implement FileReference (Part of #307)

[hatal175]

I've implemented mostly just the browse function which opens a file dialog. The download and upload have security implications, so I'm not sure how to take them into consideration (if the framework is implemented at all).

For the dialog, I've added the rfd crate. It allows for asynchronous file dialogs which the tiny dialog crate don't have, and are part of the spec according the docs.

[midgleyc]

The download and upload have security implications, so I'm not sure how to take them into consideration (if the framework is implemented at all).

At the moment, I think we ignore the security framework (e.g. on LoadVars or XML).

I think that this doesn't matter so much: download is effectively a GET of a given URL, and upload a POST: if a user can do these inside Flash, they can also do them outside Flash, so I don't find it terribly concerning if Ruffle just does these ignoring the sandboxing.

[hatal175]

If you consider it ok, I can implement the other ones as well for the pull request.

…

On Tue, Aug 17, 2021, 18:42 Chris Midgley ***@***.***> wrote: The download and upload have security implications, so I'm not sure how to take them into consideration (if the framework is implemented at all). At the moment, I think we ignore the security framework (e.g. on LoadVars or XML). I think that this doesn't matter so much: download is effectively a GET of a given URL, and upload a POST: if a user can do these inside Flash, they can also do them outside Flash, so I don't find it terribly concerning if Ruffle just does these ignoring the sandboxing. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#5086 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACYQXXPEPHPAAQNJ46JRQFTT5J7NLANCNFSM5CJWOB3A> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&utm_campaign=notification-email> .

[midgleyc]

I think that would be nice :)

In terms of SWFs in the wild using this: I know of one web-based management interface that uses upload (first parameter only). I don't know of anything using download, but I wouldn't be surprised to see it.

[midgleyc]

Comments on the desktop file selector also apply to the web one. A lot of the code is shared: can it be moved up a level somehow?

[kmeisthax]

Regarding the security checks: our intention on web is to not open up any new web attack surface, so on the web we don't need to run the same security checks for download or upload since we're not bothering with policy files or anything. browse is equivalent to populating a file upload input on web and is perfectly fine.

On desktop the story changes a little. Flash movies on desktop inherently don't come with an origin. The original security model for local file access was web-only or filesystem-only, controlled with some movie metadata. This is a restriction we absolutely don't implement right now. When we implement download or upload we may want to consider changing ExternalNavigatorBackend so that it can be locked one way or the other.

[hatal175]

Comments on the desktop file selector also apply to the web one. A lot of the code is shared: can it be moved up a level somehow?

Well, technically yes, but no :) I could put in core but there are no other implementations of obviously ui code there... if other people also think so, I can move it.

[hatal175]

I don't think I'm going to implement the download/upload pair in this pull request. After an answer to the duplication of the ui code, I'll rebase this and consider this complete for now.

[midgleyc]

You have a leftover log::warn!("{}", extensions[0]); in desktop/src/ui.rs, other than that looks good to me.

[adrian17]

For the record, the web popup looks like this:

[adrian17]

I think the PR is good. One question from reading the docs:

Only one browse() session can be performed at a time (because only one dialog box can be displayed at a time).

Do we have a guard against that? What would happen if we called browse twice?
I don't think it's an issue on web (rfd shows a popup that makes it impossible to trigger new AS click events, right?), but not sure about desktop. If it's impossible on desktop too, then it's cool.

Also notes for the future:

Because of new functionality added to Flash Player, when publishing to Flash Player 10, you can have only one of the following operations active at one time: FileReference.browse(), FileReference.upload(), FileReference.download(). Otherwise, Flash Player throws a runtime error (code 2174). Use FileReference.cancel() to stop an operation in progress.

We'll probably need a guard against that, when we get upload/download.

In Flash Player 10 and later, you can call this method successfully only in response to a user event (for example, in an event handler for a mouse click or keypress event). Otherwise, calling this method results in Flash Player throwing an Error.

Ideally we should implement this at some point, but it's probably not a big immediate risk - since FP blocked this behavior, I don't think people bothered to even try to trigger this without user event.

[adrian17]

(I'd appreciate if kmeisthax looked at the async portion too, but I think it's mergeable as-is)

[Herschel]

Since this uses rfd, can we also use rfd for the initial Choose SWF dialog on desktop and remove tinyfiledialog? It feels odd to have two separate file dialog crates.

[Herschel]

Thank you!

[Herschel]

I get nervous about these kind of conversions, because u64 -> f64 can be lossy and from::From by convention should be a lossless conversion. But we already have From<usize>, so this is fine for now.

[Herschel]

style nit: Let's import fs::self and then do fs::metadata (makes it a little clearer that it's the standard metadata fn and not our own fn.)

[Herschel]

Let's make two separate impl blocks and #[cfg(not(target_arch = "wasm32"))] on the impl block, instead of doing #[cfg] on each method.

[hatal175]

There are functions that should be in both configs and functions that should be in just one. Since I can't do two trait implemenrations, it means I have to duplicate the functions that are in both... advice?

[Herschel]

Also, looks like there's an undocumented FileReference.convertToPPT and deleteConvertedPPT, at least in the desktop player(?):

ASSetPropFlags(flash.net.FileReference.prototype, null, 6, 1);
for(var k in flash.net.FileReference.prototype) {
	trace(k);
}

No clue what they do, but we should at least mention these in a comment and/or possibly stub them out.

[hatal175]

I've fixed most of the issues you've raised except the cfg thing.

1. I've removed tinyfiledialogs from the license - I hope that's ok.
2. rfd can't set file dialog title for now - I have a pending pull request: Add set_title to FileDialog PolyMeilex/rfd#23. Pull request was merged and title was readded.
3. I chose to add a comment since there's no real mention of those functions anywhere. It's probably used internally by flash somewhere so no real reason to stub.
4. Also updated rfd crate while I'm at it.

[PolyMeilex]

For the record, the web popup looks like this:

I intentionally designed it in a way that is easy to customize, so you don't have to stick to that in case you don't like it, you can just provide CSS styles for IDs that RFD is using rfd-overlay,rfd-card,rfd-input,rfd-button

Default style can be used as a reference: https://github.com/PolyMeilex/rfd/blob/master/src/backend/wasm/style.css