[Laszlo-dev] [BULK] swf9 security bug ?
Henry Minsky
hminsky at laszlosystems.com
Wed Oct 22 07:13:22 PDT 2008
I am looking at fixing an issue with how we display image assets in
swf9, and I was trying to remove the bitmap conversion step from the
swf9 LzSprite implementation, and when I did that, I noticed these
warnings print out in fdb, and the thumbnails do not appear:
[SWF] /trunk4/demos/amazon/amazon.lzx - 133 bytes after decompression
[trace] Warning: Domain ecx.images-amazon.com does not specify a
meta-policy. Applying default meta-policy 'all'. This configuration is
deprecated. See http://www.adobe.com/go/strict_policy_files to fix this
problem.
[trace] Error: Request for resource at
http://ecx.images-amazon.com/images/I/411XEC9SEYL._SL75_.jpg by requestor
from
http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&debug=true&lzr=swf9
is denied due to lack of policy file permissions.
[trace] *** Security Sandbox Violation ***
[trace] Connection to
http://ecx.images-amazon.com/images/I/411XEC9SEYL._SL75_.jpg halted - not
permitted from
http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&debug=true&lzr=swf9
[trace] Error: Request for resource at
http://ecx.images-amazon.com/images/I/311A24YVH6L._SL75_.jpg by requestor
from
http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx?lzt=swf&debug=true&lzr=swf9
is denied due to lack of policy file permissions.
And indeed, the domain ecx.images-amazon.com that serves these images
has this crossdomain.xml file, which restricts access:
<cross-domain-policy>
<allow-access-from domain="*.images-amazon.com"/>
<allow-access-from domain="images.amazon.com"/>
<allow-access-from domain="g-images.amazon.com"/>
<allow-access-from domain="*.ssl-images-amazon.com"/>
<allow-access-from domain="*.amazon.com"/>
<allow-access-from domain="cea.target.com"/>
<allow-access-from domain="xyccea.target.com"/>
<allow-access-from domain="testcea.target.com"/>
<allow-access-from domain="devcea.target.com"/>
<allow-access-from domain="sites.target.com"/>
</cross-domain-policy>
But strangely in our code in trunk, running the amazon app in swf9
DOES still display the album images. But it also prints out these same
warnings, indicating that access was denied!
So it seems like maybe there's a bug in the Flash 9 security
implementation, whereby access to the images is possible if you ask for
them as bitmaps, but not if you try to display them directly as jpgs.
I'm pretty confused, but it seems pretty clear that the crossdomain.xml
file is trying to restrict access to these images, yet we are fetching
and displaying them anyway.
I'm trying to figure out if there is something else I am missing here,
but it looks like Max inadvertently found a flash player security
hole.
--
Henry Minsky
Software Architect
hminsky at laszlosystems.com
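To make the policy question in the mail concrete, here is a small checker (added here as an example, not code from the OpenLaszlo project or from the mail's author) that parses a crossdomain.xml document and reports which allow-access-from rule, if any, grants access to a given requester origin. It embeds the policy quoted above as constructed sample input and evaluates the 127.0.0.1 requester from the fdb trace against it. The wildcard handling assumes the Flash policy-file convention that "*.example.com" matches example.com itself as well as its subdomains; that reading is an assumption, as is the absence of a site-control meta-policy element (the trace says the server does not declare one, so the parser simply reports None).

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample input: the policy quoted in the mail, with an XML
# declaration added so it is a complete document.
POLICY_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.images-amazon.com"/>
  <allow-access-from domain="images.amazon.com"/>
  <allow-access-from domain="g-images.amazon.com"/>
  <allow-access-from domain="*.ssl-images-amazon.com"/>
  <allow-access-from domain="*.amazon.com"/>
  <allow-access-from domain="cea.target.com"/>
  <allow-access-from domain="xyccea.target.com"/>
  <allow-access-from domain="testcea.target.com"/>
  <allow-access-from domain="devcea.target.com"/>
  <allow-access-from domain="sites.target.com"/>
</cross-domain-policy>
"""

# The requestor URL from the fdb trace in the mail.
REQUESTER_URL = ("http://127.0.0.1:8080/trunk4/demos/amazon/amazon.lzx"
                 "?lzt=swf&debug=true&lzr=swf9")


def parse_policy(xml_text):
    """Return (domain_patterns, meta_policy) from a crossdomain.xml document.

    domain_patterns: the domain attribute of every allow-access-from element.
    meta_policy: the permitted-cross-domain-policies value of a site-control
    element, or None when the policy declares no meta-policy.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is not cross-domain-policy")
    patterns = [el.get("domain") for el in root.findall("allow-access-from")
                if el.get("domain")]
    site_control = root.find("site-control")
    meta = (site_control.get("permitted-cross-domain-policies")
            if site_control is not None else None)
    return patterns, meta


def domain_matches(pattern, host):
    """Match a requester host against one allow-access-from domain pattern.

    Assumption (Flash policy-file convention): "*" matches every host and
    "*.example.com" matches example.com and any of its subdomains. A bare
    domain must match exactly. The suffix test keeps the leading dot so that
    "evilamazon.com" is not accepted by "*.amazon.com".
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]            # "amazon.com"
        return host == base or host.endswith("." + base)
    return host == pattern


def matching_rule(policy_xml, requester_url):
    """Return the first domain pattern that admits the requester, else None."""
    host = urlparse(requester_url).hostname or ""
    patterns, _meta = parse_policy(policy_xml)
    for pattern in patterns:
        if domain_matches(pattern, host):
            return pattern
    return None


if __name__ == "__main__":
    rule = matching_rule(POLICY_XML, REQUESTER_URL)
    _, meta = parse_policy(POLICY_XML)
    print("meta-policy declared:", meta)
    print("rule admitting 127.0.0.1:", rule)
    for origin in ("http://images.amazon.com/a.swf", "http://www.amazon.com/",
                   "http://evilamazon.com/", "http://sites.target.com/x"):
        print(origin, "->", matching_rule(POLICY_XML, origin))
```

Run against the quoted policy, the checker returns None for the 127.0.0.1 requester, which agrees with the "denied due to lack of policy file permissions" lines in the trace; the mail's open question is why the album images still render in the bitmap code path despite that denial, and that is a question about the player's behaviour, not about what this policy grants.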