We have a website that the customer decided to bring back onto our servers after outsourcing it to India a while ago.

One of their pages uses an SWF player to play some videos. The SWF object on the page is apparently configured with an XML file. Here is the SWF code from the ASPX page:

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" 
    codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
    width="900" height="600" id="tech" align="middle">
    <param name="allowFullScreen" value="true" />
    <param name="allowScriptAccess" value="sameDomain" />
    <param name="movie" value="/Images/flv/simple.swf?xml_path=/Client/XML/NFLNews.xml" />
    <param name="quality" value="high" />
    <param name="wmode" value="transparent">
    <embed src="/Images/flv/simple.swf?xml_path=/Client/XML/NFLNews.xml" quality="high"
        wmode="transparent" width="900" height="600" name="tech" align="middle" 
        allowscriptaccess="sameDomain" allowfullscreen="true" 
        type="application/x-shockwave-flash" 
        pluginspage="http://www.macromedia.com/go/getflashplayer" />
</object>

Note that the src attribute of the embed tag is:
src="/Images/flv/simple.swf?xml_path=/Client/XML/NFLNews.xml"

When this page is hit, it throws an "Access denied" error on the file /Client/XML/NFLNews.xml. However, if I browse directly to the XML file, IIS serves it without any error.

Here is what the IIS log shows for the request:
#Fields: date time cs-uri-stem cs-uri-query s-contentpath sc-status
2012-11-28 16:09:33.482 /Videodisplay.aspx VID=22 "X:\inetpub\wwwroot\sitename\Videodisplay.aspx" 500

Note that Videodisplay.aspx is the page hosting the SWF object. The XML file does not appear in the IIS log at all.

The exact error IIS throws is:

Server Error in '/' Application.
Access to the path 'F:\inetpub\wwwroot\lijsoccer.com\Client\XML\NFLNews.xml' is denied.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.UnauthorizedAccessException: Access to the path 'F:\inetpub\wwwroot\lijsoccer.com\Client\XML\NFLNews.xml' is denied.

ASP.NET is not authorized to access the requested resource. Consider granting access rights to the resource to the ASP.NET request identity. ASP.NET has a base process identity (typically {MACHINE}\ASPNET on IIS 5 or Network Service on IIS 6 and IIS 7, and the configured application pool identity on IIS 7.5) that is used if the application is not impersonating. If the application is impersonating via <identity impersonate="true"/>, the identity will be the anonymous user (typically IUSR_MACHINENAME) or the authenticated request user.

To grant ASP.NET access to a file, right-click the file in File Explorer, choose "Properties" and select the Security tab. Click "Add" to add the appropriate user or group. Highlight the ASP.NET account, and check the boxes for the desired access.

I assume the SWF object must be running under a different security context than IIS? Or is something else going on here? We have never really dealt with Flash here, so I'm new to this.

Windows 2008 R2, ASP.NET 4, IIS 7.5

Update: after granting Everyone access, I have determined that the SWF is actually modifying the XML file. Obviously I don't want Everyone to have access to this file, so I added an audit entry on the file for "Everyone / Fail" to try to figure out which user the SWF file is running under... but even though removing Everyone's write permission does make it fail again, it does not write a security audit event. So I guess for now I'm stuck with giving Everyone write access to that file, unless someone can tell me how to determine which user the SWF is running under.

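As an added example (not part of the original question, and not the site's own code), the following PowerShell, run on the web server, shows how to find the account the page's requests actually run under and how to inspect the XML file's DACL and SACL. The site name is a placeholder; the file path is the one from the error message; the cmdlets assume the WebAdministration module that ships with IIS 7.5 on Windows 2008 R2.

```powershell
# Added example, not code from the original question. Assumes Windows 2008 R2 /
# IIS 7.5 with the WebAdministration module, run in an elevated PowerShell on
# the web server. SITE_NAME_PLACEHOLDER must be replaced with the real site name.
Import-Module WebAdministration

$siteName = 'SITE_NAME_PLACEHOLDER'                                   # placeholder
$xmlPath  = 'F:\inetpub\wwwroot\lijsoccer.com\Client\XML\NFLNews.xml'  # path from the error message

# 1. Which application pool serves the site, and which account does it run as?
$site = Get-Website -Name $siteName
$pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"
$poolUser = switch ($pool.processModel.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$($pool.Name)" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'LocalSystem'             { 'NT AUTHORITY\SYSTEM' }
    'SpecificUser'            { $pool.processModel.userName }
}
"Site '$siteName' -> pool '$($pool.Name)' -> identity $poolUser"

# 2. If <identity impersonate="true"/> is set, the request runs as the anonymous
#    or authenticated user instead of the pool identity, so check that as well.
$identity = Get-WebConfiguration -PSPath "IIS:\Sites\$siteName" -Filter 'system.web/identity'
"Impersonation enabled: $($identity.impersonate)"
$anon = Get-WebConfiguration -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication'
"Anonymous auth enabled: $($anon.enabled); anonymous user: '$($anon.userName)' (empty = app pool identity)"

# 3. Current DACL on the file: who can do what.
(Get-Acl -Path $xmlPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 4. Current SACL on the file. Entries here only produce Security-log events
#    (ID 4663) when the Object Access / File System audit subcategory is enabled.
(Get-Acl -Path $xmlPath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags |
    Format-Table -AutoSize
auditpol /get /subcategory:"File System"

# 5. Least-privilege alternative to 'Everyone': grant Modify on this one file to
#    the account found in step 1. Printed as a command rather than executed, so
#    nothing changes until it is run deliberately.
"To grant write access to just that account, run: icacls `"$xmlPath`" /grant `"${poolUser}:(M)`""
```

The error text on the page already names the candidates: the application pool identity unless impersonation is on, in which case the anonymous or authenticated user. With the IIS 7.5 default of ApplicationPoolIdentity, that account is the virtual `IIS AppPool\<pool name>`, which is the principal a least-privilege grant should target instead of Everyone. A SACL entry by itself produces no 4663 events until the "File System" subcategory of Object Access auditing is enabled in the local security policy, which is one reason an audit entry can stay silent even while access is being denied.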