将控件声明为脚本安全的技巧
怎样将控件声明为脚本安全
2004-10-18 19:49:33 (文章类别:C++)
#Basic Skills: Create Safe Initialization&Scripting ActiveX Control 当创建嵌入到Web浏览器中使用的ActiveX控件时,需要将控件声明为脚本安全,否则浏览器会在控件加载和发生脚本交互时进行安全提示,影响使用: 创建初始化/脚本安全的ActiveX控件通常有两种方法:实现控件的 IObjectSafety 接口和修改客户端注册表: #实现控件的IObjectSafety接口 下面是 IObjectSafety 的原型,该接口主要定义两个纯虚函数—— GetInterfaceSafetyOptions 和 SetInterfaceSafetyOptions: //Objsafe.h // Option bit definitions for IObjectSafety: #define??INTERFACESAFE_FOR_UNTRUSTED_CALLER??0x00000001 ????// Caller of interface may be untrusted. #define??INTERFACESAFE_FOR_UNTRUSTED_DATA??0x00000002 ????// Data passed into interface may be untrusted. // {CB5BDC81-93C1-11cf-8F20-00805F2CD064} DEFINE_GUID(IID_IObjectSafety, 0xcb5bdc81, 0x93c1, 0x11cf, 0x8f, 0x20,? ??0x0, 0x80, 0x5f, 0x2c, 0xd0, 0x64); interface IObjectSafety : public IUnknown { ??public: ????virtual HRESULT __stdcall GetInterfaceSafetyOptions(? ??????/* [in]?*/ REFIID riid, ??????/* [out] */ DWORD __RPC_FAR *pdwSupportedOptions, ??????/* [out] */ DWORD __RPC_FAR *pdwEnabledOptions) = 0; ????virtual HRESULT __stdcall SetInterfaceSafetyOptions(? ??????/* [in] */ REFIID riid, ??????/* [in] */ DWORD dwOptionSetMask, ??????/* [in] */ DWORD dwEnabledOptions) = 0; }; GetInterfaceSafetyOptions 返回控件的安全性标识: INTERFACESAFE_FOR_UNTRUSTED_CALLER? 声明接口为脚本安全 INTERFACESAFE_FOR_UNTRUSTED_DATA??? 声明接口为初始化安全 SetInterfaceSafetyOptions 允许容器请求控件将自身配置为初始化和脚本安全。 浏览器在加载ActiveX控件时会首先检测控件是否支持 IObjectSafety 接口,如果支持,浏览器首先调用 IObjectSafety::SetInterfaceSafetyOptions 完成控件初始化,如果控件支持脚本交互,则继续调用 IObjectSafety::GetInterfaceSafetyOptions 。 ● 如果使用 ATL ,可以这样实现 IObjectSafety: // MyCtrlClass.h class ATL_NO_VTABLE CMyCtrlClass :? ? ... ?public IObjectSafetyImpl<CMyCtrlClass,?INTERFACESAFE_FOR_UNTRUSTED_CALLER>, ? ... // 其他接口基类 { public: ... BEGIN_COM_MAP(CMyCtrlClass) ? ... ? COM_INTERFACE_ENTRY(IObjectSafety) ? ... END_COM_MAP() ... BEGIN_PROP_MAP(CMyCtrlClass) ?... ?// Example entries ?// PROP_ENTRY("Property Description", dispid, clsid) ?// PROP_PAGE(CLSID_StockColorPage) END_PROP_MAP() ... STDMETHOD(GetInterfaceSafetyOptions)(REFIID riid, DWORD *pdwSupportedOptions,? ?????????????????????????DWORD *pdwEnabledOptions);? STDMETHOD(SetInterfaceSafetyOptions)(REFIID riid, DWORD dwOptionSetMask,? ?????????????????????????DWORD dwEnabledOptions); ● 如果使用 MFC ,可以这样实现 IObjectSafety: // ProjectNameCtrl.h #ifdef L_IMPL_OBJECTSAFETY #include <objsafe.h> #endif // L_IMPL_OBJECTSAFETY ... public: #ifdef L_IMPL_OBJECTSAFETY ??BEGIN_INTERFACE_PART(ObjectSafety, IObjectSafety) ????STDMETHOD(GetInterfaceSafetyOptions)(REFIID riid, DWORD __RPC_FAR *pdwSupportedOptions, DWORD __RPC_FAR *pdwEnabledOptions); ????STDMETHOD(SetInterfaceSafetyOptions)(REFIID riid, DWORD dwOptionSetMask, DWORD dwEnabledOptions); ??END_INTERFACE_PART(ObjectSafety) ??DECLARE_INTERFACE_MAP(); #endif // L_IMPL_OBJECTSAFET // ProjectNameCtrl.cpp #ifdef L_IMPL_OBJECTSAFETY BEGIN_INTERFACE_MAP(CProjectNameCtrl, COleControl) ?INTERFACE_PART(CProjectNameCtrl, IID_IObjectSafety, ObjectSafety) END_INTERFACE_MAP() #endif // L_IMPL_OBJECTSAFETY #ifdef L_IMPL_OBJECTSAFETY // Implementation of IObjectSafety STDMETHODIMP CProjectNameCtrl::XObjectSafety::GetInterfaceSafetyOptions( ??????REFIID riid,? ??????DWORD __RPC_FAR *pdwSupportedOptions,? ??????DWORD __RPC_FAR *pdwEnabledOptions) { ??METHOD_PROLOGUE_EX(CProjectNameCtrl, ObjectSafety) ??if (!pdwSupportedOptions || !pdwEnabledOptions) ??{ ????return E_POINTER; ??} ??*pdwSupportedOptions = INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA; ??*pdwEnabledOptions = 0; ??if (NULL == pThis->GetInterface(&riid)) ??{ ????TRACE("Requested interface is not supported./n"); ????return E_NOINTERFACE; ??} ??// What interface is being checked out anyhow? ??OLECHAR szGUID[39]; ??int i = StringFromGUID2(riid, szGUID, 39); ??if (riid == IID_IDispatch) ??{ ????// Client wants to know if object is safe for scripting ????*pdwEnabledOptions = INTERFACESAFE_FOR_UNTRUSTED_CALLER; ????return S_OK; ??} ??else if (riid == IID_IPersistPropertyBag? ?????|| riid == IID_IPersistStreamInit ?????|| riid == IID_IPersistStorage ?????|| riid == IID_IPersistMemory) ??{ ????// Those are the persistence interfaces COleControl derived controls support ????// as indicated in AFXCTL.H ????// Client wants to know if object is safe for initializing from persistent data ????*pdwEnabledOptions = INTERFACESAFE_FOR_UNTRUSTED_DATA; ????return S_OK; ??} ??else ??{ ????// Find out what interface this is, and decide what options to enable ????TRACE("We didn’t account for the safety of this interface, and it’s one we support.../n"); ????return E_NOINTERFACE; ??}?? } STDMETHODIMP CProjectNameCtrl::XObjectSafety::SetInterfaceSafetyOptions( ????REFIID riid,? ????DWORD dwOptionSetMask,? ????DWORD dwEnabledOptions) { ??METHOD_PROLOGUE_EX(CProjectNameCtrl, ObjectSafety) ??OLECHAR szGUID[39]; ??// What is this interface anyway? ??// We can do a quick lookup in the registry under HKEY_CLASSES_ROOT/Interface ??int i = StringFromGUID2(riid, szGUID, 39); ??if (0 == dwOptionSetMask && 0 == dwEnabledOptions) ??{ ????// the control certainly supports NO requests through the specified interface ????// so it’s safe to return S_OK even if the interface isn’t supported. ????return S_OK; ??} ??// Do we support the specified interface? ??if (NULL == pThis->GetInterface(&riid)) ??{ ????TRACE1("%s is not support./n", szGUID); ????return E_FAIL; ??} ??if (riid == IID_IDispatch) ??{ ????TRACE("Client asking if it’s safe to call through IDispatch./n"); ????TRACE("In other words, is the control safe for scripting?/n"); ????if (INTERFACESAFE_FOR_UNTRUSTED_CALLER == dwOptionSetMask && INTERFACESAFE_FOR_UNTRUSTED_CALLER == dwEnabledOptions) ????{ ??????return S_OK; ????} ????else ????{ ??????return E_FAIL; ????} ??} ??else if (riid == IID_IPersistPropertyBag? ?????|| riid == IID_IPersistStreamInit ?????|| riid == IID_IPersistStorage ?????|| riid == IID_IPersistMemory) ??{ ????TRACE("Client asking if it’s safe to call through IPersist*./n"); ????TRACE("In other words, is the control safe for initializing from persistent data?/n"); ????if (INTERFACESAFE_FOR_UNTRUSTED_DATA == dwOptionSetMask && INTERFACESAFE_FOR_UNTRUSTED_DATA == dwEnabledOptions) ????{ ??????return NOERROR; ????} ????else ????{ ??????return E_FAIL; ????} ??} ??else ??{ ????TRACE1("We didn’t account for the safety of %s, and it’s one we support.../n", szGUID); ????return E_FAIL; ??} } STDMETHODIMP_(ULONG) CProjectNameCtrl::XObjectSafety::AddRef() { ??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety) ??return (ULONG)pThis->ExternalAddRef(); } STDMETHODIMP_(ULONG) CProjectNameCtrl::XObjectSafety::Release() { ??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety) ??return (ULONG)pThis->ExternalRelease(); } STDMETHODIMP CProjectNameCtrl::XObjectSafety::QueryInterface( ??REFIID iid, LPVOID* ppvObj) { ??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety) ??return (HRESULT)pThis->ExternalQueryInterface(&iid, ppvObj); } #endif // L_IMPL_OBJECTSAFETY 注意在 项目属性 / C/C++ / 预处理器 中添加预处理定义: L_IMPL_OBJECTSAFETY #修改客户端注册表 如果控件为实现 IObjectSafety 接口,那么浏览器会进一步调用 ICatInformation::IsClassOfCategories 查询系统注册表HKEY_CLASSES_ROOT/Component Categories/{..catid...},检查控件是否支持给定的组件种类(Compnent Category)。 如果控件已经使用“组建类管理器(Component Categories Manager )”将自身注册为安全则不再进行提示。 为了在注册表中创建正确的组件类型子键,通常要实现以下三个步骤: 创建“组建类管理器(Component Categories Manager )”的实例并获取 ICatRegister 接口指针; 实例化 CATEGORYINFO 结构并填充适当的成员; 以 CATEGORYINFO 地址为参数调用 ICatInformation::IsClassOfCategories 。 在 MFC ActiveX 控件项目的 stdafx.h中添加 #include <objsafe.h> (有可能需要comcat.h头文件)。 然后在 APP 类的实现文件中(ProjectName.cpp)添加如下函数: //ProjectName.cpp const GUID CDECL CLSID_SafeItem = ????{ 0x3B43D84B, 0x05BE, 0x4CB3, { 0xB6, 0x82, 0xE1, 0x60, 0xC3, 0x8B, 0xA0, 0x88 } }; // 注意这个GUID一定要与控件的CLSID相同! // 不一定等于该文件中的 const GUID CDECL BASED_CODE _tlid // 版本控制 const WORD _wVerMajor = 1; // 次版本号 const WORD _wVerMinor = 0; // ... InitInstance() 和 ExitInstance() // 创建组件种类 HRESULT CreateComponentCategory(CATID catid, WCHAR* catDescription) { ??ICatRegister* pcr = NULL ; ??HRESULT hr = S_OK ; ??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,? ??????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr); ??if (FAILED(hr)) ????return hr; ??// Make sure the HKCR/Component Categories/{..catid...} ??// key is registered. ??CATEGORYINFO catinfo; ??catinfo.catid = catid; ??catinfo.lcid = 0x0409 ; // english ??// Make sure the provided description is not too long. ??// Only copy the first 127 characters if it is. ??int len = wcslen(catDescription); ??if (len>127) ????len = 127; ??wcsncpy(catinfo.szDescription, catDescription, len); ??// Make sure the description is null terminated. ??catinfo.szDescription[len] = ’/0’; ??hr = pcr->RegisterCategories(1, &catinfo); ????pcr->Release(); ??return hr; } // 注册组件种类 HRESULT RegisterCLSIDInCategory(REFCLSID clsid, CATID catid) { ??// Register your component categories information. ??ICatRegister* pcr = NULL ; ??HRESULT hr = S_OK ; ??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,? ????????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr); ??if (SUCCEEDED(hr)) ??{ ??? // Register this category as being "implemented" by the class. ??? CATID rgcatid[1] ; ??? rgcatid[0] = catid; ??? hr = pcr->RegisterClassImplCategories(clsid, 1, rgcatid); ??} ??if (pcr != NULL) ????pcr->Release(); ??return hr; } // 卸载组件种类 HRESULT UnRegisterCLSIDInCategory(REFCLSID clsid, CATID catid) { ??ICatRegister* pcr = NULL ; ??HRESULT hr = S_OK ; ??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,? ??????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr); ??if (SUCCEEDED(hr)) ??{ ??? // Unregister this category as being "implemented" by the class. ??? CATID rgcatid[1] ; ??? rgcatid[0] = catid; ??? hr = pcr->UnRegisterClassImplCategories(clsid, 1, rgcatid); ??} ??if (pcr != NULL) ????pcr->Release(); ??return hr; } STDAPI DllRegisterServer(void) { ??HRESULT hr; ??AFX_MANAGE_STATE(_afxModuleAddrThis); ??if (!AfxOleRegisterTypeLib(AfxGetInstanceHandle(), _tlid)) ????return ResultFromScode(SELFREG_E_TYPELIB); ??if (!COleObjectFactoryEx::UpdateRegistryAll(TRUE)) ????return ResultFromScode(SELFREG_E_CLASS); ??// 标记控件初始化安全. ??// 创建初始化安全组件种类 ??hr = CreateComponentCategory(CATID_SafeForInitializing, ??????? L"Controls safely initializable from persistent data!"); ??if (FAILED(hr)) ????return hr; ??// 注册初始化安全 ??hr = RegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForInitializing); ??if (FAILED(hr)) ????return hr; ??// 标记控件脚本安全 ??// 创建脚本安全组件种类? ??hr = CreateComponentCategory(CATID_SafeForScripting, L"Controls safely scriptable!"); ??if (FAILED(hr)) ????return hr; ??// 注册脚本安全组件种类 ??hr = RegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForScripting); ??if (FAILED(hr)) ????return hr; ??return NOERROR; } STDAPI DllUnregisterServer(void) { ??HRESULT hr; ??AFX_MANAGE_STATE(_afxModuleAddrThis); ??if (!AfxOleUnregisterTypeLib(_tlid, _wVerMajor, _wVerMinor)) ????return ResultFromScode(SELFREG_E_TYPELIB); ??if (!COleObjectFactoryEx::UpdateRegistryAll(FALSE)) ????return ResultFromScode(SELFREG_E_CLASS); ??// 删除控件初始化安全入口. ??hr=UnRegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForInitializing); ??if (FAILED(hr)) ????return hr; ??// 删除控件脚本安全入口 ??hr=UnRegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForScripting); ??if (FAILED(hr)) ????return hr; ??return NOERROR; }? MSDN示例: [ Safectl.rar ] |
本文地址:http://www.45fan.com/a/question/69292.html