45fan.com - 路饭网

搜索: 您的位置主页 > 网络频道 > 阅读资讯:将控件声明为脚本安全的技巧

将控件声明为脚本安全的技巧

2016-08-29 12:06:44 来源:www.45fan.com 【

将控件声明为脚本安全的技巧

怎样将控件声明为脚本安全

2004-10-18 19:49:33 (文章类别:C++)

#Basic Skills:

Create Safe Initialization&Scripting ActiveX Control

当创建嵌入到Web浏览器中使用的ActiveX控件时,需要将控件声明为脚本安全,否则浏览器会在控件加载和发生脚本交互时进行安全提示,影响使用:

将控件声明为脚本安全的技巧screen.width-300)this.width=screen.width-300" align=center border=0>



将控件声明为脚本安全的技巧screen.width-300)this.width=screen.width-300" align=center border=0>


创建初始化/脚本安全的ActiveX控件通常有两种方法:实现控件的 IObjectSafety 接口和修改客户端注册表:

#实现控件的IObjectSafety接口

下面是 IObjectSafety 的原型,该接口主要定义两个纯虚函数——
GetInterfaceSafetyOptions 和 SetInterfaceSafetyOptions:

//Objsafe.h

// Option bit definitions for IObjectSafety:
#define??INTERFACESAFE_FOR_UNTRUSTED_CALLER??0x00000001
????// Caller of interface may be untrusted.
#define??INTERFACESAFE_FOR_UNTRUSTED_DATA??0x00000002
????// Data passed into interface may be untrusted.

// {CB5BDC81-93C1-11cf-8F20-00805F2CD064}
DEFINE_GUID(IID_IObjectSafety, 0xcb5bdc81, 0x93c1, 0x11cf, 0x8f, 0x20,?
??0x0, 0x80, 0x5f, 0x2c, 0xd0, 0x64);

interface IObjectSafety : public IUnknown
{
??public:
????virtual HRESULT __stdcall GetInterfaceSafetyOptions(?
??????/* [in]?*/ REFIID riid,
??????/* [out] */ DWORD __RPC_FAR *pdwSupportedOptions,
??????/* [out] */ DWORD __RPC_FAR *pdwEnabledOptions) = 0;

????virtual HRESULT __stdcall SetInterfaceSafetyOptions(?
??????/* [in] */ REFIID riid,
??????/* [in] */ DWORD dwOptionSetMask,
??????/* [in] */ DWORD dwEnabledOptions) = 0;
};

GetInterfaceSafetyOptions 返回控件的安全性标识:
INTERFACESAFE_FOR_UNTRUSTED_CALLER? 声明接口为脚本安全
INTERFACESAFE_FOR_UNTRUSTED_DATA??? 声明接口为初始化安全

SetInterfaceSafetyOptions 允许容器请求控件将自身配置为初始化和脚本安全。

浏览器在加载ActiveX控件时会首先检测控件是否支持 IObjectSafety 接口,如果支持,浏览器首先调用 IObjectSafety::SetInterfaceSafetyOptions 完成控件初始化,如果控件支持脚本交互,则继续调用 IObjectSafety::GetInterfaceSafetyOptions 。

● 如果使用 ATL ,可以这样实现 IObjectSafety:

// MyCtrlClass.h

class ATL_NO_VTABLE CMyCtrlClass :?
? ...
?public IObjectSafetyImpl<CMyCtrlClass,?INTERFACESAFE_FOR_UNTRUSTED_CALLER>,
? ... // 其他接口基类
{
public:
...
BEGIN_COM_MAP(CMyCtrlClass)
? ...
? COM_INTERFACE_ENTRY(IObjectSafety)
? ...
END_COM_MAP()
...
BEGIN_PROP_MAP(CMyCtrlClass)
?...
?// Example entries
?// PROP_ENTRY("Property Description", dispid, clsid)
?// PROP_PAGE(CLSID_StockColorPage)
END_PROP_MAP()
...
STDMETHOD(GetInterfaceSafetyOptions)(REFIID riid, DWORD *pdwSupportedOptions,?
?????????????????????????DWORD *pdwEnabledOptions);?
STDMETHOD(SetInterfaceSafetyOptions)(REFIID riid, DWORD dwOptionSetMask,?
?????????????????????????DWORD dwEnabledOptions);

● 如果使用 MFC ,可以这样实现 IObjectSafety:
// ProjectNameCtrl.h

#ifdef L_IMPL_OBJECTSAFETY
#include <objsafe.h>
#endif // L_IMPL_OBJECTSAFETY
...
public:
#ifdef L_IMPL_OBJECTSAFETY
??BEGIN_INTERFACE_PART(ObjectSafety, IObjectSafety)
????STDMETHOD(GetInterfaceSafetyOptions)(REFIID riid, DWORD __RPC_FAR *pdwSupportedOptions, DWORD __RPC_FAR *pdwEnabledOptions);
????STDMETHOD(SetInterfaceSafetyOptions)(REFIID riid, DWORD dwOptionSetMask, DWORD dwEnabledOptions);
??END_INTERFACE_PART(ObjectSafety)

??DECLARE_INTERFACE_MAP();
#endif // L_IMPL_OBJECTSAFET

// ProjectNameCtrl.cpp

#ifdef L_IMPL_OBJECTSAFETY

BEGIN_INTERFACE_MAP(CProjectNameCtrl, COleControl)
?INTERFACE_PART(CProjectNameCtrl, IID_IObjectSafety, ObjectSafety)
END_INTERFACE_MAP()

#endif // L_IMPL_OBJECTSAFETY

#ifdef L_IMPL_OBJECTSAFETY
// Implementation of IObjectSafety
STDMETHODIMP CProjectNameCtrl::XObjectSafety::GetInterfaceSafetyOptions(
??????REFIID riid,?
??????DWORD __RPC_FAR *pdwSupportedOptions,?
??????DWORD __RPC_FAR *pdwEnabledOptions)
{
??METHOD_PROLOGUE_EX(CProjectNameCtrl, ObjectSafety)

??if (!pdwSupportedOptions || !pdwEnabledOptions)
??{
????return E_POINTER;
??}

??*pdwSupportedOptions = INTERFACESAFE_FOR_UNTRUSTED_CALLER | INTERFACESAFE_FOR_UNTRUSTED_DATA;
??*pdwEnabledOptions = 0;

??if (NULL == pThis->GetInterface(&riid))
??{
????TRACE("Requested interface is not supported./n");
????return E_NOINTERFACE;
??}

??// What interface is being checked out anyhow?
??OLECHAR szGUID[39];
??int i = StringFromGUID2(riid, szGUID, 39);

??if (riid == IID_IDispatch)
??{
????// Client wants to know if object is safe for scripting
????*pdwEnabledOptions = INTERFACESAFE_FOR_UNTRUSTED_CALLER;
????return S_OK;
??}
??else if (riid == IID_IPersistPropertyBag?
?????|| riid == IID_IPersistStreamInit
?????|| riid == IID_IPersistStorage
?????|| riid == IID_IPersistMemory)
??{
????// Those are the persistence interfaces COleControl derived controls support
????// as indicated in AFXCTL.H
????// Client wants to know if object is safe for initializing from persistent data
????*pdwEnabledOptions = INTERFACESAFE_FOR_UNTRUSTED_DATA;
????return S_OK;
??}
??else
??{
????// Find out what interface this is, and decide what options to enable
????TRACE("We didn’t account for the safety of this interface, and it’s one we support.../n");
????return E_NOINTERFACE;
??}??
}

STDMETHODIMP CProjectNameCtrl::XObjectSafety::SetInterfaceSafetyOptions(
????REFIID riid,?
????DWORD dwOptionSetMask,?
????DWORD dwEnabledOptions)
{
??METHOD_PROLOGUE_EX(CProjectNameCtrl, ObjectSafety)

??OLECHAR szGUID[39];
??// What is this interface anyway?
??// We can do a quick lookup in the registry under HKEY_CLASSES_ROOT/Interface
??int i = StringFromGUID2(riid, szGUID, 39);

??if (0 == dwOptionSetMask && 0 == dwEnabledOptions)
??{
????// the control certainly supports NO requests through the specified interface
????// so it’s safe to return S_OK even if the interface isn’t supported.
????return S_OK;
??}

??// Do we support the specified interface?
??if (NULL == pThis->GetInterface(&riid))
??{
????TRACE1("%s is not support./n", szGUID);
????return E_FAIL;
??}


??if (riid == IID_IDispatch)
??{
????TRACE("Client asking if it’s safe to call through IDispatch./n");
????TRACE("In other words, is the control safe for scripting?/n");
????if (INTERFACESAFE_FOR_UNTRUSTED_CALLER == dwOptionSetMask && INTERFACESAFE_FOR_UNTRUSTED_CALLER == dwEnabledOptions)
????{
??????return S_OK;
????}
????else
????{
??????return E_FAIL;
????}
??}
??else if (riid == IID_IPersistPropertyBag?
?????|| riid == IID_IPersistStreamInit
?????|| riid == IID_IPersistStorage
?????|| riid == IID_IPersistMemory)
??{
????TRACE("Client asking if it’s safe to call through IPersist*./n");
????TRACE("In other words, is the control safe for initializing from persistent data?/n");

????if (INTERFACESAFE_FOR_UNTRUSTED_DATA == dwOptionSetMask && INTERFACESAFE_FOR_UNTRUSTED_DATA == dwEnabledOptions)
????{
??????return NOERROR;
????}
????else
????{
??????return E_FAIL;
????}
??}
??else
??{
????TRACE1("We didn’t account for the safety of %s, and it’s one we support.../n", szGUID);
????return E_FAIL;
??}
}

STDMETHODIMP_(ULONG) CProjectNameCtrl::XObjectSafety::AddRef()
{
??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety)
??return (ULONG)pThis->ExternalAddRef();
}

STDMETHODIMP_(ULONG) CProjectNameCtrl::XObjectSafety::Release()
{
??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety)
??return (ULONG)pThis->ExternalRelease();
}

STDMETHODIMP CProjectNameCtrl::XObjectSafety::QueryInterface(
??REFIID iid, LPVOID* ppvObj)
{
??METHOD_PROLOGUE_EX_(CProjectNameCtrl, ObjectSafety)
??return (HRESULT)pThis->ExternalQueryInterface(&iid, ppvObj);
}

#endif // L_IMPL_OBJECTSAFETY

注意在 项目属性 / C/C++ / 预处理器 中添加预处理定义: L_IMPL_OBJECTSAFETY

#修改客户端注册表

如果控件为实现 IObjectSafety 接口,那么浏览器会进一步调用 ICatInformation::IsClassOfCategories 查询系统注册表HKEY_CLASSES_ROOT/Component Categories/{..catid...},检查控件是否支持给定的组件种类(Compnent Category)。


将控件声明为脚本安全的技巧screen.width-300)this.width=screen.width-300" align=center border=0>


如果控件已经使用“组建类管理器(Component Categories Manager )”将自身注册为安全则不再进行提示。

为了在注册表中创建正确的组件类型子键,通常要实现以下三个步骤:

创建“组建类管理器(Component Categories Manager )”的实例并获取 ICatRegister 接口指针;
实例化 CATEGORYINFO 结构并填充适当的成员;
以 CATEGORYINFO 地址为参数调用 ICatInformation::IsClassOfCategories 。
在 MFC ActiveX 控件项目的 stdafx.h中添加 #include <objsafe.h> (有可能需要comcat.h头文件)。
然后在 APP 类的实现文件中(ProjectName.cpp)添加如下函数:

//ProjectName.cpp

const GUID CDECL CLSID_SafeItem =
????{ 0x3B43D84B, 0x05BE, 0x4CB3, { 0xB6, 0x82, 0xE1, 0x60, 0xC3, 0x8B, 0xA0, 0x88 } };
// 注意这个GUID一定要与控件的CLSID相同!
// 不一定等于该文件中的 const GUID CDECL BASED_CODE _tlid

// 版本控制
const WORD _wVerMajor = 1;
// 次版本号
const WORD _wVerMinor = 0;

// ... InitInstance() 和 ExitInstance()

// 创建组件种类
HRESULT CreateComponentCategory(CATID catid, WCHAR* catDescription)
{
??ICatRegister* pcr = NULL ;
??HRESULT hr = S_OK ;

??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,?
??????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
??if (FAILED(hr))
????return hr;

??// Make sure the HKCR/Component Categories/{..catid...}
??// key is registered.
??CATEGORYINFO catinfo;
??catinfo.catid = catid;
??catinfo.lcid = 0x0409 ; // english

??// Make sure the provided description is not too long.
??// Only copy the first 127 characters if it is.
??int len = wcslen(catDescription);
??if (len>127)
????len = 127;
??wcsncpy(catinfo.szDescription, catDescription, len);
??// Make sure the description is null terminated.
??catinfo.szDescription[len] = ’/0’;

??hr = pcr->RegisterCategories(1, &catinfo);
????pcr->Release();

??return hr;
}

// 注册组件种类
HRESULT RegisterCLSIDInCategory(REFCLSID clsid, CATID catid)
{
??// Register your component categories information.
??ICatRegister* pcr = NULL ;
??HRESULT hr = S_OK ;
??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,?
????????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
??if (SUCCEEDED(hr))
??{
??? // Register this category as being "implemented" by the class.
??? CATID rgcatid[1] ;
??? rgcatid[0] = catid;
??? hr = pcr->RegisterClassImplCategories(clsid, 1, rgcatid);
??}
??if (pcr != NULL)
????pcr->Release();
??return hr;
}

// 卸载组件种类
HRESULT UnRegisterCLSIDInCategory(REFCLSID clsid, CATID catid)
{
??ICatRegister* pcr = NULL ;
??HRESULT hr = S_OK ;

??hr = CoCreateInstance(CLSID_StdComponentCategoriesMgr,?
??????NULL, CLSCTX_INPROC_SERVER, IID_ICatRegister, (void**)&pcr);
??if (SUCCEEDED(hr))
??{
??? // Unregister this category as being "implemented" by the class.
??? CATID rgcatid[1] ;
??? rgcatid[0] = catid;
??? hr = pcr->UnRegisterClassImplCategories(clsid, 1, rgcatid);
??}

??if (pcr != NULL)
????pcr->Release();

??return hr;
}

STDAPI DllRegisterServer(void)
{
??HRESULT hr;

??AFX_MANAGE_STATE(_afxModuleAddrThis);

??if (!AfxOleRegisterTypeLib(AfxGetInstanceHandle(), _tlid))
????return ResultFromScode(SELFREG_E_TYPELIB);

??if (!COleObjectFactoryEx::UpdateRegistryAll(TRUE))
????return ResultFromScode(SELFREG_E_CLASS);

??// 标记控件初始化安全.
??// 创建初始化安全组件种类
??hr = CreateComponentCategory(CATID_SafeForInitializing,
??????? L"Controls safely initializable from persistent data!");
??if (FAILED(hr))
????return hr;
??// 注册初始化安全
??hr = RegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForInitializing);
??if (FAILED(hr))
????return hr;

??// 标记控件脚本安全
??// 创建脚本安全组件种类?
??hr = CreateComponentCategory(CATID_SafeForScripting, L"Controls safely scriptable!");
??if (FAILED(hr))
????return hr;
??// 注册脚本安全组件种类
??hr = RegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForScripting);
??if (FAILED(hr))
????return hr;

??return NOERROR;
}

STDAPI DllUnregisterServer(void)
{
??HRESULT hr;

??AFX_MANAGE_STATE(_afxModuleAddrThis);

??if (!AfxOleUnregisterTypeLib(_tlid, _wVerMajor, _wVerMinor))
????return ResultFromScode(SELFREG_E_TYPELIB);

??if (!COleObjectFactoryEx::UpdateRegistryAll(FALSE))
????return ResultFromScode(SELFREG_E_CLASS);

??// 删除控件初始化安全入口.
??hr=UnRegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForInitializing);
??if (FAILED(hr))
????return hr;
??// 删除控件脚本安全入口
??hr=UnRegisterCLSIDInCategory(CLSID_SafeItem, CATID_SafeForScripting);
??if (FAILED(hr))
????return hr;

??return NOERROR;
}?

MSDN示例: [ Safectl.rar ]
 
 

本文地址:http://www.45fan.com/a/question/69292.html
Tags: 怎样 控件 声明
编辑:路饭网
关于我们 | 联系我们 | 友情链接 | 网站地图 | Sitemap | App | 返回顶部