Calling a program on the client hard drive

3429 views
Skip to first unread message

bgauthier

unread,
Oct 27, 2006, 3:00:59 PM10/27/06
to
I am developing an HTML-based application which requires launching a
Perl program (or another kind of executable) from the Web client hard
drive. This application will initiate monitoring of a phone line on an
Asterisk server and it will start a VNC session.

Browsers are normally banned from launching local programs. Can this be
circumvented in Firefox?

Any pointer is welcome. Please e-mail me directly, in addition to
posting on this list.

Thanks in advance.

Benoît Gauthier
gaut...@circum.com

Nickolay Ponomarev

unread,
Oct 27, 2006, 3:11:11 PM10/27/06
to bgauthier, dev-ext...@lists.mozilla.org
On 27 Oct 2006 12:00:59 -0700, bgauthier <gaut...@circum.com> wrote:
> I am developing an HTML-based application which requires launching a
> Perl program (or another kind of executable) from the Web client hard
> drive. This application will initiate monitoring of a phone line on an
> Asterisk server and it will start a VNC session.
>
> Browsers are normally banned from launching local programs. Can this be
> circumvented in Firefox?
>
For a regular web page, no. It is possible to write an extension that
provides this functionality to selected web pages, though.

Nickolay

bgauthier

unread,
Oct 27, 2006, 3:15:08 PM10/27/06
to
Nickolay Ponomarev wrote:
> For a regular web page, no. It is possible to write an extension that
> provides this functionality to selected web pages, though.

Nickolay:

you are correct: this would be used on one specific page of my
application, not on a general public page.

Does such an extension exist? If no, where would one start to develop
such an extension?


Benoît Gauthier

Nickolay Ponomarev

unread,
Oct 27, 2006, 3:40:39 PM10/27/06
to bgauthier, dev-ext...@lists.mozilla.org
I don't think such extension exists; you can easily write one though.
Introduction to extensions:
http://developer.mozilla.org/en/docs/Building_an_Extension
Quickstart wizard: http://ted.mielczarek.org/code/mozilla/extensionwiz/
Running applications: http://kb.mozillazine.org/Running_applications
Catching an event in dispatched by a webpage:
http://forums.mozillazine.org/viewtopic.php?p=1005555#1005555

Alternatively there's a way to grant advanced privileges to -signed-
pages. I don't remember much about it.

Nickolay
>
> Benoît Gauthier
>
> _______________________________________________
> dev-extensions mailing list
> dev-ext...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-extensions
>

Eric H. Jung

unread,
Oct 27, 2006, 5:12:02 PM10/27/06
to dev-ext...@lists.mozilla.org
Actually, you don't have to do this in an extension, although that probably is the most user-friendly way. You *can* do it right from a web page if the user grants permissions. Try this (obviously it won't work in IE):

<html>

<head>

<title>Execute Any Process</title>

<script>

function executeFile() {

netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");

var nsIFilePicker = Components.interfaces.nsIFilePicker;

var fp =
Components.classes["@mozilla.org/filepicker;1"].createInstance(nsIFilePicker);

fp.init(window, "Select a File To Execute", nsIFilePicker.modeOpen);

fp.appendFilters(nsIFilePicker.filterAll);

var res = fp.show();

if (res == nsIFilePicker.returnOK) {

var process =
Components.classes["@mozilla.org/process/util;1"]
.createInstance(Components.interfaces.nsIProcess);

process.init(fp.file);

process.run(false, null, 0);

}

}

</script>

</head>

<body>

<input type="button" value="Run a process" onclick="executeFile()"/>

</body>

</html>

I've posted a more elaborate version that handles non-executable filetypes (e.g., .jpg) here:

http://pastebin.mozilla.org/1066

When using these scripts, the user is prompted by Firefox/Mozilla/SeaMonkey to grant permissions that allow the scripts to do nefarious things to his computer. Therefore, you might consider signing the script so the user knows it hasn't been tampered with, say, a man-in-the-middle attack:

http://www.mozilla.org/projects/security/components/jssec.html

Also consider hosting the scripts on an SSL-secured page.

Regards,

Eric
Jung

----- Original Message ----

From: bgauthier <gaut...@circum.com>

To: dev-ext...@lists.mozilla.org

Sent: Friday, October 27, 2006 3:15:08 PM

Subject: Re: Calling a program on the client hard drive

Nickolay Ponomarev wrote:

> For a regular web page, no. It is possible to write an extension that

> provides this functionality to selected web pages, though.

Nickolay:

you are correct: this would be used on one specific page of my

application, not on a general public page.

Does such an extension exist? If no, where would one start to develop

such an extension?

Benoît Gauthier

Message has been deleted

bgauthier

unread,
Oct 27, 2006, 5:39:54 PM10/27/06
to
I am developing an HTML-based application which requires launching a
Perl program (or another kind of executable) from the Web client hard
drive. This application will initiate monitoring of a phone line on an
Asterisk server and it will start a VNC session.

Browsers are normally banned from launching local programs. Can this be
circumvented in Firefox?

Any pointer is welcome. Please e-mail me directly, in addition to

Eric H. Jung

unread,
Oct 27, 2006, 5:46:34 PM10/27/06
to dev-ext...@lists.mozilla.org

http://pastebin.mozilla.org/1066

http://www.mozilla.org/projects/security/components/jssec.html

Regards,

Eric
Jung

----- Original Message ----

From: bgauthier <gaut...@circum.com>

To: dev-ext...@lists.mozilla.org

Nickolay Ponomarev wrote:

Nickolay:

such an extension?

Benoît Gauthier

_______________________________________________

dev-extensions mailing list

dev-ext...@lists.mozilla.org

https://lists.mozilla.org/listinfo/dev-extensions

Thanks in advance.

Benoît Gauthier
gaut...@circum.com

_______________________________________________

Nickolay Ponomarev

unread,
Oct 27, 2006, 5:47:06 PM10/27/06
to Eric H. Jung, gaut...@circum.com, dev-ext...@lists.mozilla.org
On 10/28/06, Eric H. Jung <eric...@yahoo.com> wrote:
> Actually, you don't have to do this in an extension, although that probably is the most user-friendly way. You *can* do it right from a web page if the user grants permissions. Try this (obviously it won't work in IE):
>
Right, I mentioned that. Here are pointers to more information:
http://www.mozilla.org/projects/security/components/signed-scripts.html
http://www.mozilla.org/projects/security/components/signed-script-example.html
(doesn't work - https://bugzilla.mozilla.org/show_bug.cgi?id=358436 )

Note that it requires you to
a) sign the JAR
b) serve the JAR over HTTPS
c) use enablePrivilege, which shows a confirmation dialog to the user
before your script can run with elevated privileges.

I think that going the extension route is simpler and results in
better user experience, especially since you already install
executables on user's machine.

If it's everything you need from the extension, I'll consider writing
it for you (it's pretty simple). I'll contact you off-list.

Nickolay

bgauthier

unread,
Nov 1, 2006, 6:01:54 AM11/1/06
to
Nickolay (Ponomarev) wrote an extension to my specifications. It is
found at

http://circum.com/startalocalprogram.html

Called "StartALocalProgram", the extension accepts two parameters in
the options: the location of the Perl interpreter on the local computer
and the location of the Perl script to run.

One can run any other program by leaving the Perl interpreter field
blank and entering the full path of the program to run in the second
option box.

Enjoy.

Benoît Gauthier

miles zarathustra

unread,
Nov 3, 2006, 4:25:27 PM11/3/06
to
Nickolay Ponomarev wrote:

> On 10/28/06, Eric H. Jung <eric...@yahoo.com> wrote:
>> Actually, you don't have to do this in an extension, although that
>> probably is the most user-friendly way. You *can* do it right from a web
>> page if the user grants permissions. Try this (obviously it won't work in
>> IE):
>>
> Right, I mentioned that. Here are pointers to more information:
> http://www.mozilla.org/projects/security/components/signed-scripts.html
>

The links to the SignTool application from this page are broken.
Is this page even being maintained?

> Note that it requires you to
> a) sign the JAR
> b) serve the JAR over HTTPS
> c) use enablePrivilege, which shows a confirmation dialog to the user
> before your script can run with elevated privileges.
>

Yowch!


Nickolay Ponomarev

unread,
Nov 3, 2006, 4:40:37 PM11/3/06
to miles zarathustra, dev-ext...@lists.mozilla.org
You should file a bug about that.

analu...@gmail.com

unread,
Jan 7, 2013, 5:57:53 PM1/7/13
to dev-ext...@lists.mozilla.org
Hello, Eric!

I have the same issue that you had looong time ago.
I have tried your solution, but found that from Firefox 15 this cannot be done (no way to enable privileges on UniversalXPConnect).
Have you have an updated solution to this?

Thank you very much!

Ana.

zeinea...@gmail.com

unread,
Jun 18, 2014, 11:23:04 AM6/18/14
to
Hello, Anna
I have the same issue , have you found a soluttion?
thanks
zeine
Reply all
Reply to author
Forward
0 new messages