What is the best way to check if a URL is valid in c?
i am launching url using windows api (ShellExecute) and it always launches default web browser, whether url is right or wrong.
I'm not concerned about establishing a connection, just validity. Is there a method for this?
You may want to use PathIsURL function from the Windows API.
Related
I'm trying to write a VSCode extension where users could log into Google AppEngine with a google account, and I need to get their SACSID cookie to make appengine requests.
So I'm opening a browser window at
https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttp://localhost:3000/
(generated by google.appengine.api.users.create_login_url)
The user logs in and is redirected to my local webserver at
localhost:3000/_ah/conflogin/?state={state}
Now I try to forward the request to my AppEngine app (since it knows how to decode the state parameter), so I do a request to
https://my-app.appspot.com/_ah/conflogin/?state={state}
basically just replacing localhost with the actual app.
but it doesn't work, presumably because the domain is different. I assume this is on purpose, for security.
Is there any way I can make this work ?
Not ideal, but the only solution I've found is to have an endpoint on my GAE instance that does the redirection. Then I can set that as the continue url, when I'm starting the authentication process
https://accounts.google.com/ServiceLogin?service=ah&passive=true&continue=https://appengine.google.com/_ah/conflogin%3Fcontinue%3Dhttps://my-app.appspot.com/redirect?to=http://localhost:3000
I think you should center the attention on the protocols you are using, since it’s known that the cookie name is based on the http protocol (HTTP : ACSID, HTTPS:SACSID), and that’s the security perspective till this point for me.
Having the error you are facing now would be helpful to understand the problem better. Also, how are you performing the call to the API and the code you are using would be helpful too.
To handle windows authentication, one way to handle such scenario is by passing credentials in URL itself as shown below :
driver.get('http://domain\username:password#abc.com')
my user name contains a domain ex. domain\Username. However, when i pass https://domain\username:password#example.com URL it gets converted to '/'. I am using C# selenium bindings. Please suggest a solution to get this working.
You need to replace any special character using its ASCII value .
For \ , it's 092
Also, I believe browsers have dropped support for this syntax of passing credentials along with url and i am sure it won't work if you are using latest browser version of chrome/firefox.
You should instead allow browser to show credential alert and handle it using selenium.
IAlert alert = webDriver.SwitchTo().Alert();
alert.SetAuthenticationCredentials(userId,password);
alert.Accept(); //not sure if this line is required.
We have a web app which is HTML/AngularJS on the front-end and uses MS Web API on the background. We require the use of HTTPS for security reasons. Every article I've read about using plaintext passwords and how to login basically comes down to "just use HTTPS and everything will be secure".
Recently, we were testing the app in-house and the Web API service was accidentally down when the QA person was trying to login. What happened next is what you see in the image below. The password was shown in plain text in the browser. QA, my boss, the company, God and everyone in America is "having a cow" because of this.
The message being displayed in the browser isn't something I coded, it appears that it is part of AngularJS which is trying to do me a favor by showing me a failed API call and what object it was trying to pass to the API. In which case, it makes sense (I think) that Angular has that information.
Can anyone please help me understand what happened here? And what is considered the proper way to address this? I assume I can add some JavaScript code to encrypt the password on the client side first, but that also seems like it would be super easy for a hacker to intercept on the client side. So what's the correct approach to take to keep things secure on the client?
What happened is that the user (you) and the browser (on your machine) live in the same trust boundary.
You just typed that password into the browser. The browser only hides it in the input box to prevent shoulder-surfing. The browser does not really attempt to hide something you just typed in from you.
If you open dev tools in the browser, you can see anything that is sent over the wire in the HTTP protocol. Anyone outside your trust boundary cannot see this because the HTTPS protocol encrypts anything on the wire.
its hard to tell without looking on the code, but I found the similar issue :
app.config(['$qProvider', function ($qProvider) {
$qProvider.errorOnUnhandledRejections(false);
}]);
I have built a controller that is uses the media view to stream videos to users. When someone accesses the controller from an iOS device, the user agent being sent is not matching and the session logs out.
I am using the iPad plugin for Flow Player and I have seen other posts about flash not sending the correct user agent strings, so instead of messing with that, I'd like to disable Session.checkAgent for that specific action. I have tried adding it to beforeFilter(), but the check clearly happens before that point.
Is there some other method I can override to implement this?
I haven't tested it, but if you know (part of) the URL, you can check the $_GET['url'] inside your app/Config/core.php and modify the session configuration based upon its value, For example, $_GET['url'] starts with '/videos/view'.
You need to do this inside the configuration file, otherwise the session is already started as you already discovered.
Note that $_GET['url'] is only used in older versions of CakePHP. For newer versions of CakePHP, you may need to user $_SERVER['REQUEST_URI'] or another $_SERVER environment variable.
I'm working on a Windows Phone 7 application that makes a REST service call. The third party that hosts the web services has an invalid certificate in the current environment. When I hit the URL in Firefox, I get a warning about the cert and I am asked if I want to continue. I'm also using the Poster FF extension to test the call. It works with Poster if I first accept the invalid cert in Firefox. If I don't, then POSTER wont make the request.
In my WP7 Emulator, I can't make the request at all. I get a 404 at the EndGetResponse method. I making the same request as in Poster, so I know there is nothing wrong with the request. I have successfully hit another web service using the same code (no certs involved), so I don't think it's the code. The only thing I can think of is that WP7 doesn't allow requests to an invalid cert. Has anyone had experience with this situation? Is there any way around it?
Is there a way I can tell my app to accept all communication, even if there is an invalid cert?
There is sadly no way to do this on the phone. Ordinarily, i.e. on the desktop this simple line of code will disable certificate checking.
System.Net.ServicePointManager.ServerCertificateValidationCallback = (se, cert, chain, sslError) => { return true; };
If you look at the ServicePointManager on the phone, there's no callback to hook into. It's a massive pain in the arrrrse.
Have you considered writing to the service owner and asking why they're being bad internet citizens? (essentially, what you're seeing here is web security in action, for better or worse)
As Matt says, you might be able to code a simple relay on a web server. It doesn't have to be a special service, but maybe just a web page that does the call for you and spits out RAW text or XML. Your phone client just GETs this page and picks through the response manually.
Where there's a will there's a way.
Luke
You need to install the root CA cert of the issuing party on the phone.
You can do this by emailing the RootCA to the user of the phone. They click on the attachement and it will prompt them to ask if they want to install the certificate on the phone.
Once you have done that your requests should go through.
I dont believe there is a way to do this programatically in your app however.
I'm not aware of a way to install additional certificates on the phone.
In this situation I'd create a proxy service between your app and the 3rd party site and have your app call that. If you need to, you could put the proxy behind a valid cert.