[ANN] A 6 MB SqueakPlugin.image

Here you could see running on Explorer on my Mac.
Also run in Firefox, Safari and iCab

Now I wish know if someone know how modify the following and someone could
use this image remote via Browser

<EMBED
    type="application/x-squeak-source"
    ALIGN="CENTER"
    WIDTH="800"
    HEIGHT="600">
</EMBED>

Very thanks !!!

Edgar

Lic. Edgar J. De Cleene wrote:
> Here you could see running on Explorer on my Mac.
> Also run in Firefox, Safari and iCab
>
> Now I wish know if someone know how modify the following and someone could
> use this image remote via Browser

Try this, it's a slightly stripped down version of what squeakland uses.
For this to work your image needs to replace the SqueakPlugin.image in
the squeakland installation.

Michael


<OBJECT
        ID="SqueakOCX Control"
        WIDTH=1024 HEIGHT=768
        ALIGN=center BORDER=2
        CLASSID="CLSID:2BE9C39E-8386-4435-B337-FCDAD8EAB006"
        CODEBASE="http://www.squeakland.org/installers/SqueakPluginInstaller.exe">
<embed
        type="application/x-squeak-source"
        ALIGN="CENTER"
        WIDTH="1024"
        HEIGHT="768"
        pluginspage="http://www.squeakland.org/detect.html"
        update_url="http://www.squeakland.org/update/"
        ></embed>
</OBJECT>

And alternatively speciy a different image via the "imageName" parameter
(same goes for "vmName" btw):

> <OBJECT
>     ID="SqueakOCX Control"
       imageName="MySqueak.image"
>     WIDTH=1024 HEIGHT=768
>     ALIGN=center BORDER=2
>     CLASSID="CLSID:2BE9C39E-8386-4435-B337-FCDAD8EAB006"
>     CODEBASE="http://www.squeakland.org/installers/SqueakPluginInstaller.exe">
>
> <embed
>     type="application/x-squeak-source"
       imageName="MySqueak.image"
>     ALIGN="CENTER"
>     WIDTH="1024"
>     HEIGHT="768"
>     pluginspage="http://www.squeakland.org/detect.html"
>     update_url="http://www.squeakland.org/update/"
>     ></embed>
> </OBJECT>
>
>

Andreas Raab puso en su mail :
Very thanks Andreas.

Your example is what I see when I first run the actual oficial
SqueakPlugin.image and look the show source in browser.

But what I asking is.

How I could have MySqueak.image and you (other person) could use via web ?

Today I have http://201-212-99-13.cab.prima.net.ar:8888 for running my
swikis, what wish know is the setup for MySqueak.image and the html code.

That way you (other person) don't need install any Squeak, only type
 http://201-212-99-13.cab.prima.net.ar/RemoteSqueak or similar

Very thanks !

Edgar





       
       
               
___________________________________________________________
1GB gratis, Antivirus y Antispam
Correo Yahoo!, el mejor correo web del mundo
http://correo.yahoo.com.ar 

Lic. Edgar J. De Cleene wrote:
> Your example is what I see when I first run the actual oficial
> SqueakPlugin.image and look the show source in browser.
>
> But what I asking is.
>
> How I could have MySqueak.image and you (other person) could use via web ?

Not automatically, and quite deliberately so because of security
concerns. Silently downloading and running an image via the plugin would
make your users vulnerable to all sorts of nasty attacks. You will have
to convince your users to download and install the image you'd like them
to use first.

> Today I have http://201-212-99-13.cab.prima.net.ar:8888 for running my
> swikis, what wish know is the setup for MySqueak.image and the html code.
>
> That way you (other person) don't need install any Squeak, only type
>  http://201-212-99-13.cab.prima.net.ar/RemoteSqueak or similar.

Well, the plugin won't do that for you. It allows you to use any image
file that your user has previously installed but it will not download
and install an image.

Cheers,
   - Andreas

Michael Rueger puso en su mail :

> Try this, it's a slightly stripped down version of what squeakland uses.
> For this to work your image needs to replace the SqueakPlugin.image in
> the squeakland installation.
>
> Michael
Very thanks and again thanks to Andreas.

But maybe I explain what I wish bad.

I have the image working nicely as I said in first mail with picture what
proves it and now thanks Andreas I know I could change the name from
SqueakPlugin.image to XYZ.image.

Also I know I need a "special VM" what is double size as many Johns's images
what I test and have.

Again the question:

Suppose another person wish use this image remote via web what should be the
html script ?

He/she do not should download any, only should know a html path like
http://201-212-99-13.cab.prima.net.ar/RemoteSqueak or similar.

All this is for a game what we wish share with minimal troubles for non
Squeakers.

Also I could appreciate how  do something similar to

<html>
<HEAD>
<TITLE>XY Coordinates</TITLE>

<SCRIPT Language = javascript>

function XYpos() {
xPos = event.screenX
yPos = event.screenY
alert(xPos + " left " + yPos + " down")
}
</Script>
</HEAD>
<BODY onMouseDown = XYpos() bgcolor = white>
<h3 align="center">Click your mouse anywhere on the screen </h3>
</html>

If I serve that page via HttpView (what at present I using for this game) ,
how I could pass x and y coordinates to Squeak ?

That way only what I need is do Display asWebimage to browser and capture
the clicks and pass to Squeak.

Only one image in one server. Client don't need more info what a valid url.

Again , very, very thanks

Edgar




       
       
               
___________________________________________________________
1GB gratis, Antivirus y Antispam
Correo Yahoo!, el mejor correo web del mundo
http://correo.yahoo.com.ar 

And also:

failureURL="http://www.whereYouCanFindAnInstallerForTheMissingImage.com"


Cheers,

-- Diego

To All what kindly help me.

ma := ModuleAssembly core.
    ma
        alias: '/d'
        to: [ma
                addPlug: [:request | HttpResponse fromString: '<html>
<HEAD><p>Choose a point on the map:</p></HEAD>
<form>
<input type=image name=point src=
"http://201-212-99-13.cab.prima.net.ar/TEG.jpg" align= "center"
width="750" height="490" border="0"
</form>']].
    ma
        addPlug: [:request |
            self halt.
            HttpResponse fromString: 'This is the default
content'].
    ^ service := (HttpService startOn: 8420 named: 'TEG')
                plug: ma rootModule

And see attached picture.
This time I test in Firefox, what when click said something like
http://localhost:8420/d?point.x=388&point.y=88

And what I could have in get and pass to Squeak

No need of contaminate Squeak with JavaScript !!!

Thanks

Edgar

Andreas Raab wrote: Andreas and all,

I tried to point to another image in a web browser, but all I get is a
wide, 1 line rectangular box. Here's the html file that I have. I added
that "PARAM" from an html file on squeakland. What am I doing wrong?:

<html>
<head>
<title>Squeak Plugin Test</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#FFFFFF">
<OBJECT
ID="SqueakOCX Control"
WIDTH=1024 HEIGHT=768
ALIGN=center BORDER=2
CLASSID="CLSID:2BE9C39E-8386-4435-B337-FCDAD8EAB006"
CODEBASE="http://www.squeakland.org/installers/SqueakPluginInstaller.exe">
<PARAM name="update" value="546">
<PARAM name="pluginspage" value="http://www.squeakland.org/detect.html">
<PARAM name="update_url" value="http://www.squeakland.org/update/">
<PARAM name="apiSupported" value="true">
<PARAM name="imageName" value="/home/bfuller/Squeak3.8-6665.image">
<embed
type="application/x-squeak-source"
imageName="/home/bfuller/Squeak3.8-6665.image"
ALIGN="CENTER"
WIDTH="1024"
HEIGHT="768"
update="546"
apiSupported="TRUE"
pluginspage="http://www.squeakland.org/detect.html"
update_url="http://www.squeakland.org/update/"
></embed>
</OBJECT>
</body>
</html>


--
Brad Fuller
Sonaural Audio Studio

<http://www.oreillynet.com/pub/au/2184>

Brad Fuller wrote:

> <PARAM name="imageName" value="/home/bfuller/Squeak3.8-6665.image">

IIRC the image has to be in the same directory as the
SqueakPlugin.image, not absolute filenames, otherwise that would be a
huge security whole.

Michael

Michael Rueger wrote:
> Brad Fuller wrote:
>
>> <PARAM name="imageName" value="/home/bfuller/Squeak3.8-6665.image">
>
> IIRC the image has to be in the same directory as the
> SqueakPlugin.image, not absolute filenames, otherwise that would be a
> huge security whole.
Thanks that worked -- however it's complaining that it can't find the
changes file, but it's in the same directory, and with the same permissions.
?

On your other note: Can you explain why this is a big security risk? I
guess it's at least the known location of where npsqueak was installed
by root when the user/root downloaded the package.  But, if you're on a
system like Windows, couldn't SqueakPlugin.image be easily overwritten
by anyone?

What other issues are there with running the squeak plugin with one's
own image?  For instance, can I just change the plugin source to
download the plugin and image into a user accessible directory to allow
the user the ability to change/add/save the image?

Or maybe the initial intent of the squeak plugin was temporary -- e.g.
dnl "projects" to use per session and not save image state? A browser
doesn't really have computing accessibility - so, use the computing
power of squeak in a browser window - something you can't get with
javascript.


brad

Brad Fuller wrote:

> Thanks that worked -- however it's complaining that it can't find the
> changes file, but it's in the same directory, and with the same permissions.

> On your other note: Can you explain why this is a big security risk? I
> guess it's at least the known location of where npsqueak was installed
> by root when the user/root downloaded the package.  But, if you're on a
> system like Windows, couldn't SqueakPlugin.image be easily overwritten
> by anyone?

Hmm, take a look at the squeak.ini file, the VM is launched in a mode
with the default directory is then your My Squeak\<username> directory.
That is all part of the Squeak secure mode code.

The SqueakPlugin.image is also set so that downloading any file from the
web turns on secure mode, restricting access to your file system to the
safe directory (see above). "Normal" image don't have that, so if
somebody knows/guesses you have the Squeak3.8 image somewhere on your
filesystem they might build a squeak project launching page that guesses
  a location in your filesystem and then executes something nasty. By
restricting it to the plugin directory you need to consciously put an
image there to enable launching of other images than the squeakland image.

> What other issues are there with running the squeak plugin with one's
> own image?  For instance, can I just change the plugin source to
> download the plugin and image into a user accessible directory to allow
> the user the ability to change/add/save the image?

You can probably do that, except you are getting into all kinds of
interesting security issues as squeak project files can contain
arbitrary code.

> Or maybe the initial intent of the squeak plugin was temporary -- e.g.
> dnl "projects" to use per session and not save image state? A browser
> doesn't really have computing accessibility - so, use the computing
> power of squeak in a browser window - something you can't get with
> javascript.

The main intend was to not have the user save the image in an
unpredictable state. Actually the automatic update of squeakland does
save the image, but before the user has any chance to do anything or
before the image has downloaded anything but the updates. And the
location for the updates is hardcoded into the image. Which can of
course be defeated by DNS pollution hacks, we don't sign the updates
(which we probably should do, thinking about it...).

Michael

Michael Rueger wrote:
> The SqueakPlugin.image is also set so that downloading any file from the
> web turns on secure mode, restricting access to your file system to the
> safe directory (see above). "Normal" image don't have that, so if
> somebody knows/guesses you have the Squeak3.8 image somewhere on your
> filesystem they might build a squeak project launching page that guesses
> a location in your filesystem and then executes something nasty.

Worse than that: If you allow an absolute location, all some code needs
to do is to download an image into the accessible location and once
done, redirect the browser to a page that refers to that location (via
argument). No guessing necessary, this works simply and direct.

Cheers,
   - Andreas