This topic gives information about security approach used during Image Uploader development.
During the development of Image Uploader Aurigma took care of avoiding any potential security problems. As Image Uploader is a software which is installed from the web, neglecting these problems might lead to security holes. For this reason any feature that could potentially cause security risks was rejected.
If any security holes in the Image Uploader are found, all the customers are immediately informed about possible issues and the problem is fixed as soon as possible.
Those customers, who would like to make sure whether the code safety is ok themselves, can purchase the Image Uploader source code. In addition to security audit these customers can carry out customization. Please contact Aurigma sales department if you are interested.
The main principle of Image Uploader architecture is a sandbox. It means that Image Uploader API does not provide any access to the file system or other resources. Unlike some competing uploading components, Image Uploader does not have such unsafe features as the ability to get a list of files in a given folder or add files to the upload list via client scripts, etc. These features would allow malicious persons to steal files from those computers where Image Uploader is installed.
Image Uploader requires the user to carry out all potentially dangerous operations through the user interface. None of such operations can be done without user's knowledge.
Image Uploader does provide an access to the list of files which are already choosen by the user for the upload. However, it does not compromise security, because the user adds these files to the upload list manually.
By the way, similar functionality is available in Internet Explorer: you can get
a name of the file opened in the standard
<input type="file">
element.
Some people are worried about low safety of the ActiveX technology against high safety of Java applets. Sometimes they ask whether the Java version of Image Uploader is more secure than the ActiveX one.
The answer is NO. To be able to work with files on a local machine, the Java applet has to go out from Java sandbox (in other words, make the security level the same as in ActiveX). This way using Java applets for uploading would not bring any security benefits.