  1. #1 Markdidj (Join Date: Sep 2002; Location: Bournemouth, South UK; Posts: 1,551)

    What's the problem with file preview?

    In IE, a little bit of code can be added to a file input so as to allow previewing, i.e.:
    Code:
    <input type="file" onblur="document.getElementsByTagName('img')[0].src=this.value">
    I would just like to know why it is not possible in other browsers.
    LiveScript: Putting the "Live" Back into JavaScript
    if live output_as_javascript else output_as_html end if

  2. #2 AutisticCuckoo (SitePoint Author; Join Date: Nov 2004; Location: Ankh-Morpork; Posts: 12,158)
    For security reasons. What if a nefarious individual put in a pre-populated file selector that uploads your password file, and then hid it with CSS?

    The receiving application doesn't need to know the exact path on the client's computer. It will receive the file data in the POST request; anything else is the user's own business.
    Birnam wood is come to Dunsinane
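    As an added illustration of the point in this reply (example code, not from either poster), the JavaScript below shows what an upload handler actually needs from the client's file input value, what a full client path would have given away instead, and how a preview can be done without any path at all. Modern browsers hand scripts only "C:\fakepath\<name>" as the input's value and expose the selected file as a File object; the function names and the element objects passed in are assumptions for this example.

```javascript
// Added example, not code from the thread. Server side: reduce whatever the
// client sent as a "filename" to a bare name that can never become a path.
// Browsers now send only "C:\fakepath\<name>", but a server must not rely on that.
function safeUploadName(clientValue) {
  // Take the segment after the last slash or backslash, whichever was used.
  const base = String(clientValue).split(/[\\/]/).pop() || "";
  // Reject empty and dot-only names outright.
  if (base === "" || base === "." || base === "..") return "upload";
  // Keep letters, digits, dot, dash and underscore; replace anything else.
  const cleaned = base.replace(/[^A-Za-z0-9._-]/g, "_");
  // Strip leading dots so the stored file is never a hidden/dot file.
  return cleaned.replace(/^\.+/, "") || "upload";
}

// What a leaked full path would reveal: only the client's directory layout,
// which the upload never needs (the thread's own C:\Inetpub\wwwroot example
// is the kind of thing this exposes). Returned here purely to show the risk.
function leakedDirectory(clientValue) {
  const parts = String(clientValue).split(/[\\/]/);
  parts.pop(); // discard the file name itself
  return parts.join("\\");
}

// Browser side: preview the chosen image from the File object, no path needed.
// inputEl and imgEl are assumed to be an <input type="file"> and an <img>.
// Returns true when a preview was set, false when nothing suitable was chosen.
function previewSelectedImage(inputEl, imgEl) {
  const file = inputEl.files && inputEl.files[0];
  if (!file || typeof file.type !== "string" || !file.type.startsWith("image/")) {
    return false;
  }
  // Release a previous object URL before replacing it.
  if (typeof imgEl.src === "string" && imgEl.src.startsWith("blob:")) {
    URL.revokeObjectURL(imgEl.src);
  }
  imgEl.src = URL.createObjectURL(file);
  return true;
}

// Constructed sample values, as a browser or a tampered client might send them.
const SAMPLE_VALUES = [
  "C:\\fakepath\\photo.jpg",
  "C:\\Inetpub\\wwwroot\\default.asp",
  "/home/user/../../etc/passwd",
  "..\\..\\evil name.txt",
];

for (const v of SAMPLE_VALUES) {
  console.log(JSON.stringify(v), "->", safeUploadName(v), "| directory leaked:", leakedDirectory(v) || "(none)");
}
```

    Note that safeUploadName is the only part of this a server should ever call; leakedDirectory exists to make visible what the old IE behaviour handed to any script on the page.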

  3. #3 Markdidj
    But even with IE it can't be pre-populated anyway. It can only be read. Or am I wrong in this presumption?

  4. #4 AutisticCuckoo
    It's still a security risk to expose the client's full pathname, even if the property is read-only.

  5. #5 Markdidj
    Ah, gotcha. So I could populate another text field with the file input's value, thus knowing where that file is based on their computer. So if the file was from C:\Inetpub\wwwroot\etc I would know that the user may be running IIS, and with the IP address I could see the rest of the directory if they haven't denied it. Thanks, AutisticCuckoo.

  6. #6 Markdidj
    So, I've been thinking of this a bit more.

    If it is such a threat, why hasn't Microsoft stopped its use?

    It seems I could only get my files if I had IIS running, my firewall was turned off, and the entered file was from my wwwroot directory (or other root). If the file was an asp file, it would only show the output and not the actual file.

    I'm sure the operating system always defaults to being installed on the C drive, so wouldn't default system files always be placed in the same location? If it were possible to download users' system files, surely it would be easier to guess the location than to use a file input box.

    I still don't see where the problem lies.

    Enlighten me please...
