Re: Testing a file-type input element



Chris Morris scribed:

> Ed Jay <edMbj@xxxxxxxxxxxx> writes:
>> I'm not sure it's involuntarily accessing the file system. The user selects
>> a filename...I would think there's some client-side manner to ascertain what
>> the filename selected is, or whether one was selected at all. It's trivial
>> to do it serverside.
>
> That's not necessarily true. The web browser sends a comment that
> usually looks somewhat like a filename, yes, but it needn't be the
> filename that the file had on the user's filesystem (indeed, in some
> cases with automated HTTP requests, the file may never actually exist
> on any filesystem).

It's absolutely true in my specific case.

My users focus a camera image on-screen and press a key that takes a
snapshot of the screen and auto-saves the image to a known folder. They can
snap/save from one to up to five screens...it's arbitrary. The user is given
'n' file input elements and asked to select the files for uploading.
Example: The user snaps/saves three screens, so three file input elements
are printed. When the user is finished, he presses a button and the form is
submitted to a server side script (CGI) that uploads the files. The issue
may arise when the user inadvertently submits the form without selecting all
files for uploading.

I can test for an empty file form element name at the server side script,
but I want to do it client side, before the form is submitted to the server.

> Certainly major browsers differ in whether the full filesystem path is
> sent to the server or not, for example.

Irrelevant, or at least unimportant in my specific case.

> As far as client-side security goes:
> http://www.securityfocus.com/archive/82/436876/30/150/threaded
> is an interesting bug that involved messing around with browser focus
> to get the user to upload a file of your choice to you. Consider how
> much easier that would have been to exploit if Javascript had direct
> access to the contents of the file field and it's understandable that
> browsers generally don't (unfortunately at the time that bug was
> reported they hadn't considered that they shouldn't let you focus a
> file field either).
--
Ed Jay (remove 'M' to respond by email)
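The client-side check Ed is asking for, as an added example that is not part of the original thread or anyone's posted code: a submit handler that refuses to send the form while any file input is still empty. It assumes a form with the hypothetical id "snapshots" containing the 'n' file inputs; the sample inputs in the comments (names like shot1, a `C:\fakepath\` value) are constructed. The check only guards against an accidental incomplete submission; as Chris points out, the filename string the browser sends is chosen by the client, so the server-side test Ed already has must stay.

```javascript
// Added example (not from the original thread): stop a form submit while
// any <input type="file"> has no selection. Script does not see file
// contents, only whether a selection exists and a browser-chosen name.

// Pure helper, kept DOM-free so it can be tested outside a browser.
// Each element of `inputs` is file-input-like: a `name`, an optional
// `files` list (modern browsers expose FileList) and a `value` string
// (older browsers; may be a basename or a full path, browser-dependent).
function findEmptyFileInputs(inputs) {
  const missing = [];
  inputs.forEach((input, index) => {
    const hasFiles = input.files ? input.files.length > 0 : false;
    const hasValue = typeof input.value === 'string' && input.value.trim() !== '';
    if (!hasFiles && !hasValue) {
      // Fall back to a positional label when the input has no name.
      missing.push({ index, name: input.name || `file${index + 1}` });
    }
  });
  return missing;
}

// Reduce whatever path the browser chose to send to its last component.
// Only useful for display; it is still an untrusted, client-supplied string.
function displayName(value) {
  return String(value || '').split(/[\\/]/).pop();
}

// DOM wiring. Returns true when the submit may proceed.
function validateSnapshotForm(form) {
  const inputs = Array.from(form.querySelectorAll('input[type="file"]'));
  const missing = findEmptyFileInputs(inputs);
  if (missing.length === 0) return true;
  const labels = missing.map(m => m.name).join(', ');
  alert(`Please select a file for: ${labels}`); // hypothetical UI message
  return false;
}

// Attach to the hypothetical form id "snapshots" when running in a browser.
if (typeof document !== 'undefined') {
  const form = document.getElementById('snapshots');
  if (form) {
    form.addEventListener('submit', (event) => {
      if (!validateSnapshotForm(form)) event.preventDefault();
    });
  }
}
```

Design note: the handler checks `files.length` first and falls back to `value` only for browsers that do not expose a FileList, and it never parses the path, because the same field can hold a bare basename, a full path, or a placeholder such as `C:\fakepath\` depending on the browser.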