Syntax - Mozilla

Ken

What is the correct syntax for fileSize in Mozilla?

This works in IE but not in Mozilla:

<input type="file" size="65" name="picture1" onchange="image_size(this.value);"
id="pt111">
<div id="image_size_display"></div>
<script type="text/javascript">
// Image size to be under max limit
function image_size(field) {
  if (document.createElement && document.getElementById) {
    var image_display = document.createElement('img');
    // The size is only known once the image has loaded, so check it here.
    image_display.onload = function() {
      // fileSize is an IE-only property of the image object.
      var im_size = image_display.fileSize;
      alert("im_size = " + im_size);
      if (im_size > 2000000) {
        alert("This picture ( file ) is greater than 2,000,000.\n\n" +
          "Select another picture or reduce the size of the picture ( file )");
      }
    };
    image_display.src = 'file://' + field;
    image_display.name = 'pict';
    image_display.alt = 'image';
    document.getElementById('image_size_display').appendChild(image_display);
  }
}
</script>

Thanks.

Ken
 
Randy Webb

Ken said:
What is the correct syntax for fileSize in Mozilla?

There isn't one.

This works in IE but not in Mozilla:

That's because the IE security model has as many holes in it as 87,000
kitchen strainers and you are exploiting one of them.
 
Ken

Randy Webb said:
There isn't one.

That's because the IE security model has as many holes in it as 87,000
kitchen strainers and you are exploiting one of them.

Randy,

What is the security problem if a program running on a personal computer
reads the file size on his/her own computer?

It saves significant time of downloading a Mb file and then ending up with
no file because the size went over the MAX_FILE_SIZE.

I appreciate the responses.

Ken
 
Grant Wagner

Andrew said:
The moment a security hole becomes 'a' problem it is sealed - generally.

The issue is with the 4,328 uses that *might* cause a security problem
as well as the two you have not discovered yet that are security problems.

The first two potential security concerns with allowing file sizes
to be read are that the author of the script can
a) analyse the local file-system, by searching for common files.

No, because the "trick" uses (new Image()).src. If you attempt to load any
file type other than an image, the onerror, not onload event gets triggered.
As a result, it's impossible to determine the size of any file type other than
real images.

<script type="text/javascript">
var loadFile = new Image();
loadFile.onload = function() {
  alert('Loaded: ' + this.fileSize);
};
loadFile.onerror = function() {
  alert('Error: ' + this.fileSize);
};
</script>
<a href="#" onclick="loadFile.src =
'c:\\windows\\web\\wallpaper\\Home.jpg';return false;">Load Home.jpg</a>
<!-- the above alerts "Loaded: 42728" (Windows XP) -->
<a href="#" onclick="loadFile.src =
'c:\\windows\\system32\\krnl386.exe';return false;">Load krnl386.exe</a>

b) Test whether 'writes' are successful, by checking a file size
before and after a write attempt.

As long as you attempt to write an actual image. And even if that succeeds,
there is no guarantee writing another type of file (or overwriting an existing
file) will work. Of course, if your script can write a file to the local file
system in the first place, I think the fact that you can read its size is
probably much, much less of a security issue.

The other 4,326 are left as an exercise for the reader.

I'm not going to argue that something I haven't thought of can't possibly be a
security issue. However, being able to retrieve the size of a file on the
local file system is not, in my mind, that large of a security issue (although
it probably shouldn't be allowed).
 
Kevin Freitas

So, for those of us in search of a way to make this happen, I offer up a
comparison: How does the "Page Info" feature in Moz/Firefox read the
page and media file sizes? I'd like to write an extension that uses this
info to provide an actual total page size.

Cheers! ~ Kevin
 
Grant Wagner

Kevin said:
So, for those of us in search of a way to make this happen, I offer up a
comparison: How does the "Page Info" feature in Moz/Firefox read the
page and media file sizes? I'd like to write an extension that uses this
info to provide an actual total page size.

An extension does not run in the sandbox provided to protect the system from
client-side JavaScript downloaded from untrusted Internet sites; it runs in
the context of a "trusted zone" where it can do anything (including writing
to the local file system).

This is equivalent to running a script in the "Local Computer zone" (and in
Windows XP Service Pack 2 agreeing to let the dynamic content load) and
using the FileSystem Object ActiveX control to manipulate the file system.

As for the requested task (determining the total page size in Gecko-based
browsers), this can not be done by a client-side JavaScript downloaded from
an untrusted Internet site in the default security environment.
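
For comparison with the thread, an added example (not code from any poster): browsers that implement the standard File API expose the size of a file the user has picked through `input.files`, without handing the script a path or access to any other file. It reuses the `pt111` id and the 2,000,000-byte limit from Ken's post; the function names and the sample objects are assumptions made for illustration, and the server still has to enforce its own limit.

```javascript
// Added example: pre-upload size check using the standard File API.
// MAX_BYTES mirrors the 2,000,000-byte limit in Ken's script.
const MAX_BYTES = 2000000;

// Takes the FileList of an <input type="file"> (or any array of objects
// with name and size) and returns one verdict per file.
function checkFiles(files, maxBytes = MAX_BYTES) {
  return Array.from(files, (f) => ({
    name: f.name,
    size: f.size,
    ok: Number.isFinite(f.size) && f.size <= maxBytes,
  }));
}

// Builds the message shown to the user, or '' when every file passes.
function rejectionMessage(verdicts, maxBytes = MAX_BYTES) {
  const tooBig = verdicts.filter((v) => !v.ok);
  if (tooBig.length === 0) return '';
  return tooBig
    .map((v) => `${v.name} is ${v.size} bytes (limit ${maxBytes})`)
    .join('\n');
}

// Browser wiring; skipped when no DOM is present (for example under Node).
if (typeof document !== 'undefined') {
  const input = document.getElementById('pt111'); // id from Ken's markup
  if (input) {
    input.addEventListener('change', () => {
      // input.files holds only the files the user selected in the dialog.
      const msg = rejectionMessage(checkFiles(input.files));
      // A non-empty custom validity message blocks form submission.
      input.setCustomValidity(msg);
      if (msg) input.reportValidity();
    });
  }
}

// Constructed sample input: plain objects standing in for File objects.
const SAMPLE = [
  { name: 'small.jpg', size: 42728 },
  { name: 'huge.jpg', size: 3500000 },
];
```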
 
