input type="file" grabs ENTIRE file path in IE?

Discussion in 'ASP .Net' started by darrel, Mar 28, 2005.

  1. darrel

    darrel Guest

    I have an input type="file" field that I am using to accept a file upload.
    This works, but I'm having problems with the filename property.

    In firefox, this:

    MyInputField.postedfile.filename

    returns the filename...and just the filename. Which is what I want.

    In IE, however, this returns the ENTIRE local user's system path to the file
    + the filename. Which is pretty useless for most applications. (Actually,
    it seems like a security issue.)

    Is there a workaround for this short of parsing the entire filepath looking
    for backslashes? I can certainly do that, but maybe there is a better way to
    grab just the filename when the end-user is using IE.

    -Darrel
     
    darrel, Mar 28, 2005
    #1

  2. darrel

    Jeff @ Dart Guest

    Check the FileInfo class.
     
    Jeff @ Dart, Mar 28, 2005
    #2

  3. Darrel,

    System.IO.Path.GetFileName (MyInputField.postedfile.filename)

    will always return the filename and extension regardless of the browser
    type.

    Eliyahu
     
    Eliyahu Goldin, Mar 28, 2005
    #3
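
Added example, not code from any poster in this thread: a server-side helper for the IE behaviour discussed here, which cuts the client-supplied name at the last `/` or `\` itself, because `System.IO.Path.GetFileName` treats `\` as a separator only on Windows hosts. The class name `UploadFileName`, the method `FromClient`, the deny-list and the sample values are hypothetical and constructed for illustration.

```csharp
using System;
using System.IO;

public static class UploadFileName
{
    // Characters rejected in a stored name: path separators, the drive/stream
    // colon and Windows-reserved punctuation (constructed deny-list).
    private static readonly char[] Forbidden = { '/', '\\', ':', '*', '?', '"', '<', '>', '|' };

    // Returns the bare file name from a client-supplied upload name,
    // or null if nothing usable remains.
    public static string FromClient(string clientName)
    {
        if (string.IsNullOrWhiteSpace(clientName)) return null;

        // Cut at the last '/' or '\' ourselves. On a Unix host Path.GetFileName
        // would return an IE-style "C:\dir\a.txt" unchanged.
        int cut = clientName.LastIndexOfAny(new[] { '/', '\\' });
        string name = clientName.Substring(cut + 1).Trim();

        // Reject empty names, dot entries, reserved and control characters.
        if (name.Length == 0 || name == "." || name == "..") return null;
        if (name.IndexOfAny(Forbidden) >= 0) return null;
        foreach (char c in name)
            if (char.IsControl(c)) return null;
        return name;
    }

    public static void Main()
    {
        // Constructed samples: an IE-style full path, a Firefox-style bare
        // name, and inputs that must not be used as a storage name as sent.
        string[] samples = {
            @"C:\Documents and Settings\alice\Desktop\report.doc",
            "report.doc",
            "../../web.config",
            @"..\",
            "a:b.txt"
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-55} -> {1}", s, FromClient(s) ?? "(rejected)");
    }
}
```

Store and log only the returned value, so the client's directory path never reaches disk or log files.
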
  4. System.IO.Path.GetFileName(string);

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    What You Seek Is What You Get.
     
    Kevin Spencer, Mar 28, 2005
    #4
  5. darrel

    darrel Guest

    System.IO.Path.GetFileName (MyInputField.postedfile.filename)
    Easy enough.

    Out of curiosity, isn't IE's default behavior a bit of a security issue? It
    seems odd that I can grab someone's entire directory structure to the file
    they are uploading.

    -Darrel
     
    darrel, Mar 28, 2005
    #5
  6. Out of curiosity, isn't IE's default behavior a bit of a security issue?
    First, you are only getting the directory path to a single file, not their
    entire directory structure. Second, your server-side app has no access to
    the client's file system. Third, the entire path is used by IE to upload the
    file. Fourth, the app is not "grabbing" the file path; the user is
    voluntarily supplying it.

    IOW, if there was a security issue, it would have been taken care of, as
    have the existing security issues.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    What You Seek Is What You Get.
     
    Kevin Spencer, Mar 28, 2005
    #6
  7. darrel

    Bruce Barker Guest

    I disagree; I believe it to be a security bug, but a low-priority one. After
    upload, the server knows one valid dir path it can use in an attack.

    -- bruce (sqlwork.com)
     
    Bruce Barker, Mar 28, 2005
    #7
  8. Well, Bruce, if you're correct, it will be addressed at some future point.
    Personally, I don't see the need to send the entire path to the server, so
    it could be remedied by browser manufacturers, working with the W3C.

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    What You Seek Is What You Get.
     
    Kevin Spencer, Mar 28, 2005
    #8
  9. darrel

    darrel Guest

    First, you are only getting the directory path to a single file, not their
    Well, everything you said made perfect sense. Well, except that last
    sentence, which we all know isn't entirely true. ;o) ;o) ;o)

    -Darrel
     
    darrel, Mar 28, 2005
    #9
  10. Well, except that last
    Note that I didn't say in my response to Bruce that he was correct. I said
    "IF he is correct." My feeling is that there is no security issue there.
    Otherwise, it would have been addressed by now. But I can't say with any
    authority.

    Perhaps it would be better to say that the last point is debatable. ;-)

    --
    HTH,

    Kevin Spencer
    Microsoft MVP
    .Net Developer
    What You Seek Is What You Get.
     
    Kevin Spencer, Mar 28, 2005
    #10
  11. darrel

    darrel Guest

    We can agree on that. ;o)

    -Darrel
     
    darrel, Mar 28, 2005
    #11