input type="file" grabs ENTIRE file path in IE?

darrel

I have an input type="file" field that I am using to accept a file upload.
This works, but I'm having problems with the filename property.

In firefox, this:

MyInputField.postedfile.filename

returns the filename...and just the filename. Which is what I want.

In IE, however, this returns the ENTIRE local user's system path to the file
+ the filename. Which, is pretty useless for most applications. (Actually,
it seems like a security issue.)

Is there a workaround for this short of parsing the entire filepath looking
for backslashes? I can certainly do that, but maybe there is a better way to
grab just the filename when the end-user is using IE.

-Darrel
 
Eliyahu Goldin

Darrel,

System.IO.Path.GetFileName (MyInputField.postedfile.filename)

will always return the filename and extension regardless of the browser
type.

Eliyahu
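
An added example, not part of the original thread: `Path.GetFileName` treats the backslash as a separator only when the server itself runs Windows, and the value is client-supplied either way, so this sketch splits on both separators itself and rejects names that are unsafe to use on disk. The `UploadName` class, the `FromClient` helper and the sample values are constructed for illustration.

```csharp
using System;
using System.IO;

static class UploadName
{
    // Rejected on every platform. Path.GetInvalidFileNameChars() alone is
    // OS-dependent (on Linux it contains only '\0' and '/').
    static readonly char[] Forbidden = { '<', '>', ':', '"', '/', '\\', '|', '?', '*' };

    // Returns the bare file name from a browser-supplied value,
    // or null if nothing usable remains.
    public static string FromClient(string clientValue)
    {
        if (string.IsNullOrWhiteSpace(clientValue)) return null;

        // Split on both separators so the result does not depend on the server OS.
        int cut = clientValue.LastIndexOfAny(new[] { '\\', '/' });
        string name = clientValue.Substring(cut + 1).Trim();

        // Empty names and directory references are not file names.
        if (name.Length == 0 || name == "." || name == "..") return null;
        // ':' also covers drive-relative names and NTFS alternate data streams.
        if (name.IndexOfAny(Forbidden) >= 0) return null;
        foreach (char c in name)
            if (char.IsControl(c)) return null;
        return name;
    }

    static void Main()
    {
        // Constructed sample values.
        string[] samples = {
            @"C:\Documents and Settings\user\My Documents\report.doc", // IE-style full path
            "report.doc",                                              // Firefox-style bare name
            "/home/user/report.doc",
            @"..\..\web.config",   // directory components are dropped
            @"C:\temp\",           // no file name left
            "a:b.txt"              // forbidden character
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-58} -> {1}", s, FromClient(s) ?? "(rejected)");
    }
}
```

The returned name is still only a label chosen by the client; storing the upload under a server-generated name and keeping this value as display metadata avoids collisions and overwrites.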
 
Kevin Spencer

System.IO.Path.GetFileName(string);

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
darrel

> System.IO.Path.GetFileName (MyInputField.postedfile.filename)
> will always return the filename and extension regardless of the browser
> type.

Easy enough.

Out of curiosity, isn't IE's default behavior a bit of a security issue? It
seems odd that I can grab someone's entire directory structure to the file
they are uploading.

-Darrel
 
Kevin Spencer

> Out of curiosity, isn't IE's default behavior a bit of a security issue?
> It seems odd that I can grab someone's entire directory structure to the file
> they are uploading.

First, you are only getting the directory path to a single file, not their
entire directory structure. Second, your server-side app has no access to
the client's file system. Third, the entire path is used by IE to upload the
file. Fourth, the app is not "grabbing" the file path; the user is
voluntarily supplying it.

IOW, if there was a security issue, it would have been taken care of, as
have the existing security issues.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
Bruce Barker

I disagree; I believe it to be a security bug, but a low-priority one. After
upload, the server knows one valid dir path it can use in an attack.

-- bruce (sqlwork.com)
 
Kevin Spencer

Well, Bruce, if you're correct, it will be addressed at some future point.
Personally, I don't see the need to send the entire path to the server, so
it could be remedied by browser manufacturers, working with the W3C.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
darrel

> First, you are only getting the directory path to a single file, not their
> entire directory structure. Second, your server-side app has no access to
> the client's file system. Third, the entire path is used by IE to upload the
> file. Fourth, the app is not "grabbing" the file path; the user is
> voluntarily supplying it.
>
> IOW, if there was a security issue, it would have been taken care of, as
> have the existing security issues.

Well, everything you said made perfect sense. Well, except that last
sentence, which we all know isn't entirely true. ;o) ;o) ;o)

-Darrel
 
Kevin Spencer

> Well, except that last
> sentence, which we all know isn't entirely true. ;o) ;o) ;o)

Note that I didn't say in my response to Bruce that he was correct. I said
"IF he is correct." My feeling is that there is no security issue there.
Otherwise, it would have been addressed by now. But I can't say with any
authority.

Perhaps it would be better to say that the last point is debatable. ;-)

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.
 
