firefox file-upload broken?
Simon Andrews
simon.andrews at bbsrc.ac.uk
Wed Sep 9 11:48:13 UTC 2009
Mike Wright wrote:
> Hi all,
>
> F10, firefox-3.0.13. Don't know if this is a Firefox or Fedora Firefox
> bug.
>
> Any web developers out there???
>
> Given this HTML:
>
> <form><input type='file' /></form>
>
> View that in the browser and you will see an input text box with a
> "Browse" button.
>
> Click inside the text box.
>
> If your experience matches mine it will act as if the "Browse" button
> has been pressed and a "File Open" dialog box opens. That is broken
> with a capital F!

This is a deliberate change by the Mozilla developers. The problem was
that there were too many ways to exploit a user-editable file entry
field to trick people into uploading files they didn't mean to.

Some of the possible exploits, and the change you saw, are explained at:

https://bugzilla.mozilla.org/show_bug.cgi?id=258875

They mention that this will annoy people who know what they're doing -
but the security implications overrode this consideration.

Maybe a better place to address the concern is whoever provides your
file browser dialog?

Simon.