[whatwg] Fakepath revisited
Arve Bersvendsen
arveb at opera.com
Fri Sep 4 14:39:54 PDT 2009
On Fri, 04 Sep 2009 20:07:19 +0200, Alex Henrie <alexhenrie24 at gmail.com>
wrote:
> Whether or not you implement hacks for poorly designed router
> firmwares as you have done for other sites is entirely up to you.
> IE and Opera recognize that some web pages, in particular someold router
> firmwares, are poorly designed. These firmwares were
> designed to apply superfluous validation to foo.value, only
> allowing new firmware to be uploaded from Windows, and only in
> an old web browser which provides the full path to the file.
I assume this claim comes from
<URL:http://blogs.msdn.com/ie/archive/2009/03/20/rtm-platform-changes.aspx>
which does not actually say what you are implying.
The reason behind browsers no longer revealing the real path is given here:
For IE8 Beta-1, we closed off the information-disclosure
problem whereby JavaScript can read the .value attribute
of a file upload control and determine the full local
pathname, which might include information like the user’s
name, profile directory, etc.
However, here is what the MSIE team actually says what they discovered
when closing of that information loophole:
Over the last few months, we’ve run into a significant
number of sites (e.g. education products, several movie
sharing sites, etc) and devices (e.g. popular home routers)
that this security improvement breaks, because the sites
use JavaScript to attempt to parse the filename (e.g. to
determine its extension).
Opera has independently arrived at a similar conclusion: That omitting a
fake path causes web content way beyond what you say to break.
--
Arve Bersvendsen
Opera Software ASA, http://www.opera.com/
More information about the whatwg
mailing list