[whatwg] Fakepath revisited

[Arve Bersvendsen]

On Fri, 04 Sep 2009 20:07:19 +0200, Alex Henrie <alexhenrie24 at gmail.com>  
wrote:

> Whether or not you implement hacks for poorly designed router
> firmwares as you have done for other sites is entirely up to you.

> IE and Opera recognize that some web pages, in particular someold router  
> firmwares, are poorly designed. These firmwares were
> designed to apply superfluous validation to foo.value, only
> allowing new firmware to be uploaded from Windows, and only in
> an old web browser which provides the full path to the file.

I assume this claim comes from
<URL:http://blogs.msdn.com/ie/archive/2009/03/20/rtm-platform-changes.aspx>  
which does not actually say what you are implying.

The reason behind browsers no longer revealing the real path is given here:

     For IE8 Beta-1, we closed off the information-disclosure
     problem whereby JavaScript can read the .value attribute
     of a file upload control and determine the full local
     pathname, which might include information like the user’s
     name, profile directory, etc.

However, here is what the MSIE team actually says what they discovered  
when closing of that information loophole:

      Over the last few months, we’ve run into a significant
      number of sites (e.g. education products, several movie
      sharing sites, etc) and devices (e.g. popular home routers)
      that this security improvement breaks, because the sites
      use JavaScript to attempt to parse the filename (e.g. to
      determine its extension).

Opera has independently arrived at a similar conclusion: That omitting a  
fake path causes web content way beyond what you say to break.

-- 
Arve Bersvendsen

Opera Software ASA, http://www.opera.com/