
Re: XHTML/XForms limits "preview submission" idiom

From: Karl O . Pinc <kop@meme.com>
Date: Mon, 20 May 2002 10:18:01 -0500
To: Rowland Shaw <Rowland.Shaw@crystaldecisions.com>
Cc: www-html@w3.org
Message-id: <20020520101801.Q1759@mofo.meme.com>
Yes, thanks.  I missed his point completely.

The (X)HTML specification,
http://www.w3.org/TR/html4/interact/forms.html,
makes no mention I can find that <input type="file"> should not
accept a preset value.  If that's the story, the spec should
be fixed.  I wouldn't have had to go through any of this.


On 2002.05.20 09:50 Rowland Shaw wrote:
> I think you've missed David's point.
> <input type="file" /> will not, and should not, accept a preset value --
> after all HTTP is a stateless protocol, and there's no distinction between
> what is safe and what isn't -- example of unsafe:
> <input type="file" value="c:/my documents/my money.mny" />
> Even by your idea of having the client determine what's safe, this would be
> less obvious than say:
> <input type="file" value="c:/windows/oemuser.pwl" />
> 
> 
> The solution to your issue would be to accept the file on initial upload,
> send back a reference to it in the confirm form, with a "choose other"
> option or something similar...

The difficulty with that approach is the stateless nature of HTML, the
server has no way to tell that the client never intends to confirm
the upload.  So, the server needs to periodically run a job to purge
old, unconfirmed, uploads.  That's a bit kludge-y, especially as if
it goes wrong your filesystem fills up.

> 
> 
> 
> -----Original Message-----
> From: Karl O . Pinc [mailto:kop@meme.com]
> Sent: 20 May 2002 15:25
> To: Dave J Woolley
> Cc: www-html@w3.org
> Subject: Re: XHTML/XForms limits "preview submission" idiom
> 
> 
> On 2002.05.20 05:26 Dave J Woolley wrote:
> >
> >
> > > My question to the w3 is why can't I allow the user to input the
> > > data all at once, identifying uploaded files by pathname, and have
> > > only the pathname make the round trip, and then submit the binary
> > > data for the
> > >
> > 	[DJW:]  The browser must trust the pathname, otherwise
> > 	you have a "read any file" security problem.
> 
> That's a very good answer.  But <input type="file" value="foo"> has exactly
> the same problem.  In fact, _that's_ where the problem is because that's how
> an upload has to be done.  (If you didn't read my entire, humongous, e-mail I
> propose a way to deliver just a pathname to the server (<input
> type="pathname" name="pnam">).  The server would send back a <input
> type="file" value="foo"> for the user to approve a final upload.)
> 
> This wouldn't introduce a new flaw.  It might make it more likely that the
> existing problem is exploited. This seems more a client implementation
> issue.  Clients could issue warnings when they receive a <input type="file"
> value="foo"> when "foo" is anything but "", or is a fully qualified
> pathname, or whatever, perhaps depending on the client's current working
> directory.
> 
> Thanks.
> 
> Karl <kop@meme.com>

Karl <kop@meme.com>
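The staged-upload approach Rowland suggests, together with the purge job Karl worries about, as an added Python sketch that is not code from this thread: the browser only ever sees an opaque random token in the confirm form, never a filesystem path, and unconfirmed uploads expire. The class names, token scheme, in-memory store and TTL are assumptions for illustration.

```python
import html
import secrets
import time
from dataclasses import dataclass


@dataclass
class StagedUpload:
    data: bytes
    uploaded_at: float
    confirmed: bool = False


class UploadStager:
    """Constructed in-memory store of uploads awaiting user confirmation."""

    def __init__(self, ttl_seconds=3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now          # injectable clock, so expiry can be tested
        self.store = {}

    def stage(self, data):
        # Unguessable reference: the client cannot forge a token for someone
        # else's upload, and no local pathname ever travels to the browser.
        token = secrets.token_urlsafe(32)
        self.store[token] = StagedUpload(data, self.now())
        return token

    def confirm_field(self, token):
        # What the confirm form carries instead of <input type="file" value=...>.
        return f'<input type="hidden" name="upload_ref" value="{html.escape(token, quote=True)}">'

    def confirm(self, token):
        entry = self.store.get(token)
        if entry is None or entry.confirmed:
            return False
        if self.now() - entry.uploaded_at > self.ttl:
            del self.store[token]   # expired: the user must upload again
            return False
        entry.confirmed = True
        return True

    def purge(self):
        # The periodic job: drop unconfirmed uploads older than the TTL so an
        # abandoned preview cannot fill the filesystem. Returns the count removed.
        cutoff = self.now() - self.ttl
        stale = [t for t, e in self.store.items()
                 if not e.confirmed and e.uploaded_at < cutoff]
        for t in stale:
            del self.store[t]
        return len(stale)
```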
Received on Monday, 20 May 2002 11:12:33 GMT
