RE: XHTML/XForms limits "preview submission" idiom from Rowland Shaw on 2002-05-20 (www-html@w3.org from May 2002)

From: Rowland Shaw <Rowland.Shaw@crystaldecisions.com>
Date: Mon, 20 May 2002 07:50:21 -0700
To: "'Karl O . Pinc'" <kop@meme.com>
Cc: www-html@w3.org
Message-ID: <963A03BCAFF059488BAFF33AE5C8709774BA44@IPSENT04>

I think you've missed David's point.
<input type="file" /> will not, and should not, accept a preset value --
after all HTTP is a stateless protocol, and there's no distinction between
what is safe and what isn't -- example of unsafe:
<input type="file" value="c:/my documents/my money.mny" />
Even by your idea of having the client determine what's safe, this would be
less obvious than say:
<input type="file" value="c:/windows/oemuser.pwl" />

The solution to your issue would be to accept the file on initial upload,
send back a reference to it in the confirm form, with a "choose other"
option or something similar...

-----Original Message-----
From: Karl O . Pinc [mailto:kop@meme.com] 
Sent: 20 May 2002 15:25
To: Dave J Woolley
Cc: www-html@w3.org
Subject: Re: XHTML/XForms limits "preview submission" idiom

On 2002.05.20 05:26 Dave J Woolley wrote:
> 
> 
> > My question to the w3 is why can't I allow the user to input the 
> > data all at once, identifying uploaded files by pathname, and have 
> > only the pathname make the round trip, and then submit the binary 
> > data for the
> >
> 	[DJW:]  The browser must trust the pathname, otherwise
> 	you have a "read any file" security problem.

That's a very good answer.  But <input type="file" value="foo"> has exactly
the same problem.  In fact, _that's_ where the problem is because that's how
an upload has to be done.  (If you didn't read my entire, humgous,  e-mail I
propose a way to deliver just a pathname to the server (<input
type="pathname" name="pnam">.  The server would send back a <input
type="file" value="foo"> for the user to approve a final upload.)

This wouldn't introduce a new flaw.  It might make it more likely that the
existing problem is exploited. This seems more a client implimentation
issue.  Clients could issue warnings when they receive a <input type="file"
value="foo"> when "foo" is anything but "", or is a fully qualified
pathname, or whatever, perhaps depending on the client's currrent working
directory.

Thanks.

Karl <kop@meme.com>

Received on Monday, 20 May 2002 10:50:55 UTC