Re: Even better from zoran knezevic on 2007-09-28 (www-validator@w3.org from September 2007)

From: zoran knezevic <zoransa@gmail.com>
Date: Fri, 28 Sep 2007 20:07:03 +0200
To: "Brett Bieber" <brett.bieber@gmail.com>
Cc: "Kim Daugaard" <kim.daugaard@gmail.com>, "www-validator Community" <www-validator@w3.org>
Message-ID: <ecea34890709281107k190eaf34hd95912021a522d24@mail.gmail.com>
Yes, that's true because of security reasons browsers do not allow
pre-populated file fields, just imagine what could be possible to do
if that would be allowed. Just display: none element with CSS and user
would submit any file from his local computer without knowing it, only
attacker would have to guess file location but for many files it is
standard path possible to guess.

Best

Zoran
http://www.fragrantica.com/

On 9/28/07, Brett Bieber <brett.bieber@gmail.com> wrote:
>
> On 9/28/07, Kim Daugaard <kim.daugaard@gmail.com> wrote:
> > Hi Brett Bieber,
> >
> > Thanks for your reply.
> >
> > Of cause browsers do not support automatic file upload. And that is not what
> > I am asking for.
> >
> > What I am asking for is just a tiny server service:
> >
> > When the http://validator.w3.org/#validate_by_upload server
> > receives the initial URL GET with a parameter, like
> > ?filename=C:\folder\file.html, it should validate it, and if it is a valid
> > file name, the server should pre-populate the input field with the file
> > name, returning the form page to the browser.
> >
> >
> > From page source:
> >
> > <input type="file" id="uploaded_file" name="uploaded_file" size="30"
> > value="C:\folder\file.html" />
> > <input title="Submit for validation" type="submit" value="Check" />
> >
> >  In real life the folder is way down the file system, and the file to
> > validate is among hundreds of files.
> >
> > By adding the value attribute to the input field holding the file name from
> > Get request, you will serve our needs. Our testers still have to press the
> > 'Check' button -  no security issue.
> >
> > On pages we will use javascript and window.document.URL to define the
> > validator link like:
> >
> > http://validator.w3.org/#validate_by_upload?filename=C:\folder\file.html
> >
> > This would be a great service to us, making our validation process for
> > prototyping more simple.
> >
>
>
> Hi Kim,
>
> You must have missed the first line of my response ---
>
> "Browsers do not support pre-populated (default values for) file input fields."
>
> The security issue is that if this were possible and you could set a
> default value for an input type="file" by something simple like this -
> var uploadel = document.getElementById('uploadfileel');
> uploadel.value = 'C:\foo.html';
>
> You could then say document.myform.submit();
>
> This is why the W3C specifies "A user agent should not send any file
> that the user has not explicitly asked to be sent."
>
> http://www.w3.org/TR/html4/appendix/notes.html#h-B.10.1
>
> If what you're suggesting were possible, you could just as easily
> create a file for your own development and point action attribute of
> the form to http://validator.w3.org/check (mirroring the file-upload
> form on the w3 validator's website).
> I might suggest this as a good exercise for understanding the security
> issues surrounding forms+file-uploads.
>
> > Thanks again.
> >
> > Kind regards
> > Kim Daugaard
> >
> >
> >
> >
> > On 9/28/07, Brett Bieber <brett.bieber@gmail.com > wrote:
> > > On 9/24/07, Kim Daugaard <kim.daugaard@gmail.com> wrote:
> > > > Hi,
> > > >
> > > > I have a suggestion for making W3C validator even more attractive.
> > > >
> > > > We are making all html prototyping without any web server (hundreds of
> > > > pages). We can place a link to the 'Validate by file upload,'
> > > > http://validator.w3.org/#validate_by_upload on each
> > page
> > > > (and we do) but we still have to browse for the file each time we want
> > to
> > > > validate it.
> > > >
> > > > What I would like, was the ability to add the file name to the
> > get-request
> > > > (using javascript, like:
> > > >
> > http://validator.w3.org/#validate_by_upload?file=C:\folder\file.html
> > > > ), and have it filled into the file input field of the upload page. Then
> > we
> > > > only need to press 'Check'.
> > > >
> > > > That would be really cool!
> > > >
> > >
> > > Hi Kim,
> > >
> > > Browsers do not support pre-populated (default values for) file input
> > > fields. As you can imagine, if this were possible it would be trivial
> > > to upload specific files off an end user's computer with malicious
> > > intentions.
> > >
> > > For security reasons, any file which is uploaded to a web site must be
> > > manually selected by the end user. Unfortunately you'll either have to
> > > manually select and upload the files for validation  - or - look into
> > > one of the documented libraries for connecting to the Validator's API
> > > and create your own intermediate script which will upload the file to
> > > the validator, or send the file's content as direct input.
> > >
> > > http://validator.w3.org/docs/api.html#libs
> > >
> > > --
> > > -Brett Bieber
> > >
> > > http: saltybeagle.com aim:ianswerq
> > >
> >
> >
>
>
> --
> -Brett Bieber
>
> http:saltybeagle.com aim:ianswerq
>
>
Received on Friday, 28 September 2007 18:07:13 UTC