[File Upload] Security problems with File Upload

2006-09-22 Thread Ian Hickson


I'm concerned about the open() method on the FileDialog interface.

It seems like it would make it possible, through an attack like the famous 
fast clicking game, to cause a user to select a file (probably at random, 
but from the user's home directory, so likely a confidential file).

I would feel much more comfortable if the FileList API was provided merely 
as an extension to the HTMLInputElement interface, thus requiring authors 
to use an input type=file control, and requiring users to click the 
Browse button before the dialog would appear. (UAs can then guarantee that 
the fast clicking game attack will be unsuccessful, by positioning the 
file dialog such that the button location doesn't coincide with a 
sensitive part of the dialog.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



Re: [File Upload] Security problems with File Upload

2006-09-22 Thread Ian Hickson

On Fri, 22 Sep 2006, Robin Berjon wrote:
> > I would feel much more comfortable if the FileList API was provided 
> > merely as an extension to the HTMLInputElement interface, thus 
> > requiring authors to use an input type=file control, and requiring 
> > users to click the Browse button before the dialog would appear.
> 
> The problem with this solution is that it then requires that the 
> environment supports input type=file, which isn't always the case.

Hm. Could we split the spec into two parts, one for those environments 
without HTML, and one for those with? It would be good to keep the APIs 
for browsers to an absolute minimum, especially now with the ballooning 
number of new APIs that are being specified, and for HTML browsers I 
really think it would be much simpler (and safer) to stick this on the end 
of HTMLInputElement rather than have a whole new API.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'



Re: [File Upload] Security problems with File Upload

2006-09-22 Thread Robin Berjon


Hi Ian,

On Sep 22, 2006, at 17:15, Ian Hickson wrote:
> It seems like it would make it possible, through an attack like the
> famous fast clicking game, to cause a user to select a file (probably
> at random, but from the user's home directory, so likely a confidential
> file).

There are well-known workarounds for this, notably delayed activation
of the dialogue. This could be noted in the specification.

> I would feel much more comfortable if the FileList API was provided
> merely as an extension to the HTMLInputElement interface, thus
> requiring authors to use an input type=file control, and requiring
> users to click the Browse button before the dialog would appear.

The problem with this solution is that it then requires that the
environment supports input type=file, which isn't always the case.


--
Robin Berjon
   Senior Research Scientist
   Expway, http://expway.com/
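The two mitigations argued over in this thread (requiring a user gesture on a Browse control before the dialog opens, and Robin's "delayed activation of the dialogue") can be modelled in a few lines. The following is an added example written for this page, not code from the thread, the File Upload draft or any browser: `FileDialogModel`, `simulateFastClicks`, the 1000 ms grace period, the 700 ms reaction time and the sample path are all assumptions for illustration. It simulates the fast-clicking game from Ian's first message: the user is clicking every 150 ms, the page opens the dialog under the cursor, and the next clicks land on the dialog's OK button until the user notices. It also shows the caveat a practitioner would want: a delay that is shorter than the user's reaction time still leaks the highlighted file.

```javascript
// Added example, not code from the thread or from any browser: a model of
// two mitigations for the fast-clicking attack on a file dialog, for Node.js.
//  - open() is refused unless the caller presents user activation (the
//    "click the Browse button first" property of <input type=file>);
//  - confirm() ignores clicks that arrive within a grace period after the
//    dialog opened ("delayed activation of the dialogue").
// Names, the delay value and the sample path are assumptions for illustration.

const DEFAULT_DELAY_MS = 1000; // hypothetical grace period before OK is live

class FileDialogModel {
  constructor({ delayMs = DEFAULT_DELAY_MS } = {}) {
    this.delayMs = delayMs;
    this.openedAt = null; // time the current dialog opened, or null if closed
  }

  // Open the dialog at time `now`. A script with no user gesture behind it
  // gets nothing; a click on a Browse control supplies the activation.
  open(now, { userActivation = false } = {}) {
    if (!userActivation) return { ok: false, reason: 'no-user-activation' };
    this.openedAt = now;
    return { ok: true };
  }

  // Deliver a click on the dialog's OK button at time `now`; `path` is
  // whatever file the dialog happens to have highlighted at that moment.
  confirm(now, path) {
    if (this.openedAt === null) return { ok: false, reason: 'not-open' };
    if (now - this.openedAt < this.delayMs) return { ok: false, reason: 'too-early' };
    this.openedAt = null;
    return { ok: true, path };
  }
}

// Simulate the fast-clicking game. The user clicks every `intervalMs`; the
// first click doubles as the activation that opens the dialog at t=0, the
// later ones land on OK. The user notices the dialog `reactionMs` after it
// opened and stops clicking. Returns the paths that were wrongly confirmed.
function simulateFastClicks({ intervalMs, reactionMs, delayMs, highlightedPath }) {
  const dialog = new FileDialogModel({ delayMs });
  const leaked = [];
  if (!dialog.open(0, { userActivation: true }).ok) return leaked;
  for (let t = intervalMs; t < reactionMs; t += intervalMs) {
    const r = dialog.confirm(t, highlightedPath);
    if (r.ok) leaked.push(r.path);
  }
  return leaked;
}

// Constructed scenario: a file from the home directory is highlighted when
// the dialog opens; the user reacts after 700 ms, clicking every 150 ms.
const SCENARIO = {
  intervalMs: 150,
  reactionMs: 700,
  highlightedPath: '/home/user/.ssh/id_rsa', // constructed sample path
};

// No grace period: the click 150 ms after opening confirms the file.
function leakedWithoutDelay() {
  return simulateFastClicks({ ...SCENARIO, delayMs: 0 });
}

// Grace period longer than the reaction time: every queued click is ignored.
function leakedWithDelay() {
  return simulateFastClicks({ ...SCENARIO, delayMs: DEFAULT_DELAY_MS });
}

// Grace period shorter than the reaction time: the click at 600 ms still lands.
function leakedWithShortDelay() {
  return simulateFastClicks({ ...SCENARIO, delayMs: 500 });
}

// A script opening the dialog with no gesture behind it is refused outright.
function scriptOnlyOpen() {
  return new FileDialogModel().open(0);
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('no delay    :', leakedWithoutDelay());
  console.log('1000 ms     :', leakedWithDelay());
  console.log('500 ms      :', leakedWithShortDelay());
  console.log('script open :', scriptOnlyOpen());
}
```

Run it with `node` to see the three simulations side by side. The model makes the trade-off explicit: the gesture requirement stops a script from opening the dialog on its own, and the delay only helps when it is longer than the time a user needs to notice that a dialog has appeared under the cursor.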