Please do not reply to this email- if you want to comment on the bug, go to the URL shown below and enter your comments there.
Changed by [EMAIL PROTECTED] http://bugzilla.ximian.com/show_bug.cgi?id=82059 --- shadow/82059 2007-07-10 10:24:56.000000000 -0400 +++ shadow/82059.tmp.1985 2007-07-10 10:24:56.000000000 -0400 @@ -0,0 +1,50 @@ +Bug#: 82059 +Product: Mono: Class Libraries +Version: 1.2 +OS: +OS Details: FC6 +Status: NEW +Resolution: +Severity: +Priority: Normal +Component: Sys.Web +AssignedTo: [EMAIL PROTECTED] +ReportedBy: [EMAIL PROTECTED] +QAContact: [EMAIL PROTECTED] +TargetMilestone: --- +URL: +Cc: +Summary: HttpPostedFile.FileName might contain Windows paths (e.g. "C:\TMP\test.txt") + +Mono's behaviour is consistent with MS.NET's but might lead to problems: + +<html> +<script runat="server"> +void DoUpload(object o, EventArgs e) { + string fileName = Uploader.PostedFile.FileName; + fileName = System.IO.Path.GetFileName(fileName); + fileName = MapPath("~/uploads/" + fileName); + Response.Write(fileName); +} +</script> +<body> +<form runat="server"> + <input id="Uploader" type="file" runat="server" /> + <asp:Button onclick="DoUpload" text="Upload" runat="server" /> +</form> +</body> +</html> + +When I post a file to the page above using Firefox, everything works okay. +If I do so using IE, I get an exception: + +System.Web.HttpException: '~/uploads/c:\windows\win.ini' is not a valid +virtual path. + +IE posts the file including its full path. The full path is only of +interest on the client's PC, so we could get rid of it in HttpPostedFile +(stripping everything up to and including the last '\'). Then the page +above would work using IE as well. + +The stripping could be made dependent on whether (Request.Browser.Win16 || +Request.Browser.Win32). _______________________________________________ mono-bugs maillist - [email protected] http://lists.ximian.com/mailman/listinfo/mono-bugs
