See https://bugzilla.mozilla.org/attachment.cgi?id=17860 from bug 57770 (https://bugzilla.mozilla.org/show_bug.cgi?id=57770). The problem is that the *user* did all the interaction with the form, and still managed to attempt an upload of a system file (whether the code should be able to *read* the value is another question, but I suspect there is some long and silly history about allowing that).


The real problem I see there is that the doc can trigger a submit before I even unfocus the file control. That should never be possible IMO, as I should be able to realize what I've typed in before I send it to a server.

Robert Kaiser
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security