Formfield not updated

SomeDude

Hi group,

I'm trying to check file-extensions before allowing file-uploads.
My script reads the value perfectly but can not update it.
Firefox's Javascript Console even mentions the following:

Error: uncaught exception: [Exception... "Security error" code: "1000"
nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location:
"http://www.prosess.nl/fideldidel/final/website/mmc/includes/cuptech.js
Line: 56"]

Am I doing something incredibly dumb (again ;)?

TIA,
SomeDude


My form:
<form name="upload" enctype="multipart/form-data" action="<?php echo $page_url . "&mode=upload";?>" method="POST" onSubmit="checkFileExtension('userfile');">
<input type="hidden" name="MAX_FILE_SIZE" value="1000000" />
Add picture:
<input id="userfile" name="userfile2" size="50" type="file" onChange="checkFileExtension('userfile');" />
<!-- submit handlers belong on the form, not on the submit button, and the id passed must be the file field's id -->
<input type="submit" value="Uploaden" />
<input type="hidden" name="collection" value="<?php echo $collection;?>" />
</form>

My function:
function checkFileExtension (caller) {
alert ('Check extension for ' + caller);

var objField = document.getElementById(caller); // the <input type="file"> element
var strFileName = objField.value;               // reading the value works
alert ('strFileName = ' + strFileName);

objField.value = 'n00b'; // VALUE IS NOT SET !!!
alert ('objField.value = ' + objField.value); // was '.' (PHP concatenation); in JavaScript that is a syntax error, use '+'
}
 
Richard Cornford

SomeDude said:
I'm trying to check file-extensions before allowing file-uploads.
My script reads the value perfectly but can not update it.
Firefox's Javascript Console even mentions the following:

Error: uncaught exception: [Exception... "Security error" code: "1000"
nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location:
"http://www.prosess.nl/fideldidel/final/website/mmc/includes/cuptech.js
Line: 56"]

Am I doing something incredibly dumb (again ;)?
<snip>

There is no point in even trying to write to the value of an <input
type="file"> field. Allowing such an action would be a serious security
violation in any browser, as it would allow a remote web site to
automate the uploading of any file from the user's computer.

Richard.
 
SomeDude

SomeDude said:
I'm trying to check file-extensions before allowing file-uploads.
My script reads the value perfectly but can not update it.
Firefox's Javascript Console even mentions the following:

Error: uncaught exception: [Exception... "Security error" code: "1000"
nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location:
"http://www.prosess.nl/fideldidel/final/website/mmc/includes/cuptech.js
Line: 56"]

Am I doing something incredibly dumb (again ;)?
<snip>

There is no point in even trying to write to the value of an <input
type="file"> field. Allowing such an action would be a serious security
violation in any browser, as it would allow a remote web site to
automate the uploading of any file from the user's computer.

Richard.

Thanks a million for pointing that out Richard. You've got a good point
there :-[
Ah well, knowing that it is impossible certainly feels a lot better
than thinking it should work ;)

I'll add some serverside checks to handle the validation.


All the best,
SomeDude
 
RobG

Which is a complete waste of time as file extensions do not provide any
guarantee of the file's content.


[...]
I'll add some serverside checks to handle the validation.

Don't base them on file extensions, they are utterly unreliable in
determining what type of data a file contains. As far as I know, only
Windows uses them exclusively as an indicator of file type and even
then, only to determine the default application to use when opening them.

No other OS is so gullible, though Mac OS X has decided to copy Windows'
use of file name extensions to associate files with applications to some
extent.
 
Randy Webb

RobG said the following on 7/10/2006 10:20 AM:
Which is a complete waste of time as file extensions do not provide any
guarantee of the file's content.

No, but it does give some decent indication. The only way to truly know
is to open the file and look at it though.
[...]
I'll add some serverside checks to handle the validation.

Don't base them on file extensions, they are utterly unreliable in
determining what type of data a file contains. As far as I know, only
Windows uses them exclusively as an indicator of file type and even
then, only to determine the default application to use when opening them.

That is the only thing Windows uses the extension for.
No other OS is so gullible,

How does using the extension to attempt to determine what application to
open a file with make it "gullible"? All extensions on Windows based
OS'es can be changed to use whatever program you choose - even none.
though Mac OS X has decided to copy Windows'
use of file name extensions to associate files with applications to some
extent.

Does that make Mac OS X "gullible" also?
 
RobG

Randy said:
RobG said the following on 7/10/2006 10:20 AM:

No, but it does give some decent indication. The only way to truly know
is to open the file and look at it though.

Precisely. It can't be done reliably using JavaScript on the client,
so it should be done at the server. Hence, inferring a file type based
on the file extension at the client and then refusing to upload it if
it doesn't fit some criterion is pretty much a waste of time, though it
might be a good idea to warn the user the file extension indicates it
may not be the type of file that's wanted.

[...]
How does using the extension to attempt to determine what application to
open a file with make it "gullible"? All extensions on Windows based
OS'es can be changed to use whatever program you choose - even none.

I think it's bad design for an OS (or any program) to rely on the file
extension as the sole criterion for deciding which application should
open a particular file. From a system design viewpoint, it is a poor
method of determining the content of a file, even though it's a pretty
good guess 99% of the time.

Does that make Mac OS X "gullible" also?

Yes. But at least it retains the ability to define which application
should open a file on a file-by-file basis regardless of the file
extension (if it exists at all) or even content. It is probably quite
possible in some variants of Linux too, there is at least one UNIX GUI
I've used that allowed it (LookingGlass I think - it was quite a few
years back...).

My point is that from a system design point of view, using the file
extension of some user-supplied file to allow or disallow actions is
bad design because it is based on unreliable information that is easily
spoofed.
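The thread's conclusion is that the extension is caller-controlled, so the only authoritative check is to open the file on the server and look at the bytes. As an added example (not code from the thread or from SomeDude's PHP site; the original backend is PHP, this is written for Node.js so it runs stand-alone), the block below does that for the "Add picture" case: the extension gives only a hint, the leading magic bytes decide, and the two must agree. The names SIGNATURES, typeFromExtension, sniffImageType, validateUpload and the allow-list policy are assumptions for this example; the file names and byte buffers are constructed test data, not real uploads.

```javascript
// Added example, not part of the original thread. Server-side content check
// for an image upload in Node.js: the extension is a hint, the bytes decide.

// Standard magic numbers: every file of the type starts with these bytes.
const SIGNATURES = {
  png:  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  jpeg: Buffer.from([0xff, 0xd8, 0xff]),
  gif:  Buffer.from('GIF8'),            // covers GIF87a and GIF89a
};

// Assumed application policy: which extensions are accepted, and which
// signature each one must be backed by.
const EXTENSION_TO_TYPE = { '.png': 'png', '.jpg': 'jpeg', '.jpeg': 'jpeg', '.gif': 'gif' };

// What the file name *claims*. Only the last extension counts; usable as a
// hint to warn the user, never as the decision.
function typeFromExtension(filename) {
  const m = /\.([^.\/\\]+)$/.exec(filename);
  const ext = m ? '.' + m[1].toLowerCase() : '';
  return EXTENSION_TO_TYPE[ext] || null;
}

// What the bytes *are*: compare the leading bytes with each known signature.
function sniffImageType(buf) {
  for (const [type, sig] of Object.entries(SIGNATURES)) {
    if (buf.length >= sig.length && buf.subarray(0, sig.length).equals(sig)) {
      return type;
    }
  }
  return null;
}

// Authoritative server-side decision: accept only when the extension is on the
// allow-list, the content carries a known image signature, and the two agree.
function validateUpload(filename, buf) {
  const claimed = typeFromExtension(filename);
  const actual = sniffImageType(buf);
  if (claimed === null) return { ok: false, reason: 'extension not allowed', claimed, actual };
  if (actual === null) return { ok: false, reason: 'content is not a recognised image', claimed, actual };
  if (claimed !== actual) return { ok: false, reason: 'extension does not match content', claimed, actual };
  return { ok: true, reason: 'ok', claimed, actual };
}

// Constructed samples (not real uploads) covering the cases the thread argues about.
const SAMPLES = {
  // genuine PNG header under a .png name: the only one that should pass
  goodPng:   { name: 'cat.png',   bytes: Buffer.concat([SIGNATURES.png, Buffer.from('...rest of file')]) },
  // a script renamed to look like an image: extension says gif, bytes say otherwise
  phpAsGif:  { name: 'shell.gif', bytes: Buffer.from('<?php echo "not an image"; ?>') },
  // a real JPEG saved with the wrong extension: content fine, name disagrees
  jpegAsPng: { name: 'photo.png', bytes: Buffer.concat([SIGNATURES.jpeg, Buffer.from([0xe0, 0x00, 0x10])]) },
  // extension outside the allow-list entirely
  html:      { name: 'page.html', bytes: Buffer.from('<html>') },
};

// Run every sample through the check and return the decisions keyed by sample name.
function runSamples() {
  const out = {};
  for (const [key, s] of Object.entries(SAMPLES)) out[key] = validateUpload(s.name, s.bytes);
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Two caveats a practitioner would add: a matching signature only proves the file *starts* like an image, so the upload should still be stored under a server-chosen name, outside any directory the web server will execute from; and the client-side extension check from the original post is still useful exactly as RobG describes it, as a warning to the user before the round trip, not as a gate.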
 
Randy Webb

RobG said the following on 7/11/2006 6:51 PM:
Precisely. It can't be done reliably using JavaScript on the client,
so it should be done at the server.

I am not sure it can be done *reliably* by server software either for
the same reason.
Hence, inferring a file type based on the file extension at the client
and then refusing to upload it if it doesn't fit some criterion is pretty
much a waste of time, though it might be a good idea to warn the user the
file extension indicates it may not be the type of file that's wanted.

The same failure can occur if it is based on the server also.

It goes back to trying to save the user time by doing validation client
side first, then doing it on the server.
[...]
How does using the extension to attempt to determine what application to
open a file with make it "gullible"? All extensions on Windows based
OS'es can be changed to use whatever program you choose - even none.

I think it's bad design for an OS (or any program) to rely on the file
extension as the sole criterion for deciding which application should
open a particular file. From a system design viewpoint, it is a poor
method of determining the content of a file, even though it's a pretty
good guess 99% of the time.

99% success for PC users who don't know the difference versus forcing
newbies to try to determine what app to use to open a file?

Precisely my point.
But at least is retains the ability to define which application
should open a file on a file-by-file basis regardless of the file
extension (if it exists at all) or even content.

That would actually be nice on Windows but I doubt it will ever happen
but who knows.
 
