Re: Form-based File Upload in HTML

wmperry@spry.com
Fri, 27 Jan 95 08:23:29 EST

dwm@shell.portal.com writes:
> For security reasons, hidden fields should never be allowed to influence
> what files might be retrieved. Hidden fields shouldn't ever be thought
> of as anything but server state information to be returned to the server
> without presentation to the user and without modification. If hidden
> data formed some part of the identification of the file to be retrieved,
> a nasty server could possibly retrieve unauthorized data.

This was brought up at the html-wg meeting in San Jose. After a little
more thought, I've come to the conclusion that it is fairly easy to do a
secure implementation.

1. Never have form hidden be able to specify a file. Keep along with the
current implementations where hidden == text, but not shown.
2. Take the 'value' as the label of the pushbutton, a la submit and reset.
This covers the <input type=file value=/etc/passwd> type of attack.
3. make _damn_ sure your browser never gets installed as setuid root. :)

-Bill P.
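The two client-side rules above, worked into a small form encoder as an added example (this is not code from the post or from any browser; the field names, token and file contents are constructed for the demonstration). A hidden field is passed back verbatim as opaque text, and an `<input type=file>` only ever uploads what the user explicitly picked, so a `value=/etc/passwd` attribute in the markup is reduced to a button label and never reaches the disk:

```python
"""Strict multipart/form-data encoder for form-based file upload.

Added example, not part of the original mailing-list post. Enforces:
  1. hidden fields are opaque server state: echoed back unchanged, never
     interpreted as a file to read;
  2. the value= attribute of <input type=file> is only a button label; the
     uploaded bytes come solely from the user's own choice in the file dialog.
The encoder itself never opens a file: it only serialises bytes it was handed.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Field:
    type: str        # "text", "hidden", "file", "submit", ...
    name: str
    value: str = ""  # the markup's value= attribute, if any


@dataclass
class Chosen:
    """A file the user picked in the file dialog (never derived from markup)."""
    filename: str
    content: bytes


class UploadPolicyError(Exception):
    pass


def _header_safe(s: str) -> str:
    """Refuse characters that could break out of a part header."""
    if any(c in s for c in '"\r\n'):
        raise UploadPolicyError(f"unsafe characters in {s!r}")
    return s


def file_button_label(f: Field) -> str:
    """Rule 2: a file input's value= is only the text on its button."""
    return f.value or "Browse..."


def encode_form(fields, user_choices, boundary=None):
    """Build a multipart/form-data body.

    user_choices maps a file field's name to the Chosen file the user picked.
    Returns (content_type, body_bytes).
    """
    boundary = boundary or secrets.token_hex(16)
    chunks = []
    for f in fields:
        if f.type in ("submit", "reset", "button"):
            continue  # buttons carry no data here
        name = _header_safe(f.name)
        if f.type == "file":
            chosen = user_choices.get(f.name)
            if chosen is None:
                continue  # user chose nothing: the field is omitted entirely
            # Basename only, so a chosen file never leaks its directory.
            fname = _header_safe(chosen.filename.replace("\\", "/").split("/")[-1])
            chunks.append(
                (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="{name}"; filename="{fname}"\r\n'
                 f"Content-Type: application/octet-stream\r\n\r\n").encode()
                + chosen.content + b"\r\n")
        else:
            # Rule 1: hidden (and text) values are plain data, echoed as given.
            chunks.append(
                (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                 f"{f.value}\r\n").encode())
    chunks.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(chunks)


# Constructed form: the hidden token from the server plus the very markup
# the post warns about, <input type=file value=/etc/passwd>.
EXAMPLE_FIELDS = [
    Field("hidden", "session", "tok-123"),
    Field("file", "doc", "/etc/passwd"),
    Field("submit", "go", "Send"),
]

if __name__ == "__main__":
    ct, body = encode_form(EXAMPLE_FIELDS, {}, boundary="demo")
    print(ct)
    print(body.decode())
    print("button label:", file_button_label(EXAMPLE_FIELDS[1]))
```

With no user choice the body carries only the `session` part; the path in the markup shows up nowhere, because the encoder has no code path that opens a file named by an attribute.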