Closed Bug 380293 Opened 18 years ago Closed 18 years ago

<input type="file"> still sends data even if it's removed from the dom using removeChild

Categories

(Core :: Layout: Form Controls, defect)

Product:
Core
Component:
Layout: Form Controls
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: oliver.stieber, Unassigned)

Details

Attachments

(1 file)

Page that removed input=type = file from the dom
2.52 KB, text/html
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3 <input type="file"> still sends data even if it's removed from the dom using removeChild, the only way to stop it is to set the value to '' before removing it. This is a security issue because the user could verify that the upload has been removed, by looking at the dom. the firefox will still send the unintended file to the server. Reproducible: Always Steps to Reproduce: Use the following html page, and something where the form can be posted to at the backend (here called FileUploader.aspx) <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <title>File Upload</title> <link rel="stylesheet" type="text/css" href="http://images.uk-plc.net/cssuk/purchasing.css"> <script type="text/javascript"> //<!-- document.files = new Array(); var uploaderCount = 0; function createNewFileUploader(){ uploaderCount++; newInput = document.createElement("input"); newInput.setAttribute("type","file"); newInput.setAttribute("name","file"+uploaderCount); newInput.setAttribute("id", "file"+uploaderCount); newInput.pid = uploaderCount; newInput.onchange = function(){ createFileDisplayDiv(this.pid, this.value); this.style.display = 'none'; createNewFileUploader(); } theform = document.getElementById('fileinputs'); theform.appendChild(newInput); } function createFileDisplayDiv(pid, filename) { newDiv = document.createElement("div"); newDiv.pid=pid; newDiv.setAttribute("id", "filediv"+pid); newDiv.innerHTML = '<input type="button" onclick="removeFile('+pid+')" value="remove">' + filename; filesdiv = document.getElementById('files'); filesdiv.appendChild(newDiv); } function removeFile(pid){ filesdiv = document.getElementById('files'); filediv = document.getElementById('filediv'+pid); filesdiv.removeChild(filediv); theform = document.getElementById('fileinputs'); fileinput = document.getElementById('file'+pid); // This is where the file input is removed theform.removeChild(fileinput); } //--> </script> </head> <body> <p> <br> </p> <form id="testform" method="post" action="FileUploader.aspx" enctype="multipart/form-data"> <input type="hidden" name="stylesheet" value="http://images.uk-plc.net/cssuk/purchasing.css"> <div id="fileinputs"> <input type="file" name="file0" id="file0" onchange="createFileDisplayDiv(this.pid, this.value); this.style.display = 'none'; createNewFileUploader();"> </div> <div id="files"> </div> <input type="submit" value="upload" name="upload" id="upload"><input type="hidden" name="dbKey" id="dbKey" value="X3H2FTSbfC2fxsy4omJqMA=="> <input type="hidden" name="filePath" id="filePath" value=""> <div id="closewindow"> <a href="javascript: self.close();">close window</a> </div> </form> </body> </html> Actual Results: the file is sent to the server Expected Results: the file not to be sent to the server This isn't a sever security issue as it requires the user to pick an incorrect file to send first.
Assignee: nobody → dveditz
Product: Firefox → Core
QA Contact: firefox → toolkit
Assignee: dveditz → nobody
Component: Security → Layout: Form Controls
QA Contact: toolkit → layout.form-controls
Please attach the testcase as an attachment instead.
Flags: blocking1.9?
Click on browse, Select a file Click on browse again, Remove a file from the list Click send (needs FileUploader.aspx setup to receive the post)
Flags: blocking1.9? → blocking1.9-
That page is buggy. It uses: <input name="file0" id="file0" onchange="createFileDisplayDiv(this.pid, this.value); this.style.display = 'none'; createNewFileUploader();" type="file"> but there is no "pid" property on that control, unlike the controls created by createNewFileUploader(). As a result the page tries to remove the input with id "fileundefined", which of course fails.
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: