Closed Bug 451856 Opened 16 years ago Closed 16 years ago

FileUpload blindness for full path name COMPLETELY blocks browser from local file system

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 405630

People

(Reporter: gildnerr, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.1) Gecko/2008070206 Firefox/3.0.1

The full file path on the local machine is no longer accessible from the <input type="file"> tag. This was done to make opaque the file structure of the local machine to other computers. However, it also makes it opaque to the browser. 

There are many reasons to allow access to the complete file path. As an example, a good, user-friendly application provides feedback, such as letting the user see an image they want to upload before sending it, in the browser window. This "fix" makes that impossible.

Are the security and privacy concerns severe enough to lock the user out of their own computer? If so, is locking out the browser the best (or wisest) way to lock out the outside world? Would it not make more sense to place the block between the local machine and the Internet, rather than the local machine and the browser?

WHY DID I SET THIS PRIORITY TO MAJOR? Functionality which had existed before is now missing. Every reference to the contents of the .value I've read say it should be full path, not just file name.

Reproducible: Always

Steps to Reproduce:
In a page, create an input object of type FILE: <input id="getPicBtn" type="file" />
In a JavaScript <script>, read document.getElementById( "getPicBtn" ).value. It is the file name, only, with NO path information.

Although the user has navigated to and selected the image file, nothing can be done with it on the local machine?
Actual Results:  
File name is returned, rather than the complete file path.

Expected Results:  
document.getElementById( "getPicBtn" ).value should return the complete file path.
If we allowed scripts on web pages to see the full path, they would be able to send those paths to "other computers"...
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
I took a look at bug 405630 - there are references to 19 total defect reports relating to the change in the definition of the return value of "value", dating back 9 months.

In what version was this change implemented? I need to know so I can give the users information on how to work around this "feature." Thanks.
It was changed between Firefox 2 and Firefox 3 (see bug 143220).  But I hope you find a workaround other than "go back to Firefox 2", because Firefox 3 was full of security improvements and Firefox 2 is going out of support soon.
You need to log in before you can comment on or make changes to this bug.