Closed Bug 5826 Opened 21 years ago Closed 21 years ago

paste allowed into file selection controls

(Core :: Security, defect, P3, minor)

Windows NT

(Reporter: cpratt, Assigned: norrisboyd)

build id: 1999043099
reproduced on: windows nt 4

not sure if this is a problem, but you can paste things directly into the file
selection control. this seems that it might be a security issue as
malicious javascript could paste a typical file path into the file selection
control and submit a form without a user's knowledge.

otoh, i am not knowledgeable about this kind of thing, so feel free to provide
feedback. on the mac version of nav 4.51, paste is not possible into a text
field, for example - but it is allowed on 4.6 under nt.
Assignee: tomw → lord
Assignee: lord → norris
yeah, this would definitely be a problem.  Client technology security
(non-crypto) is only very recently starting to get added.  It is definitely cool
to pop anything you think is 'fishy' into a bug, that way it'll be tracked.

(I couldn't get to the url)

So, in regards to the file input field: "you can paste things directly into the file
selection control". Do you mean standard OS cut & paste? That would be ok.

The most recent discussion I'm aware of regarding the form file upload resulted
in a decision that in the future (5.0), we should have a separate warning dialog
specifically for form file uploads, because of all the times we've had security
firedrill surrounding this feature.

The dialog should specifically list the path and file names of the items being

It's possible with this dialog, we eliminate the need to try and control
automatic entry into the file upload field.  You could have default values, or
javascript that updates the value.  In the end, you would always get the dialog
that lists whats being sent, before it gets sent.

It should be possible to turn the dialog off (default being on), and turn it
back on again.  It should be the user's right to turn it off, but it would be
their decision and their risk.

Reassigning to norris for his thoughts, and perhaps reassignment to another
Hardware: PC → All
We don't have any JavaScript-directed way to paste text, do we? As long as the
user is doing the pasting, that's okay.
Target Milestone: M11
Blocks: 12633
Closed: 21 years ago
Resolution: --- → INVALID
Unless we can get a test case that shows how JavaScript can paste into the
widget, I think this bug is invalid.
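The test case asked for above can be written as a probe that tries to assign a path to every file selection control on a page and reports any control that keeps it. This is an added example, not code from the bug report or from Mozilla: per the HTML standard, assigning a non-empty string to the `value` of an `<input type="file">` throws an `InvalidStateError` DOMException and only the empty string (which clears the selection) is accepted, so in a conforming browser the probe reports nothing. The function names, the constructed path, and the two stand-in input objects (one spec-compliant, one modelling the behaviour the reporter feared) are assumptions so the check also runs under Node without a DOM.

```javascript
// Added example (not from the bug report). Probe whether a file selection
// control accepts a script-assigned path. Per the HTML standard, assigning a
// non-empty string to a file input's value throws "InvalidStateError"; only
// the empty string (clearing the selection) is allowed.

function probeFileInputValueAssignment(input, candidatePath) {
  // Report what happened and never leave a path set on the control.
  const result = { accepted: false, error: null, valueAfter: null };
  try {
    input.value = candidatePath;
    result.valueAfter = input.value;
    result.accepted = candidatePath !== '' && input.value === candidatePath;
  } catch (e) {
    result.error = e.name;
  } finally {
    try { input.value = ''; } catch (_) { /* clearing is always permitted */ }
  }
  return result;
}

// Walk every file input in a document and list those that kept the path.
// The candidate path is a constructed placeholder, not a real file.
function checkFileInputsAreScriptSafe(doc, candidatePath = 'C:\\example\\constructed.txt') {
  const findings = [];
  for (const input of doc.querySelectorAll('input[type="file"]')) {
    const r = probeFileInputValueAssignment(input, candidatePath);
    if (r.accepted) findings.push({ name: input.name, valueAfter: r.valueAfter });
  }
  return findings;
}

// Constructed stand-in (assumption) for a browser's file input that follows
// the HTML standard's setter rule, so the probe runs under Node as well.
function makeSpecCompliantFileInput(name) {
  let stored = '';
  return {
    name,
    type: 'file',
    get value() { return stored; },
    set value(v) {
      if (v !== '') {
        const err = new Error('file input value may only be set to the empty string');
        err.name = 'InvalidStateError';
        throw err;
      }
      stored = '';
    },
  };
}

// Constructed stand-in (assumption) modelling the behaviour the bug feared:
// a control whose value any script can overwrite.
function makeUnsafeFileInput(name) {
  let stored = '';
  return {
    name,
    type: 'file',
    get value() { return stored; },
    set value(v) { stored = v; },
  };
}

// Minimal document stand-in exposing only the query the checker needs.
function makeDoc(inputs) {
  return {
    querySelectorAll: (sel) => (sel === 'input[type="file"]' ? inputs : []),
  };
}

// In a real page, run the checker against the live document.
if (typeof document !== 'undefined') {
  console.log(checkFileInputsAreScriptSafe(document));
}
```

In a browser this is pasted into the console of the page under review; an empty list means no control on that page can be filled by script, which is the condition the comment above treats as making the bug invalid. The unsafe stand-in exists only so the detection path can be exercised offline.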
Verified invalid.
Bulk moving all Browser Security bugs to new Security: General component.  The 
previous Security component for Browser will be deleted.
Component: Security → Security: General