http://united-coders.com/taxonomy/term/103/0 en http://united-coders.com/matthias-reuter/circumvention-of-operas-upload-field-path-protection <p>If you have a form with a file upload field, in some browsers you cannot extract the path to the chosen file. This is meant as a security measure, because it might reveal some information about the user, e.g. the username.</p> <p>In earlier versions of Opera, if you tried to read the upload field's value, only the file name was given:</p> <p><div class="geshifilter"><div class="javascript geshifilter-javascript" style="font-family:monospace;"><span style="color: #003366; font-weight: bold;">var</span> uploadField <span style="color: #339933;">=</span> document.<span style="color: #660066;">getElementById</span><span style="color: #009900;">&#40;</span><span style="color: #3366CC;">&quot;upload&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span><br /> <span style="color: #003366; font-weight: bold;">var</span> path <span style="color: #339933;">=</span> uploadField.<span style="color: #660066;">value</span><span style="color: #339933;">;</span> <span style="color: #006600; font-style: italic;">// was &quot;foo.jpg&quot;</span></div></div></p> <p>In the recent version, Opera for some reason reveals a full path, but it's a fake path:</p> <p><div class="geshifilter"><div class="javascript geshifilter-javascript" style="font-family:monospace;"><span style="color: #003366; font-weight: bold;">var</span> uploadFIeld <span style="color: #339933;">=</span> document.<span style="color: #660066;">getElementById</span><span style="color: #009900;">&#40;</span><span style="color: #3366CC;">&quot;upload&quot;</span><span style="color: #009900;">&#41;</span><span style="color: #339933;">;</span><br /> <span style="color: #003366; font-weight: bold;">var</span> path <span style="color: #339933;">=</span> uploadField.<span style="color: #660066;">value</span><span style="color: #339933;">;</span> <span style="color: #006600; font-style: italic;">// now &quot;C:\fake_path\foo.jpg&quot;</span></div></div><span class="read-more"><a href="/matthias-reuter/circumvention-of-operas-upload-field-path-protection"><strong>Read more</strong></a></span></p> <!-- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/"> <rdf:Description rdf:about="http://united-coders.com/matthias-reuter/circumvention-of-operas-upload-field-path-protection" dc:identifier="http://united-coders.com/matthias-reuter/circumvention-of-operas-upload-field-path-protection" dc:title="Circumvention of Opera&#039;s Upload Field Path Protection" trackback:ping="http://united-coders.com/trackback/44" /> </rdf:RDF> --> <div class='sexybookmarks-default-9130'></div> http://united-coders.com/matthias-reuter/circumvention-of-operas-upload-field-path-protection#comments Opera security Sun, 20 Dec 2009 22:40:08 +0000 Matthias Reuter 44 at http://united-coders.com