Re: Web file submission form security

Subject: Re: Web file submission form security
From: Isaac Rabinovitch <isaacr -at- mailsnare -dot- net>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Mon, 10 Nov 2003 12:08:00 -0800


Nothing to forgive -- you're asking a very interesting (and tricky) question.

The direct answer to your question describes the HTML that submits the file to the web server. Which, stripped of extraneous stuff, consists of these lines:

<form enctype="multipart/form-data" action="index.html" method="post">
<input type="file" name="userfile">
<input type="submit" value="process" class="button">
</form>

The first <input> tag creates the two controls (the text field and the browse button) that allow you to specify a file to be uploaded. The second <input> tag specifies that the entire contents of the form (including the file) be uploaded when the "process" button is pressed. The browser logic behind <input type="file"> should allow the browser to upload the file you specify, and no other.

But you're really asking a bigger question: How do you know whether a web page is snooping in your computer? The answer does not involve looking out for pages that ask you to upload files, or examining the code behind a suspicious web page. There's no code (or at least no official code) that allows web designers to upload arbitrary files. If there were, the web would be unusable. So no web browser supports this behavior by design. Sometimes they support it unintentionally, and that's a bug.

The question you need to ask is: Who do I trust? Before you install any program on your computer, you have to decide whether you trust whoever provided that software. If you don't trust the vendor of a web browser to not do stuff like that, you shouldn't use the web browser. (Or, if you're technically savvy, you can add your own safeguards.) And that goes for any software you download and install. That's the logic behind all those "Do you trust software from Jekyll/Hyde Productions?" dialogs you keep seeing.

Goldstein, Dan wrote:

Forgive my ignorance of code: On a site like the one below, how can I be
certain that the "Process" button uploads the file that I specified, as
opposed to a site deliberately uploading a different file with a standard
name in Windows?

-----Original Message-----
From: Steve Arrants
Sent: Friday, November 07, 2003 2:31 PM
To: TECHWR-L
Subject: Re: T-letter, a good, good, thing.

For small documents without a lot of formatting whiz-bang, I've found textism's online tool does a very good job.
http://www.textism.com/resources/cleanwordhtml/ for more info.






