
input type="file" grabs ENTIRE file path in IE?

P: n/a
I have an input type="file" field that I am using to accept a file upload.
This works, but I'm having problems with the filename property.

In firefox, this:

MyInputField.postedfile.filename

returns the filename...and just the filename. Which is what I want.

In IE, however, this returns the ENTIRE local user's system path to the file
+ the filename. Which, is pretty useless for most applications. (Actually,
it seems like a security issue.)

Is there a workaround for this short of parsing the entire filepath looking
for backslashes? I can certainly do that, but maybe there is a better way to
grab just the filename when the end-user is using IE.

-Darrel
Nov 19 '05 #1
10 Replies


P: n/a
Check the FileInfo class.

Nov 19 '05 #2

P: n/a
Darrel,

System.IO.Path.GetFileName (MyInputField.postedfile.filename)

will always return the filename and extension regardless of the browser
type.

Eliyahu

Nov 19 '05 #3
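
An added example, not code from any poster in this thread: a C# helper that reduces whatever file name the browser submits (full local path from IE, bare name from Firefox) to a bare name before it is stored or logged. It splits on both separator styles itself, because `Path.GetFileName` only treats `\` and `:` as separators when the server runs on Windows; the class name `UploadName`, the method `FromClient` and all sample values are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Linq;

static class UploadName
{
    // Treated as path separators regardless of the server OS.
    // Path.GetFileName only splits on '\' and ':' when running on Windows.
    static readonly char[] Separators = { '\\', '/', ':' };

    // Returns a bare file name, or null if nothing usable remains.
    public static string FromClient(string clientFileName)
    {
        if (string.IsNullOrWhiteSpace(clientFileName)) return null;

        // Keep only the text after the last separator, so the client's
        // local directory layout is never stored or logged.
        int cut = clientFileName.LastIndexOfAny(Separators);
        string name = clientFileName.Substring(cut + 1);

        // Drop control characters and characters the server platform
        // does not allow in file names.
        char[] invalid = Path.GetInvalidFileNameChars();
        name = new string(name.Where(c => !char.IsControl(c) && !invalid.Contains(c)).ToArray());

        // "." and ".." are not file names; trailing dots and spaces are dropped.
        name = name.Trim().TrimEnd('.');
        return name.Length == 0 ? null : name;
    }

    static void Main()
    {
        // Constructed sample values, as different clients might submit them.
        string[] samples =
        {
            @"C:\Documents and Settings\alice\My Documents\report.pdf", // IE-style full path
            "report.pdf",                                               // Firefox-style bare name
            "/home/alice/notes.txt",                                    // Unix-style path
            @"..\..\web.config",                                        // relative segments are discarded
            @"C:\temp\"                                                 // no file name at all
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-60} -> {1}", s, FromClient(s) ?? "(rejected)");
    }
}
```

The value is client-supplied either way, so the server should pick its own storage directory and treat the returned name only as a label.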

P: n/a
System.IO.Path.GetFileName(string);

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

Nov 19 '05 #4

P: n/a
> System.IO.Path.GetFileName (MyInputField.postedfile.filename)
>
> will always return the filename and extension regardless of the browser
> type.

Easy enough.

Out of curiosity, isn't IE's default behavior a bit of a security issue? It
seems odd that I can grab someone's entire directory structure to the file
they are uploading.

-Darrel
Nov 19 '05 #5

P: n/a
> Out of curiosity, isn't IE's default behavior a bit of a security issue?
> It seems odd that I can grab someone's entire directory structure to the file
> they are uploading.

First, you are only getting the directory path to a single file, not their
entire directory structure. Second, your server-side app has no access to
the client's file system. Third, the entire path is used by IE to upload the
file. Fourth, the app is not "grabbing" the file path; the user is
voluntarily supplying it.

IOW, if there was a security issue, it would have been taken care of, as
have the existing security issues.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

Nov 19 '05 #6

P: n/a
I disagree, I believe it to be a security bug, but a low priority one. After
upload, the server knows one valid dir path, which it can use in an attack.

-- bruce (sqlwork.com)

Nov 19 '05 #7

P: n/a
Well, Bruce, if you're correct, it will be addressed at some future point.
Personally, I don't see the need to send the entire path to the server, so
it could be remedied by browser manufacturers, working with the W3C.

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

Nov 19 '05 #8

P: n/a
> First, you are only getting the directory path to a single file, not their
> entire directory structure. Second, your server-side app has no access to
> the client's file system. Third, the entire path is used by IE to upload the
> file. Fourth, the app is not "grabbing" the file path; the user is
> voluntarily supplying it.
>
> IOW, if there was a security issue, it would have been taken care of, as
> have the existing security issues.

Well, everything you said made perfect sense. Well, except that last
sentence, which we all know isn't entirely true. ;o) ;o) ;o)

-Darrel
Nov 19 '05 #9

P: n/a
> Well, except that last
> sentence, which we all know isn't entirely true. ;o) ;o) ;o)

Note that I didn't say in my response to Bruce that he was correct. I said
"IF he is correct." My feeling is that there is no security issue there.
Otherwise, it would have been addressed by now. But I can't say with any
authority.

Perhaps it would be better to say that the last point is debatable. ;-)

--
HTH,

Kevin Spencer
Microsoft MVP
.Net Developer
What You Seek Is What You Get.

Nov 19 '05 #10

P: n/a
> Perhaps it would be better to say that the last point is debatable. ;-)

We can agree on that. ;o)

-Darrel
Nov 19 '05 #11
