Ed Jay <ed***@aes-intl.com> writes:
> I'm not sure it's involuntarily accessing the file system. The user selects
> a filename...I would think there's some client-side manner to ascertain what
> the filename selected is, or whether one was selected at all. It's trivial
> to do it serverside.

That's not necessarily true. The web browser sends a comment that
usually looks somewhat like a filename, yes, but it needn't be the
filename that the file had on the user's filesystem (indeed, in some
cases with automated HTTP requests, the file may never actually exist
on any filesystem).
Certainly major browsers differ in whether the full filesystem path is
sent to the server or not, for example.
As far as client-side security goes:
http://www.securityfocus.com/archive...0/150/threaded
is an interesting bug that involved messing around with browser focus
to get the user to upload a file of your choice to you. Consider how
much easier that would have been to exploit if JavaScript had direct
access to the contents of the file field and it's understandable that
browsers generally don't (unfortunately at the time that bug was
reported they hadn't considered that they shouldn't let you focus a
file field either).
--
Chris
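
A server-side sketch of the point made in the reply above, added here as an example and not part of the original post: the filename in a multipart upload is a client-supplied label, so the server reduces it to a bare name and never uses it as the storage path. The function names and sample headers are hypothetical, and only the quoted `filename="..."` form is handled.

```python
import re
import secrets
import unicodedata

# Quoted filename parameter of a multipart/form-data part's Content-Disposition.
_FILENAME = re.compile(r';\s*filename="([^"]*)"', re.IGNORECASE)

def claimed_filename(content_disposition):
    """Return the client's filename label, or None if the part carries none."""
    m = _FILENAME.search(content_disposition)
    return m.group(1) if m else None

def display_label(claimed):
    """Reduce the client's label to a bare name; None means no usable name."""
    if not claimed:
        return None  # filename="" is what a browser sends for an empty file field
    # Normalise first so compatibility forms of "/" and "\" become real separators.
    text = unicodedata.normalize("NFKC", claimed)
    # Some browsers send a full path: keep only what follows the last separator.
    base = re.split(r"[\\/]", text)[-1]
    # Drop control and format characters, then leading/trailing dots and spaces.
    base = "".join(c for c in base if unicodedata.category(c)[0] != "C")
    base = base.strip(" .")
    return base[:255] or None

def accept_upload(content_disposition):
    """Return {'label', 'stored_as'} for a file part, or None if no file was sent."""
    label = display_label(claimed_filename(content_disposition))
    if label is None:
        return None
    # The on-disk name is generated server-side; the label is metadata only.
    return {"label": label, "stored_as": secrets.token_hex(16)}

# Constructed sample headers, not captured traffic.
SAMPLES = [
    'form-data; name="doc"; filename="C:\\Users\\alice\\report.pdf"',
    'form-data; name="doc"; filename="report.pdf"',
    'form-data; name="doc"; filename=""',
    'form-data; name="doc"; filename="../../etc/passwd"',
    'form-data; name="comment"',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(repr(header), "->", accept_upload(header))
```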