Ray wrote:
On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote:
This would be the exploitable 'feature' I mentioned... Client-side files
should never be readable
Dan
If the contents of a file were readable, I would definitely agree with you.
I'm not convinced that the ability to detect the filesize of a file that the
user selected would be exploitable, but it's a moot point as it doesn't work
in JavaScript. (As someone else pointed out, maybe ActiveX?)
If JavaScript can read the *directory* (and, thus, the size of the file)
I'd be a bit nervous about that.
I'm not a JavaScript expert, but I am learning, so I dug out the book, and put
together the following script. (Ugly, insecure, and doesn't really do
anything, but quick and it works, at least on my machine/browser combo)
Select a file, and the page will tell you everything it can about the file. My
machine reports size as zero.
Wouldn't that suggest that it's not working, then? ;-)
Anyway, your script is interrogating the file *input element*, not the
file, itself. Where you're trying to get the file size
(document.test.fileTest.size) you're actually grabbing the value of the
input's "size" attribute, which has a default of 0. You'll see this if
you edit the input to have, e.g., size="100"
brian
--
PHP General Mailing List (http://www.php.net/)
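The distinction made in the reply above, as an added example that is not part of the original thread: the input's `size` property is the control's width, while a selected file's byte length is only reachable through the `files` list of the later File API, which browsers of the thread's era did not expose. The function name `inspectFileInput` and the sample objects are hypothetical stand-ins for a DOM `<input type="file">` so the code runs outside a browser.

```javascript
// Added example, not code from the thread. Plain objects stand in for the
// DOM element; in a page you would pass e.g. document.test.fileTest instead.

function inspectFileInput(input) {
  const report = {
    // "size" reflects the HTML size attribute: the visible width of the
    // control in characters. It says nothing about the chosen file.
    controlWidth: input.size,
    // Browsers without the File API have no "files" list at all.
    fileApiAvailable: typeof input.files === "object" && input.files !== null,
    files: [],
  };
  if (!report.fileApiAvailable) {
    return report; // nothing about the file itself is visible to script
  }
  // With the File API, script sees only files the user explicitly selected:
  // name and byte length, never the directory they came from.
  for (let i = 0; i < input.files.length; i++) {
    const f = input.files[i];
    report.files.push({ name: f.name, bytes: f.size });
  }
  return report;
}

// Constructed sample inputs, all with size="100" as suggested in the reply.
const legacyInput = { size: 100, value: "notes.txt" }; // no File API
const emptyInput = { size: 100, value: "", files: [] }; // nothing selected
const modernInput = {
  size: 100,
  value: "C:\\fakepath\\notes.txt", // browsers mask the real path
  files: [{ name: "notes.txt", size: 2048 }],
};

for (const input of [legacyInput, emptyInput, modernInput]) {
  console.log(JSON.stringify(inspectFileInput(input)));
}
```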