Peculiarities in Posting Files in ASP.NET

It's pretty easy in ASP.NET to build a form that supports the posting of binary data through the HtmlInputFile control. This wasn't so easy in classic ASP.

I just stumbled on a browser difference that well-written code should handle, but still is a bit interesting to think about. The PostedFile object has a FileName property that according to MS, is: "The fully-qualified path of the file from client's computer, such as 'C:\MyFiles\test.txt.'"

I thought this kind of seemed like a security violation to have the complete path in there. But I noticed that while IE sends the complete path (as per the documentation), Firefox will only send the filename, such as "test.txt."

I like Firefox's implementation better -- there's no reason the web server should know the path of the file on my machine. It took me a while to come to that conclusion, though, since it was Firefox causing me issues. I'm kind of annoyed at IE for sending the complete filename, but also for the docs that are IE-centric.
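
One way for server code to cope with both browser behaviours is to treat `PostedFile.FileName` as untrusted text and never as a path. This is an added example, not code from the original post; `UploadNames`, `LeafName` and `StoragePath` are hypothetical names.

```csharp
using System;
using System.IO;

// Added example; UploadNames and its methods are hypothetical helper names.
public static class UploadNames
{
    // Returns only the leaf name from a client-supplied upload filename,
    // whether the browser sent "C:\MyFiles\test.txt" or just "test.txt".
    public static string LeafName(string clientFileName)
    {
        if (string.IsNullOrEmpty(clientFileName))
            throw new ArgumentException("No file name supplied.");

        // Split on both separators explicitly: Path.GetFileName only honors
        // the separators of the server's own OS, not the client's.
        int cut = clientFileName.LastIndexOfAny(new char[] { '\\', '/', ':' });
        string leaf = clientFileName.Substring(cut + 1).Trim();

        // Drop characters that are not valid in a file name on the server.
        foreach (char c in Path.GetInvalidFileNameChars())
            leaf = leaf.Replace(c.ToString(), "");

        if (leaf.Length == 0 || leaf == "." || leaf == "..")
            throw new ArgumentException("File name is empty after cleanup.");
        return leaf;
    }

    // Builds the server-side storage path from a generated name, keeping only
    // the extension of the cleaned leaf; the client path never reaches disk APIs.
    public static string StoragePath(string uploadDir, string clientFileName)
    {
        string ext = Path.GetExtension(LeafName(clientFileName));
        return Path.Combine(uploadDir, Guid.NewGuid().ToString("N") + ext);
    }
}
```

Calling `UploadNames.LeafName` on the value of `PostedFile.FileName` yields `test.txt` for both the IE and the Firefox form of the name, so display and logging code sees the same value regardless of browser.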

Comments (2) -

James Byrd
9/5/2004 9:02:58 AM #

Oops. Sorry about the last incomplete entry. I somehow hit the submit button before I was done.



Anyway, as I was saying, browser developers have a lot of leeway for interpreting RFC 1867, which describes the "posting acceptor" feature you are talking about here.



The RFC is pretty vague about whether the file name should include a full path or not. In fact, the name appears to be optional, although browsers are encouraged to "make best effort to supply the file name."



While I agree that supplying the full path could be seen as a security risk, I have used that information to good effect when users try to figure out where they originally got the file they uploaded.



As for IE-centric documentation, well, since the RFC is open to interpretation, it makes sense that MS would document the feature the way they chose to implement it.



I consider it yet one more browser-specific standard that isn't really a standard. In fact, RFC 1867 was written in 1995, and is still considered "experimental" as far as I can tell.
