Subject: Re: Web file submission form security
From: Isaac Rabinovitch <isaacr -at- mailsnare -dot- net>
To: "TECHWR-L" <techwr-l -at- lists -dot- raycomm -dot- com>
Date: Mon, 10 Nov 2003 12:08:00 -0800
Nothing to forgive -- you're asking a very interesting (and tricky) question.
The direct answer to your question describes the HTML that submits the file to the web server.
Which, stripped of extraneous stuff, consists of these lines:
The first <input> tag creates the two controls (the text field and the browse button) that allow you
to specify a file to be uploaded. The second <input> tag specifies that the entire contents of the
form (including the file) be uploaded when the "process" button is pressed. The browser logic behind
<input type="file"> should allow the browser to upload the file you specify, and no other.
But you're really asking a bigger question: How do you know whether a web page is snooping in your
computer? The answer does not involve looking out for pages that ask you to upload files, or
examining the code behind a suspicious web page. There's no code (or at least no official code) that
allows web designers to upload arbitrary files. If there were, the web would be unusable. So no web
browser supports this behavior by design. Sometimes they support it unintentionally, and that's a bug.
The question you need to ask is: Who do I trust? Before you install any program on your computer,
you have to decide whether you trust whoever provided that software. If you don't trust the vendor
of a web browser to not do stuff like that, you shouldn't use the web browser. (Or, if you're
technically savvy, you can add your own safeguards.) And that goes for any software you download and
install. That's the logic behind all those "Do you trust software from Jekyll/Hyde Productions?"
dialogs you keep seeing.
Goldstein, Dan wrote:
Forgive my ignorance of code: On a site like the one below, how can I be
certain that the "Process" button uploads the file that I specified, as
opposed to a site deliberately uploading a different file with a standard
name in Windows?
-----Original Message-----
From: Steve Arrants
Sent: Friday, November 07, 2003 2:31 PM
To: TECHWR-L
Subject: Re: T-letter, a good, good, thing.
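
Added example (not part of the original message, and not the code of the site under discussion): a Python sketch that lists exactly which parts a submitted multipart/form-data request body contains and reports any file part other than the one the user picked. The boundary, the field names `userfile` and `other`, the file names and the file contents are constructed sample values; `process` follows the button name mentioned in the message.

```python
from email import message_from_bytes

BOUNDARY = "constructed-boundary-1234"  # constructed sample value
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"

def build_body(files, fields):
    """Build a constructed multipart/form-data body like the one a browser sends."""
    out = []
    for name, filename, data in files:
        out.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; '
                   f'name="{name}"; filename="{filename}"\r\n'
                   f'Content-Type: application/octet-stream\r\n\r\n{data}\r\n')
    for name, value in fields:
        out.append(f'--{BOUNDARY}\r\nContent-Disposition: form-data; '
                   f'name="{name}"\r\n\r\n{value}\r\n')
    out.append(f"--{BOUNDARY}--\r\n")
    return "".join(out).encode("ascii")

def list_parts(content_type, body):
    """Return (field name, filename or None, size in bytes) for each part sent."""
    header = f"MIME-Version: 1.0\r\nContent-Type: {content_type}\r\n\r\n"
    msg = message_from_bytes(header.encode("ascii") + body)
    if not msg.is_multipart():
        raise ValueError("not a multipart/form-data body")
    parts = []
    for part in msg.get_payload():
        name = part.get_param("name", header="content-disposition")
        data = part.get_payload(decode=True) or b""
        parts.append((name, part.get_filename(), len(data)))
    return parts

def unexpected_files(parts, chosen_filename):
    """File parts beyond the single file the user picked in the form."""
    files = [p for p in parts if p[1] is not None]
    chosen = [p for p in files if p[1] == chosen_filename]
    others = [p for p in files if p[1] != chosen_filename]
    return others + chosen[1:]  # a second copy of the chosen file is also unexpected

# Constructed requests: the expected one, and one carrying an extra file part.
NORMAL = build_body([("userfile", "report.txt", "quarterly numbers")],
                    [("process", "Process")])
ODD = build_body([("userfile", "report.txt", "quarterly numbers"),
                  ("other", "notes.txt", "x")], [("process", "Process")])

if __name__ == "__main__":
    for label, body in (("normal", NORMAL), ("odd", ODD)):
        parts = list_parts(CONTENT_TYPE, body)
        print(label, parts, "unexpected:", unexpected_files(parts, "report.txt"))
```

To apply this to a real submission, pass the request's own Content-Type header value and raw body (for example, as captured by a local debugging proxy) to `list_parts`.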