IE8 Breaking fixes with the Input File control

  • Thread starter Thread starter Nick
  • Start date Start date
N

Nick

Hey there,

I'm pretty shocked to find that IE8 has completely crippled our website.
We were relying on javascript to pull the filename from an input file field
within the onchange event. This still works as expected in IE7 and the full
path of the filename is stored in a hidden field ready to upload to the
server. This is *essential* for our sites operation as we do not allow for
uploading of content.

Anyway, IE8 is only returning the filename, and not the full path. Is
there a fix for this issue? Many thanks in advance for your time and help.

Nick.
 
Hi Patrice,
From :
http://blogs.msdn.com/ie/archive/2008/07/02/ie8-security-part-v-comprehensive-protection.aspx :

"
Additionally, the "Include local directory path when uploading files"
URLAction has been set to "Disable" for the Internet Zone. This change
prevents leakage of potentially sensitive local file-system information to
the Internet. For instance, rather than submitting the full path
C:\users\ericlaw\documents\secret\image.png, Internet Explorer 8 will now
submit only the filename image.png.
"

So if this is for an internal public you should be able to control this at
the client side level (not an amin guy but a GPO when connecting to your
network should do the trick).

If this is for the general public you could try to switch back to the IE 7
rendering mode to see if it solves the problem.
Click to expand...

Indeed I have read this article shortly after posting this question
which merely confirmed my suspicions, but we are already running in IE7
compatability mode and it does not fix the issue. It still uses the newer
"more secure" controls.
"as we do not allow for uploading of content". You may want to elaborate
about how you are using this value as it seems this is not for just
uploading the file ???
Click to expand...

The web site stores the file name and invokes client side applications
as well as web services that provide a "software as a service" solution for
securing documents. Believe it or not, not everyone wants to upload files,
when just the filename will suffice. This has broken many sites from
functioning, not just ours.

Logically speaking, us uploading the document and storing a content
would make the system far less secure than it is now, so this "fix" making
websites more "secure" is merely a matter of interpretation. We
specifically do not copy the authors documents so that security lays
entirely in their hands.

Now I'm not quite sure how we can do this, possibly via Flash?

Nick.
 
this was a long standing security hole in ie, that was finally fixed.
don't expect it to come back. if you need access to the filesystem, even
just valid paths, then you will need to write an active/x control. btw
flash, java and javascript are not allowed to access the filesystem. you
can use .net or flash, if installed as trusted applications (use sets
permission with cas)


-- bruce (sqlwork.com)
 
Hi Nick,

Besides ActiveX control you can also try XBAP:

http://msdn.microsoft.com/en-us/library/aa970060.aspx

However, from your description your users don't want to upload file. So I
think you can simply use <input/> instead of <input type="file"/>. Your
user can paste the file path there. Is there any particular reason that you
have to use <input type="file"/>?

Regards,
Allen Chen
Microsoft Online Support

Delighting our customers is our #1 priority. We welcome your comments and
suggestions about how we can improve the support we provide to you. Please
feel free to let my manager know what you think of the level of service
provided. You can send feedback directly to my manager at:
(e-mail address removed).

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

Note: MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 2 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions. Issues of this
nature are best handled working with a dedicated Microsoft Support Engineer
by contacting Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Nick,,

Do you have any progress on this issue?

Regards,
Allen Chen
Microsoft Online Community Support
 
Hi everyone,

I'm encountering the same problems as Nick with an existant web
application.

Indeed this application uses client side Java applet to compute Sha1
digests of files before being uploaded. The user selects its file to
be uploaded classically with an inputfile and when submittin,g a
Javascript event triggered the complete file names to the applet in
order to do the digest encryption. The complete filepath is no
required to be uploaded, only the digest string which allows to check
on server that the file has been correctly uploaded.

Theses operations are transparent for the user who upload files like
on every sites. So using an input instead of an inputfile is not
option as it's also terribly not user-friendly.

We encountered same problems with the Firefox 3 release and we
resolved it by using some signed Javascript which enables to require
some privileges from the user.

So have IE8 the same kind of mecanism as signed Javascripts ? Or could
you explicit me how I could do that with ActiveX ?

Regards,

Curu
 
Back
Top