{"id":20,"date":"2004-09-08T09:00:14","date_gmt":"2004-09-08T09:00:14","guid":{"rendered":"http:\/\/lachy.id.au\/log\/2004\/09\/file-upload-security"},"modified":"2006-04-30T23:53:38","modified_gmt":"2006-04-30T23:53:38","slug":"file-upload-security","status":"publish","type":"post","link":"https:\/\/lachy.id.au\/log\/2004\/09\/file-upload-security","title":{"rendered":"File Upload Security"},"content":{"rendered":"<p>Recently, from a post sent by <a href=\"http:\/\/www.quirksmode.org\/\" title=\"QuirksMode - for all your browser quirks\">Peter-Paul Koch<\/a> to <a href=\"http:\/\/www.css-discuss.org\/\">css-discuss<\/a>, I discovered a security flaw using <code>&lt;input type=\"file\"&gt;<\/code> controls, <abbr title=\"Cascading Style Sheets\">CSS<\/abbr> and JavaScript.  Peter&#8217;s explained a <a href=\"http:\/\/www.quirksmode.org\/dom\/inputfile.html\" title=\"Styling an input type=&quot;file&quot;\">technique<\/a> that allows authors to have more control over the style of file upload controls.  For those of you who don&#8217;t know, browser vendors limit the amount of styling and <abbr title=\"Document Object Model\">DOM<\/abbr> access to file upload controls for security reasons.  
This technique can be used to make the user think they are simply entering text into an ordinary text box, when in fact they are entering it into a file upload control.<\/p>\r\n\r\n<p>It works by positioning an ordinary text box underneath a file upload control and then setting <code>opacity<\/code> for the file upload control to <code>0<\/code>:<\/p>\r\n\r\n<pre><code>input.file {\r\n    \/* Assumes the file upload control has a\r\n     * class=\"file\" attribute\r\n     *\/\r\n    -moz-opacity: 0; \/* For Mozilla *\/\r\n    opacity: 0;      \/* For CSS3 compliant UAs including\r\n                      * recent Mozilla builds *\/\r\n    filter:alpha(opacity: 0); \/* For IE *\/\r\n}<\/code><\/pre>\r\n\r\n<p>JavaScript is used to copy the text from the file upload control to the text box behind, as it\u2019s entered by the user.  This security hole applies to <a href=\"http:\/\/www.mozilla.org\/\">Mozilla<\/a>, <a href=\"http:\/\/getfirefox.com\/\">Firefox<\/a> and <span title=\"Sorry, I never link to IE\u2019s home page, I don\u2019t want to increase its page rank.\">Internet Explorer<\/span>.<\/p>\r\n\r\n<p>I created some <a href=\"http:\/\/lachy.id.au\/dev\/markup\/examples\/forms\/file\/\">demonstrations<\/a> to show how this could potentially be used.  Combine that with the security holes discussed in <a href=\"http:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=57770\" title=\"Bugzilla: Using styles, clipboard to confuse text entry into file upload control\">bug 57770<\/a>, and that\u2019s quite a serious exploit.  I reported it on <a href=\"http:\/\/bugzilla.mozilla.org\/show_bug.cgi?id=57770#c54\" title=\"bug 57770 - Comment 54\">bugzilla<\/a>, and to Microsoft.  Although Microsoft\u2019s feedback mechanism was not very easy to find, I eventually found an e-mail address and actually received a prompt reply thanking me for taking the time to contact them with my constructive feedback (It was not just an automated response).  
I&#8217;m yet to hear anything from Bugzilla, nor a reply to my <a href=\"http:\/\/listserver.dreamhost.com\/pipermail\/whatwg-whatwg.org\/2004-September\/002200.html\">post<\/a> to the <a href=\"http:\/\/www.whatwg.org\/\"><abbr title=\"Web Hypertext Application Technology - Working Group\">WHAT-WG<\/abbr><\/a> <a href=\"http:\/\/www.whatwg.org\/mailing-list\">mailing list<\/a>. Let me know how serious you think this is, <em>or if you feel like putting it to some practical use<\/em>.<\/p>\r\n\r\n<p>PS. I still have 2 GMail invites available.  <a href=\"mailto:spam.my.gspot@gmail.com?subject=%5BGSpot%5D%20Invite%20Me\">e-mail<\/a> me if you want one.<\/p>","protected":false},"excerpt":{"rendered":"Recently, from a post sent by Peter-Paul Koch to css-discuss, I discovered a security flaw using &lt;input type=&#8221;file&#8221;&gt; controls, CSS and JavaScript. Peter&#8217;s explained a technique that allows authors to have more control over the style of file upload controls. For those of you who don&#8217;t know, browser vendors limit the amount of styling and &hellip; <a href=\"https:\/\/lachy.id.au\/log\/2004\/09\/file-upload-security\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">File Upload Security<\/span> <span 
class=\"meta-nav\">&rarr;<\/span><\/a>","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[15,11,17,6],"tags":[],"_links":{"self":[{"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/posts\/20"}],"collection":[{"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/comments?post=20"}],"version-history":[{"count":0,"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/posts\/20\/revisions"}],"wp:attachment":[{"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/media?parent=20"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/categories?post=20"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lachy.id.au\/log\/wp-json\/wp\/v2\/tags?post=20"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}