Re: [PHP] MAX_FILE_SIZE not working with file uploads
Ray wrote:
> On Saturday 22 September 2007 7:39:01 pm Dan Parry wrote:
>
>>
>>This would be the exploitable 'feature' I mentioned... Client-side files
>>should never be readable
>>
>>Dan
>
>
> If the contents of a file were readable, I would definitely agree with you.
> I'm not convinced that the ability to detect the filesize of a file that the
> user selected would be exploitable, but it's a moot point as it doesn't work
> in JavaScript. (As someone else pointed out, maybe ActiveX?)
If JavaScript can read the *directory* (and, thus, the size of the file)
I'd be a bit nervous about that.
> I'm not a JavaScript expert, but I am learning, so I dug out the book, and put
> together the following script. (Ugly, insecure, and doesn't really do
> anything, but quick and it works, at least on my machine/browser combo)
> Select a file, and the page will tell you everything it can about the file. My
> machine reports size as zero.
Wouldn't that suggest that it's not working, then? ;-)
Anyway, your script is interrogating the file *input element*, not the
file itself. Where you're trying to get the file size
(document.test.fileTest.size) you're actually grabbing the value of the
input's "size" attribute, which has a default of 0. You'll see this if
you edit the input to have, e.g., size="100"
brian
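
An added example, not part of the original thread: the distinction described in the reply above, written against the File API that current browsers expose on file inputs (`input.files`). The function name, the 2 MiB limit and the stand-in element object are assumptions made for illustration; the form and field names `test` and `fileTest` are taken from the message.

```javascript
// Added example. `input` is anything shaped like an <input type="file">:
// a `size` property (the element's width attribute) and a `files` list
// whose entries carry `name` and `size` (bytes), as File objects do.
function checkSelectedFiles(input, maxBytes) {
  const files = Array.from(input.files || []).map((f) => ({
    name: f.name,
    bytes: f.size,               // File.size: length of the selected file
    tooLarge: f.size > maxBytes,
  }));
  return {
    widthAttribute: input.size,  // the element's "size" attribute, not a file size
    files,
    ok: files.length > 0 && files.every((f) => !f.tooLarge),
  };
}

// Constructed limit and constructed stand-in element, so this runs outside a browser.
const MAX_BYTES = 2 * 1024 * 1024;
const sampleInput = {
  size: 100,                     // as if the markup said size="100"
  files: [
    { name: "photo.jpg", size: 48213 },
    { name: "video.avi", size: 7340032 },
  ],
};

// In a browser, report on the real field each time the selection changes.
if (typeof document !== "undefined" && document.forms.test) {
  const field = document.forms.test.elements.fileTest;
  field.addEventListener("change", () => {
    const result = checkSelectedFiles(field, MAX_BYTES);
    console.log("size attribute:", result.widthAttribute);
    for (const f of result.files) {
      console.log(f.name, f.bytes, f.tooLarge ? "over limit" : "ok");
    }
  });
}
```

The script sees only the name, size and type of files the user has picked, not the directory. Its result is a convenience for the user; the limit still has to be enforced on the server, because a client can skip or alter the check.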