Robert Kaiser wrote:
See https://bugzilla.mozilla.org/attachment.cgi?id=17860 from bug 57770 (https://bugzilla.mozilla.org/show_bug.cgi?id=57770). The problem is that the *user* did all the interaction with the form, and still managed to attempt an upload of a system file (whether the code should be able to *read* the value is another question, but I suspect there is some long and silly history about allowing that).


The real problem I see there is that the doc can trigger a submit before I even unfocus the file control. That should never be possible IMO, as I should be able to realize what I've typed in before I send it to a server.

Robert Kaiser

A solution to that would be to set a flag (preventing automatic submission) of a form when a file control is being edited. This may get complicated by a user leaving focus on the file control and trying to submit, but I am sure something can be worked out from that.

~Justin Wood (Callek)
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
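As an added illustration of the guard Justin proposes (this is example code written for this page, not Mozilla's form code or anything attached to the bug), the model below tracks an "editing" flag on a form while its file control has focus. A script-initiated submit is refused while the flag is set; a user-initiated submit is still accepted even if focus never left the file control, which is the complication he mentions. The class name `GuardedForm`, the `origin` argument and the sample path are all assumptions made for the example, and the model runs stand-alone without a DOM.

```javascript
// Added example, not code from the thread: a minimal model of a form that
// refuses script-driven submission while its file control is being edited.
class GuardedForm {
  constructor() {
    this.fileControlEditing = false; // the proposed flag
    this.fileValue = "";
    this.submissions = [];           // what actually reached the "server"
  }

  // User gives focus to the file control: start of an edit.
  focusFileControl() {
    this.fileControlEditing = true;
  }

  // User types a path while the control has focus.
  typeFilePath(path) {
    if (!this.fileControlEditing) {
      throw new Error("file control is not focused");
    }
    this.fileValue = path;
  }

  // User moves focus elsewhere: edit is finished and the flag is cleared.
  blurFileControl() {
    this.fileControlEditing = false;
  }

  // origin is "script" (form.submit() from page code) or "user" (a click on
  // the submit button or Enter in a field). Only script submits are held
  // back while the file control is being edited, so a user who leaves focus
  // on the control and presses the button is not blocked.
  submit(origin) {
    if (origin === "script" && this.fileControlEditing) {
      return { accepted: false, reason: "file control is being edited" };
    }
    this.submissions.push({ origin, file: this.fileValue });
    return { accepted: true, file: this.fileValue };
  }
}

// Scenario from the thread: the page submits before the user unfocuses
// the file control. The path is a constructed placeholder.
function scriptSubmitWhileEditing() {
  const f = new GuardedForm();
  f.focusFileControl();
  f.typeFilePath("/path/to/system-file (constructed)");
  return f.submit("script");
}

// Complication Justin raises: focus stays on the file control and the
// user submits deliberately. The guard lets this through.
function userSubmitWhileFocused() {
  const f = new GuardedForm();
  f.focusFileControl();
  f.typeFilePath("/path/to/system-file (constructed)");
  return f.submit("user");
}

// Once the user has left the control, the flag is clear and a script
// submit is treated as before.
function scriptSubmitAfterBlur() {
  const f = new GuardedForm();
  f.focusFileControl();
  f.typeFilePath("/path/to/system-file (constructed)");
  f.blurFileControl();
  return f.submit("script");
}

module.exports = { GuardedForm, scriptSubmitWhileEditing, userSubmitWhileFocused, scriptSubmitAfterBlur };
```

The model leans on the browser being able to tell a genuine user action from one synthesised by page script; in a real implementation that distinction has to come from the event system, not from anything the page can set, or the flag buys nothing.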
