[Webkit-unassigned] [Bug 111255] FormData.append should prefer application-specified filename to filename in a File

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Mar 4 10:59:07 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=111255


Alexey Proskuryakov <ap at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #191128|review?                     |review-
               Flag|                            |




--- Comment #9 from Alexey Proskuryakov <ap at webkit.org>  2013-03-04 11:01:31 PST ---
(From update of attachment 191128)
View in context: https://bugs.webkit.org/attachment.cgi?id=191128&action=review

> Source/WebCore/platform/network/FormData.cpp:239
> +                        // Let the application specify a filename if it's going to generate a replacement file for the upload.

This part is questionable enough for me to say r-, although I could be convinced with a good argument.

The purpose of this code is to let a client create a ZIP archive of a bundle when selected for form upload (such as a .pages document or an application bundle on Mac). The archive is created in a temporary folder, and deleted when not needed any more.

With this change, we will no longer ask the client whether it wants to generate an archive in the case when the name is specified. So, we'll try to upload a folder, and fail while sending the request.

> LayoutTests/http/tests/local/formdata/send-form-data-with-filename.html:11
> +description("Test for sending FormData via XMLHttpRequest.");

It would be better to explain the purpose of the test in more detail (e.g. "Test that filename passed to FormData.append() takes precedence over name attribute of File").

> LayoutTests/http/tests/local/formdata/send-form-data-with-filename.html:17
> +        { 'type': 'file', 'name': 'file1', 'value': '../resources/file-for-drag-to-send.txt', 'filename': 'custom-name.txt' }

This is not directly related to the purpose of this patch, but now that we are looking at this, could you please check what happens if filename contains dangerous characters, like line feeds or quote marks? Anything in HTTP request headers that is client controllable is a huge attack target.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list