2

Can websites see your computer's directory structure when you upload files through web forms (especially JavaScript)?

If so, what are ways to avoid this when uploading?

5835
  • 23
  • 2
  • using an `` to upload a deep tree will expose the _relative_ paths from the upload root, but not outside structure. – dandavis Jul 27 '17 at 20:42

2 Answers

0

Through the JavaScript File API, which should be used as a standard for any web file interaction, the only things about a file that are known to the JavaScript and the server are:

  1. bytes of the file (for readability)
  2. name of the file
  3. size of the file
  4. type of the file (.txt etc.)

The direct answer to your question is in this SO question, where somebody wanted to do exactly that (try the JSFiddle examples to test that not one will show the full path when you select a file): How to get full path of selected file on change of input file using javascript

There are some APIs that allowed you to do this (ActiveX) but they are mostly getting phased out.

Ladislav Louka
  • 573
  • 3
  • 11
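To check what a page can actually read from a selection, here is an added example (not code from either answer) that lists the script-readable fields and, for the directory-upload case raised in the comment, the folder names a relative path discloses. It goes slightly beyond the answer's list by including `lastModified` and `webkitRelativePath`; the plain objects are constructed stand-ins for `File` objects, and the function names are hypothetical.

```javascript
// Added example: what a page script can read from a file selection.
// Properties of the File/Blob interfaces; none of them holds an absolute path.
const READABLE_FIELDS = ["name", "size", "type", "lastModified", "webkitRelativePath"];

// Return only what the page (and therefore its server) can learn per file.
function exposedMetadata(files) {
  return Array.from(files, (f) => {
    const out = {};
    for (const key of READABLE_FIELDS) out[key] = f[key] ?? "";
    return out;
  });
}

// Folder names disclosed by a directory upload: every path segment of
// webkitRelativePath except the last one, which is the file name itself.
function revealedDirectories(files) {
  const dirs = new Set();
  for (const f of files) {
    const parts = (f.webkitRelativePath || "").split("/").slice(0, -1);
    for (let i = 1; i <= parts.length; i++) dirs.add(parts.slice(0, i).join("/"));
  }
  return [...dirs].sort();
}

// Constructed samples: one single-file selection, one directory selection.
const singleFile = [
  { name: "report.pdf", size: 48213, type: "application/pdf",
    lastModified: 1501188120000, webkitRelativePath: "" },
];
const dirUpload = [
  { name: "a.txt", size: 12, type: "text/plain",
    lastModified: 1501188120000, webkitRelativePath: "taxes/2016/a.txt" },
  { name: "b.txt", size: 40, type: "text/plain",
    lastModified: 1501188120000, webkitRelativePath: "taxes/2017/drafts/b.txt" },
];

// In a browser, inspect a real selection before submitting the form.
if (typeof document !== "undefined") {
  const input = document.querySelector("input[type=file]");
  if (input) {
    input.addEventListener("change", (e) => {
      console.table(exposedMetadata(e.target.files));
      console.log("Folders disclosed:", revealedDirectories(e.target.files));
    });
  }
}
```

Selecting a single file discloses no folder names at all; selecting a directory discloses the chosen folder's name and everything beneath it, so picking individual files avoids that exposure.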
0

If the browser, and especially its JavaScript engine, has no vulnerability, it will never return a view of the local file systems. So the best you can do is to consistently apply security updates to your browser.

BTW, uploading a file does not require JavaScript. Plain HTML forms provide the `<input type='file'>` tag, which is enough for it.

Serge Ballesta
  • 25,636
  • 4
  • 42
  • 84