Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Firefox focus stealing vulnerability (possibly other browsers)

From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Mon, 12 Feb 2007 21:53:47 +0100 (CET)
On Mon, 12 Feb 2007, [ISO-8859-1] Claus Färber wrote:


A proper solution would be to keep a list of files explicitly selected
by the user and only allow uploads of files in this list. Then even if a
script can manipulate the field, the browser won't upload files that
have not been selected by the user.


Not necessarily that easy: notice that it is the user who enters the name
of a target file.

Unless you want to prevent the browser from accepting any files that were
not chosen using a visual file selector widget - but in such a case,
there's not much point in having a manual file path entry box in the first
place.

/mz
Previous By Date Next
Previous By Thread Next

Current thread: