On Internet Explorer, the standard HTML file upload form also allows for direct input of the file name (instead of using the file selector dialog). This makes it possible to enter non-existing files. On other browsers (which do not let you do that) I suppose this case can still occur if you delete the file after having selected it.

In order to deal with bugs arising from this problem (like this one), I need to add some validation code on the server-side (which is only possible if the request actually goes to the server, of which I am not sure at this point), or on the client-side (which cannot be very straightforward, as you cannot access the actual file from the JavaScript sandbox). Other than that, the only (and possibly best) option seems to be to hide the input box with CSS magic, like GMail does for attachment files.

So, what happens when you try to upload a non-existing file? Is there still a POST request being sent? Or will the browser abort, and if it does, how can I detect that?

A: 

Really good question. In .NET there is Request.IsClientConnected, but I don't know if that will work for you in this case, or if you are even using .NET in the first place.

I would try running it through Fiddler on the client end and Wireshark at the server end, and see if you get any insights by looking at the traffic patterns. You may then be able to work out how to detect this.

Interested to see what you come up with. Sorry I can't give a better answer.

seanb
A: 

The post occurs but, at least in .Net, the System.Web.UI.WebControls.FileUpload control has a HasFile property which would be False (I tried to upload c:\tmp\foo.pdf). Checking that property prior to processing would prevent any bugs arising from a missing file.

Chuck
Hmm, I tried Fiddler, as suggested by @seanb, and I cannot see the request happening. Also, I have breakpoints on the server side (Java/Struts) and cannot verify any incoming requests. This is IE6 on WinXP using FCKEditor's image upload.
Thilo
I ran my test with IE6 on WinXP against .Net. Sorry - I won't be much help with FCKEditor.
Chuck
+2  A: 

I think I figured it out.

First of all, it seems to make a difference whether it is just the file that does not exist, or the whole path is incorrect. If only the file is missing, apparently a POST does take place.

At least in the case I mentioned (FCKEditor's image upload dialog on WinXP and IE6), the browser does not submit the form at all (so that there is nothing that can be done server-side).

It is possible to detect the problem on the client, by not using the normal form submit, but by having an onSubmit handler that stops the submit (returns false) and instead submits the form itself using form.submit(). If the file is missing, there will be an exception.

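// Body of the form's onSubmit handler
try {
   // Submit programmatically; an exception here means the file is missing
   form.submit();
}
catch (e) {
   // show some error message
}
// Always cancel the default submit
return false;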
Thilo
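
One way to do the server-side check for the case where the POST still arrives, as an added example that is not code from this thread: it parses a multipart/form-data body and rejects a file field that has no filename or no bytes. The function names, the field name `upload` and the sample body are constructed, and it assumes a missing file shows up as a file part with an empty body, which the thread does not confirm.

```javascript
const CRLF = "\r\n";

// Boundary parameter of a multipart/form-data Content-Type header, or null.
function boundaryOf(contentType) {
  const m = /^multipart\/form-data;.*\bboundary=(?:"([^"]+)"|([^;\s]+))/i.exec(contentType || "");
  return m ? (m[1] || m[2]) : null;
}

// Split a multipart body (Buffer) into parts: { name, filename, data }.
function parseMultipart(body, boundary) {
  const chunks = body.toString("latin1").split("--" + boundary); // latin1 maps bytes 1:1
  const parts = [];
  for (const chunk of chunks.slice(1)) {        // chunk 0 is the preamble
    if (chunk.startsWith("--")) break;          // closing delimiter reached
    const headerEnd = chunk.indexOf(CRLF + CRLF);
    if (headerEnd < 0) continue;                // malformed part: skip it
    const disp = /content-disposition:\s*form-data([^\r\n]*)/i.exec(chunk.slice(0, headerEnd));
    if (!disp) continue;
    const name = /;\s*name="([^"]*)"/i.exec(disp[1]);
    const filename = /;\s*filename="([^"]*)"/i.exec(disp[1]);
    // Part data stops before the CRLF that precedes the next delimiter.
    const data = chunk.slice(headerEnd + 4, chunk.length - CRLF.length);
    parts.push({ name: name ? name[1] : null, filename: filename ? filename[1] : null,
                 data: Buffer.from(data, "latin1") });
  }
  return parts;
}

// Reject a file field that arrived without a name or without any bytes.
function checkUpload(body, contentType, field) {
  const boundary = boundaryOf(contentType);
  if (!boundary) return { ok: false, reason: "not multipart/form-data" };
  const part = parseMultipart(body, boundary).find(p => p.name === field);
  if (!part || part.filename === null) return { ok: false, reason: "no file part" };
  if (part.filename === "") return { ok: false, reason: "no file selected" };
  if (part.data.length === 0) return { ok: false, reason: "empty file" };
  return { ok: true, reason: "received " + part.data.length + " bytes" };
}

// Constructed sample body for a field named "upload" (not captured traffic).
function sampleBody(boundary, filename, content) {
  return Buffer.from("--" + boundary + CRLF +
    'Content-Disposition: form-data; name="upload"; filename="' + filename + '"' + CRLF +
    "Content-Type: application/pdf" + CRLF + CRLF +
    content + CRLF + "--" + boundary + "--" + CRLF, "latin1");
}

console.log(checkUpload(sampleBody("b123", "c:\\tmp\\foo.pdf", ""), "multipart/form-data; boundary=b123", "upload"));
```

This only covers requests that reach the server; when the browser never submits the form, there is nothing for it to inspect.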