[Mono-bugs] [Bug 82059][Nor] New - HttpPostedFile.FileName might contain Windows paths (e.g. "C:\TMP\test.txt")

bugzilla-daemon at bugzilla.ximian.com bugzilla-daemon at bugzilla.ximian.com
Tue Jul 10 10:24:56 EDT 2007

Please do not reply to this email- if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by juraj at hotfeet.ch.


--- shadow/82059	2007-07-10 10:24:56.000000000 -0400
+++ shadow/82059.tmp.1985	2007-07-10 10:24:56.000000000 -0400
@@ -0,0 +1,50 @@
+Bug#: 82059
+Product: Mono: Class Libraries
+Version: 1.2
+OS Details: FC6
+Status: NEW   
+Priority: Normal
+Component: Sys.Web
+AssignedTo: mhabersack at novell.com                            
+ReportedBy: juraj at hotfeet.ch               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+Summary: HttpPostedFile.FileName might contain Windows paths (e.g. "C:\TMP\test.txt")
+Mono's behaviour is consistent with MS.NET's but might lead to problems:
+<script runat="server">
+void DoUpload(object o, EventArgs e) {
+  string fileName = Uploader.PostedFile.FileName;
+  fileName = System.IO.Path.GetFileName(fileName);
+  fileName = MapPath("~/uploads/" + fileName);
+  Response.Write(fileName);
+<form runat="server">
+ <input id="Uploader" type="file" runat="server" />
+ <asp:Button onclick="DoUpload" text="Upload" runat="server" />
+When I post a file to the page above using Firefox, everything works okay.
+If I do so using IE, I get an exception:
+System.Web.HttpException: '~/uploads/c:\windows\win.ini' is not a valid
+virtual path.
+IE posts the file including its full path. The full path is only of
+interest on the client's PC, so we could get rid of it in HttpPostedFile
+(stripping everything up to and including the last '\'). Then the page
+above would work using IE as well.
+The stripping could be made dependent on whether (Request.Browser.Win16 ||

More information about the mono-bugs mailing list