[Mono-bugs] [Bug 82059][Nor] New - HttpPostedFile.FileName might contain Windows paths (e.g. "C:\TMP\test.txt")

bugzilla-daemon at bugzilla.ximian.com
Tue Jul 10 10:24:56 EDT 2007


Please do not reply to this email; if you want to comment on the bug, go to the
URL shown below and enter your comments there.

Changed by juraj at hotfeet.ch.

http://bugzilla.ximian.com/show_bug.cgi?id=82059

--- shadow/82059	2007-07-10 10:24:56.000000000 -0400
+++ shadow/82059.tmp.1985	2007-07-10 10:24:56.000000000 -0400
@@ -0,0 +1,50 @@
+Bug#: 82059
+Product: Mono: Class Libraries
+Version: 1.2
+OS: 
+OS Details: FC6
+Status: NEW   
+Resolution: 
+Severity: 
+Priority: Normal
+Component: Sys.Web
+AssignedTo: mhabersack at novell.com                            
+ReportedBy: juraj at hotfeet.ch               
+QAContact: mono-bugs at ximian.com
+TargetMilestone: ---
+URL: 
+Cc: 
+Summary: HttpPostedFile.FileName might contain Windows paths (e.g. "C:\TMP\test.txt")
+
+Mono's behaviour is consistent with MS.NET's but might lead to problems:
+
+<html>
+<script runat="server">
+void DoUpload(object o, EventArgs e) {
+  string fileName = Uploader.PostedFile.FileName;
+  fileName = System.IO.Path.GetFileName(fileName);
+  fileName = MapPath("~/uploads/" + fileName);
+  Response.Write(fileName);
+}
+</script>
+<body>
+<form runat="server">
+ <input id="Uploader" type="file" runat="server" />
+ <asp:Button onclick="DoUpload" text="Upload" runat="server" />
+</form>
+</body>
+</html>
+
+When I post a file to the page above using Firefox, everything works okay.
+If I do so using IE, I get an exception:
+
+System.Web.HttpException: '~/uploads/c:\windows\win.ini' is not a valid
+virtual path.
+
+IE posts the file including its full path. The full path is only of
+interest on the client's PC, so we could get rid of it in HttpPostedFile
+(stripping everything up to and including the last '\'). Then the page
+above would work using IE as well.
+
+The stripping could be made dependent on whether (Request.Browser.Win16 ||
+Request.Browser.Win32).
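
Review bot: The closing proposal (last two lines of the report) makes the stripping conditional on Request.Browser.Win16 || Request.Browser.Win32, which ties a path-sanitising step to browser detection derived from what the client sends, while FileName itself is also whatever the client sends. The exception text earlier in the report shows 'c:\windows\win.ini' reaching MapPath after the sample's Path.GetFileName call left it untouched, so a name containing backslashes can arrive regardless of which browser is reported. Suggest stripping unconditionally, removing everything up to and including the last '\' or '/', rather than per browser, and noting in the report that the sample page should treat FileName as untrusted input and reduce it to a bare file name before concatenating it into "~/uploads/".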

