If I'm uploading a file to a website from a folder called "XXX", does the website know that I'm uploading that file from "XXX"?
In essence, will the website know the folder name?
Note: I use Safari on Mac.
Answer
The browser is not supposed to send the folder part to the website, as this might be taken as a form of attack.
From RFC 6266 - Use of the Content-Disposition Header Field in the Hypertext Transfer Protocol (HTTP):
Recipients MUST NOT be able to write into any location other than one to which they are specifically entitled. To illustrate the problem, consider the consequences of being able to overwrite well-known system locations (such as "/etc/passwd"). One strategy to achieve this is to never trust folder name information in the filename parameter, for instance by stripping all but the last path segment and only considering the actual filename (where 'path segments' are the components of the field value delimited by the path separator characters "\" and "/").
Any browser that includes the folder part in the sent filename risks being cut off by security services on the server website. As far as I know, no browser does it.
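The stripping strategy from the RFC 6266 passage quoted in the answer, sketched as it might look on the receiving server. This is an added example, not part of the original post; the function names and the sample filenames are assumptions constructed for illustration.

```python
import os
import re

# The two path separator characters named in the RFC 6266 passage.
_SEPARATORS = re.compile(r"[\\/]")


def carries_folder(filename: str) -> bool:
    """True if the client-supplied filename includes any folder part."""
    return bool(_SEPARATORS.search(filename))


def last_segment(filename: str) -> str:
    """Strip all but the last path segment."""
    return _SEPARATORS.split(filename)[-1]


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Map a client-supplied filename to a path that stays inside upload_dir."""
    name = last_segment(filename).strip()
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"unusable filename: {filename!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    # Second check: after resolving symlinks, the target must still be
    # located under the upload directory.
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"path escapes upload directory: {filename!r}")
    return target


if __name__ == "__main__":
    import tempfile

    # Constructed sample values for the filename parameter.
    samples = [
        "report.pdf",                       # what browsers normally send
        "XXX/report.pdf",                   # folder part included
        r"C:\Users\me\XXX\report.pdf",      # Windows-style path
        "../../etc/passwd",                 # traversal attempt
    ]
    with tempfile.TemporaryDirectory() as upload_dir:
        for value in samples:
            print(f"{value!r}: folder={carries_folder(value)} "
                  f"-> {safe_upload_path(upload_dir, value)}")
```
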