
Tuesday, April 11, 2006

You're Kidding, Aren't You? 

So, for reasons that I won't go into, it became important to me today to be able to parse, using JavaScript in a browser window, the contents of a file specified by the User in a <input type = "file" name = "fileThingee" size = "40"> tag. For complicated reasons I couldn't do the super-bitchen AJAX thing and send the file to the server, get the info I wanted and send back the info. In a sane world what I wanted to do should be impossible. Well that might be a bit extreme. JavaScript shouldn't be able to open up and read an arbitrary file in the local file system. I can make the argument that if the User has selected a file for upload to a server then S/He has given up any expectation of file privacy, but I digress.

As the interweb is currently arranged it is almost impossible to do what I want to do. But if you're running Windows and Internet Explorer, it can be done. You have to use an ActiveXObject and do something like this:

var fname = "theFileName.txt";
// Create the Windows Scripting Runtime file system object (IE on Windows only).
var fso = new ActiveXObject("Scripting.FileSystemObject");
// Arguments: file name, 1 = open for reading, true = create the file if it does not exist.
var theFile = fso.OpenTextFile(fname, 1, true);
var fileContents = theFile.readAll();

Once you've done that you can, behind the User's back, do the AJAX thing and send the contents of the file to the server from which the page was accessed. There are other methods that will open binary files.

To reiterate, if I can guess the name of a file on your system, if you're running Windows and use IE to access a page on my webserver, I can, if you have JavaScript turned on, slurp the contents of said guessed file up onto my system and the only way you'll know it happened is if you have a packet sniffer running on your internets connection.

That's fucking insane.
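
For anyone reviewing page scripts for the pattern shown above, here is a small static check, added as an example and not part of the original post. It flags `new ActiveXObject(...)` calls, marks `Scripting.FileSystemObject` as file-system access, and reports the `OpenTextFile`/`readAll` calls from the snippet; the function names, finding labels and the extra ProgID handling are assumptions of this example.

```javascript
// ProgIDs treated as file-system access. Only the one from the post is
// listed; extend the list as needed (assumption of this added example).
const FS_PROGIDS = ["scripting.filesystemobject"];

const ACTIVEX_NEW = /new\s+ActiveXObject\s*\(([^)]*)\)/gi;
const STRING_LITERAL = /^\s*(["'])([^"']+)\1\s*$/;
// File-reading methods from the post's snippet, matched in any letter case.
const READ_CALL = /\.\s*(OpenTextFile|ReadAll)\s*\(/gi;

function scanScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    const line = idx + 1;
    for (const m of text.matchAll(ACTIVEX_NEW)) {
      const lit = STRING_LITERAL.exec(m[1]);
      if (!lit) {
        // ProgID is not a plain string literal: cannot be resolved statically.
        findings.push({ line, kind: "activex-dynamic", detail: m[1].trim() });
      } else if (FS_PROGIDS.includes(lit[2].toLowerCase())) {
        findings.push({ line, kind: "activex-filesystem", detail: lit[2] });
      } else {
        findings.push({ line, kind: "activex-other", detail: lit[2] });
      }
    }
    for (const m of text.matchAll(READ_CALL)) {
      findings.push({ line, kind: "file-read-call", detail: m[1] });
    }
  });
  return findings;
}

// True when the script both creates a file system object and reads from it.
function readsLocalFiles(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  return kinds.has("activex-filesystem") && kinds.has("file-read-call");
}

// Constructed sample input: the four lines of the snippet from the post.
const SAMPLE = [
  'var fname = "theFileName.txt";',
  'var fso = new ActiveXObject("Scripting.FileSystemObject");',
  'var theFile = fso.OpenTextFile(fname, 1, true);',
  'var fileContents = theFile.readAll();',
].join("\n");

console.log(scanScript(SAMPLE), readsLocalFiles(scanScript(SAMPLE)));
```

A match is a reason to read the script by hand, not a verdict: the check only sees literal source text.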
