Hi all,

I have just developed a simple application with perl + CGI

Everything works fine as expected.

Its an application to load a file, process and return it back.

But there is a lack of nice to have feature.

Using file upload I upload the file and the file name is erased from the textbox. I just want to retain that as such the same way as how *any text* would be retained if typed in a text box.

Reason for this request is, since am testing I don't have to click browse and then execute each time. If the filename is retained as such then it would be easier for me to use that filename.

Any pointers ?

Thanks

Hi

You can't set the filename in a file upload field. The problem is that if you could, it would be very easy to include for example /etc/passwd on a page, hide it, or make it hard to see. It would be a big security problem.

For testing, while not just click reload page? It will ask you if you want to send POST data again, and you just click ok.

Thanks for your reply.

Correct me if am wrong.

Are you saying given a filename it should fetch the file from server ?

I didn't mean that.

Its about specifying a file and uploading that, so in that case why would that be a security threat at all.

Could you please explain that ?

Hi

No, if you could set the filename, the server could get any file from the client, and that's no better.

Let's say I make a form for login. Two fields for username and password, and a submit button. Below them, I write <br> 1000 times then something like
<input type="file" name="uploadfile" value="/etc/passwd">

If the client did send the file when the submit button is clicked, there would be a problem. So you can't specify the file in the file upload field.

I see that. There is definitely a security hole. Thanks much for the clarification.