3
Spam
7y

Hey ... Is it possible to figure out the client's path (e.g. C:\Users\...) to a file he uploaded to a website on the server side?

My boss thinks it could be done and wants me to program it. But I think we'd need a zero-day vulnerability in a specific (and probably very old) browser to do something like that... That would be a huge security issue...
Wouldn't it?

What do you think?

Comments
  • 0
    A lot of sites use a file selector where, when you choose your file, the selector displays the path, so it should be possible.
  • 0
    @BindView
    What language do you use?
    Save the path
  • 0
    Depends on your point of entry... is your code running before or after upload? The file chooser generally includes the path, but it is not a given.
  • 0
    @BindView - that's exactly what he said... But I've no idea how to access that information on the server side, and Google isn't very helpful either.
  • 0
    @Spam
    Make a form input field from the path
  • 2
    Nope. You cannot access the actual file path. It usually shows a fake path to protect the privacy of the user!
  • 2
    Pretty sure you can't directly, i.e., it's not passed to the server, just the original name.

    Maybe with some JS trickery you can retrieve it and pass it as a hidden parameter in the form.
  • 0
    @nbamaral That would be a breach of personal data if it can be done. The path name under which the file is stored might be confidential, right? The uploader would not want to expose under which directory he stores his files!
  • 0
    @code-god
    I agree with you on the privacy matter.
    Just wondering if JS can expose the properties of the file field once the file is selected.
    Never tried it though, probably can't be done like you said :)
  • 1
    @nbamaral I have worked with it. Modern browsers just give you the fakepath of the file. JS can access the content of the file but not the real path where it is stored.
  • 1
    @nbamaral
    If you input it you can send it to the server. But I have no clue what the added value is. I only see, to the point of @code-god, the downside of a privacy breach. It won't work with drag n drop.
  • 0
    @Triskelion
    I never saw it on the server side either, I'm thinking of $_FILE in PHP.
    I am on a phone, can't really test if it can be retrieved / hijacked by means of JS. The path must be somewhere, or is the file read on selection?
  • 0
    It's not possible to get the real path of the file upload. The browser will not allow it, as this would be a security risk. Cannot be done with JS.
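
An added example, not part of the thread and not any commenter's code: a server-side check of what actually arrives in the upload's `Content-Disposition` header, keeping only the base name and flagging any client that does send a directory. The two part headers are constructed samples (the second imitates a client that sends a full path, as some very old browsers did), and all function names are hypothetical.

```javascript
// Constructed sample part headers (not captured traffic).
const MODERN_PART =
  'Content-Disposition: form-data; name="upload"; filename="report.pdf"\r\n' +
  'Content-Type: application/pdf';
const LEGACY_PART =
  'Content-Disposition: form-data; name="upload"; ' +
  'filename="C:\\Users\\alice\\Documents\\report.pdf"\r\n' +
  'Content-Type: application/pdf';

// Return the raw filename parameter of one multipart part, or null.
function rawFilename(partHeaders) {
  const line = partHeaders.split(/\r?\n/)
    .find((l) => /^content-disposition:/i.test(l));
  const m = line && /;\s*filename="([^"]*)"/i.exec(line);
  return m ? m[1] : null;
}

// Keep only the last path component; treat both / and \ as separators
// because the client's OS is unknown. Reject names that are empty or dots.
function baseName(name) {
  const base = String(name).split(/[\\/]/).pop().trim();
  return base === '' || base === '.' || base === '..' ? null : base;
}

// True for the placeholder a file input's .value returns in the browser,
// which is all a script could copy into a hidden form field.
function isFakePath(value) {
  return /^C:\\fakepath\\/i.test(value);
}

// What the server should keep: the base name only, plus a flag for logging
// when a client sent directory information it should not have.
function inspectUpload(partHeaders) {
  const received = rawFilename(partHeaders);
  if (received === null) return null;
  return {
    received,
    storeAs: baseName(received),
    hadDirectory: /[\\/]/.test(received),
  };
}

console.log(inspectUpload(MODERN_PART));
console.log(inspectUpload(LEGACY_PART));
console.log(isFakePath('C:\\fakepath\\report.pdf'), baseName('C:\\fakepath\\report.pdf'));
```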