Webspeed File Upload

Posted by MarkS on 04-Nov-2016 05:28

I've got an <input type="file"> on my webpage to allow users to upload a file. However, I want to check that what they upload is only a certain format - don't want them uploading .exe etc. I could check the extension but this is easily changed. I've found the WEB-CONTEXT:FORM-INPUT function which returns the Content-Type of a file amongst other data. However, if I have more than one <input type="file"> on my page it only returns the content type of the first file uploaded. The output from WEB-CONTEXT:FORM-INPUT just ends with the line "PK" after the first file upload is reached. So I can't get the content type of any other files uploaded.

------WebKitFormBoundarylM1QuaIrrKYWZjfB
Content-Disposition: form-data; name="q1File"; filename="cv.docx"
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

PK 

Is this the right thing to do to check for file type?

If so what's happening with the output from WEB-CONTEXT:FORM-INPUT?

(OpenEdge 10.2b)

Thanks
Mark

All Replies

Posted by Stefan Drissen on 04-Nov-2016 19:16

web-context:form-input is a character and thus limited to 32k. You may have more luck with web-context:form-long-input - with the ominous help file warning "The AVM performs no conversion on the data. Do not access this attribute."

But do not believe what either is telling you, the entire input can be maliciously manipulated. For easy to use POC try the Firefox Tamperdata add-on.
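
Added example, not part of the original thread and not WebSpeed code: a Python sketch of the point made in the reply, that the filename and Content-Type of each part are client-supplied, so the server decides from the uploaded bytes instead. The boundary, the second field name (q2File) and both file bodies are constructed sample data, and the function names are hypothetical.

```python
import io
import zipfile

DOCX_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"

def parse_parts(body: bytes, boundary: bytes):
    """Yield (headers, content) for every part of a multipart/form-data body."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):               # closing delimiter reached
            break
        head, _, content = chunk.partition(b"\r\n\r\n")
        headers = {}
        for line in head.strip().split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        yield headers, content[:-2]               # drop CRLF before next delimiter

def looks_like_docx(content: bytes) -> bool:
    """Judge the bytes themselves: ZIP signature plus the members a .docx must have."""
    if not content.startswith(b"PK\x03\x04"):     # the "PK" seen in the thread
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(content)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False
    return {"[Content_Types].xml", "word/document.xml"} <= names

def check_uploads(body: bytes, boundary: bytes) -> dict:
    """Map field name -> (client-declared type, verified from content)."""
    results = {}
    for headers, content in parse_parts(body, boundary):
        field = headers["content-disposition"].split(' name="', 1)[1].split('"', 1)[0]
        results[field] = (headers.get("content-type"), looks_like_docx(content))
    return results

def sample_body(boundary: bytes) -> bytes:
    # Constructed input: a minimal real .docx container and an MZ (.exe) header,
    # both submitted with the same filename and the same declared Content-Type.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
    files = {"q1File": buf.getvalue(), "q2File": b"MZ\x90\x00" + b"\x00" * 60}
    out = b""
    for field, data in files.items():
        out += (b"--" + boundary + b'\r\nContent-Disposition: form-data; name="'
                + field.encode() + b'"; filename="cv.docx"\r\nContent-Type: '
                + DOCX_TYPE.encode() + b"\r\n\r\n" + data + b"\r\n")
    return out + b"--" + boundary + b"--\r\n"

if __name__ == "__main__":
    print(check_uploads(sample_body(b"----ConstructedBoundary"), b"----ConstructedBoundary"))
```

A passing check only confirms the container format; it says nothing about whether the document's content is safe to open.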
