According to this great article about HTTP uploads by Scott Hanselman, the browser typically sends a file name with the file's contents. Can I rely on the file name always being transmitted or do I have to give the user the option to enter a name if none was submitted? (If a name was submitted I do not want to prompt him for a specific reason that is not important). I would rather save myself the effort of implementing that feature if I can rely on the file name being present in all relevant browsers (meaning IE6+).

I am looking for some practical experience here. The wording of the standard is not as important to me as the actual browser behavior today.

usr
  • Are you asking just so you can plan your UI or for determining backend assumptions? ...because on the backend, you should never ever assume anything about what the user agent will do. HTTP is simple enough that I could craft a malformed HTTP request with /usr/bin/telnet. (My advice for the backend is to just make sure to fall back to a generated filename if none is provided) – ssokolow Sep 22 '10 at 08:54
  • I will not make security assumptions based on the file name. But I do not care if the attacker produces a 500 error (as long as it is safe). But I want to avoid a legitimate user seeing an error message because his browser did not send the file name. – usr Sep 22 '10 at 09:16
  • Would like to have browser matrix (http://www.quirksmode.org/ type) for that too! – Ev Dolzhenko Jan 27 '11 at 15:01

1 Answer

As ssokolow has noted, you can never rely on anything coming from the client, but you can probably assume that 99% of the time you will get a filename.

Generate a filename on the possibility you don't and notify the user if you had to generate a filename.

Toby Allen
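The fallback suggested in the comments and the answer above, as an added example that is not code from either poster: it reads the `filename` parameter of an upload part's `Content-Disposition` header and falls back to a generated name when the parameter is missing, empty, or reduces to nothing usable. The function names, the allowed character set, the 100-character limit and the `upload-` prefix are assumptions made for this sketch.

```python
import email.utils
import re
import secrets
from email.message import Message

# Assumed storage policy: keep only a conservative character set.
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def client_filename(content_disposition):
    """Return the filename parameter of a part's Content-Disposition, or None."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    name = msg.get_param("filename", header="content-disposition")
    if isinstance(name, tuple):  # RFC 2231 encoded form (filename*=...)
        name = email.utils.collapse_rfc2231_value(name)
    return name


def storage_name(content_disposition, fallback_ext=".bin"):
    """Return (name, generated); generated=True means a name had to be invented."""
    raw = client_filename(content_disposition) or ""
    # Some older browsers send the full client-side path; keep the last component.
    base = raw.replace("\\", "/").rsplit("/", 1)[-1]
    # Never use the client's value as a path: reduce it to safe characters,
    # drop leading dots, and bound the length.
    base = _UNSAFE.sub("_", base).lstrip(".")[:100]
    if not base:
        # Missing, empty, or unusable name: generate one instead of failing.
        return "upload-" + secrets.token_hex(8) + fallback_ext, True
    return base, False


if __name__ == "__main__":
    # Constructed sample headers, not captured from real browsers.
    samples = [
        'form-data; name="file"; filename="report.pdf"',
        r'form-data; name="file"; filename="C:\Documents and Settings\usr\report.pdf"',
        'form-data; name="file"; filename=""',
        'form-data; name="file"',
    ]
    for header in samples:
        print(storage_name(header))
```

When the second element of the result is `True`, the upload handler can tell the user that a name was generated, as the answer suggests.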