access is denied error in a FileUpload control

[Paolo]

Hi to all,

I have an error that drove me crazy. Try the following page that should only
allow to upload a file:

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server" enctype="multipart/form-data">
<div>
<asp:FileUpload ID="FileUpload1" runat="server" />
<asp:Button ID="Button1" runat="server" Text="Submit"
UseSubmitBehavior="false" />
</div>
</form>
</body>
</html>

The code behind is empty.

Well. It works if you select a file from the Browse button, and it works if
you enter a file name like "C:\text.txt", also if the file doesn't exist,
but it doesn't work if you enter a file name like "pippo.txt".

The javascript error you get is "Access is denied" at the end of the
__doPostBack() function, near the call to "theForm.submit();"

This behaviour has been verified in Intenet explorer 6.0 and 7.0, while it
doesn't occur in Firefox nor in Pocket Internet Explorer. Opera is not
showing any error but doesn't submit the page since the file doesn't exist.

I know that the problem is caused by the UseSubmitBehavior="false"
attribute, because if you remove it, no problems occur.
The fact is that in my code I cannot remove the UseSubmitBehaviour attribute
because I deactivate the buttons when submitting.

Any suggestion?

I'm thinking to verify the text entered in the text area with a regular
expression or something similar. Do you think this would solve the problem
in the proper way?

Regards,
Paolo.

 

[Tim_Mac]

hi paolo,
if you type in pippo.txt, how could you expect the browser to know where on
your computer that is? you would be basically providing a relative path
from nowhere.

i would guess that you'd be looking at a microscopic proportion of strange
users who would try typing in a relative path into a file upload box.

you could add an onkeyup to the fileupload control, and check the input with
a function like this:
<script>
function check(source)
{
if(!..put your regex here...)
alert("don't be a tool, give me a proper file!");
}
</script>

i can see how it could be annoying to a developer, although you can
understand why IE does this and it is probably by design that it tells the
user it cannot access a certain file that they themselves provided. masking
the error like firefox or Opera isn't exactly desirable either.

tim

 

[Paolo]

Hi Tim,

i would guess that you'd be looking at a microscopic proportion of strange
users who would try typing in a relative path into a file upload box.

This is exactly the case, and in particular I was thinking at that
nanoscopic portion of strange users who will test my application typing in
the text fields a lot of "asdlgij09324mf" random texts to check if something
will crash.....
My further problem is that I have implemented an automatic upload control
that upload the file in the onchange event of the FileUpload control, so I
have to check if the field contains valid text in the onchange event, not in
the onkeyup.
Do you have a suggestion on the regex to adopt? It seems that I have to
check if a "drive" is specified at the beginning of the string, either in
the '\\' form or in the "X:\" form, but also the '\' form must be accepted,
since I will be using pda too to upload files, and the paths in pda use this
last form.

Regarding the design issue. I do not agree with your consideration. The
problem is that you have two different behaviours between the file that
doesn't exist (posted file of 0 bytes) and file written in a wrong format
(javascript error). In addiction, the response to the same entered text is
different if you set the button to have submit behaviour or not, so things
are really confusing.
This would be acceptable if I had a way to manage the error without breaking
the page, but unfortunately it seems I have no way to do so.

However, thank you for supporting.
Paolo.