Event 1056 - File Name Restriction

  • Logged Message
  • What Is It?
  • When Is This Event Logged?
  • Example
  • Remediation
  • Related topics

Logged Message

Windows Internet Explorer 8 form submission has been changed so that a file upload control (input type=file) only submits the file path to the server. Previously, the full path was sent to the server. Also, programmatic access to the value property of the file upload control also removes the path information from the file name.

What Is It?

The file upload control contains a property that holds the path of the file being uploaded. This is retrievable via a property on the control and is included in any HTTP POST involving a form that includes the file upload control.

In Internet Explorer 8, an enhancement was made so that on Internet and Restricted sites the path is not available. Access to the property returns only the file name portion instead.

When Is This Event Logged?

This event is logged when the file path is stripped away and replaced with only the file name.

Example

For this example you will need Visual Web Developer Express (VWDE).

  1. Create a new ASP.NET C# website in VWDE. Call it FileNameTest.

  2. Open the file default.aspx within VWDE and replace the content with the following:

    <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>

    <!DOCTYPE html>
    <html xmlns="http://www.w3.org/1999/xhtml" >
    <head id="Head1" runat="server">
        <title>FileUploadDemo</title>
        <script type="text/javascript">
            var enable = false;
            // Show the value the browser exposes to script for the file upload control.
            function CheckFileName()
            {
                var file = document.getElementById("file");
                alert(file.value);
            }
        </script>
    </head>
    <body>
        <%-- runat="server" makes the form post back to this page so that IsPostBack is true --%>
        <form id="form1" runat="server">
        <div>
            <input type="file" id="file" name="file" />
            <input type="submit" value="submit" />
            <a href="#" onclick="CheckFileName()">Check file name through 
                JavaScript</a>        
        </div>
        </form>
    </body>
    </html>
    
  3. Now open Default.aspx.cs and replace its contents with the following:

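    using System;

    public partial class _Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // On postback, echo the value the browser submitted for the file control.
            if (IsPostBack)
            {
                // The value is client-supplied, so HTML-encode it before writing it into the page.
                Response.Write(Server.HtmlEncode(Request["file"]));
            }
        }
    }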
    
  4. Press F5 to compile and run the site.

  5. Once the default page is running in the browser, change the server name in the URL from "localhost" to "127.0.0.1". This forces the webpage to run in the Internet Zone.

  6. Click the Browse button and open a file (it doesn't matter which one). The full path of the file is displayed in the text box.

  7. Click the "Check file name through JavaScript" hyperlink. An alert box appears that displays the value property of the file input control. Note that only the file name is displayed. The path has been stripped out.

  8. Click the Browse button and open another file.

  9. Click the Submit button. This submits the form to the server using a POST request. The server writes the value of the file property at the top of the page. Once again, only the file name is accessible. The path has been stripped out.

Note that both client side and server side actions will trigger the File Name Restriction event to be logged.

Remediation

There is no workaround for this feature and it cannot be turned off. Removing access to the full path of the file (for Internet and Restricted sites) is a security measure. Stripping out the full path in these instances prevents relatively uncontrolled sites from accessing information that can potentially be exploited.
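Script that used to parse a directory out of the control's value has to work from the file name alone. The following is an added example, not part of the original page: the function names and sample values are constructed, and it goes beyond the Internet Explorer 8 case by also recognizing the `C:\fakepath\` placeholder that the HTML Standard defines for the value property.

```javascript
// Added example, not from the original page. Function names are hypothetical.

// Return only the file-name portion of a file upload control's value,
// whether or not the browser stripped the directory path.
function fileNameFromValue(value) {
  if (typeof value !== "string" || value === "") return "";
  // Treat both Windows and POSIX separators as path delimiters.
  var cut = Math.max(value.lastIndexOf("\\"), value.lastIndexOf("/"));
  return cut === -1 ? value : value.slice(cut + 1);
}

// Classify what the browser exposed, so code paths that expected a
// directory can be detected and logged instead of failing silently.
function classifyValue(value) {
  var name = fileNameFromValue(value);
  if (name === "") return { kind: "empty", name: "" };
  // Path already stripped (the behavior this event reports).
  if (name === value) return { kind: "name-only", name: name };
  var dir = value.slice(0, value.length - name.length);
  // Placeholder directory from the HTML Standard; it carries no real path.
  if (/^[a-z]:\\fakepath\\$/i.test(dir)) {
    return { kind: "placeholder-path", name: name };
  }
  // A real directory was exposed (for example, a zone where it is not stripped).
  return { kind: "full-path", name: name };
}

// Browser-only usage, mirroring the page's CheckFileName() link handler.
function CheckFileNameNormalized() {
  var info = classifyValue(document.getElementById("file").value);
  alert(info.kind + ": " + info.name);
}
```

The same normalization applies to the value the server receives in the POST, which should be treated as a bare, client-supplied name rather than a location on the user's disk.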

Related topics

  • Internet Explorer Application Compatibility
  • Events 1056 through 1073