File inputs can disclose the path to selected files – Opera Security Advisories

Severity

Less severe

Description

When a file is selected in a file upload input, the path to that file is not exposed through the input’s value property. This protects any sensitive information that may be contained in the directory names. The path should also stay hidden when the input is manipulated through the DOM. However, certain DOM manipulations can be used to bypass this restriction and reveal the full file path.

Opera’s response

Opera Software has released Opera 10.54 for Windows and Mac, and Opera 10.60 for Linux and FreeBSD, where this issue has been fixed.