I had a bug this morning where the input field for a file upload box was being cleared during a postback to the server. The bug suggested that the server action should not clear the field because we weren't uploading the file yet. In ASP.NET you cannot change the value of that field.
After thinking about this for a while, it makes sense. The vulnerability would be that some rogue web page would set the value to something private like your Quicken datafile and you'd unknowingly upload that to the server.
It is good that I as a programmer cannot set a value to this field, but am I looking at this correctly? Can anyone out there confirm that this is the expected behavior of <input type="file"> ?