Interesting. I'm not sure whether the text of this button is under the browser's control as it's a common dialog.

Unfortunately it looks like this is a system dialog and outside Chrome's control, so I don't think there's anything we can do.

On Windows at least, it looks like we may be able to override this text via BFFM_SETOKTEXT. 

I think we should let the Directory owners triage.

The Windows code is here: https://cs.chromium.org/chromium/src/ui/shell_dialogs/select_file_dialog_win.cc?l=374&rcl=cd2a25867d1d5bcfb723db453e56361b5dea18ee

Elsewhere, we see that GTK's code (https://cs.chromium.org/chromium/src/chrome/browser/ui/libgtkui/select_file_dialog_impl_gtk.cc?l=340&rcl=cd2a25867d1d5bcfb723db453e56361b5dea18ee) uses a custom string IDS_SELECT_UPLOAD_FOLDER_DIALOG_UPLOAD_BUTTON (default value of "Upload") as the button text, so changing the Windows code ought not even require a new localization.

And even if we don't control the dialog, we can still add heuristics around the dialog to check if the user was able to view it for a reasonable amount of time. E.g. If time delta between opening the dialog and receiving a result is less than <500ms, ignore the result.

I think comment #5 was meant for  Issue 637098 .

I would like to mention two points:

1. This is a security issue, yet publicly visible bug report. I could see it without logging in by directly going to this URL: https://bugs.chromium.org/p/chromium/issues/detail?id=780881#c2

2. This dialog box is under the control of browsers. I am adding a screenshot with this comment that will compare Firefox and Chrome. Firefox will control the name of button but chrome will not. Hence we can come to conclusion that it is under browser's control.

Deleted: FJ - Chrome and Firefox Comparison.png 109 KB

	FJ - Chrome and Firefox Comparison.png 109 KB View Download

re #7: 
1. Publicly disclosed vulnerabilities are not view restricted, and view restricting this doesn't protect anyone. This is not really a vulnerability, per-se. 
2. Firefox isn't using the platform's folder selection dialog as Chrome does. As noted in #3, however, we can control the button text, although I think it not especially more likely that the user will read the text of the button than the sentence preceding the folder list. 

re# 8
1. I wanted to know why this is not a security issue. Is it a functional issue according to you?

Re #9: The request here is a UI improvement which may decrease the likelihood of the user inadvertently leaking their own data. It's not considered a |vulnerability| in terms of how Chrome tracks issues (https://chromium.googlesource.com/chromium/src/+/master/docs/security/severity-guidelines.md).

On ChromeOS, the dialog title is "Select a folder to upload" and the button text is "Upload". On Mac, there's no title, but the button text is "Upload". On Android and iOS, there's no UI text at all, although I'm not sure if the attribute is even supported (as the UI looks the same as the usual "Choose a file" dialog).

So this is an issue for Windows and /maybe/ Linux. The Windows patch looks pretty straightforward.

ok

This is indeed a pretty small change to make.

  if (message == BFFM_INITIALIZED) {
    SendMessage(window, BFFM_SETOKTEXT, 0,
    (LPARAM)l10n_util::GetStringUTF16(
                IDS_SELECT_UPLOAD_FOLDER_DIALOG_UPLOAD_BUTTON).c_str());
  }

I think we should also OR in the BIF_NONEWFOLDERBUTTON flag to browse_info.ulFlags, because there isn't a scenario where uploading a new empty folder makes any sense.

Deleted: NewUI.png 14.0 KB

	NewUI.png 14.0 KB View Download

elawrence@ - are you going to push forward with the change for Windows?

Re #14: I have an in-progress CL at https://chromium-review.googlesource.com/c/chromium/src/+/777681 but this is a pretty low priority for me. Feel free to steal.

Re #11: Linux matches ChromeOS, so we only need this change on Windows.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5e0baf43250c2b2189bf24b106628210aa85379b

commit 5e0baf43250c2b2189bf24b106628210aa85379b
Author: Eric Lawrence <elawrence@chromium.org>
Date: Wed Dec 13 23:58:50 2017

Set Folder Upload prompt's button text

On Windows, the folder upload prompt previously used "OK" as the default
button text, leading to the possibility that the user would not
understand that their selected folder would be uploaded to the server.

This CL matches other platforms and uses a localized string ("Upload")
as the text of the prompt's commit button.

Bug:  780881 
Change-Id: I256d42fc8ba3fdd72d5af360585509b6573b7900
Reviewed-on: https://chromium-review.googlesource.com/777681
Reviewed-by: Scott Violet <sky@chromium.org>
Commit-Queue: Eric Lawrence <elawrence@chromium.org>
Cr-Commit-Position: refs/heads/master@{#523938}
[modify] https://crrev.com/5e0baf43250c2b2189bf24b106628210aa85379b/ui/shell_dialogs/select_file_dialog_win.cc

Fixed in 65.0.3294.0. Button text is now "Upload"

Verified using folder upload tests at https://bayden.com/test/upload.asp