Have you ever assumed that for a file to be uploaded to a CFM page that it needs a CFFILE Action="upload" to "receive" the file? It does NOT. A CFM page will receive a file upload, whether that tag is there or not. The uploaded file will be put in a temp directory, at least until the end of the request.
What the CFFILE Action="upload" does is just move the uploaded file from a temp directory to your named DESTINATION (as well as validate its type, report the file name, protect against or allow overwrites, and more, if you use the attributes on the tag for those features).
Need proof? Want to learn more? Read on.
Just do an form file upload to a CFM page that has no CFFILE Action="upload". The file will still be uploaded, to a temp directory (from which CFFILE *would* move it). There's a trick, though. The temp file (literally with a .tmp extension) will be removed when the upload page processing is done. You need to pause the page long enough to watch the directory to see it uploaded. Fortunately, in CFMX and BD, that's easily done.
Here's a template that demonstrates it all (see the comments/explanation that would appear onscreen):
<input type="File" name="test"><br>
File will be uploaded to this directory: <br>
<cfif request_method is "post">
thread = createObject("java", "java.lang.Thread");
Notice that there is is no CFFORM tag in that code above. Its just a CF page that will "receive" a file upload.
(The call to the gettempdirectory function above is placed in a textarea, having nothing to do with the form above it, just to make it easy for you to copy/paste the path to look at it.)
On first loading the page above, open that temp directory with Windows Explorer or its equivalent, and then run the upload, pointing at some file of your own. Then refresh the directory display to see the .tmp file that was uploaded. This CFM upload page has been set to pause for 5 seconds after the upload. The tmp file will disappear when the form submission page process has completed.
So what's really doing the "upload"?
So what's actually doing the upload? I would assume the web server.
Why is it going into a CF temp directory? I assume it's because the web server connector causes the web server to tell CF to do so. It might be useful to try to do an upload to a plain HTM extension file, but you need a means to cause the page to pause to see if the file was uploaded (to an OS-specific temp directory, I'd guess). (FWIW, I tried uploading large files to the CF page and just couldn't see them being uploaded to the temp directory without doing the pause.)
So lesson learned: don't assume that only a page with a CFFILE action="upload" can "receive" an uploaded file. In fact, any CF page can "receive" an uploaded file. This may seem rife for abuse, and indeed CF has for several releases had some settings in the CF Admin (in the first, main Settings page) to put some reasonable throttles on file uploads.
And remember, too, that the temp file is supposed to be deleted at the end of the request. I suppose if something caused the page to never finish (or never finish properly), you could end up with files stored in the temp directory which would never be removed.
But then, they are just .tmp files, so it would be hard for them to be used in any nefarious way.
Hope this helps someone.