[Looking for Charlie's main web site?]

CFMythbusters: For a file to be uploaded to a CFM page, it needs a CFFILE Upload tag, right? Wrong!

I was sharing some thoughts on a discussion list and figured others may appreciate the observation.

Have you ever assumed that for a file to be uploaded to a CFM page that it needs a CFFILE Action="upload" to "receive" the file? It does NOT. A CFM page will receive a file upload, whether that tag is there or not. The uploaded file will be put in a temp directory, at least until the end of the request.

What the CFFILE Action="upload" does is just move the uploaded file from a temp directory to your named DESTINATION (as well as validate its type, report the file name, protect against or allow overwrites, and more, if you use the attributes on the tag for those features).

Need proof? Want to learn more? Read on.

Just do an form file upload to a CFM page that has no CFFILE Action="upload". The file will still be uploaded, to a temp directory (from which CFFILE *would* move it). There's a trick, though. The temp file (literally with a .tmp extension) will be removed when the upload page processing is done. You need to pause the page long enough to watch the directory to see it uploaded. Fortunately, in CFMX and BD, that's easily done.

Here's a template that demonstrates it all (see the comments/explanation that would appear onscreen):

<form method="post" enctype="multipart/form-data">
   <input type="File" name="test"><br>
   <input type="Submit"><br>
</form>
File will be uploaded to this directory: <br>
<form>
<textarea cols="100">
<cfoutput>#gettempdirectory()#</cfoutput>
</textarea><br>
</form>

<cfif request_method is "post">
<cfscript>
thread = createObject("java", "java.lang.Thread");
thread.sleep(javaCast("long", 5000));
</cfscript>
</cfif>

Notice that there is is no CFFORM tag in that code above. Its just a CF page that will "receive" a file upload.

(The call to the gettempdirectory function above is placed in a textarea, having nothing to do with the form above it, just to make it easy for you to copy/paste the path to look at it.)

On first loading the page above, open that temp directory with Windows Explorer or its equivalent, and then run the upload, pointing at some file of your own. Then refresh the directory display to see the .tmp file that was uploaded. This CFM upload page has been set to pause for 5 seconds after the upload. The tmp file will disappear when the form submission page process has completed.

So what's really doing the "upload"?

So what's actually doing the upload? I would assume the web server.

Why is it going into a CF temp directory? I assume it's because the web server connector causes the web server to tell CF to do so. It might be useful to try to do an upload to a plain HTM extension file, but you need a means to cause the page to pause to see if the file was uploaded (to an OS-specific temp directory, I'd guess). (FWIW, I tried uploading large files to the CF page and just couldn't see them being uploaded to the temp directory without doing the pause.)

So lesson learned: don't assume that only a page with a CFFILE action="upload" can "receive" an uploaded file. In fact, any CF page can "receive" an uploaded file. This may seem rife for abuse, and indeed CF has for several releases had some settings in the CF Admin (in the first, main Settings page) to put some reasonable throttles on file uploads.

And remember, too, that the temp file is supposed to be deleted at the end of the request. I suppose if something caused the page to never finish (or never finish properly), you could end up with files stored in the temp directory which would never be removed.

But then, they are just .tmp files, so it would be hard for them to be used in any nefarious way.

Hope this helps someone.

Comments
Charlie,

I had learned from my first efforts with CFFile that it doesn't actually upload the file, it just transfers it from the server's temp directory to the specified directory, or to the application's memory. From what I understand, the file form field just gives a path to the uploaded file in the temp directory.

That said, even though CFFile may not be working as advertised, there are still ways you can upload the file and process the uploaded file using the java.io.String and FileReader classes. Samuel Neff gives a very nice discussion on how to do this on his blog:

http://www.rewindlif...

Of course this assumes that your shared hosting account allows you to use createObject and java in general.

See you at CFUnited.

larry
# Posted By Larry C. Lyons | 5/9/06 4:24 PM
Larry, thanks, but I wasn't asserting that it wasn't working. I was just explaining, for those who have thought CFFILE did the uploading, that it does not: that (as you say) all it does is the move on the server from temp to intended destination. I was just pointing this out for those who have wondered or want, in the future, a place to point those who would argue otherwise. See you at the conference.
# Posted By Charlie Arehart | 5/9/06 4:43 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.005.

Managed Hosting Services provided by
Managed Dedicated Hosting