Note: This blog post is from 2006. Some content, links and indeed comments from others may be outdated--though not necessarily. Corrections are welcome, in the comments. I may revise the content if necessary. I was sharing some thoughts on a discussion list and figured others may appreciate the observation.
Have you ever assumed that for a file to be uploaded to CF, in a post to a CFM page, that that page needs a CFFILE Action="upload" in order to "receive" the file? It does NOT. Now, I'm being a bit technical here, but to be clear, the uploaded file will be "received" by CF, if posted to ANY CFM page whether that tag is there or not to "receive it". The point is that this uploaded file will be put in a temp directory, with a temp file name and extension, at least until the end of the request.
What the CFFILE Action="upload" does is just move the uploaded file from a temp directory to your named DESTINATION (as well as validate its type, report the file name, protect against or allow overwrites, and more, if you use the attributes on the tag for those features).
And if you do NOT process it, then that temp file will be removed at the end of the request (unless perhaps the request terminates unexpectedly).
Need proof? Want to learn more? Read on.
Just do a form file upload to a CFM page that has no CFFILE Action="upload". The file will still be uploaded, to a temp directory (from which CFFILE *would* move it). There's a trick to "seeing this", though. Again, the temp file (literally with a .tmp extension) will be removed when the upload page processing is done. You will need to pause the request long enough to be able to look in the directory (such as with Windows Explorer) to see the file as uploaded. Fortunately, that pause is easily done.
Here's a template that demonstrates it all (see the comments/explanation that would appear onscreen):
<form method="post" enctype="multipart/form-data">
<input type="File" name="test"><br>
<input type="submit" value="Upload"></form>
File will be uploaded to this directory: <br>
<cfoutput><textarea cols="60">#getTempDirectory()#</textarea></cfoutput>
<cfif cgi.request_method is "post">
<cfscript>thread = createObject("java", "java.lang.Thread"); thread.sleep(5000);</cfscript> <!--- pause 5 seconds so the .tmp file can be seen in the temp directory --->
</cfif>
Notice that there is no CFFORM tag in that code above. It's just a CF page that will "receive" a file upload.
(The call to the gettempdirectory function above is placed in a textarea, having nothing to do with the form above it, just to make it easy for you to copy/paste the path to look at it.)
On first loading the page above, open that temp directory with Windows Explorer or its equivalent, and then run the upload, pointing at some file of your own. Then refresh the directory display to see the .tmp file that was uploaded. This CFM upload page has been set to pause for 5 seconds after the upload. The tmp file will disappear when the form submission page process has completed.
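The demo page above deliberately leaves the upload in the temp directory so you can watch it disappear. As an added example (my own code, not from the original post), here is the counterpart: the same self-posting form, but this time the request actually processes the file with CFFILE Action="upload", so the .tmp file is moved out of the temp directory to a DESTINATION instead of being discarded at the end of the request. It assumes a directory named "uploads" one level above the web root that the CF service can write to, and it uses a short, made-up extension allow list.

```cfml
<!--- upload2.cfm: added example, not code from the original post.
      Assumes ../uploads (outside the web root) exists or can be created
      by the CF service account. --->
<form method="post" enctype="multipart/form-data">
    <input type="file" name="test"><br>
    <input type="submit" value="Upload">
</form>

<cfif cgi.request_method is "post" and structKeyExists(form, "test") and len(form.test)>
    <!--- Destination outside the web root, so a stored file can never be
          requested directly by URL (assumed path; adjust to your layout). --->
    <cfset dest = expandPath("../uploads")>
    <cfif not directoryExists(dest)>
        <cfdirectory action="create" directory="#dest#">
    </cfif>

    <!--- This is the step the demo page skips: CFFILE moves the .tmp file from
          getTempDirectory() to DEST. nameconflict="makeunique" prevents an
          existing file from being overwritten; CF reports the name it chose
          in cffile.serverFile. --->
    <cffile action="upload"
            filefield="test"
            destination="#dest#"
            nameconflict="makeunique">

    <!--- Check the extension CF reports against an allow list (constructed
          for this example). cffile.contentType is the browser-supplied MIME
          type and is client-controlled, so it is not used as the gate. --->
    <cfset allowed = "txt,csv,pdf,png,jpg">
    <cfif not listFindNoCase(allowed, cffile.serverFileExt)>
        <cffile action="delete" file="#dest#/#cffile.serverFile#">
        <cfoutput><p>Rejected: .#cffile.serverFileExt# files are not accepted.</p></cfoutput>
    <cfelse>
        <cfoutput>
        <p>Stored as #cffile.serverFile# (#cffile.fileSize# bytes) in #cffile.serverDirectory#.</p>
        <p>Client name was #cffile.clientFile#; browser reported type
           #cffile.contentType#/#cffile.contentSubType#.</p>
        <p>It was first received into #getTempDirectory()# and then moved by CFFILE.</p>
        </cfoutput>
    </cfif>
</cfif>
```

Two points worth noticing when you run it next to the demo page: with the pause removed and CFFILE present, nothing lingers in the temp directory after the request, because the file has been moved rather than deleted; and the type check happens after the move, because CFFILE's ACCEPT attribute compares the MIME type the browser sent, which the client chooses, so an extension check on the server-side name is the more dependable test.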
So what's really doing the "upload"?
So what's actually doing the upload? I would assume the web server.
Why is it going into a CF temp directory? I assume it's because the web server connector causes the web server to tell CF to do so. It might be useful to try to do an upload to a plain HTM extension file, but you need a means to cause the page to pause to see if the file was uploaded (to an OS-specific temp directory, I'd guess). (FWIW, I tried uploading large files to the CF page and just couldn't see them being uploaded to the temp directory without doing the pause.)
So lesson learned: don't assume that only a page with a CFFILE action="upload" can "receive" an uploaded file. In fact, any CF page can "receive" an uploaded file. This may seem ripe for abuse, and indeed CF has for several releases had some settings in the CF Admin (in the first, main Settings page) to put some reasonable throttles on file uploads.
And remember, too, that the temp file is supposed to be deleted at the end of the request. I suppose if something caused the page to never finish (or never finish properly), you could end up with files stored in the temp directory which would never be removed.
But then, they are just .tmp files, so it would be hard for them to be used in any nefarious way.
Hope this helps someone.