tracker issue : CF-3043891

Title:

Bug 86971: If you upload a file to CF using a <input type="file"> the server will automatically create a temporary file regardless if CFFILE action=upload is used


Status/Resolution/Reason: Closed/Won't Fix/

Reporter/Name(from Bugbase): Eric Twilegar / Eric Twilegar (twillerror)

Created: 07/07/2011

Components: Security, General

Versions: 9.0.1

Failure Type: Unspecified

Found In Build/Fixed In Build: 0000 /

Priority/Frequency: Trivial / Unknown

Locale/System: English / Platforms All

Vote Count: 0

Problem:

If you upload a file to CF using a <input type="file"> the server will automatically create a temporary file regardless if CFFILE action=upload is used. The file looks something like this.

C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\neotmp2427946694526678969.tmp

This can cause an issue, say, if the file has credit card numbers within it. PCI (credit card regulations) require that CC numbers never be written to disk. If the file was written in an encrypted format this might get around the issue. It would be nice if there was a way to prevent ColdFusion from writing the file in the first place or allowing CF to write to a RAM disk.

cfspreadsheet also requires that the file be read from a disk, but we could write to a RAM disk now in CF 9 and read from it.

I suppose a workaround would be to set up a RAM disk and have CF 9 write all temporary files to it. It would be nice if we could do this via the ColdFusion config files in general... maybe it is already possible.
Method:

Upload a file to a .CFM script. Watch the tmp directory with a tool like ProcMon (in Windows). You will see the tmp file being written.
Result:

Uploading a file <input type="file"> to ColdFusion results in the writing of a tmp file that the end user cannot control. CFFILE with action = upload allows for the renaming\moving of this file, but it can't prevent it being written. If the uploaded file has sensitive information this could violate standards such as PCI.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	3043891

External Customer Info:
External Company:  
External Customer Name: Eric Twilegar
External Customer Email: 3D9A02F5446CCE0A992015D5
External Test Config: 07/07/2011
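
An added example, not part of the original report and not ColdFusion code: a Python audit that could be pointed at the temp directory the report describes, listing leftover neotmp*.tmp files and counting Luhn-valid card-number candidates in each. The function names, the sample files and the test card number are constructed for illustration; the demo runs against a scratch directory rather than a real server path.

```python
import re
import tempfile
from pathlib import Path

# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_pans(data: bytes) -> int:
    """Count Luhn-valid card-number candidates in a byte string."""
    hits = 0
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"\D", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits += 1
    return hits


def audit_temp_dir(temp_dir) -> dict:
    """Map each neotmp*.tmp file name in temp_dir to its PAN-candidate count."""
    return {p.name: count_pans(p.read_bytes())
            for p in sorted(Path(temp_dir).glob("neotmp*.tmp"))}


def demo() -> dict:
    """Run the audit over constructed sample files in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed upload bodies; 4111 1111 1111 1111 is a public test number.
        Path(d, "neotmp1001.tmp").write_bytes(b"name,card\nA,4111 1111 1111 1111\n")
        Path(d, "neotmp1002.tmp").write_bytes(b"order,1234567890123456\n")
        Path(d, "other.log").write_bytes(b"4111111111111111")  # wrong name, skipped
        return audit_temp_dir(d)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name}: {hits} card-number candidate(s)")
```
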

Attachments:

Comments: