Title:
Bug 86971: If you upload a file to CF using a <input type="file" the server will automatically create a temporary file regardless if CFFILE action=upload is used
Status/Resolution/Reason: Closed/Won't Fix/
Reporter/Name(from Bugbase): Eric Twilegar / Eric Twilegar (twillerror)
Created: 07/07/2011
Versions: 9.0.1
Failure Type: Unspecified
Found In Build/Fixed In Build: 0000 /
Priority/Frequency: Trivial / Unknown
Locale/System: English / Platforms All
Vote Count: 0
Problem:
If you upload a file to CF using a <input type="file" the server will automatically create a temporary file regardless if CFFILE action=upload is used. The file looks something like this.

C:\ColdFusion9\runtime\servers\coldfusion\SERVER-INF\temp\wwwroot-tmp\neotmp2427946694526678969.tmp

This can cause an issue, say, if the file has credit card numbers within it. PCI (credit card regulations) require that CC numbers never be written to disk. If the file was written in an encrypted format this might get around the issue. It would be nice if there was a way to prevent ColdFusion from writing the file in the first place or allowing CF to write to a RAM disk.

cfspreadsheet also requires that the file be read from a disk, but we could write to a RAM disk now in CF 9 and read from it.

I suppose a workaround would be to set up a RAM disk and have CF 9 write all temporary files to it. It would be nice if we could do this via the ColdFusion config files in general... maybe it is already possible.
Method:
Upload a file to a .CFM script. Watch the tmp directory with a tool like ProcMon (in Windows). You will see the tmp file being written.
Result:
Uploading a file <input type="file" to ColdFusion results in the writing of a tmp file that the end user cannot control. CFFILE with action = upload allows for the renaming\moving of this file, but it can't prevent it being written. If the uploaded file has sensitive information this could violate standards such as PCI.
----------------------------- Additional Watson Details -----------------------------
Watson Bug ID: 3043891
External Customer Info:
External Company:
External Customer Name: Eric Twilegar
External Customer Email: 3D9A02F5446CCE0A992015D5
External Test Config: 07/07/2011
Attachments:
Comments:
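
To check whether upload temp files left on disk hold card numbers, the sketch below scans a directory for files matching the neotmp*.tmp name shown in the report and counts Luhn-valid 13 to 19 digit sequences. It is an added example, not part of the bug report or of ColdFusion; the function names, the regex and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Candidate card numbers: 13-19 digits, optionally separated by a space or hyphen.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_temp_dir(temp_dir, pattern="neotmp*.tmp"):
    """Map each matching temp file name to its count of Luhn-valid candidates."""
    findings = {}
    for path in sorted(Path(temp_dir).glob(pattern)):
        data = path.read_bytes()
        hits = 0
        for m in PAN_RE.finditer(data):
            digits = re.sub(rb"\D", b"", m.group()).decode()
            if luhn_ok(digits):
                hits += 1
        if hits:                # report only files that contain a likely card number
            findings[path.name] = hits
    return findings

def demo():
    """Constructed sample: two fake upload temp files in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        # 4111 1111 1111 1111 is a widely used test number, not a real card.
        Path(d, "neotmp0001.tmp").write_bytes(
            b"name,card\nA,4111 1111 1111 1111\nB,4111111111111112\n")
        Path(d, "neotmp0002.tmp").write_bytes(b"no card data here 12345\n")
        return scan_temp_dir(d)

if __name__ == "__main__":
    print(demo())
```

Point scan_temp_dir at the server's upload temp directory to see which residual files would fall in PCI scope; a Luhn match is a candidate to review, not proof of a card number.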