Fileupload aways write to temp folder

gaia-jyh · June 17, 2022, 3:54am

my anti-virus(trendmicro) show virus in the folder "C:\lucee\tomcat\webapps\ROOT\WEB-INF\lucee\temp".
but i dont use fileupload function ,
anyone post file aways write to temp folder ,
i set cffile allowedextensions attribute cant block fileupload and 404 page will uploadfile too.

my temp folder is "C:\lucee\tomcat\webapps\ROOT\WEB-INF\lucee\temp"

sample code

<!DOCTYPE html>
<html>
<body>
<form action="index.cfm" method="post" enctype="multipart/form-data">
  Select file to upload:
  <input type="file" name="fileToUpload" id="fileToUpload">
  <input type="submit" value="Upload Image" name="submit">
</form>
</body>
</html>


https://github.com/lucee/Lucee/blob/6b946313eef7af374076e02f6852e6d116e7d7c0/core/src/main/java/lucee/runtime/type/scope/FormImpl.java#L124

Don’t forget to tell us about your stack!

OS: win10
Java Version: 11.0.7 (AdoptOpenJDK) 64bit
Tomcat Version: Apache Tomcat/9.0.50
Lucee Version: Lucee 5.3.7.48

carehart · June 17, 2022, 4:48am

Yes, that is how things work, though it’s a surprise for many. See a post I did on the topic, with a bit more that may help alleviate your concern. Granted, that was written for ACF, but you use the info to assess Lucee. Or maybe someone else will chime with other thoughts.