Issue
- A POST request with multipart/form-data and an appropriately sized attached file causes the file to be written to the temporary folder on disk
- An antivirus agent may detect malicious file(s) in that folder after such a POST request
Environment
- Liferay DXP 7.0+
Resolution
- The difficulty with multipart is that the server does not know what is inside the request until it has read the request in full.
- This means the portal cannot discard the request early. To avoid a DoS on memory, requests are saved temporarily to disk.
- For example: if the portletId is the last thing in the request, DXP does not know which portlet/action the request targets until the very end of the multipart body.
Additional Information
- When the size of the request is too big it is saved to disk: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/upload/LiferayInputStream.java#L74-L76
- There are also limits on the max size of the request to control that: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/upload/UploadServletRequestImpl.java#L118
- This behavior is specific to Tomcat, not to Liferay as a product. Here is a short description of Tomcat's /temp/ folder:
Tomcat temp directory is used to store temporary files generated by Tomcat during its runtime, such as compiled JSP pages, session data, and uploaded files. These files are automatically deleted when Tomcat is shut down. The location of the temp directory can be configured in Tomcat's server.xml configuration file using the "tempdir" attribute of the <Host> element.
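The spill-to-disk behavior described above, as an added Java sketch (not Liferay's or Tomcat's code; the class name `SpillingBuffer`, the thresholds and the sample body are assumptions made for illustration). It shows why uploaded bytes reach the temp folder before the target of the request is known, and where the size limit and the cleanup belong:

```java
import java.io.*;
import java.nio.file.*;

// Added illustration, not Liferay's code. Class name and limits are hypothetical.
public class SpillingBuffer implements AutoCloseable {
    private final int memoryThreshold;   // bytes kept on the heap before spilling
    private final long maxRequestSize;   // hard cap; larger bodies are rejected
    private final ByteArrayOutputStream memory = new ByteArrayOutputStream();
    private OutputStream disk;           // non-null once the body has spilled
    private Path tempFile;               // null while the body fits in memory
    private long total;

    public SpillingBuffer(int memoryThreshold, long maxRequestSize) {
        this.memoryThreshold = memoryThreshold;
        this.maxRequestSize = maxRequestSize;
    }

    // The whole body must be read: the routing field may be the last multipart part.
    public void readFully(InputStream body) throws IOException {
        byte[] chunk = new byte[8192];
        int n;
        while ((n = body.read(chunk)) != -1) {
            total += n;
            if (total > maxRequestSize) {
                throw new IOException("request exceeds maximum size");
            }
            if (disk == null && total > memoryThreshold) {
                // Spill: move what is buffered so far into the JVM temp directory.
                tempFile = Files.createTempFile("upload_", ".tmp");
                disk = Files.newOutputStream(tempFile);
                memory.writeTo(disk);
                memory.reset();
            }
            if (disk != null) disk.write(chunk, 0, n); else memory.write(chunk, 0, n);
        }
    }

    // Remove the temp file in every case, including a rejected request.
    @Override
    public void close() throws IOException {
        try { if (disk != null) disk.close(); }
        finally { if (tempFile != null) Files.deleteIfExists(tempFile); }
    }

    public static void main(String[] args) throws IOException {
        byte[] body = new byte[10_000];   // constructed sample body, above the threshold
        try (SpillingBuffer buf = new SpillingBuffer(4_096, 1_000_000)) {
            buf.readFully(new ByteArrayInputStream(body));
            System.out.println("spilled to: " + buf.tempFile);
        }   // temp file is deleted here
    }
}
```

Between the spill and `close()`, the uploaded bytes exist as a file on disk, which is the window in which an antivirus agent scanning the temp folder can flag them.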