POST request with multipart/form-data downloads the file
Solyom Nagy-Györkös
更新
Issue
A POST request with multipart/form-data and appropriately sized attached file downloads the file to the temporary disk folder
Antivirus agent may detect malicious file(s) in the folder after a similar POST request
Environment
Liferay DXP 7.0+
Resolution
The hardship with multipart is that the server does not know what is inside the request until it reads the request in full length.
This means, the portal cannot throw away the request - to avoid DoS on the memory, the requests are saved temporarily to disk.
For example: the portletId is the last thing in the request, in this case, DXP does not know which portlet/action the request targets until the very end of the multipart body.
This behavior is specific to tomcat and not for Liferay as a product, here is a short description about the /temp/ folder of tomcat: Tomcat temp directory is used to store temporary files generated by Tomcat during its runtime, such as compiled JSP pages, session data, and uploaded files. These files are automatically deleted when Tomcat is shut down. The location of the temp directory can be configured in Tomcat's server.xml configuration file using the "tempdir" attribute of the <Host> element.