- A POST request with multipart/form-data and appropriately sized attached file downloads the file to the temporary disk folder
- Antivirus agent may detect malicious file(s) in the folder after a similar POST request
- Liferay DXP 7.0+
- The hardship with multipart is that the server does not know what is inside the request until it reads the request in full length.
- This means, the portal cannot throw away the request - to avoid DoS on the memory, the requests are saved temporarily to disk.
- For example: the
portletIdis the last thing in the request, in this case, DXP does not know which portlet/action the request targets until the very end of the multipart body.
- When the size of the request is too big it is saved to disk: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/upload/LiferayInputStream.java#L74-L76
- There are also limits on the max size of the request to control that: https://github.com/liferay/liferay-portal/blob/master/portal-impl/src/com/liferay/portal/upload/UploadServletRequestImpl.java#L118
- This behavior is specific to tomcat and not for Liferay as a product, here is a short description about the /temp/ folder of tomcat:
Tomcat temp directory is used to store temporary files generated by Tomcat during its runtime, such as compiled JSP pages, session data, and uploaded files. These files are automatically deleted when Tomcat is shut down. The location of the temp directory can be configured in Tomcat's server.xml configuration file using the "tempdir" attribute of the <Host> element.