ASP.NET FileUpload Control - Security concerns when buffered to disk

Question

The MSDN states that when a file is uploaded using the ASP.NET ( v.2.0 ) Fileupload control or the underlying HttpPostedFile that "Files are uploaded in MIME multipart/form-data format. By default, all requests, including form fields and uploaded files, larger than 256 KB are buffered to disk, rather than held in server memory." MSDN Link

Does anyone know where on the disk it is buffered to and when this buffer is purged / removed i.e. is it when the request ends and what happens in the case of an error or unexpected scenario where the request doesn't end gracefully?

My concern is that if an application has the ability to upload sensitive information ( CC Data, Personal Data etc ) this file will be buffered on the disk and potentially not removed at the end of the request. Would this be a problem on a shared host i.e. could this buffer be accessed from outside the application?

Maybe I have misunderstood something but any advice / insight / help would be much appreciated, thanks.

Answer 1

OK have managed to find some answers to the questions posed above so just going to stick them here in case it helps anyone else.

By default ( in the machine.config ) the settings for file uploads / request in general are

4mb as the maximum size for a request and 256bytes stored in memory before the request is buffered to disk. These settings can be overridden in the web.config in the httpRuntime section.

<httpRuntime maxRequestLength="8192" requestLengthDiskThreshold="512" />

The example above would allow a request size up to 8mb and would start buffering on disk after 512bytes. The file is buffered to

C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\ [APP_NAME] \ [SOME_HEX_NAME_DIR] \ [SOME_HEX_NAME_DIR] \uploads\

at this path a file will be created with [unique_name]_post.tmp this exists for the duration of the request but cannot be accessed due to the request having a lock on it.

I tried to interrupt the request in a few ways ( stopping IIS, killing the process, closing the page whilst uploading ) and in all instances the tmp file was removed.

So from this it doesn't appear that the sensitive data being buffered is much of an issue as the buffered file does not hang around long.

Answer 2

Some more info if it helps anyone:

From MSDN: "The RequestLengthDiskThreshold property specifies the input-stream buffering threshold limit in number of bytes. Its value should not exceed the MaxRequestLength property value. After a request entity exceeds this threshold, it is buffered transparently onto disk."

I believe that if maxRequestLength is set to the same level as requestLengthDiskThreshold (noting that the former in kB and the latter bytes), then the uploaded content will never be written to disk.

The downside is of course that you will use more memory to service file uploads.

eg.

<httpRuntime maxRequestLength="256" requestLengthDiskThreshold="262144"></httpRuntime>