I'm building a portal that will allow users to upload files. I need to make sure that these files do not contain viruses. My ideal solution would be to have the host OS AV keep a watch on temporary folders and scan any incoming files.
When a file is uploaded in ASP.Net 2, does it get written to disk in a temp folder, or is it persisted in memory? If it is written to disk, will IIS lock it so that the AV cannot remove it? And if it is written to disk, where?
Best Answer
Here's the actual dirt on how ASP.NET handles files. It's version dependant, but 2.0 and all subsequent versions do write uploads to disk before you get a chance to handle them. The above answers are actually wrong -- ASP.NET above 2.0 will write the file to disk. If you think about it, loading an upload into memory opens you to a DDOS hole as large files would take up increasing amounts of server memory. By version, here's how ASP.NET acts:
ASP.NET 1.0 and 1.1 loaded the whole request in memory before you could access it. This meant that large files could potentially fill all memory, causing exceptions and otherwise bringing down the server.
ASP.NET 2.0 introduced a disk caching scheme for uploads, again snagging the upload and processing it before client code can handle it. The temporary folder can be accessed as follows:
string uploadFolder = Path.Combine(HttpRuntime.CodegenDirInternal, "uploads");
As of ASP.NET 4.0, the property name referenced above is HttpRuntime.CodegenDir:
string uploadFolder = Path.Combine(HttpRuntime.CodegenDir, "uploads");
At least now it's cached to disk so you don't have the memory issues from 1.0 and 1.1, but you still can't access it until it's been fully retrieved.