WordPress.org

Make WordPress Core

Ticket #34562: 34562.diff

File 34562.diff, 1.5 KB (added by dd32, 4 years ago)
  • src/wp-admin/includes/file.php

    function wp_tempnam( $filename = '', $di 
    152152        }
    153153
    154154        if ( empty( $filename ) || '.' == $filename || '/' == $filename ) {
    155155                $filename = time();
    156156        }
    157157
    158158        // Use the basename of the given file without the extension as the name for the temporary directory
    159159        $temp_filename = basename( $filename );
    160160        $temp_filename = preg_replace( '|\.[^.]*$|', '', $temp_filename );
    161161
    162162        // If the folder is falsey, use its parent directory name instead.
    163163        if ( ! $temp_filename ) {
    164164                return wp_tempnam( dirname( $filename ), $dir );
    165165        }
    166166
     167        // Suffix some random data to avoid filename conflicts
     168        $temp_filename .= '-' . wp_generate_password( 6, false );
    167169        $temp_filename .= '.tmp';
    168170        $temp_filename = $dir . wp_unique_filename( $dir, $temp_filename );
    169         touch( $temp_filename );
     171
     172        $fp = @fopen( $temp_filename, 'x' );
     173        if ( ! $fp && is_writable( $dir ) && file_exists( $temp_filename ) ) {
     174                return wp_tempnam( $filename, $dir );
     175        }
     176        if ( $fp ) {
     177                fclose( $fp );
     178        }
    170179
    171180        return $temp_filename;
    172181}
    173182
    174183/**
    175184 * Make sure that the file that was requested to edit, is allowed to be edited
    176185 *
    177186 * Function will die if if you are not allowed to edit the file
    178187 *
    179188 * @since 1.5.0
    180189 *
    181190 * @param string $file file the users is attempting to edit
    182191 * @param array $allowed_files Array of allowed files to edit, $file must match an entry exactly
    183192 * @return string|null
    184193 */