
Changeset 52734


Timestamp:
02/15/2022 05:47:39 PM (3 years ago)
Author:
Clorith
Message:

Filesystem API: Use a temp folder for Content-Disposition files.

#38231 added support for files fetched remotely to have their filename defined by the host using the Content-Disposition header. This would then take priority over the existing temporary file name created with wp_tempnam() earlier in the process.

The change unintentionally omitted the temporary directory path used during uploads, since the wp_tempnam() function would have added it previously, so that files with this header ended up being stored in the WordPress root folder, or wp-admin folder, when triggered by WP_Cron or user interactions respectively.

This change makes sure the file path includes the temporary directory location when the header is used.

Follow-up to [51939].

Props antonynz, azouamauriac.
Fixes #55109.

Location:
trunk
Files:
2 edited

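--- a/trunk/src/wp-admin/includes/file.php
+++ b/trunk/src/wp-admin/includes/file.php
@@ -1199,4 +1199,6 @@
             && ( 0 === validate_file( $tmpfname_disposition ) )
         ) {
+            $tmpfname_disposition = dirname( $tmpfname ) . '/' . $tmpfname_disposition;
+
             if ( rename( $tmpfname, $tmpfname_disposition ) ) {
                 $tmpfname = $tmpfname_disposition;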
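Review bot: The name joined onto `dirname( $tmpfname )` is chosen by the remote host, and `rename()` replaces an existing destination without warning, so the unique name from wp_tempnam() is traded for a predictable one that can collide with, or overwrite, another file in the temp directory. Making the target unique before the rename keeps that guarantee, e.g. `$tmpfname_disposition = dirname( $tmpfname ) . '/' . wp_unique_filename( dirname( $tmpfname ), $tmpfname_disposition );`. A short comment above the assignment, such as `// Keep the host-supplied name inside the temp directory created by wp_tempnam().`, would also record why the directory is prepended. The enclosing function starts and ends outside this hunk, so any later cleanup of the renamed file is not visible here.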
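--- a/trunk/tests/phpunit/tests/admin/includesFile.php
+++ b/trunk/tests/phpunit/tests/admin/includesFile.php
@@ -103,4 +103,22 @@
 
     /**
+     * @ticket #55109
+     * @dataProvider data_save_to_temp_directory_when_getting_filename_from_content_disposition_header
+     *
+     * @covers ::download_url
+     *
+     * @param $filter A callback containing a fake Content-Disposition header.
+     */
+    public function test_save_to_temp_directory_when_getting_filename_from_content_disposition_header( $filter ) {
+        add_filter( 'pre_http_request', array( $this, $filter ), 10, 3 );
+
+        $filename = download_url( 'url_with_content_disposition_header' );
+        $this->assertStringContainsString( get_temp_dir(), $filename );
+        $this->unlink( $filename );
+
+        remove_filter( 'pre_http_request', array( $this, $filter ) );
+    }
+
+    /**
      * Data provider for test_download_url_should_respect_filename_from_content_disposition_header.
      *
@@ -112,4 +130,15 @@
             'path traversal'   => array( 'filter_content_disposition_header_with_filename_with_path_traversal' ),
             'no quotes'        => array( 'filter_content_disposition_header_with_filename_without_quotes' ),
+        );
+    }
+
+    /**
+     * Data provider for test_save_to_temp_directory_when_getting_filename_from_content_disposition_header.
+     *
+     * @return array
+     */
+    public function data_save_to_temp_directory_when_getting_filename_from_content_disposition_header() {
+        return array(
+            'valid parameters' => array( 'filter_content_disposition_header_with_filename' ),
         );
     }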
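Review bot: `assertStringContainsString( get_temp_dir(), $filename )` passes if the temp path appears anywhere in the returned string, so it does not pin the file to that directory; `$this->assertStringStartsWith( get_temp_dir(), $filename );` is the tighter check. The call to `$this->unlink( $filename )` also runs without confirming that download_url() returned a path rather than an error, so `$this->assertNotWPError( $filename );` placed first would give a clearer failure. The new provider lists only 'valid parameters'; adding the 'path traversal' filter already used by the neighbouring provider would confirm that a rejected header name still leaves the file in the temp directory. In the docblock, `@param string $filter` and `@ticket 55109` would match the usual form.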