
Changeset 52761


Timestamp:
02/17/2022 05:42:09 PM (2 years ago)
Author:
SergeyBiryukov
Message:

Filesystem API: Use a temp folder for Content-Disposition files.

#38231 added support for files fetched remotely to have their filename defined by the host using the Content-Disposition header. This would then take priority over the existing temporary file name created with wp_tempnam() earlier in the process.

The change unintentionally omitted the temporary directory path used during uploads, since the wp_tempnam() function would have added it previously, so that files with this header ended up being stored in the WordPress root folder, or wp-admin folder, when triggered by WP_Cron or user interactions respectively.

This change makes sure the file path includes the temporary directory location when the header is used.

Follow-up to [51939].

Props antonynz, azouamauriac, Clorith.
Merges [52734] and [52760] to the 5.9 branch.
Fixes #55109.

Location:
branches/5.9
Files:
3 edited

  • branches/5.9

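--- a/branches/5.9/src/wp-admin/includes/file.php
+++ b/branches/5.9/src/wp-admin/includes/file.php
@@ -1199,4 +1199,6 @@
             && ( 0 === validate_file( $tmpfname_disposition ) )
         ) {
+            $tmpfname_disposition = dirname( $tmpfname ) . '/' . $tmpfname_disposition;
+
             if ( rename( $tmpfname, $tmpfname_disposition ) ) {
                 $tmpfname = $tmpfname_disposition;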
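Review bot: The `rename()` target is now a host-chosen name inside the shared temp directory, and nothing visible in this hunk checks whether a file with that name already exists there. `rename()` replaces an existing destination, so two downloads that return the same Content-Disposition filename, or a name that matches an unrelated temp file, would overwrite one another. Consider deriving a collision-free name first, e.g. `$tmpfname_disposition = dirname( $tmpfname ) . '/' . wp_unique_filename( dirname( $tmpfname ), $tmpfname_disposition );`. The enclosing condition and the rest of `download_url()` start and end outside the hunk, so a guard elsewhere in the function cannot be ruled out from here.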
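--- a/branches/5.9/tests/phpunit/tests/admin/includesFile.php
+++ b/branches/5.9/tests/phpunit/tests/admin/includesFile.php
@@ -112,4 +112,33 @@
             'path traversal'   => array( 'filter_content_disposition_header_with_filename_with_path_traversal' ),
             'no quotes'        => array( 'filter_content_disposition_header_with_filename_without_quotes' ),
+        );
+    }
+
+    /**
+     * @ticket 55109
+     * @dataProvider data_save_to_temp_directory_when_getting_filename_from_content_disposition_header
+     *
+     * @covers ::download_url
+     *
+     * @param $filter A callback containing a fake Content-Disposition header.
+     */
+    public function test_save_to_temp_directory_when_getting_filename_from_content_disposition_header( $filter ) {
+        add_filter( 'pre_http_request', array( $this, $filter ), 10, 3 );
+
+        $filename = download_url( 'url_with_content_disposition_header' );
+        $this->assertStringContainsString( get_temp_dir(), $filename );
+        $this->unlink( $filename );
+
+        remove_filter( 'pre_http_request', array( $this, $filter ) );
+    }
+
+    /**
+     * Data provider for test_save_to_temp_directory_when_getting_filename_from_content_disposition_header.
+     *
+     * @return array
+     */
+    public function data_save_to_temp_directory_when_getting_filename_from_content_disposition_header() {
+        return array(
+            'valid parameters' => array( 'filter_content_disposition_header_with_filename' ),
         );
     }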
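Review bot: The new provider `data_save_to_temp_directory_when_getting_filename_from_content_disposition_header()` only supplies the 'valid parameters' filter, so the temp-directory assertion never runs against the other host-supplied filename shapes. The existing provider just above already references `filter_content_disposition_header_with_filename_with_path_traversal` and `filter_content_disposition_header_with_filename_without_quotes`; adding `'path traversal' => array( 'filter_content_disposition_header_with_filename_with_path_traversal' ),` and the 'no quotes' case here would pin that those responses also end up under `get_temp_dir()`. `assertStringContainsString()` also passes when the temp path appears anywhere in the returned string, so `assertStringStartsWith()` would be tighter if path normalisation on the test platforms allows it. The test class itself begins and ends outside this section.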