Changeset 52761

Timestamp:

02/17/2022 05:42:09 PM (3 years ago)

Author:

SergeyBiryukov

Message:

Filesystem API: Use a temp folder for Content-Disposition files.

#38231 added support for files fetched remotely to have their filename defined by the host using the Content-Disposition header. This would then take priority over the existing temporary file name created with wp_tempnam() earlier in the process.

The change unintentionally omitted the temporary directory path used during uploads, since the wp_tempnam() function would have added it previously, so that files with this header ended up being stored in the WordPress root folder, or wp-admin folder, when triggered by WP_Cron or user interactions respectively.

This change makes sure the file path includes the temporary directory location when the header is used.

Follow-up to [51939].

Props antonynz, azouamauriac, Clorith.
Merges [52734] and [52760] to the 5.9 branch.
Fixes #55109.

Location:

branches/5.9

Files:

• . (modified) (1 prop)
• src/wp-admin/includes/file.php (modified) (1 diff)
• tests/phpunit/tests/admin/includesFile.php (modified) (1 diff)

branches/5.9/src/wp-admin/includes/file.php

@@ -1199 +1199 @@
             && ( 0 === validate_file( $tmpfname_disposition ) )
         ) {
+            $tmpfname_disposition = dirname( $tmpfname ) . '/' . $tmpfname_disposition;
+
             if ( rename( $tmpfname, $tmpfname_disposition ) ) {
                 $tmpfname = $tmpfname_disposition;

branches/5.9/tests/phpunit/tests/admin/includesFile.php

@@ -112 +112 @@
             'path traversal'   => array( 'filter_content_disposition_header_with_filename_with_path_traversal' ),
             'no quotes'        => array( 'filter_content_disposition_header_with_filename_without_quotes' ),
+        );
+    }
+
+    /**
+     * @ticket 55109
+     * @dataProvider data_save_to_temp_directory_when_getting_filename_from_content_disposition_header
+     *
+     * @covers ::download_url
+     *
+     * @param $filter A callback containing a fake Content-Disposition header.
+     */
+    public function test_save_to_temp_directory_when_getting_filename_from_content_disposition_header( $filter ) {
+        add_filter( 'pre_http_request', array( $this, $filter ), 10, 3 );
+
+        $filename = download_url( 'url_with_content_disposition_header' );
+        $this->assertStringContainsString( get_temp_dir(), $filename );
+        $this->unlink( $filename );
+
+        remove_filter( 'pre_http_request', array( $this, $filter ) );
+    }
+
+    /**
+     * Data provider for test_save_to_temp_directory_when_getting_filename_from_content_disposition_header.
+     *
+     * @return array
+     */
+    public function data_save_to_temp_directory_when_getting_filename_from_content_disposition_header() {
+        return array(
+            'valid parameters' => array( 'filter_content_disposition_header_with_filename' ),
         );
     }