Opened 4 weeks ago
Last modified 4 weeks ago
#64212 new defect (bug)
Stream-to-file may fail or overwrite existing temporary file
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | HTTP API | Keywords: | has-patch |
| Focuses: | Cc: |
Description
Consider this request:
wp_remote_request( 'https://example.org/style.css', [ 'stream' => true ] );
If /tmp/style.css exists and can't be overwritten, the request will fail with:
class WP_Error#5189 (3) {
public $errors =>
array(1) {
'http_request_failed' =>
array(1) {
[0] =>
string(63) "fopen(/tmp/style.css): Failed to open stream: Permission denied"
}
}
}
Likewise, if multiple requests occur at the same time, there's a chance the file will be overwritten.
WP_HTTP should ensure that either a) The filename is unique, or b) the path is unique.
This can be worked around by passing the filename parameter like so:
wp_remote_request( 'https://example.org/style.css', [ 'stream' => true, 'filename' => wp_tempnam( 'style.css' ) ] );
This does result in the filename of the streamed file being /tmp/style-XXXXXX.tmp but given the location of the file storage, this seems reasonable and unlikely to break back-compat significantly.
Change History (1)
This ticket was mentioned in PR #10483 on WordPress/wordpress-develop by @dd32.
4 weeks ago
#1
- Keywords has-patch added
Note: See
TracTickets for help on using
tickets.
This only is for the case of
stream => truewithout a specified filename to stream to, in that case, it's expected that a temporary file path would be returned.Trac ticket: https://core.trac.wordpress.org/ticket/64212