[wp-trac] [WordPress Trac] #28208: in wp_handle_upload setting the overwrite `test_upload` to false won't work for move_uploaded_file

[WordPress Trac]

#28208: in wp_handle_upload setting the overwrite `test_upload` to false won't work
for move_uploaded_file
--------------------------+------------------------------
 Reporter:  bassjobsen    |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  Upload        |     Version:  3.9.1
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------
Changes (by dd32):

 * component:  Filesystem API => Upload


Old description:

> `move_uploaded_file()` also checks `is_uploaded_file` so if you skip
> `is_uploaded_file` by setting `test_upload` to false you can still upload
> your file cause move_uploaded_file() blocks it.
>
> Possible solution
>
> replace
> {{{
>  if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {
> }}}
>
> with:
>

> {{{
> if ( (false === $test_upload && false === @ rename( $file['tmp_name'],
> $new_file ))     || false === @ move_uploaded_file( $file['tmp_name'],
> $new_file ) ) {
> }}}
>
>                 `

New description:

 `move_uploaded_file()` also checks `is_uploaded_file` so if you skip
 `is_uploaded_file` by setting `test_upload` to false you can still upload
 your file cause move_uploaded_file() blocks it.

 Possible solution

 replace
 {{{
  if ( false === @ move_uploaded_file( $file['tmp_name'], $new_file ) ) {
 }}}

 with:


 {{{
 if ( (false === $test_upload && false === @ rename( $file['tmp_name'],
 $new_file ))     || false === @ move_uploaded_file( $file['tmp_name'],
 $new_file ) ) {
 }}}

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/28208#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform