[wp-trac] [WordPress Trac] #34562: `wp_tempnam()` can return a path that already exists

WordPress Trac noreply at wordpress.org
Tue Nov 3 03:25:20 UTC 2015


#34562: `wp_tempnam()` can return a path that already exists
----------------------------+-----------------------
 Reporter:  dd32            |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  4.4
Component:  Filesystem API  |    Version:
 Severity:  normal          |   Keywords:  has-patch
  Focuses:                  |
----------------------------+-----------------------
 At present it's possible for `wp_tempnam()` to generate a filename
 which already exists on the server; it requires two processes to attempt
 to create the same filename within the same short period of time. The
 period of time varies with the IO operation time, so it is more of an issue
 where the filesystem is remote (say an NFS share).

 There are two things we can do to improve this:
 a) Suffix a random ID onto the filename to make it far more unique, and
 unlikely to conflict with an existing file
 b) Verify the result from `touch()` to see if the file exists

 `a` uses `wp_generate_password( 6, $special_char=false )` which is the
 only real random string function we have - `uniq()` is possible but is
 merely the same as `microtime()` converted to a-Z.

 `b` is actually a little complex, `touch()` isn't what we want here, what
 we want is more akin to `fopen( $file, 'x' )` - create the file if it
 doesn't exist, else bail.

 Attached is a patch that implements this with a few extra checks; it
 currently allows for an unwritable directory/filename to be returned (I
 mean, it's best-effort, the failure isn't likely to occur) to prevent
 infinite looping.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/34562>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
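
The two ideas in the ticket (a random suffix plus an exclusive create with `fopen( $file, 'x' )`) combined in one sketch. This is an added example, not the attached patch and not WordPress core code; `example_tempnam_exclusive()`, its parameters and the `demo` prefix are hypothetical, it assumes PHP 7+ for `random_bytes()`, and unlike the patch described above it returns `false` rather than a best-effort path when nothing could be created.

```php
<?php
/**
 * Hypothetical helper (not a WordPress function): create a uniquely named
 * temp file in $dir and return its path, or false after $max_tries failures.
 */
function example_tempnam_exclusive( $dir, $prefix = 'tmp', $max_tries = 10 ) {
	$dir = rtrim( $dir, '/\\' );

	for ( $i = 0; $i < $max_tries; $i++ ) {
		// (a) Random suffix: two processes choosing the same name becomes unlikely.
		$suffix = bin2hex( random_bytes( 3 ) ); // 6 hex characters
		$path   = $dir . '/' . $prefix . '-' . $suffix . '.tmp';

		// (b) Mode 'x' creates the file only if it does not already exist.
		// The existence check and the creation are a single operation, so a
		// concurrent process cannot win the same name between the two.
		$fp = @fopen( $path, 'x' );
		if ( false !== $fp ) {
			fclose( $fp );
			return $path;
		}

		// A directory that cannot be written to will not improve on retry.
		if ( ! is_dir( $dir ) || ! is_writable( $dir ) ) {
			return false;
		}
	}

	// Bounded retries: give up instead of looping forever.
	return false;
}

// Constructed demo: two calls with the same prefix yield two distinct files.
$dir = sys_get_temp_dir();
$a   = example_tempnam_exclusive( $dir, 'demo' );
$b   = example_tempnam_exclusive( $dir, 'demo' );
var_dump( $a !== $b && is_file( $a ) && is_file( $b ) );

// A second exclusive create on a path that now exists is refused.
var_dump( @fopen( $a, 'x' ) );

unlink( $a );
unlink( $b );
```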

