[wp-trac] [WordPress Trac] #34562: `wp_tempnam()` can return a path that already exists
WordPress Trac
noreply at wordpress.org
Tue Nov 3 03:25:20 UTC 2015
#34562: `wp_tempnam()` can return a path that already exists
----------------------------+-----------------------
 Reporter:  dd32            |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  4.4
Component:  Filesystem API  |     Version:
 Severity:  normal          |    Keywords:  has-patch
  Focuses:                  |
----------------------------+-----------------------
At present it's possible for `wp_tempnam()` to generate a filename
which already exists on the server; it requires two processes to attempt
to create the same filename within the same short period of time. The
period of time varies on the IO operation time, so is more of an issue
where the filesystem is remote (say an NFS share).

There are two things we can do to improve this:

a) Suffix a random ID onto the filename to make it far more unique, and
unlikely to conflict with an existing file
b) Verify the result from `touch()` to see if the file exists

`a` uses `wp_generate_password( 6, $special_char=false )` which is the
only real random string function we have - `uniq()` is possible but is
merely the same as `microtime()` converted to a-Z.

`b` is actually a little complex, `touch()` isn't what we want here, what
we want is more akin to `fopen( $file, 'x' )` - create the file if it
doesn't exist, else bail.

Attached is a patch that implements this with a few extra checks, it
currently allows for an unwritable directory/filename to be returned (I
mean, it's best-effort, the failure isn't likely to occur) to prevent
infinite looping.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/34562>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
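
The two measures described in the ticket (random suffix plus exclusive create), as an added example that is not the attached patch or WordPress core code. The function `example_create_temp_file()`, its parameters and the `.tmp` naming are hypothetical; it assumes PHP 7+ for `random_bytes()`, and unlike the patch described above it returns `false` after a bounded number of attempts instead of returning an unverified path.

```php
<?php
/**
 * Create an empty, uniquely named file in $dir and return its path,
 * or false if no file could be created. Hypothetical helper.
 */
function example_create_temp_file( $dir, $prefix = 'tmp', $max_attempts = 10 ) {
    $dir = rtrim( $dir, '/\\' );

    // An unwritable directory fails every attempt, so retrying is pointless.
    if ( ! is_dir( $dir ) || ! is_writable( $dir ) ) {
        return false;
    }

    for ( $i = 0; $i < $max_attempts; $i++ ) {
        // (a) Random suffix: two processes starting in the same instant
        // are unlikely to pick the same name.
        $suffix = bin2hex( random_bytes( 3 ) );
        $path   = $dir . DIRECTORY_SEPARATOR . $prefix . '-' . $suffix . '.tmp';

        // (b) Mode 'x' creates the file only if it does not already exist.
        // Existence check and creation are a single operation, so a second
        // process cannot slip in between them. A collision raises a warning
        // and returns false; it is suppressed here and handled by retrying.
        $handle = @fopen( $path, 'x' );
        if ( false !== $handle ) {
            fclose( $handle );
            return $path;
        }
    }

    // Bounded retries prevent an infinite loop.
    return false;
}

// Constructed demonstration using the system temp directory.
$path = example_create_temp_file( sys_get_temp_dir(), 'demo' );
var_dump( $path );

if ( false !== $path ) {
    // A second exclusive create of the same path is refused ...
    var_dump( @fopen( $path, 'x' ) );
    // ... whereas touch() reports success on a file that already exists,
    // so its result cannot distinguish "created" from "was already there".
    var_dump( touch( $path ) );
    unlink( $path );
}
```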