[wp-trac] [WordPress Trac] #52844: wp_tempnam [download_url] unable to create temporary file if file name is too long

WordPress Trac noreply at wordpress.org
Thu Mar 18 07:15:59 UTC 2021


#52844: wp_tempnam [download_url] unable to create temporary file if file name is
too long
--------------------------+-----------------------------
 Reporter:  nextendweb    |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 If the first parameter of the `wp_tempnam` function is too long, then the
 temporary file cannot be created, as filesystems have a limit on the path
 and the file name length.

 This mainly impacts the `download_url` function, which takes a URL argument
 and tries to create a temporary file based on
 `basename( parse_url( $url, PHP_URL_PATH ) )`.

 For example, this URL points to a Google avatar:
 {{{
 https://lh3.googleusercontent.com/a
 -/AOh14Gglfqpi2Kz6aFTysWWgDnP2PszwkmL55tl4QNSX62jNTt-
 GK7ERhWuIT9AehHIzIlTdxBrNUUeWLwGyZeqsM3W300OX8xDy6lOmUMIChjOUMmfM1qHUKRbpZmElOXyT4DNLJiixrPuwkAH24sy5cQLtp8YPhdKR1SrErcXzFLjO1EQ2JvgLFvihaL92ddDERbdFVziBgsl9R0VDplz-
 EX2Qr3q5ieaJ3d8pXBA-
 DyZB5FSQWx1RHUBXECE7CFGGKORHYwNrrJnvh8P57TlrdfYFNvzmPgoUJFGl7WITIKG7saB3nhdY2j9MdQ4j1a1lH-
 QuK6p_Pz1fYYJVHQEmYRhMWOXExh675j7k3xB4NYRbPnpKFjinayfkWNq7aZg5dfX0Pv_ZjhO9crZnpqAbfATL5DxG0zomMtY4KZqma3qKLq3MXpijXqD4vshMheoo90IcTKOUkopcP7RFES-
 R3TXb-R_JtNUQ-Uw-
 Wc41t03ySkvM4U8nuPX_XZ3nzc6fLlHtRKC0dw5Bm7cELv7Nb1YgSVIAqJveQ_QtzSwfbJo9-wXDgjv13jA24l34IPbieVfXJ2LIExKVuptVyfKy4G8FndRlMRbhhsAeQuHw6l3dmSxD8VOVfCTa3YPCFyQ66AI_B2ALHRwbdibkxI_DBhuH2WDZxHD8jPhKK0GrcPniIbIR0QwsZ7NBNGBQNGD4c3nf0xeYQQTr8VzteRhEpz2ERXiGboqslL10qTch8s7pz_mu5Xqty2Izs7Xm6vowIKAEYA=s96-c
 }}}

 The argument for `wp_tempnam` will be
 `AOh14Gglfqpi2Kz6aFTysWWgDnP2PszwkmL55tl4QNSX62jNTt-
 GK7ERhWuIT9AehHIzIlTdxBrNUUeWLwGyZeqsM3W300OX8xDy6lOmUMIChjOUMmfM1qHUKRbpZmElOXyT4DNLJiixrPuwkAH24sy5cQLtp8YPhdKR1SrErcXzFLjO1EQ2JvgLFvihaL92ddDERbdFVziBgsl9R0VDplz-
 EX2Qr3q5ieaJ3d8pXBA-
 DyZB5FSQWx1RHUBXECE7CFGGKORHYwNrrJnvh8P57TlrdfYFNvzmPgoUJFGl7WITIKG7saB3nhdY2j9MdQ4j1a1lH-
 QuK6p_Pz1fYYJVHQEmYRhMWOXExh675j7k3xB4NYRbPnpKFjinayfkWNq7aZg5dfX0Pv_ZjhO9crZnpqAbfATL5DxG0zomMtY4KZqma3qKLq3MXpijXqD4vshMheoo90IcTKOUkopcP7RFES-
 R3TXb-R_JtNUQ-Uw-
 Wc41t03ySkvM4U8nuPX_XZ3nzc6fLlHtRKC0dw5Bm7cELv7Nb1YgSVIAqJveQ_QtzSwfbJo9-wXDgjv13jA24l34IPbieVfXJ2LIExKVuptVyfKy4G8FndRlMRbhhsAeQuHw6l3dmSxD8VOVfCTa3YPCFyQ66AI_B2ALHRwbdibkxI_DBhuH2WDZxHD8jPhKK0GrcPniIbIR0QwsZ7NBNGBQNGD4c3nf0xeYQQTr8VzteRhEpz2ERXiGboqslL10qTch8s7pz_mu5Xqty2Izs7Xm6vowIKAEYA=s96-c`
 and it will result in a file name that is too long.

 **Example code:**

 {{{
 $path = download_url('https://lh3.googleusercontent.com/a
 -/AOh14Gglfqpi2Kz6aFTysWWgDnP2PszwkmL55tl4QNSX62jNTt-
 GK7ERhWuIT9AehHIzIlTdxBrNUUeWLwGyZeqsM3W300OX8xDy6lOmUMIChjOUMmfM1qHUKRbpZmElOXyT4DNLJiixrPuwkAH24sy5cQLtp8YPhdKR1SrErcXzFLjO1EQ2JvgLFvihaL92ddDERbdFVziBgsl9R0VDplz-
 EX2Qr3q5ieaJ3d8pXBA-
 DyZB5FSQWx1RHUBXECE7CFGGKORHYwNrrJnvh8P57TlrdfYFNvzmPgoUJFGl7WITIKG7saB3nhdY2j9MdQ4j1a1lH-
 QuK6p_Pz1fYYJVHQEmYRhMWOXExh675j7k3xB4NYRbPnpKFjinayfkWNq7aZg5dfX0Pv_ZjhO9crZnpqAbfATL5DxG0zomMtY4KZqma3qKLq3MXpijXqD4vshMheoo90IcTKOUkopcP7RFES-
 R3TXb-R_JtNUQ-Uw-
 Wc41t03ySkvM4U8nuPX_XZ3nzc6fLlHtRKC0dw5Bm7cELv7Nb1YgSVIAqJveQ_QtzSwfbJo9-wXDgjv13jA24l34IPbieVfXJ2LIExKVuptVyfKy4G8FndRlMRbhhsAeQuHw6l3dmSxD8VOVfCTa3YPCFyQ66AI_B2ALHRwbdibkxI_DBhuH2WDZxHD8jPhKK0GrcPniIbIR0QwsZ7NBNGBQNGD4c3nf0xeYQQTr8VzteRhEpz2ERXiGboqslL10qTch8s7pz_mu5Xqty2Izs7Xm6vowIKAEYA=s96-c');
 }}}

 **Suggested changes**:
 - in the `download_url` function, generate the temporary file with an empty
 argument, which creates a random filename: `$tmpfname = wp_tempnam();`
 - in the `wp_tempnam` function, limit the length of the input filename:
 {{{
 function wp_tempnam( $filename = '', $dir = '' ) {
     if ( empty( $dir ) ) {
         $dir = get_temp_dir();
     }

     if ( empty( $filename ) || in_array( $filename, array( '.', '/', '\\' ), true ) ) {
         $filename = uniqid();
     }

     // Use the basename of the given file without the extension as the name for the temporary directory.
     $temp_filename = basename( $filename );
     $temp_filename = preg_replace( '|\.[^.]*$|', '', $temp_filename );

     // If the folder is falsey, use its parent directory name instead.
     if ( ! $temp_filename ) {
         return wp_tempnam( dirname( $filename ), $dir );
     }

     // Limit the name taken from the input to 8 characters.
     $temp_filename  = substr( $temp_filename, 0, 8 );

     // Suffix some random data to avoid filename conflicts.
     $temp_filename .= '-' . wp_generate_password( 6, false );
     $temp_filename .= '.tmp';
     $temp_filename  = $dir . wp_unique_filename( $dir, $temp_filename );

     $fp = @fopen( $temp_filename, 'x' );
     if ( ! $fp && is_writable( $dir ) && file_exists( $temp_filename ) ) {
         return wp_tempnam( $filename, $dir );
     }
     if ( $fp ) {
         fclose( $fp );
     }

     return $temp_filename;
 }
 }}}

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/52844>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
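
The failure described in this ticket can be reproduced outside WordPress. The script below is an added example, not code from the ticket or from WordPress core; it assumes a filesystem that caps a single file name at 255 bytes, uses a constructed URL, and `url_basename`, `bounded_temp_name` and `can_create` are hypothetical helper names.

```php
<?php
// Added example: standalone PHP, no WordPress functions are used.
// Assumption: the temp directory's filesystem caps one name component at
// 255 bytes (NAME_MAX on common Linux filesystems).
const NAME_LIMIT = 255;

// Same derivation the ticket quotes from download_url().
function url_basename( string $url ): string {
    return basename( (string) parse_url( $url, PHP_URL_PATH ) );
}

// Hypothetical helper: keep a short, sanitized prefix, then add random data,
// so the remote URL never controls the length or characters of the name.
function bounded_temp_name( string $name, int $keep = 8 ): string {
    $stem = preg_replace( '|\.[^.]*$|', '', basename( $name ) );
    $stem = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $stem );
    $stem = substr( $stem, 0, $keep );
    if ( '' === $stem ) {
        $stem = 'tmp';
    }
    return $stem . '-' . bin2hex( random_bytes( 6 ) ) . '.tmp';
}

// Try exclusive creation ('x' fails if the file exists); clean up afterwards.
function can_create( string $dir, string $name ): bool {
    $path = rtrim( $dir, '/\\' ) . DIRECTORY_SEPARATOR . $name;
    $fp   = @fopen( $path, 'x' );
    if ( false === $fp ) {
        return false;
    }
    fclose( $fp );
    unlink( $path );
    return true;
}

// Constructed URL with a long final path segment (not the URL from the ticket).
$url  = 'https://example.com/a-/' . str_repeat( 'A', 900 ) . '=s96-c';
$long = url_basename( $url );
$safe = bounded_temp_name( $long );
$dir  = sys_get_temp_dir();

printf( "basename length: %d (limit %d)\n", strlen( $long ), NAME_LIMIT );
printf( "create with full basename: %s\n", can_create( $dir, $long . '.tmp' ) ? 'ok' : 'failed' );
printf( "bounded name: %s (%d bytes)\n", $safe, strlen( $safe ) );
printf( "create with bounded name: %s\n", can_create( $dir, $safe ) ? 'ok' : 'failed' );
```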

