[wp-trac] [WordPress Trac] #55109: Plugins no longer download to tmp folder

WordPress Trac noreply at wordpress.org
Tue Feb 8 04:34:58 UTC 2022

#55109: Plugins no longer download to tmp folder
 Reporter:  antonynz      |      Owner:  (none)
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  General       |    Version:  5.9
 Severity:  normal        |   Keywords:
  Focuses:                |
 5.9 introduces a content-disposition check in the download_URL function to
 update the filename externally.

 However when this header is set, the temporary path is removed from the
 $tmpfname variable which is added earlier, i.e:

 $tmpfname = wp_tempnam( $url_filename );
 is overridden with:
 $tmpfname = $tmpfname_disposition;

 This results in plugins that are downloaded from the WordPress plugin
 repository (as they include the content-disposition header) being
 downloaded to the folder the user is in eg, wp-admin if updating via the
 plugins page or the home directory if updated via a cron auto-update job
 for example. The overriding of the variable also skips the writable
 directory checks within wp_tempnam.

 I've read over the comments for the addition of this code, but it's not
 clear what the use case is or if it was intended to apply to plugins?

Ticket URL: <https://core.trac.wordpress.org/ticket/55109>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list