[BUGFIX] Do not use realpath for temporary file names 83/51083/2
authorStefan Froemken <froemken@gmail.com>
Thu, 3 Nov 2016 10:44:51 +0000 (11:44 +0100)
committerHelmut Hummel <typo3@helhum.io>
Sat, 31 Dec 2016 18:21:47 +0000 (19:21 +0100)
Generating a temporary file with the PHP function tempnam,
returns the realpath of the file. There are however
situations where PATH_site has some symlinks or mounts, thus
comparing those paths will fail.

Instead of just using the path the function returns, we only
use the filename and prefix that with PATH_site, so that
the check if the temporary path is within PATH_site will succeed.

Resolves: #70106
Releases: master, 7.6, 6.2
Change-Id: I39a1830ff1a5791aa3fdc91056e3870fbb6dde1f
Reviewed-on: https://review.typo3.org/51083
Reviewed-by: Helmut Hummel <typo3@helhum.io>
Tested-by: Helmut Hummel <typo3@helhum.io>
typo3/sysext/core/Classes/Utility/GeneralUtility.php

index 5172a48..c1c8275 100644 (file)
@@ -4111,7 +4111,7 @@ class GeneralUtility
     {
         $temporaryPath = PATH_site . 'typo3temp/';
         if ($fileSuffix === '') {
-            $tempFileName = static::fixWindowsFilePath(tempnam($temporaryPath, $filePrefix));
+            $tempFileName = $temporaryPath . basename(tempnam($temporaryPath, $filePrefix));
         } else {
             do {
                 $tempFileName = $temporaryPath . $filePrefix . mt_rand(1, PHP_INT_MAX) . $fileSuffix;