authorAndreas Gohr <andi@splitbrain.org>2012-01-09 22:28:27 +0100
committerAndreas Gohr <andi@splitbrain.org>2012-01-09 22:28:27 +0100
commit063fb5b5da7db55f0f8532aef9d5eda458d73b71 (patch)
treee35429f3eb36e8535e34e49cd18772a5fad9a105 /inc/media.php
parentd5d19f6f45af17260583d7f7a8e753343afbaaad (diff)
do not rely on tmpfile() in the AJAX uploader backend FS#2417
Diffstat (limited to 'inc/media.php')
-rw-r--r--inc/media.php14
1 files changed, 8 insertions, 6 deletions
diff --git a/inc/media.php b/inc/media.php
index af4647ecb..508869b3b 100644
--- a/inc/media.php
+++ b/inc/media.php
@@ -230,16 +230,18 @@ function media_upload_xhr($ns,$auth){
$id = $_GET['qqfile'];
list($ext,$mime,$dl) = mimetype($id);
$input = fopen("php://input", "r");
- $temp = tmpfile();
- $realSize = stream_copy_to_stream($input, $temp);
- fclose($input);
- if ($realSize != (int)$_SERVER["CONTENT_LENGTH"]) return false;
if (!($tmp = io_mktmpdir())) return false;
$path = $tmp.'/'.md5($id);
$target = fopen($path, "w");
- fseek($temp, 0, SEEK_SET);
- stream_copy_to_stream($temp, $target);
+ $realSize = stream_copy_to_stream($input, $target);
fclose($target);
+ fclose($input);
+ if ($realSize != (int)$_SERVER["CONTENT_LENGTH"]){
+ unlink($target);
+ unlink($path);
+ return false;
+ }
+
$res = media_save(
array('name' => $path,
'mime' => $mime,
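Review bot: In the size-mismatch branch, `unlink($target);` is passed the stream handle that `fclose($target)` has just closed rather than a filename, so it can only raise a warning (a TypeError on PHP 8) and deletes nothing; drop that line and keep `unlink($path);`. Neither `fopen()` result is checked before `stream_copy_to_stream($input, $target)`, so a failed open of `$path` is only caught indirectly by the length comparison, and not at all when CONTENT_LENGTH is 0; a guard such as `if (!$input || !$target) return false;` before the copy would make that failure explicit. The directory returned by `io_mktmpdir()` also appears to stay on disk when this branch returns, though any later cleanup in `media_upload_xhr` is outside the hunk, which starts and ends inside the function body.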