From 063fb5b5da7db55f0f8532aef9d5eda458d73b71 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Mon, 9 Jan 2012 22:28:27 +0100
Subject: do not rely on tmpfile() in the AJAX uploader backend FS#2417

---
 inc/media.php | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

(limited to 'inc')

diff --git a/inc/media.php b/inc/media.php
index af4647ecb..508869b3b 100644
--- a/inc/media.php
+++ b/inc/media.php
@@ -230,16 +230,18 @@ function media_upload_xhr($ns,$auth){
     $id = $_GET['qqfile'];
     list($ext,$mime,$dl) = mimetype($id);
     $input = fopen("php://input", "r");
-    $temp = tmpfile();
-    $realSize = stream_copy_to_stream($input, $temp);
-    fclose($input);
-    if ($realSize != (int)$_SERVER["CONTENT_LENGTH"]) return false;
     if (!($tmp = io_mktmpdir())) return false;
     $path = $tmp.'/'.md5($id);
     $target = fopen($path, "w");
-    fseek($temp, 0, SEEK_SET);
-    stream_copy_to_stream($temp, $target);
+    $realSize = stream_copy_to_stream($input, $target);
     fclose($target);
+    fclose($input);
+    if ($realSize != (int)$_SERVER["CONTENT_LENGTH"]){
+        unlink($target);
+        unlink($path);
+        return false;
+    }
+
     $res = media_save(
         array('name' => $path,
             'mime' => $mime,
-- 
cgit v1.2.3