From 12c92db0e87aadbcaa6c43ddd3ac693a49ee32e0 Mon Sep 17 00:00:00 2001
From: Tim Starling
Date: Wed, 15 Oct 2003 12:32:16 +0000
Subject: [PATCH] Security fix: wpReUpload
---
 includes/SpecialUpload.php | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/includes/SpecialUpload.php b/includes/SpecialUpload.php
index cb08a423f9..98c686480e 100644
--- a/includes/SpecialUpload.php
+++ b/includes/SpecialUpload.php
@@ -141,14 +141,13 @@ function saveUploadedFile()
 
 function unsaveUploadedFile()
 {
- global $wgSavedFile, $wgUploadOldVersion;
- global $wpSavedFile, $wpUploadOldVersion;
- global $wgUploadDirectory, $wgOut;
-
- $wgSavedFile = $wpSavedFile;
+ global $wpSessionKey, $wpUploadOldVersion;
+ global $wgUploadDirectory, $wgOut, $wsUploadFiles;
+
+ $wgSavedFile = $wsUploadFiles[$wpSessionKey];
 $wgUploadOldVersion = $wpUploadOldVersion;
 
- if ( ! unlink( $wgSavedFile ) ) {
+ if ( ! @unlink( $wgSavedFile ) ) {
 $wgOut->fileDeleteError( $wgSavedFile );
 return;
 }
@@ -171,7 +170,11 @@ function uploadWarning( $warning )
 global $wpUploadDescription, $wpIgnoreWarning;
 global $wpUploadSaveName, $wpUploadTempName, $wpUploadSize;
 global $wgSavedFile, $wgUploadOldVersion;
- global $wpSavedFile, $wpUploadOldVersion;
+ global $wpSessionKey, $wpUploadOldVersion, $wsUploadFiles;
+
+ # wgSavedFile is stored in the session not the form, for security
+ $wpSessionKey = mt_rand( 0, 0x7fffffff );
+ $wsUploadFiles[$wpSessionKey] = $wgSavedFile;
 
 $sub = wfMsg( "uploadwarning" );
 $wgOut->addHTML( "
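Review bot: In unsaveUploadedFile(), `$wsUploadFiles[$wpSessionKey]` is read without checking that the key, which apparently still arrives with the form, exists in the session; with `@unlink` now suppressing the warning, a missing or stale key only surfaces as a delete error for an empty file name. I would guard the lookup with `if ( !isset( $wsUploadFiles[$wpSessionKey] ) )` and report the failure before touching the filesystem, then `unset( $wsUploadFiles[$wpSessionKey] );` once the file is removed so the entry cannot be reused. `$wgUploadOldVersion` is still copied from `$wpUploadOldVersion`; the rest of the function lies outside the hunk, so if that value reaches a file path there it presumably needs the same session-side treatment as the saved file name. The hunk also drops `global $wgSavedFile, $wgUploadOldVersion;`, so both assignments now create locals, and it is worth confirming that nothing after the hunk expects the globals.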

{$sub}

\n" );
@@ -193,7 +196,7 @@ action=\"{$action}\">
-
+
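Review bot: In uploadWarning(), the new comment says why the path moved to the session but not what the key is for. `$wpSessionKey` only indexes this user's own `$wsUploadFiles`, so the protection comes from the path staying on the server rather than from `mt_rand()` being hard to guess; a comment such as `# The key only selects an entry in this session's list; the path itself is never sent to the client` would make that explicit. A repeated key would silently overwrite an earlier pending upload, which `do { $wpSessionKey = mt_rand( 0, 0x7fffffff ); } while ( isset( $wsUploadFiles[$wpSessionKey] ) );` avoids. The hunk does not show where `$wsUploadFiles` is registered as a session variable or initialised as an array, so that is worth confirming; uploadWarning() continues past the hunk.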
-- 2.20.1