My Apache config contains a line like this for every virtual host:
SetEnv TMP /home/www/example.com/tmp/
to have tempfiles in a directory specific to each virtual host.
Unfortunately MediaWiki ignores $TMP and always uses /tmp. AFAIK this behaviour was introduced in 1.16 - I did not notice it in 1.15.
The bug is in includes/GlobalFunctions.php:
    function wfTempDir() {
        if( function_exists( 'sys_get_temp_dir' ) ) {
            return sys_get_temp_dir();
        }
        foreach( array( 'TMPDIR', 'TMP', 'TEMP' ) as $var ) {
            $tmp = getenv( $var );
            if( $tmp && file_exists( $tmp ) && is_dir( $tmp ) && is_writable( $tmp ) ) {
                return $tmp;
            }
        }
        # Hope this is Unix of some kind!
        return '/tmp';
    }
Basically the function does the checks in the wrong order. On PHP >= 5.2.1 sys_get_temp_dir() exists and will always return /tmp - it ignores $TMP, see the comments on http://php.net/sys_get_temp_dir
The correct order would be:
- $TMPDIR, $TMP, $TEMP
- sys_get_temp_dir()
- /tmp fallback
Patch: (3 lines moved)
- includes/GlobalFunctions.php (Revision 71214)
+++ includes/GlobalFunctions.php (Arbeitskopie)
@@ -2137,15 +2137,15 @@
- @return String */ function wfTempDir() {
- if( function_exists( 'sys_get_temp_dir' ) ) {
- return sys_get_temp_dir();
- } foreach( array( 'TMPDIR', 'TMP', 'TEMP' ) as $var ) { $tmp = getenv( $var ); if( $tmp && file_exists( $tmp ) && is_dir( $tmp ) && is_writable( $tmp ) ) { return $tmp; } }
+ if( function_exists( 'sys_get_temp_dir' ) ) {
+ return sys_get_temp_dir();
+ }
- Hope this is Unix of some kind! return '/tmp'; }
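Review bot: The moved `return sys_get_temp_dir();` in the `+` lines is still returned unvalidated, while each of $TMPDIR/$TMP/$TEMP has to pass `file_exists()`, `is_dir()` and `is_writable()` before it is used. Consider applying the same three checks to the `sys_get_temp_dir()` result, so that an unusable value falls through to the `'/tmp'` fallback instead of being handed to callers. The `'/tmp'` fallback is likewise returned without any check.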
Rating as major because it causes some "interesting" problems - open_basedir restrictions or in my case AppArmor restrictions might apply.
Sidenote: The code trusts sys_get_temp_dir() blindly - it does not check if it exists, is a directory and is writeable. Maybe you should add a check for this, similar to the code used for $TMPDIR/$TMP/$TEMP. (This is NOT included in the above patch.)
Version: 1.17.x
Severity: major
OS: other
Platform: Other
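The lookup order proposed in this report, combined with the validation suggested in its sidenote, as an added example that is not part of the original report or of MediaWiki's code. The function names exampleUsableDir() and exampleTempDir(), the injectable lookup parameter and the demo paths are hypothetical.

```php
<?php
// Added example, not MediaWiki code; all names here are hypothetical.

/** True if $dir names an existing, writable directory. */
function exampleUsableDir( $dir ) {
	return is_string( $dir ) && $dir !== ''
		&& is_dir( $dir ) && is_writable( $dir );
}

/**
 * Candidate order: $TMPDIR, $TMP, $TEMP, then sys_get_temp_dir(), then /tmp.
 * Every candidate, including the last two, must pass exampleUsableDir().
 * $lookup replaces getenv() so the demo can supply constructed values.
 */
function exampleTempDir( ?callable $lookup = null ) {
	$lookup = $lookup ?? 'getenv';
	$candidates = array();
	foreach ( array( 'TMPDIR', 'TMP', 'TEMP' ) as $var ) {
		$candidates[] = $lookup( $var ); // false when the variable is unset
	}
	if ( function_exists( 'sys_get_temp_dir' ) ) {
		$candidates[] = sys_get_temp_dir();
	}
	$candidates[] = '/tmp';
	foreach ( $candidates as $dir ) {
		if ( exampleUsableDir( $dir ) ) {
			return $dir;
		}
	}
	// Fail loudly instead of returning a path that cannot be written to.
	throw new RuntimeException( 'No usable temporary directory found' );
}

// Constructed demo: a private directory stands in for the SetEnv TMP value.
$vhostTmp = sys_get_temp_dir() . '/example-vhost-tmp-' . getmypid();
mkdir( $vhostTmp, 0700 );
$env = array( 'TMP' => $vhostTmp );
echo exampleTempDir( function ( $var ) use ( $env ) {
	return $env[$var] ?? false;
} ), "\n";
// An unusable $TMP is skipped and the next valid candidate is used.
echo exampleTempDir( function ( $var ) {
	return '/nonexistent/example-tmp';
} ), "\n";
rmdir( $vhostTmp );
```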