Mailing List Archive

Auditing use of tempnam
Hi Everyone,

I'm trying to track down what is the cause of the non-logged-in user
and the 0-sized file written to /tmp. I'm having trouble auditing the
use of tempnam for my Mediawiki installation.

I think Mediawiki should provide a wrapper for tempnam, like
$wfTempName(...). Ensure the wrapper uses sys_get_temp_dir().
Additionally, the Mediawiki linter should flag direct use of tempnam
and point authors to use the wrapper function.

Even better, provide a complete wrapper for the tempnam so tempnam is
not used. Allow us to put tempnam on the banned function list.
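A sketch of the wrapper proposed above, added here as an example and not code from MediaWiki or from the poster. The name wfTempName is the poster's suggestion; the exception types and the extra checks are assumptions. Two properties of tempnam() drive the design: it always creates an empty 0600 file (so a zero-byte file left in /tmp is what a caller that never writes to or unlinks the path leaves behind), and if the requested directory is missing or unwritable it silently falls back to the system temp directory with only a notice, which is exactly the case an audit wants surfaced rather than hidden.

```php
<?php
// Added example, not MediaWiki's own code. wfTempName is the poster's proposed
// name; the exception classes used here are an assumption.

/**
 * Create a uniquely named, empty temporary file under $dir (defaulting to
 * sys_get_temp_dir()) and return its path, or throw on failure.
 *
 * Unlike a bare tempnam() call, this refuses to silently fall back to the
 * system temp directory when $dir is missing or unwritable, and it verifies
 * that the file PHP created really is owner-only (0600).
 */
function wfTempName( ?string $dir = null, string $prefix = 'mw' ): string {
	$dir = $dir ?? sys_get_temp_dir();
	$realDir = realpath( $dir );
	if ( $realDir === false || !is_dir( $realDir ) || !is_writable( $realDir ) ) {
		throw new InvalidArgumentException( "Temp directory not usable: $dir" );
	}
	// tempnam() creates the file with mode 0600 and returns false on failure.
	$path = tempnam( $realDir, $prefix );
	if ( $path === false ) {
		throw new RuntimeException( "tempnam() failed in $realDir" );
	}
	// PHP falls back to the system temp dir (with a notice) when the requested
	// directory is not usable; treat a file created anywhere else as an error.
	$createdIn = dirname( realpath( $path ) );
	if ( $createdIn !== $realDir ) {
		@unlink( $path );
		throw new RuntimeException( "tempnam() created $path outside $realDir" );
	}
	// Belt and braces: nothing but the owner may read or write the file.
	if ( ( fileperms( $path ) & 0777 ) !== 0600 ) {
		chmod( $path, 0600 );
	}
	return $path;
}

// Usage: the caller gets a path it can fopen() for writing and is responsible
// for unlink()ing it when done, exactly as with tempnam().
$path = wfTempName( null, 'importupload' );
file_put_contents( $path, "example data\n" );
unlink( $path );
```

Routing every caller through one function like this also gives the linter a single allowed call site, so a rule that forbids tempnam() elsewhere in the tree (the "banned function list" the post asks for) becomes a mechanical check rather than a recurring grep.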

Here's the PHP documentation on tempnam:
https://www.php.net/manual/en/function.tempnam.php

Here's what we get back when trying to audit the use of tempnam:

# grep -wIR tempnam /var/www/html/w 2>/dev/null | grep -v sys_get_temp_dir
/var/www/html/w/includes/import/WikiImporter.php: $filename = tempnam( wfTempDir(), 'importupload' );
/var/www/html/w/includes/import/ImportableUploadRevisionImporter.php: $tempo = tempnam( wfTempDir(), 'download' );
/var/www/html/w/includes/diff/TextSlotDiffRenderer.php: $tempName1 = tempnam( $tmpDir, 'diff_' );
/var/www/html/w/includes/diff/TextSlotDiffRenderer.php: $tempName2 = tempnam( $tmpDir, 'diff_' );
/var/www/html/w/includes/resourceloader/ResourceLoaderImage.php: $tempFilenameSvg = tempnam( wfTempDir(), 'ResourceLoaderImage' );
/var/www/html/w/includes/resourceloader/ResourceLoaderImage.php: $tempFilenamePng = tempnam( wfTempDir(), 'ResourceLoaderImage' );
/var/www/html/w/includes/GlobalFunctions.php: $oldtextFile = fopen( $oldtextName = tempnam( $td, 'merge-old-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $mytextFile = fopen( $mytextName = tempnam( $td, 'merge-mine-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $yourtextFile = fopen( $yourtextName = tempnam( $td, 'merge-your-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $oldtextFile = fopen( $oldtextName = tempnam( $td, 'merge-old-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $newtextFile = fopen( $newtextName = tempnam( $td, 'merge-your-' ), 'w' );
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js:tcpwrap_check|tempnam|textdomain|tidy|tidy_access_count|tidy_config_count|tidy_diagnose|tidy_error_count|tidy_get_error_buffer|\
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js: "tempnam": [.
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js: "string tempnam(string dir, string prefix)",
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js:tcpwrap_check|tempnam|textdomain|tidy|tidy_access_count|tidy_config_count|tidy_diagnose|tidy_error_count|tidy_get_error_buffer|\
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js: "tempnam": [.
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js: "string tempnam(string dir, string prefix)",
/var/www/html/w/maintenance/mwdocgen.php: $tmpFile = tempnam( wfTempDir(), 'MWDocGen-' );
/var/www/html/w/vendor/phpunit/phpunit/src/Util/PHP/DefaultPhpProcess.php:use function tempnam;
/var/www/html/w/vendor/zordius/lightncandy/src/LightnCandy.php: $fn = tempnam($tmpDir, 'lci_');
/var/www/html/w/vendor/phan/phan/src/Phan/Plugin/Internal/UseReturnValuePlugin.php: 'tempnam' => true,
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMapReal_php73.php:'tempnam' => '?false|?string',
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMap.php:'tempnam' => ['string|false', 'dir'=>'string', 'prefix'=>'string'],
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMapReal.php:'tempnam' => 'false|string',
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionDocumentationMap.php:'tempnam' => 'Create file with unique file name',
/var/www/html/w/vendor/psy/psysh/src/Configuration.php: return \tempnam($this->getRuntimeDir(), $type . '_' . $pid . '_');
/var/www/html/w/vendor/psy/psysh/src/Command/EditCommand.php: $filePath = \tempnam($this->runtimeDir, 'psysh-edit-command');
/var/www/html/w/vendor/composer/xdebug-handler/src/XdebugHandler.php: if (!$this->tmpIni = @tempnam($tmpDir, '')) {
/var/www/html/w/vendor/pear/pear-core-minimal/src/System.php: $tmp = tempnam($tmpdir, $prefix);

_______________________________________________
MediaWiki-l mailing list
To unsubscribe, go to:
https://lists.wikimedia.org/mailman/listinfo/mediawiki-l