Hi Everyone,
I'm trying to track down the cause of the non-logged-in user and the 0-sized file written to /tmp. I'm having trouble auditing the use of tempnam for my MediaWiki installation.
I think MediaWiki should provide a wrapper for tempnam, like $wfTempName(...). Ensure the wrapper uses sys_get_temp_dir(). Additionally, the MediaWiki linter should flag direct use of tempnam and point authors to the wrapper function.
Even better, provide a complete wrapper for tempnam so tempnam is not used. Allow us to put tempnam on the banned function list.
Here's the PHP documentation on tempnam: https://www.php.net/manual/en/function.tempnam.php.
Here's what we get back when trying to audit the use of tempnam:
# grep -wIR tempnam /var/www/html/w 2>/dev/null | grep -v sys_get_temp_dir
/var/www/html/w/includes/import/WikiImporter.php: $filename = tempnam( wfTempDir(), 'importupload' );
/var/www/html/w/includes/import/ImportableUploadRevisionImporter.php: $tempo = tempnam( wfTempDir(), 'download' );
/var/www/html/w/includes/diff/TextSlotDiffRenderer.php: $tempName1 = tempnam( $tmpDir, 'diff_' );
/var/www/html/w/includes/diff/TextSlotDiffRenderer.php: $tempName2 = tempnam( $tmpDir, 'diff_' );
/var/www/html/w/includes/resourceloader/ResourceLoaderImage.php: $tempFilenameSvg = tempnam( wfTempDir(), 'ResourceLoaderImage' );
/var/www/html/w/includes/resourceloader/ResourceLoaderImage.php: $tempFilenamePng = tempnam( wfTempDir(), 'ResourceLoaderImage' );
/var/www/html/w/includes/GlobalFunctions.php: $oldtextFile = fopen( $oldtextName = tempnam( $td, 'merge-old-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $mytextFile = fopen( $mytextName = tempnam( $td, 'merge-mine-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $yourtextFile = fopen( $yourtextName = tempnam( $td, 'merge-your-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $oldtextFile = fopen( $oldtextName = tempnam( $td, 'merge-old-' ), 'w' );
/var/www/html/w/includes/GlobalFunctions.php: $newtextFile = fopen( $newtextName = tempnam( $td, 'merge-your-' ), 'w' );
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js:tcpwrap_check|tempnam|textdomain|tidy|tidy_access_count|tidy_config_count|tidy_diagnose|tidy_error_count|tidy_get_error_buffer|\
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js: "tempnam": [
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php_laravel_blade.js: "string tempnam(string dir, string prefix)",
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js:tcpwrap_check|tempnam|textdomain|tidy|tidy_access_count|tidy_config_count|tidy_diagnose|tidy_error_count|tidy_get_error_buffer|\
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js: "tempnam": [
/var/www/html/w/extensions/CodeEditor/modules/ace/mode-php.js: "string tempnam(string dir, string prefix)",
/var/www/html/w/maintenance/mwdocgen.php: $tmpFile = tempnam( wfTempDir(), 'MWDocGen-' );
/var/www/html/w/vendor/phpunit/phpunit/src/Util/PHP/DefaultPhpProcess.php:use function tempnam;
/var/www/html/w/vendor/zordius/lightncandy/src/LightnCandy.php: $fn = tempnam($tmpDir, 'lci_');
/var/www/html/w/vendor/phan/phan/src/Phan/Plugin/Internal/UseReturnValuePlugin.php: 'tempnam' => true,
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMapReal_php73.php:'tempnam' => '?false|?string',
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMap.php:'tempnam' => ['string|false', 'dir'=>'string', 'prefix'=>'string'],
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionSignatureMapReal.php:'tempnam' => 'false|string',
/var/www/html/w/vendor/phan/phan/src/Phan/Language/Internal/FunctionDocumentationMap.php:'tempnam' => 'Create file with unique file name',
/var/www/html/w/vendor/psy/psysh/src/Configuration.php: return \tempnam($this->getRuntimeDir(), $type . '_' . $pid . '_');
/var/www/html/w/vendor/psy/psysh/src/Command/EditCommand.php: $filePath = \tempnam($this->runtimeDir, 'psysh-edit-command');
/var/www/html/w/vendor/composer/xdebug-handler/src/XdebugHandler.php: if (!$this->tmpIni = @tempnam($tmpDir, '')) {
/var/www/html/w/vendor/pear/pear-core-minimal/src/System.php: $tmp = tempnam($tmpdir, $prefix);
mediawiki-l@lists.wikimedia.org
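An added example, not MediaWiki's own code and not from the poster: a plain-PHP wrapper of the kind the post asks for (it rejects tempnam()'s documented fallback to the system temp dir when the requested dir is unusable, which is one way a stray 0-byte file ends up in /tmp), followed by the lint check the post proposes. The names exampleTempName and exampleFindDirectTempnam are placeholders; only PHP's built-in tempnam(), sys_get_temp_dir() and token_get_all() are assumed.

```php
<?php
// Added example, not MediaWiki code. exampleTempName() creates an empty 0600 file in
// $dir (default sys_get_temp_dir()) and refuses the silent fallback that tempnam()
// performs when $dir does not exist or is not writable.
function exampleTempName( ?string $dir = null, string $prefix = 'mw' ): string {
    $realDir = realpath( $dir ?? sys_get_temp_dir() );
    if ( $realDir === false || !is_dir( $realDir ) || !is_writable( $realDir ) ) {
        throw new RuntimeException( 'Temp dir not usable: ' . ( $dir ?? 'sys_get_temp_dir()' ) );
    }
    $path = @tempnam( $realDir, $prefix ); // false on failure; notice + fallback if dir unusable
    if ( $path === false ) {
        throw new RuntimeException( 'tempnam() failed' );
    }
    $realPath = realpath( $path );
    if ( $realPath === false || dirname( $realPath ) !== $realDir ) {
        @unlink( $path ); // file landed somewhere else (fallback): do not leave it behind
        throw new RuntimeException( "tempnam() fell back outside $realDir" );
    }
    chmod( $path, 0600 ); // tempnam() already uses 0600; made explicit for auditors
    return $path;
}

// Added example of the lint check the post proposes: returns the line numbers of direct
// tempnam() / \tempnam() calls in $source. The tokenizer skips comments and strings;
// "function tempnam", "->tempnam()" and "::tempnam()" are ignored. Run it over every
// file except the one that defines the wrapper.
function exampleFindDirectTempnam( string $source ): array {
    $skip = [ T_WHITESPACE, T_COMMENT, T_DOC_COMMENT ];
    $toks = array_values( array_filter( token_get_all( $source ),
        fn ( $t ) => !is_array( $t ) || !in_array( $t[0], $skip, true ) ) );
    $lines = [];
    foreach ( $toks as $i => $t ) {
        if ( !is_array( $t ) || strcasecmp( ltrim( $t[1], '\\' ), 'tempnam' ) !== 0 ) {
            continue;
        }
        $prev = $toks[$i - 1] ?? null;
        if ( is_array( $prev ) && in_array( $prev[0], [ T_FUNCTION, T_OBJECT_OPERATOR, T_DOUBLE_COLON ], true ) ) {
            continue;
        }
        if ( ( $toks[$i + 1] ?? null ) === '(' ) {
            $lines[] = $t[2];
        }
    }
    return $lines;
}

// Constructed sample input (not from MediaWiki): a plain call, a comment, a namespaced
// call, a method call and a "use function" import, one per line.
$sample = "<?php\n\$a = tempnam( wfTempDir(), 'x' );\n// tempnam( in a comment\n\$b = \\tempnam( \$d, 'y' );\n\$c = \$obj->tempnam();\nuse function tempnam;\n";
print_r( exampleFindDirectTempnam( $sample ) );
```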