From dd472b7d2ed4a59b1d3c04b9a0dad29f9afeeeb2 Mon Sep 17 00:00:00 2001 From: Dion Hulse Date: Tue, 31 May 2016 02:20:58 +0000 Subject: [PATCH] Updates: Only use the filename component of URLs to form part of the temporary filename. Previously we were passing the entire URL to `wp_tempnam()` (incorrectly) which caused the query string to be used as part of the temporary filename. We now only use the file component of a url such as `https://example.com/filename.zip?arg1=1&arg2=2....&arg100=100` to prevent a long filename. Fixes #34938 git-svn-id: https://develop.svn.wordpress.org/trunk@37598 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-admin/includes/file.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php index 6b48978e0d..3b754dfd6f 100644 --- a/src/wp-admin/includes/file.php +++ b/src/wp-admin/includes/file.php @@ -493,7 +493,9 @@ function download_url( $url, $timeout = 300 ) { if ( ! $url ) return new WP_Error('http_no_url', __('Invalid URL Provided.')); - $tmpfname = wp_tempnam($url); + $url_filename = basename( parse_url( $url, PHP_URL_PATH ) ); + + $tmpfname = wp_tempnam( $url_filename ); if ( ! $tmpfname ) return new WP_Error('http_no_file', __('Could not create Temporary file.'));