Commit c77fa67b authored by Michael Hamann

Use md5sum of id and client ip as temporary filename in XML-RPC

Before this patch the temporary filename was the uncleaned id. This
allowed everyone with upload privileges (on the whole wiki) and XML-RPC
privileges on an XML-RPC-enabled DokuWiki to (over)write any file PHP is
allowed to write with any content they want. If you have XML-RPC enabled
and users with XML-RPC and upload privileges whom you don't trust in a way
you would allow them to write any file PHP may write, consider this
an important security fix. By default XML-RPC is disabled, so if you
don't know what I'm talking about you are probably not affected by the
problem.
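The traversal the commit message describes, shown as an added example rather than DokuWiki code: the "before" form concatenates the caller-supplied id into the temp path verbatim, the "after" form concatenates only a hex digest. The tmpdir path, the sample id and the IP literal standing in for clientIP() are all constructed here; the containment check is a hypothetical helper, not something the project ships.

```php
<?php
// Added example, not DokuWiki code. Assumed tmpdir; DokuWiki takes this from $conf['tmpdir'].
$tmpdir = '/var/www/dokuwiki/data/tmp';

// Constructed attacker-controlled id, as a caller could pass it to the XML-RPC upload call.
$id = '../../conf/local.php';

// Before the patch: the raw id becomes part of the filename.
$before = $tmpdir . '/' . $id;
// After the patch: only md5() output lands in the filename. 203.0.113.5 stands in for clientIP().
$after  = $tmpdir . '/' . md5($id . '203.0.113.5');

// Lexically collapse '.' and '..' segments without touching the filesystem.
function lexical_normalize(string $path): string {
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// True when the normalized candidate sits strictly below the normalized base directory.
function stays_inside(string $base, string $candidate): bool {
    $b = lexical_normalize($base) . '/';
    return strncmp(lexical_normalize($candidate), $b, strlen($b)) === 0;
}

printf("before: %s (inside tmpdir: %s)\n",
    lexical_normalize($before), stays_inside($tmpdir, $before) ? 'yes' : 'no');
printf("after:  %s (inside tmpdir: %s)\n",
    lexical_normalize($after), stays_inside($tmpdir, $after) ? 'yes' : 'no');
```

Run with `php example.php`: the "before" path normalizes to a file under the wiki's conf directory, the "after" path stays under tmpdir because md5() yields only `[0-9a-f]` characters and can never contain a slash or a `..` segment.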
parent 5ce4ea15
......@@ -578,7 +578,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
return new IXR_ERROR(1, 'Filename not given.');
}
$ftmp = $conf['tmpdir'] . '/' . $id;
$ftmp = $conf['tmpdir'] . '/' . md5($id.clientIP());
// save temporary file
@unlink($ftmp);
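Review bot: the replacement name md5($id.clientIP()) on the changed line is deterministic, so two concurrent uploads of the same $id from one client IP (or from several clients behind one NAT or proxy) map to the same temp file, and the @unlink($ftmp) that immediately follows will delete the other request's partially written file. If the only goal is to keep the name inside $conf['tmpdir'], a per-request unique name such as tempnam($conf['tmpdir'], 'xmlrpc'), or folding uniqid('', true) into the hashed string, removes the race while still discarding the caller-controlled path. The @ in front of unlink() also hides permission and I/O errors on a path that is now fully under server control; dropping the suppression here would surface misconfigured tmpdir permissions instead of failing silently later in the upload.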