From c77fa67b50d49455e3b518eeb2bcbd0531d07165 Mon Sep 17 00:00:00 2001
From: Michael Hamann <michael@content-space.de>
Date: Tue, 16 Mar 2010 15:33:58 +0100
Subject: [PATCH] Use md5sum of id and client ip as temporary filename in
 XML-RPC

Before this patch the temporary filename was the uncleaned id. This
allowed anyone with upload privileges (anywhere on the wiki) and XML-RPC
privileges on an XML-RPC-enabled DokuWiki to (over)write any file PHP is
allowed to write, with arbitrary content. If you have XML-RPC enabled
and users with XML-RPC and upload privileges whom you would not trust to
write any file PHP may write, treat this as an important security fix.
By default XML-RPC is disabled, so if you don't know what I'm talking
about you are probably not affected by the problem.
---
 lib/exe/xmlrpc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/exe/xmlrpc.php b/lib/exe/xmlrpc.php
index 670ab5d7e..b6b9f0e52 100644
--- a/lib/exe/xmlrpc.php
+++ b/lib/exe/xmlrpc.php
@@ -578,7 +578,7 @@ class dokuwiki_xmlrpc_server extends IXR_IntrospectionServer {
                 return new IXR_ERROR(1, 'Filename not given.');
             }
 
-            $ftmp = $conf['tmpdir'] . '/' . $id;
+            $ftmp = $conf['tmpdir'] . '/' . md5($id.clientIP());
 
             // save temporary file
             @unlink($ftmp);
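Review bot: The hashed name is still derived entirely from caller-controlled, non-secret input, so two uploads with the same id from the same client address (or from clients behind a shared NAT) resolve to the same temporary path, and the `@unlink($ftmp)` on the following line can then remove a file another request is still writing; the change closes the uncleaned-id write but not this collision. An atomically created unique file avoids both concerns: `$ftmp = tempnam($conf['tmpdir'], 'xmlrpc_');` followed by a `=== false` check before the file is used, which also makes the `unlink` unnecessary. Separately, the `@` on `unlink()` hides permission problems in the tmpdir that would otherwise explain a failed upload; dropping it or logging the failure would help diagnosis. The enclosing method starts and ends outside the hunk, so how `$ftmp` is later consumed and whether it is removed afterwards cannot be checked here.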
-- 
GitLab