[wp-hackers] wp_handle_upload() and test_upload=false

Davit Barbakadze jayarjo at gmail.com
Mon Jan 31 17:42:31 UTC 2011


wp_handle_upload() internally has a way to bypass the check for whether
the file was uploaded, by passing in an override of test_upload=false.
Thus this will be bypassed:

 // A properly uploaded file will pass this test. There should be no
 // reason to override this one.
 if ( $test_upload && ! @ is_uploaded_file( $file['tmp_name'] ) )
         return call_user_func( $upload_error_handler, $file, __( 'Specified file failed upload test.' ) );

But later on the file is actually moved to the destination by
move_uploaded_file(), which basically does the same check as
is_uploaded_file(), and there is no way to override it.

Our file is not uploaded; it is constructed out of chunks, and in the
end, in order to avoid code duplication, we wanted to pass it to
wp_handle_upload().

It doesn't make sense - if the file is already checked once for upload,
isn't it more logical to use a mere rename() later on, rather than an
implicit move_uploaded_file()?

Davit Barbakadze
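
Added example, not part of the original message and not WordPress code: a file assembled on the server from chunks fails both is_uploaded_file() and move_uploaded_file(), so a rename()-based move needs its own source-path check in place of the one those functions provide. The function move_assembled_file() and the staging/uploads directory names are hypothetical.

```php
<?php
// Added example; move_assembled_file() and the directory layout are hypothetical.
function move_assembled_file(string $src, string $stagingDir, string $destDir, string $name): string
{
    $realSrc     = realpath($src);
    $realStaging = realpath($stagingDir);
    if ($realSrc === false || $realStaging === false || !is_file($realSrc)) {
        throw new RuntimeException('Source file not found.');
    }
    // Stand-in for the is_uploaded_file() guarantee: after symlinks are
    // resolved, the source must sit inside our own staging directory.
    if (strncmp($realSrc, $realStaging . DIRECTORY_SEPARATOR, strlen($realStaging) + 1) !== 0) {
        throw new RuntimeException('Source file is outside the staging directory.');
    }
    // Strip any directory components from the requested destination name.
    $target = $destDir . DIRECTORY_SEPARATOR . basename($name);
    if (!rename($realSrc, $target)) {
        throw new RuntimeException('Could not move file.');
    }
    return $target;
}

// Constructed sample input: two "chunks" appended by the server itself.
$base    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'chunk-demo-' . bin2hex(random_bytes(4));
$staging = $base . DIRECTORY_SEPARATOR . 'staging';
$dest    = $base . DIRECTORY_SEPARATOR . 'uploads';
mkdir($staging, 0700, true);
mkdir($dest, 0700, true);
$assembled = $staging . DIRECTORY_SEPARATOR . 'assembled.bin';
file_put_contents($assembled, 'chunk-1;');
file_put_contents($assembled, 'chunk-2;', FILE_APPEND);

// Neither function accepts the file: it did not arrive via HTTP POST.
var_dump(is_uploaded_file($assembled));
var_dump(@move_uploaded_file($assembled, $dest . DIRECTORY_SEPARATOR . 'photo.bin'));

// The path-checked rename() moves the staged file...
echo move_assembled_file($assembled, $staging, $dest, 'photo.bin'), PHP_EOL;

// ...and refuses a file that lives outside the staging directory.
$outside = $base . DIRECTORY_SEPARATOR . 'outside.txt';
file_put_contents($outside, 'not staged');
try {
    move_assembled_file($outside, $staging, $dest, 'x.txt');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```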

