safer handling of temporary files with open_basedir (thanks to Thijs Kinkhorst)

ChangeLog

@@ -80,6 +80,7 @@ danbarry
 + [lang] Belarusian update, thanks to Jaska Zedlik 
 + [lang] Norwegian update, thanks to Sven-Erik Andersen 
 + [lang] Italian update, thanks to Luca Rebellato
+- [core] safer handling of temporary files with open_basedir (thanks to Thijs Kinkhorst)
 
 2.11.9.0 (2008-08-28)
 - bug #2031221 [auth] Links to version number on login screen 

libraries/File.class.php

@@ -681,7 +681,7 @@ class PMA_File
                         $tmp_filename = $GLOBALS['cfg']['UploadDir'] . '/' . $_REQUEST['fields_uploadlocal_' . $key]['multi_edit'][$primary];
                         $tmp_file = fopen($tmp_filename, 'r');
                         $tmp_file_size = filesize($tmp_filename);
-                                                
+
                         // check if fileinfo library exists
                         if ($PMA_Config->get('FILEINFO_EXISTS'))
                         {
@@ -936,7 +936,7 @@ class PMA_File
             return false;
         }
 
-        $new_file_to_upload = $GLOBALS['cfg']['TempDir'] . '/' . basename($this->getName());
+        $new_file_to_upload = tempnam(realpath($GLOBALS['cfg']['TempDir']), basename($this->getName()));
 
         // surpress warnings from beeing displayed, but not from beeing logged
         // any file access outside of open_basedir will issue a warning