Bug #21387
closed
typo3temp got filled with thousands of EXTERNAL_URL* files
Description
If indexing of external URLs is activated then typo3temp will be filled continuously with EXTERNAL_URL* files. Sometimes typo3temp dirs out in the wild are found with hundreds of thousands of files which may cause a DoS behaviour on filesystems like ext2 or ext3.
A tmpfile is created by
$tmpFile = t3lib_div::tempnam('EXTERNAL_URL').'.html';
which should never be done this way.
1) You should always use an OS/System/Lib-Call for creating temporary files with unique filenames (like t3lib_div::tempnam() does) but you should never change the file's name because it may not be unique any more. PHP's tempnam implementation isn't very secure but that's not the topic here. PHP creates the temporary file which is a MUST to avoid race conditions.
2) tempnam() call was not checked for errors.
3) Only the "tempnam().html" file but not the primary unique file "tempnam()" was deleted. As mentioned above the unique file does already exist because PHP created it.
The appended patch is a possible solution for 2) and 3).
(issue imported from #M12375)
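
The three points of the report handled in one place, as an added example that is not part of the original report or its attached patch. withHtmlTempFile() is a hypothetical helper, and it assumes PHP's built-in tempnam() instead of t3lib_div::tempnam() so that it runs outside TYPO3.

```php
<?php
// Added example, not TYPO3 code. withHtmlTempFile() is a hypothetical helper.

/**
 * Runs $callback with the path of a temporary "*.html" file and removes
 * every file it created afterwards.
 */
function withHtmlTempFile(string $dir, string $content, callable $callback)
{
    // tempnam() creates the unique file itself; check the result (point 2).
    $base = tempnam($dir, 'EXTERNAL_URL');
    if ($base === false) {
        throw new RuntimeException('tempnam() failed in ' . $dir);
    }

    $htmlFile = $base . '.html';
    $created = false;
    try {
        // Mode "x" fails if the derived path already exists, so the renamed
        // file is claimed exclusively instead of assumed unique (point 1).
        $fh = @fopen($htmlFile, 'x');
        if ($fh === false) {
            throw new RuntimeException('Could not create ' . $htmlFile);
        }
        $created = true;
        fwrite($fh, $content);
        fclose($fh);

        return $callback($htmlFile);
    } finally {
        // Delete both files, not only the ".html" one (point 3).
        if ($created) {
            @unlink($htmlFile);
        }
        @unlink($base);
    }
}

// Constructed usage: count matching files before and after the call.
$dir = sys_get_temp_dir();
$before = count(glob($dir . '/EXTERNAL_URL*') ?: []);
$length = withHtmlTempFile($dir, '<html><body>constructed sample</body></html>', function (string $path) {
    return strlen(file_get_contents($path));
});
$after = count(glob($dir . '/EXTERNAL_URL*') ?: []);
printf("read %d bytes, leftover files: %d\n", $length, $after - $before);
```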