Bug #21387

typo3tempgot filled with thousands of EXTERNAL_URL* files

Added by Mittwald CM over 12 years ago. Updated over 3 years ago.

Should have
Target version:
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Is Regression:
Sprint Focus:


If indexing of external URLs is activated then typo3temp will be filled continously with EXTERNAL_URL* files. Sometimes typo3temp dirs out in the wild are found with hundreds of thousands files which may cause a DoS behaviour on filesystems like ext2 or ext3.

A tmpfile is created by
$tmpFile = t3lib_div::tempnam('EXTERNAL_URL').'.html';
which should never be done this way.

1) You should always use a OS/System/Lib-Call for creating temporary files with unique filenames (like t3lib_div::tempnam() does) but you should never change the file's name because it may not be unique any more. PHP's tempnam implementation isn't very secure but that's not the topic here. PHP creates the temporary file which is a MUST to avoid race conditions.
2) tempnam() call was not checked for errors.
3) Only the "tempnam().html" file but not the primary unique file "tempnam()" was deleted. As mentioned above the unique file does already exist because PHP created it.

The appended patch is a possible solution for 2) and 3).

(issue imported from #M12375)


typo3-4.2.8-class.indexer.php.no-external_url-in-typo3temp.patch (1.31 KB) typo3-4.2.8-class.indexer.php.no-external_url-in-typo3temp.patch Administrator Admin, 2009-10-28 11:23
12375.diff (1.03 KB) 12375.diff Administrator Admin, 2010-03-17 16:24

Related issues

Related to TYPO3 Core - Bug #21388: typo3temp got filled with thousands of javascript_* filesRejected2009-10-28


Also available in: Atom PDF