Temporary files naming logic in PHPWord_Template can lead to a collision (GH-38)

Progi1984 · Progi1984 · commit 95f16cc3a5ab · 2013-12-15T14:58:44.000+01:00
diff --git a/Classes/PHPWord/Template.php b/Classes/PHPWord/Template.php
@@ -63,18 +63,20 @@ class PHPWord_Template {
      * @param string $strFilename
      */
     public function __construct($strFilename) {
-        $path = dirname($strFilename);
-        $this->_tempFileName = $path.DIRECTORY_SEPARATOR.time().'.docx';
+        $this->_tempFileName = tempnam(sys_get_temp_dir(), '');
+        if ($this->_tempFileName !== false) {
+          // Copy the source File to the temp File
+          if(!copy($strFilename, $this->_tempFileName)){
+            throw new PHPWord_Exception('Could not copy the template from '.$strFilename.' to '.$this->_tempFileName.'.');
+          }
 
-        // Copy the source File to the temp File
-        if(!copy($strFilename, $this->_tempFileName)){
-          throw new PHPWord_Exception('Could not copy the template from '.$strFilename.' to '.$this->_tempFileName.'.');
-        }
+          $this->_objZip = new ZipArchive();
+          $this->_objZip->open($this->_tempFileName);
 
-        $this->_objZip = new ZipArchive();
-        $this->_objZip->open($this->_tempFileName);
-        
-        $this->_documentXML = $this->_objZip->getFromName('word/document.xml');
+          $this->_documentXML = $this->_objZip->getFromName('word/document.xml');
+        } else {
+          throw new PHPWord_Exception('Could not create temporary file with unique name in the default temporary directory.');
+        }
     }
     
     /**
diff --git a/changelog.txt b/changelog.txt
@@ -23,8 +23,9 @@
 **************************************************************************************
 
 Fixed in branch for release 0.7 :
-- Bugfix:   (RomanSyroeshko)  GH-34             - PHPWord_Shared_String.IsUTF8 returns FALSE for Cyrillic UTF-8 input
 - Bugfix:   (RomanSyroeshko)  GH-32             - "Warning: Invalid error type specified in ...\PHPWord.php on line 226" is thrown when the specified template file is not found
+- Bugfix:   (RomanSyroeshko)  GH-34             - PHPWord_Shared_String.IsUTF8 returns FALSE for Cyrillic UTF-8 input
+- Bugfix:   (RomanSyroeshko)  GH-38             - Temporary files naming logic in PHPWord_Template can lead to a collision
 - Feature:  (Progi1984)       GH-1              - Implement RTF Writer
 - Feature:  (Progi1984)       GH-2              - Implement ODT Writer
 - Feature:  (kaystrobach)                       - Word2007 : Add rowspan and colspan to cells
