Avoid the use of $_REQUEST in install.php

diff --git a/wcfsetup/install.php b/wcfsetup/install.php
index 4bbda85e9b7b9a6f5b67456083d3cda848d8f8ad..5aac593184610d57f1f81d7ea01c61d5b678bd46 100644 (file)
--- a/wcfsetup/install.php
+++ b/wcfsetup/install.php
@@ -1182,18 +1182,18 @@ class GZipFile extends File {
        }
 }
 
-// let's go
-// get temp file prefix
-if (isset($_REQUEST['tmpFilePrefix'])) {
-       $prefix = preg_replace('/[^a-f0-9_]+/', '', $_REQUEST['tmpFilePrefix']);
-}
-else {
-       $prefix = \bin2hex(\random_bytes(4));
-}
-define('TMP_FILE_PREFIX', $prefix);
+// Bootstrap Setup.
+
+$prefix = $_GET['tmpFilePrefix'] ?? $_POST['tmpFilePrefix'] ?? \bin2hex(\random_bytes(4));
+\define(
+       'TMP_FILE_PREFIX',
+       \preg_replace('/[^a-f0-9_]+/', '', $prefix)
+);
 
-// try to find the temp folder
-define('TMP_DIR', BasicFileUtil::getInstallTempFolder());
+\define(
+       'TMP_DIR',
+       BasicFileUtil::getInstallTempFolder()
+);
 
 // check whether setup files are already unzipped
 if (!file_exists(TMP_DIR . 'install/files/lib/system/WCFSetup.class.php')) {