From 598d1783def540dc78d9c06b1959db446a05b7f7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Wed, 22 Sep 2021 13:59:54 +0200
Subject: [PATCH] Avoid the use of $_REQUEST in install.php
---
 wcfsetup/install.php | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/wcfsetup/install.php b/wcfsetup/install.php
index 4bbda85e9b..5aac593184 100644
--- a/wcfsetup/install.php
+++ b/wcfsetup/install.php
@@ -1182,18 +1182,18 @@ class GZipFile extends File {
 }
 }

-// let's go
-// get temp file prefix
-if (isset($_REQUEST['tmpFilePrefix'])) {
- $prefix = preg_replace('/[^a-f0-9_]+/', '', $_REQUEST['tmpFilePrefix']);
-}
-else {
- $prefix = \bin2hex(\random_bytes(4));
-}
-define('TMP_FILE_PREFIX', $prefix);
+// Bootstrap Setup.
+
+$prefix = $_GET['tmpFilePrefix'] ?? $_POST['tmpFilePrefix'] ?? \bin2hex(\random_bytes(4));
+\define(
+ 'TMP_FILE_PREFIX',
+ \preg_replace('/[^a-f0-9_]+/', '', $prefix)
+);

-// try to find the temp folder
-define('TMP_DIR', BasicFileUtil::getInstallTempFolder());
+\define(
+ 'TMP_DIR',
+ BasicFileUtil::getInstallTempFolder()
+);

 // check whether setup files are already unzipped
 if (!file_exists(TMP_DIR . 'install/files/lib/system/WCFSetup.class.php')) {
--
2.20.1
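Review bot: The request-supplied `tmpFilePrefix` is still defined as `TMP_FILE_PREFIX` without a type or emptiness check. The `?? \bin2hex(\random_bytes(4))` fallback on the new `$prefix` line only covers an absent parameter. A value sent as an array passes through `\preg_replace()` as an array, and a value made up only of filtered characters leaves the constant as an empty string. How the constant is used is outside this hunk, but presumably it names the installer's temp files, so a non-string or empty prefix is worth rejecting here. One option, if regenerating rather than aborting is acceptable: read with `?? ''`, then `$prefix = \is_string($prefix) ? \preg_replace('/[^a-f0-9_]+/', '', $prefix) : '';` and `\define('TMP_FILE_PREFIX', $prefix !== '' ? $prefix : \bin2hex(\random_bytes(4)));`.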