check temp path before deleting files in __destruct to avoid Object Injection

[mcdruid]

Description

See #663

Manual testing steps

You can test this manually via cli in various ways, or by doing something crude like adding this to the end of the main index.php

if (isset($_GET['payload'])) {
  unserialize(urldecode($_GET['payload']));
}

This simulates a PHP Object Injection vulnerability.

You can then pass the payload as a query param, and check whether the target file has been deleted.

e.g. here's a urlencoded payload to remove a test file called now_you_see_me.txt in the docroot:

curl -si http://silverstripe.ddev.site/?payload=O%3A39%3A%22SilverStripe%5CAssets%5CInterventionBackend%22%3A1%3A%7Bs%3A49%3A%22%00SilverStripe%5CAssets%5CInterventionBackend%00tempPath%22%3Bs%3A18%3A%22now_you_see_me.txt%22%3B%7D

Issues

• Harden InterventionBackend against abuse via PHP Object Injection #663

Pull request checklist

• The target branch is correct
  • See picking the right version
• All commits are relevant to the purpose of the PR (e.g. no debug statements, unrelated refactoring, or arbitrary linting)
  • Small amounts of additional linting are usually okay, but if it makes it hard to concentrate on the relevant changes, ask for the unrelated changes to be reverted, and submitted as a separate PR.
• The commit messages follow our commit message guidelines
• The PR follows our contribution guidelines
• Code changes follow our coding conventions
• This change is covered with tests (or tests aren't necessary for this change)
• Any relevant User Help/Developer documentation is updated; for impactful changes, information is added to the changelog for the intended release
• CI is green

[emteknetnz]

Could you create a private const TEMP_FILE_PREFIX = 'interventionimage_'; and use that instead of the hardcoded string, and also update line 261 $path = tempnam($tempPath ?? '', 'interventionimage_'); to use the const

[emteknetnz]

Suggested change

}