Contact Form 7 - Version 5.0.4

Version Description

  • Specifies the capability_type argument explicitly in the register_post_type() call to fix a privilege escalation vulnerability.
  • Local File Attachment no longer accepts absolute file paths that refer to files outside the wp-content directory.
  • Config Validator adds a test item to detect invalid file attachment settings.
  • Fixes a bug in the JavaScript fallback function for legacy browsers that do not support the HTML5 placeholder attribute.
  • Acceptance Checkbox unsets the form-tag's do-not-store feature.

Release Info

Developer takayukister
Version 5.0.4

Code changes from version 5.0.3 to 5.0.4

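--- a/admin/admin.php
+++ b/admin/admin.php
@@ -613,7 +613,7 @@ function wpcf7_notice_bulk_validate_config() {
 }
 
 $result = WPCF7::get_option( 'bulk_validate' );
-$last_important_update = '4.9';
+$last_important_update = '5.0.4';
 
 if ( ! empty( $result['version'] )
 && version_compare( $last_important_update, $result['version'], '<=' ) ) {
@@ -622,12 +622,20 @@ function wpcf7_notice_bulk_validate_config() {
 
 $link = add_query_arg(
 array( 'action' => 'validate' ),
-menu_page_url( 'wpcf7', false ) );
+menu_page_url( 'wpcf7', false )
+);
 
-$link = sprintf( '<a href="%s">%s</a>', $link, esc_html( __( 'Validate Contact Form 7 Configuration', 'contact-form-7' ) ) );
+$link = sprintf(
+'<a href="%1$s">%2$s</a>',
+esc_url( $link ),
+esc_html( __( 'Validate Contact Form 7 Configuration', 'contact-form-7' ) )
+);
 
 $message = __( "Misconfiguration leads to mail delivery failure or other troubles. Validate your contact forms now.", 'contact-form-7' );
 
-echo sprintf( '<div class="notice notice-warning"><p>%s &raquo; %s</p></div>',
-esc_html( $message ), $link );
+echo sprintf(
+'<div class="notice notice-warning"><p>%1$s &raquo; %2$s</p></div>',
+esc_html( $message ),
+$link
+);
 }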
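Review bot: `$last_important_update = '5.0.4'` on new line 616 is a magic string whose meaning — the last release whose Config Validator rules changed, so that sites last validated on an older version are nagged again — is stated nowhere, and it must be bumped by hand every time a validator test is added (this release adds `error_file_not_in_content_dir`). A comment such as `// Bump whenever a release adds or changes a Config Validator test; sites last validated before it get the notice again.` would keep the next validator change from shipping without the reminder. The branch under `version_compare( $last_important_update, $result['version'], '<=' )` ends outside the hunk, so its effect is inferred from the surrounding notice logic. The `esc_url()` on the link target at line 630 is a good addition; `echo sprintf( ... )` on lines 636-640 would read more naturally as `printf( ... )`.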
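--- a/admin/edit-contact-form.php
+++ b/admin/edit-contact-form.php
@@ -187,23 +187,10 @@ if ( $post ) :
 __( 'https://wordpress.org/support/plugin/contact-form-7/', 'contact-form-7' ),
 __( 'Support Forums', 'contact-form-7' )
 ); ?></li>
-<?php
-$pro_service_langs = array(
-'en', // English
-'de', // German
-'fr', // French
-'es', // Spanish
-);
-
-if ( in_array( substr( get_user_locale(), 0, 2 ), $pro_service_langs ) ) :
-?>
 <li><?php echo wpcf7_link(
 __( 'https://contactform7.com/custom-development/', 'contact-form-7' ),
 __( 'Professional Services', 'contact-form-7' )
 ); ?></li>
-<?php
-endif;
-?>
 </ol>
 </div>
 </div><!-- #informationdiv -->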
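--- a/includes/config-validator.php
+++ b/includes/config-validator.php
@@ -12,6 +12,7 @@ class WPCF7_ConfigValidator {
 const error_unavailable_names = 107;
 const error_invalid_mail_header = 108;
 const error_deprecated_settings = 109;
+const error_file_not_in_content_dir = 110;
 
 public static function get_doc_link( $error_code = '' ) {
 $url = __( 'https://contactform7.com/configuration-errors/',
@@ -501,6 +502,9 @@ class WPCF7_ConfigValidator {
 $this->detect_maybe_empty( sprintf( '%s.body', $template ), $body );
 
 if ( '' !== $components['attachments'] ) {
+$has_file_not_found = false;
+$has_file_not_in_content_dir = false;
+
 foreach ( explode( "\n", $components['attachments'] ) as $line ) {
 $line = trim( $line );
 
@@ -508,8 +512,15 @@ class WPCF7_ConfigValidator {
 continue;
 }
 
-$this->detect_file_not_found(
-sprintf( '%s.attachments', $template ), $line );
+$has_file_not_found = $this->detect_file_not_found(
+sprintf( '%s.attachments', $template ), $line
+);
+
+if ( ! $has_file_not_found && ! $has_file_not_in_content_dir ) {
+$has_file_not_in_content_dir = $this->detect_file_not_in_content_dir(
+sprintf( '%s.attachments', $template ), $line
+);
+}
 }
 }
 }
@@ -559,6 +570,23 @@ class WPCF7_ConfigValidator {
 return false;
 }
 
+public function detect_file_not_in_content_dir( $section, $content ) {
+$path = path_join( WP_CONTENT_DIR, $content );
+
+if ( 0 !== strpos( realpath( $path ), WP_CONTENT_DIR ) ) {
+return $this->add_error( $section,
+self::error_file_not_in_content_dir,
+array(
+'message' =>
+__( "It is not allowed to use files outside the wp-content directory.", 'contact-form-7' ),
+'link' => self::get_doc_link( 'file_not_in_content_dir' ),
+)
+);
+}
+
+return false;
+}
+
 public function validate_messages() {
 $messages = (array) $this->contact_form->prop( 'messages' );
 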
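Review bot: `detect_file_not_in_content_dir()` (new lines 573-588) compares the symlink-resolved `realpath( $path )` against the unresolved `WP_CONTENT_DIR` constant with a bare prefix match, so a wp-content reached through a symlink flags every attachment as outside the directory, while a sibling such as `wp-content-old/` passes because the string starts with `.../wp-content`. Resolve the base the same way and require a directory separator after it: `$base = rtrim( realpath( WP_CONTENT_DIR ), '/\\' ) . DIRECTORY_SEPARATOR;` and `if ( false === realpath( $path ) || 0 !== strpos( realpath( $path ), $base ) ) {`. This is the same test `WPCF7_Mail` applies when it decides what to attach, so the two should call one shared helper rather than carry separate copies that can drift and make the validator report a file the mailer then drops, or vice versa. A short docblock stating that `$content` is one trimmed line from the attachments setting and that the method returns the `add_error()` result or `false` would also help, since the loop on lines 515-523 relies on that return value.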
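--- a/includes/contact-form.php
+++ b/includes/contact-form.php
@@ -33,6 +33,8 @@ class WPCF7_ContactForm {
 ),
 'rewrite' => false,
 'query_var' => false,
+'public' => false,
+'capability_type' => 'page',
 ) );
 }
 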
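Review bot: The new `'capability_type' => 'page'` on line 37 ties every contact-form operation to the page capabilities, so any role holding `edit_pages`, `publish_pages` or `edit_others_pages` can now create and edit forms — including mail templates and local attachment paths — and nothing in the hunk records why `page` was chosen over a dedicated capability. Since the changelog names this as the privilege-escalation fix, a comment should pin the intent, e.g. `// Explicit capability_type: inherit page capabilities instead of the 'post' default so lower-privileged roles cannot manage forms.`; if a narrower audience is wanted, the `capabilities` argument with plugin-specific caps expresses it directly. `show_ui` defaults to the value of `public`, so the `'public' => false` on line 36 hides the generic post-type UI unless it is set explicitly in the part of the `register_post_type()` call outside this hunk — presumably intended, since the plugin ships its own admin page, but worth confirming.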
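--- a/includes/js/scripts.js
+++ b/includes/js/scripts.js
@@ -46,12 +46,16 @@
 var $form = $( form );
 
 $form.submit( function( event ) {
-if ( typeof window.FormData !== 'function' ) {
-return;
+if ( ! wpcf7.supportHtml5.placeholder ) {
+$( '[placeholder].placeheld', $form ).each( function( i, n ) {
+$( n ).val( '' ).removeClass( 'placeheld' );
+} );
 }
 
-wpcf7.submit( $form );
-event.preventDefault();
+if ( typeof window.FormData === 'function' ) {
+wpcf7.submit( $form );
+event.preventDefault();
+}
 } );
 
 $( '.wpcf7-submit', $form ).after( '<span class="ajax-loader"></span>' );
@@ -193,10 +197,6 @@
 
 $( '.ajax-loader', $form ).addClass( 'is-active' );
 
-$( '[placeholder].placeheld', $form ).each( function( i, n ) {
-$( n ).val( '' );
-} );
-
 wpcf7.clearResponse( $form );
 
 var formData = new FormData( $form.get( 0 ) );
@@ -312,9 +312,11 @@
 wpcf7.toggleSubmit( $form );
 }
 
-$form.find( '[placeholder].placeheld' ).each( function( i, n ) {
-$( n ).val( $( n ).attr( 'placeholder' ) );
-} );
+if ( ! wpcf7.supportHtml5.placeholder ) {
+$form.find( '[placeholder].placeheld' ).each( function( i, n ) {
+$( n ).val( $( n ).attr( 'placeholder' ) );
+} );
+}
 
 $message.html( '' ).append( data.message ).slideDown( 'fast' );
 $message.attr( 'role', 'alert' );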
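Review bot: The submit handler's fallback (new lines 49-53) now strips the `placeheld` class when it blanks a field, but the restore loop after the response (new lines 315-319) still selects `[placeholder].placeheld`, which matches nothing by then, so on browsers without native placeholder support the fields stay empty after an AJAX round-trip unless the class is re-added somewhere outside these hunks. Either keep the class on submit as the removed line 197 did — `$( n ).val( '' );` — or restore by value rather than class: `$form.find( '[placeholder]' ).filter( function() { return '' === $( this ).val(); } ).each( function( i, n ) { $( n ).val( $( n ).attr( 'placeholder' ) ).addClass( 'placeheld' ); } );`. `wpcf7.supportHtml5` is read in both new branches but defined outside the hunks, and the response handler that contains the third hunk begins before it.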
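--- a/includes/mail.php
+++ b/includes/mail.php
@@ -174,6 +174,11 @@ class WPCF7_Mail {
 
 $path = path_join( WP_CONTENT_DIR, $line );
 
+if ( 0 !== strpos( realpath( $path ), WP_CONTENT_DIR ) ) {
+// $path is out of WP_CONTENT_DIR
+continue;
+}
+
 if ( is_readable( $path ) && is_file( $path ) ) {
 $attachments[] = $path;
 }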
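Review bot: The containment check on new line 177 compares the symlink-resolved `realpath( $path )` against the raw `WP_CONTENT_DIR` with a bare prefix match, which fails in both directions: if wp-content is reached through a symlink the resolved path never starts with the unresolved constant and every attachment is silently dropped, and a sibling such as `.../wp-content-old/secret` is accepted because the string begins with `.../wp-content`. Resolve the base the same way and compare against it with a trailing separator, and test the `false` that `realpath()` returns for a missing file explicitly instead of relying on `strpos( false, ... )` degrading to an empty haystack. The `foreach` over attachment lines and the enclosing method begin before this hunk.
```php
$content_dir = realpath( WP_CONTENT_DIR );
$real_path = realpath( $path );

if ( false === $content_dir || false === $real_path
|| 0 !== strpos( $real_path, rtrim( $content_dir, '/\\' ) . DIRECTORY_SEPARATOR ) ) {
	// $path does not exist or resolves outside WP_CONTENT_DIR
	continue;
}

// … unchanged: is_readable()/is_file() check and $attachments[] append …
```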
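--- a/modules/acceptance.php
+++ b/modules/acceptance.php
@@ -12,7 +12,6 @@ function wpcf7_add_form_tag_acceptance() {
 'wpcf7_acceptance_form_tag_handler',
 array(
 'name-attr' => true,
-'do-not-store' => true,
 )
 );
 }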
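--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://contactform7.com/donate/
 Tags: contact, form, contact form, feedback, email, ajax, captcha, akismet, multilingual
 Requires at least: 4.8
 Tested up to: 4.9
-Stable tag: 5.0.3
+Stable tag: 5.0.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -74,6 +74,14 @@ Do you have questions or issues with Contact Form 7? Use these support channels
 
 For more information, see [Releases](https://contactform7.com/category/releases/).
 
+= 5.0.4 =
+
+* Specifies the capability_type argument explicitly in the register_post_type() call to fix the privilege escalation vulnerability issue.
+* Local File Attachment – disallows the specifying of absolute file paths referring to files outside the wp-content directory.
+* Config Validator – adds a test item to detect invalid file attachment settings.
+* Fixes a bug in the JavaScript fallback function for legacy browsers that do not support the HTML5 placeholder attribute.
+* Acceptance Checkbox – unsets the form-tag's do-not-store feature.
+
 = 5.0.3 =
 
 * CSS: Applies the "not-allowed" cursor style to submit buttons in the "disabled" state.
@@ -113,3 +121,9 @@ For more information, see [Releases](https://contactform7.com/category/releases/
 * New special mail tags: [_site_title], [_site_description], [_site_url], [_site_admin_email], [_invalid_fields], [_user_login], [_user_email], [_user_url], [_user_first_name], [_user_last_name], [_user_nickname], and [_user_display_name]
 * New filter hooks: wpcf7_upload_file_name, wpcf7_autop_or_not, wpcf7_posted_data_{$type}, and wpcf7_mail_tag_replaced_{$type}
 * New form-tag features: zero-controls-container and not-for-mail
+
+== Upgrade Notice ==
+
+= 5.0.4 =
+
+This is a security and maintenance release and we strongly encourage you to update to it immediately. For more information, refer to the [release announcement post](https://contactform7.com/category/releases/).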
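--- a/wp-contact-form-7.php
+++ b/wp-contact-form-7.php
@@ -7,10 +7,10 @@ Author: Takayuki Miyoshi
 Author URI: https://ideasilo.wordpress.com/
 Text Domain: contact-form-7
 Domain Path: /languages/
-Version: 5.0.3
+Version: 5.0.4
 */
 
-define( 'WPCF7_VERSION', '5.0.3' );
+define( 'WPCF7_VERSION', '5.0.4' );
 
 define( 'WPCF7_REQUIRED_WP_VERSION', '4.8' );
 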