Contact Form 7 - Version 5.0.4

Version Description

  • Specifies the capability_type argument explicitly in the register_post_type() call to fix the privilege escalation vulnerability issue.
  • Local File Attachment no longer allows absolute file paths that refer to files outside the wp-content directory.
  • Config Validator adds a test item to detect invalid file attachment settings.
  • Fixes a bug in the JavaScript fallback function for legacy browsers that do not support the HTML5 placeholder attribute.
  • Acceptance Checkbox unsets the form-tag's do-not-store feature.

Release Info

Developer takayukister
Version 5.0.4

Code changes from version 5.0.3 to 5.0.4

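--- a/admin/admin.php
+++ b/admin/admin.php
@@ -613,7 +613,7 @@ function wpcf7_notice_bulk_validate_config() {
 }
 
 $result = WPCF7::get_option( 'bulk_validate' );
-$last_important_update = '4.9';
+$last_important_update = '5.0.4';
 
 if ( ! empty( $result['version'] )
 && version_compare( $last_important_update, $result['version'], '<=' ) ) {
@@ -622,12 +622,20 @@ function wpcf7_notice_bulk_validate_config() {
 
 $link = add_query_arg(
 array( 'action' => 'validate' ),
-menu_page_url( 'wpcf7', false ) );
+menu_page_url( 'wpcf7', false )
+);
 
-$link = sprintf( '<a href="%s">%s</a>', $link, esc_html( __( 'Validate Contact Form 7 Configuration', 'contact-form-7' ) ) );
+$link = sprintf(
+'<a href="%1$s">%2$s</a>',
+esc_url( $link ),
+esc_html( __( 'Validate Contact Form 7 Configuration', 'contact-form-7' ) )
+);
 
 $message = __( "Misconfiguration leads to mail delivery failure or other troubles. Validate your contact forms now.", 'contact-form-7' );
 
-echo sprintf( '<div class="notice notice-warning"><p>%s &raquo; %s</p></div>',
-esc_html( $message ), $link );
+echo sprintf(
+'<div class="notice notice-warning"><p>%1$s &raquo; %2$s</p></div>',
+esc_html( $message ),
+$link
+);
 }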
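Review bot: The `$link` passed as the second argument of the final `sprintf` is echoed into HTML without an escaping call on that line, which is correct only because it was assembled two statements earlier from `esc_url()` and `esc_html()` output; anyone auditing this function for unescaped output will have to trace that back. A one-line comment above the `echo`, `// $link is already escaped (esc_url + esc_html above)`, makes the intent explicit, and `echo sprintf(` can simply become `printf(`. The function `wpcf7_notice_bulk_validate_config()` begins before this hunk.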
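--- a/admin/edit-contact-form.php
+++ b/admin/edit-contact-form.php
@@ -187,23 +187,10 @@ if ( $post ) :
 __( 'https://wordpress.org/support/plugin/contact-form-7/', 'contact-form-7' ),
 __( 'Support Forums', 'contact-form-7' )
 ); ?></li>
-<?php
-$pro_service_langs = array(
-'en', // English
-'de', // German
-'fr', // French
-'es', // Spanish
-);
-
-if ( in_array( substr( get_user_locale(), 0, 2 ), $pro_service_langs ) ) :
-?>
 <li><?php echo wpcf7_link(
 __( 'https://contactform7.com/custom-development/', 'contact-form-7' ),
 __( 'Professional Services', 'contact-form-7' )
 ); ?></li>
-<?php
-endif;
-?>
 </ol>
 </div>
 </div><!-- #informationdiv -->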
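--- a/includes/config-validator.php
+++ b/includes/config-validator.php
@@ -12,6 +12,7 @@ class WPCF7_ConfigValidator {
 const error_unavailable_names = 107;
 const error_invalid_mail_header = 108;
 const error_deprecated_settings = 109;
+const error_file_not_in_content_dir = 110;
 
 public static function get_doc_link( $error_code = '' ) {
 $url = __( 'https://contactform7.com/configuration-errors/',
@@ -501,6 +502,9 @@ class WPCF7_ConfigValidator {
 $this->detect_maybe_empty( sprintf( '%s.body', $template ), $body );
 
 if ( '' !== $components['attachments'] ) {
+$has_file_not_found = false;
+$has_file_not_in_content_dir = false;
+
 foreach ( explode( "\n", $components['attachments'] ) as $line ) {
 $line = trim( $line );
 
@@ -508,8 +512,15 @@ class WPCF7_ConfigValidator {
 continue;
 }
 
-$this->detect_file_not_found(
-sprintf( '%s.attachments', $template ), $line );
+$has_file_not_found = $this->detect_file_not_found(
+sprintf( '%s.attachments', $template ), $line
+);
+
+if ( ! $has_file_not_found && ! $has_file_not_in_content_dir ) {
+$has_file_not_in_content_dir = $this->detect_file_not_in_content_dir(
+sprintf( '%s.attachments', $template ), $line
+);
+}
 }
 }
 }
@@ -559,6 +570,23 @@ class WPCF7_ConfigValidator {
 return false;
 }
 
+public function detect_file_not_in_content_dir( $section, $content ) {
+$path = path_join( WP_CONTENT_DIR, $content );
+
+if ( 0 !== strpos( realpath( $path ), WP_CONTENT_DIR ) ) {
+return $this->add_error( $section,
+self::error_file_not_in_content_dir,
+array(
+'message' =>
+__( "It is not allowed to use files outside the wp-content directory.", 'contact-form-7' ),
+'link' => self::get_doc_link( 'file_not_in_content_dir' ),
+)
+);
+}
+
+return false;
+}
+
 public function validate_messages() {
 $messages = (array) $this->contact_form->prop( 'messages' );
 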
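Review bot: The containment test in the new `detect_file_not_in_content_dir()` compares `realpath( $path )` against the unresolved `WP_CONTENT_DIR` with a bare string-prefix check, so it rejects every attachment when `WP_CONTENT_DIR` itself contains a symlinked component (only one side is canonicalised) and does not reject a sibling directory that merely shares the prefix, such as a `wp-content-backup/` next to `wp-content/`. Canonicalising both sides and comparing against a slash-terminated prefix closes both gaps: `$real = realpath( $path );`, `$content_dir = trailingslashit( realpath( WP_CONTENT_DIR ) );`, `if ( false === $real || 0 !== strpos( $real, $content_dir ) ) {`. The identical guard is duplicated in `includes/mail.php` (the `continue` inside the attachment loop), so the two copies should call one shared helper rather than drift apart. Here the method is only reached after `detect_file_not_found()` returned false, so the `false` that `realpath()` returns for a missing file is not hit, but the mail.php copy relies on `strpos( false, … )` coercing to an empty string and deserves the explicit `false ===` check.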
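--- a/includes/contact-form.php
+++ b/includes/contact-form.php
@@ -33,6 +33,8 @@ class WPCF7_ContactForm {
 ),
 'rewrite' => false,
 'query_var' => false,
+'public' => false,
+'capability_type' => 'page',
 ) );
 }
 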
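Review bot: The two added arguments carry the security fix described in the release notes, but nothing in the code says so, and a later tidy-up of "redundant" post-type options could silently drop them and reopen the issue. A comment above `'capability_type' => 'page',` such as `// 'page' so only roles holding edit_pages/publish_pages can manage forms; the default 'post' mapping is reachable by any role with edit_posts` would anchor the intent; the exact capability set in play depends on the site's role configuration, which is not visible here. `'public' => false` also changes the defaults that several derived options (query visibility, UI exposure) inherit, so it is worth confirming the plugin's own admin screens are unaffected. The `register_post_type()` call begins before this hunk.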
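--- a/includes/js/scripts.js
+++ b/includes/js/scripts.js
@@ -46,12 +46,16 @@
 var $form = $( form );
 
 $form.submit( function( event ) {
-if ( typeof window.FormData !== 'function' ) {
-return;
+if ( ! wpcf7.supportHtml5.placeholder ) {
+$( '[placeholder].placeheld', $form ).each( function( i, n ) {
+$( n ).val( '' ).removeClass( 'placeheld' );
+} );
 }
 
-wpcf7.submit( $form );
-event.preventDefault();
+if ( typeof window.FormData === 'function' ) {
+wpcf7.submit( $form );
+event.preventDefault();
+}
 } );
 
 $( '.wpcf7-submit', $form ).after( '<span class="ajax-loader"></span>' );
@@ -193,10 +197,6 @@
 
 $( '.ajax-loader', $form ).addClass( 'is-active' );
 
-$( '[placeholder].placeheld', $form ).each( function( i, n ) {
-$( n ).val( '' );
-} );
-
 wpcf7.clearResponse( $form );
 
 var formData = new FormData( $form.get( 0 ) );
@@ -312,9 +312,11 @@
 wpcf7.toggleSubmit( $form );
 }
 
-$form.find( '[placeholder].placeheld' ).each( function( i, n ) {
-$( n ).val( $( n ).attr( 'placeholder' ) );
-} );
+if ( ! wpcf7.supportHtml5.placeholder ) {
+$form.find( '[placeholder].placeheld' ).each( function( i, n ) {
+$( n ).val( $( n ).attr( 'placeholder' ) );
+} );
+}
 
 $message.html( '' ).append( data.message ).slideDown( 'fast' );
 $message.attr( 'role', 'alert' );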
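Review bot: The submit handler in the first hunk now strips the `placeheld` class when it blanks placeholder text, but the post-response restore in the last hunk still selects `[placeholder].placeheld`, so on a browser that lacks placeholder support yet has `FormData` the placeholder text would not be put back unless the fallback's blur handler, which is outside this diff, re-adds the class in between. If that browser combination is deliberately unsupported, a comment on the restore loop saying so would settle the question; otherwise the restore should select `[placeholder]` fields whose value is empty and re-add `placeheld` as it writes the text. Both new branches also dereference `wpcf7.supportHtml5.placeholder` unguarded; whether `supportHtml5` is always initialised before these handlers run cannot be confirmed from this diff.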
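--- a/includes/mail.php
+++ b/includes/mail.php
@@ -174,6 +174,11 @@ class WPCF7_Mail {
 
 $path = path_join( WP_CONTENT_DIR, $line );
 
+if ( 0 !== strpos( realpath( $path ), WP_CONTENT_DIR ) ) {
+// $path is out of WP_CONTENT_DIR
+continue;
+}
+
 if ( is_readable( $path ) && is_file( $path ) ) {
 $attachments[] = $path;
 }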
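--- a/modules/acceptance.php
+++ b/modules/acceptance.php
@@ -12,7 +12,6 @@ function wpcf7_add_form_tag_acceptance() {
 'wpcf7_acceptance_form_tag_handler',
 array(
 'name-attr' => true,
-'do-not-store' => true,
 )
 );
 }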
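--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://contactform7.com/donate/
 Tags: contact, form, contact form, feedback, email, ajax, captcha, akismet, multilingual
 Requires at least: 4.8
 Tested up to: 4.9
-Stable tag: 5.0.3
+Stable tag: 5.0.4
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -74,6 +74,14 @@ Do you have questions or issues with Contact Form 7? Use these support channels
 
 For more information, see [Releases](https://contactform7.com/category/releases/).
 
+= 5.0.4 =
+
+* Specifies the capability_type argument explicitly in the register_post_type() call to fix the privilege escalation vulnerability issue.
+* Local File Attachment – disallows the specifying of absolute file paths referring to files outside the wp-content directory.
+* Config Validator – adds a test item to detect invalid file attachment settings.
+* Fixes a bug in the JavaScript fallback function for legacy browsers that do not support the HTML5 placeholder attribute.
+* Acceptance Checkbox – unsets the form-tag's do-not-store feature.
+
 = 5.0.3 =
 
 * CSS: Applies the "not-allowed" cursor style to submit buttons in the "disabled" state.
@@ -113,3 +121,9 @@ For more information, see [Releases](https://contactform7.com/category/releases/
 * New special mail tags: [_site_title], [_site_description], [_site_url], [_site_admin_email], [_invalid_fields], [_user_login], [_user_email], [_user_url], [_user_first_name], [_user_last_name], [_user_nickname], and [_user_display_name]
 * New filter hooks: wpcf7_upload_file_name, wpcf7_autop_or_not, wpcf7_posted_data_{$type}, and wpcf7_mail_tag_replaced_{$type}
 * New form-tag features: zero-controls-container and not-for-mail
+
+== Upgrade Notice ==
+
+= 5.0.4 =
+
+This is a security and maintenance release and we strongly encourage you to update to it immediately. For more information, refer to the [release announcement post](https://contactform7.com/category/releases/).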
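--- a/wp-contact-form-7.php
+++ b/wp-contact-form-7.php
@@ -7,10 +7,10 @@ Author: Takayuki Miyoshi
 Author URI: https://ideasilo.wordpress.com/
 Text Domain: contact-form-7
 Domain Path: /languages/
-Version: 5.0.3
+Version: 5.0.4
 */
 
-define( 'WPCF7_VERSION', '5.0.3' );
+define( 'WPCF7_VERSION', '5.0.4' );
 
 define( 'WPCF7_REQUIRED_WP_VERSION', '4.8' );
 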