Custom Contact Forms - Version 6.6.2

Version Description

  • Upgrade WP-API to 1.2.1

Release Info

Developer tlovett1
Version 6.6.2

Code changes from version 6.6.1 to 6.6.2

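--- a/composer.json
+++ b/composer.json
@@ -1,7 +1,7 @@
  {
  "name": "tlovett1/custom-contact-forms",
  "require": {
- "wp-api/wp-api": "dev-master#4e2d780432d934a912721748bcc70d89025c625c"
+ "wp-api/wp-api": "dev-master#96343d710aeb7edb8f4f22dd165991c680eb13db"
  },
  "repositories": [
  {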
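--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
  "Read more about it at http://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
  "This file is @generated automatically"
  ],
- "hash": "976360f57efd5dd53b0f99e3cd2fca0d",
+ "hash": "fa1375958f12619342dfac81a4d9d8cd",
  "packages": [
  {
  "name": "wp-api/wp-api",
@@ -12,10 +12,10 @@
  "source": {
  "type": "git",
  "url": "https://github.com/wp-api/wp-api",
- "reference": "4e2d780432d934a912721748bcc70d89025c625c"
+ "reference": "96343d710aeb7edb8f4f22dd165991c680eb13db"
  },
  "type": "library",
- "time": "2015-03-21 17:03:04"
+ "time": "2015-04-09 18:44:37"
  }
  ],
  "packages-dev": [],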
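--- a/custom-contact-forms.php
+++ b/custom-contact-forms.php
@@ -4,7 +4,7 @@
  * Plugin URI: http://www.taylorlovett.com
  * Description: Build beautiful custom forms the WordPress way. View live previews of your forms while you build them.
  * Author: Taylor Lovett
- * Version: 6.6.1
+ * Version: 6.6.2
  * Author URI: http://www.taylorlovett.com
  */
 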
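--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_i
  Tags: contact form, web form, custom contact form, custom forms, captcha form, contact fields, form mailers, forms
  Requires at least: 3.9
  Tested up to: 4.2
- Stable tag: 6.6.1
+ Stable tag: 6.6.2
  License: GPLv2 or later
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -35,6 +35,9 @@ For questions, feature requests, and support concerning the Custom Contact Forms
 
  == Changelog ==
 
+ = 6.6.2 =
+ * Upgrade WP-API to 1.2.1
+
  = 6.6.1 =
  * Finally fix the bug where we can set our form title as empty
 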
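--- a/vendor/autoload.php
+++ b/vendor/autoload.php
@@ -4,4 +4,4 @@
 
  require_once __DIR__ . '/composer' . '/autoload_real.php';
 
- return ComposerAutoloaderInit5cd081e950d9eb38890c4cbb592fde30::getLoader();
+ return ComposerAutoloaderInitc872d62677b73f8a4b0a099c6f050c87::getLoader();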
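--- a/vendor/composer/autoload_real.php
+++ b/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@
 
  // autoload_real.php @generated by Composer
 
- class ComposerAutoloaderInit5cd081e950d9eb38890c4cbb592fde30
+ class ComposerAutoloaderInitc872d62677b73f8a4b0a099c6f050c87
  {
  private static $loader;
 
@@ -19,9 +19,9 @@ class ComposerAutoloaderInit5cd081e950d9eb38890c4cbb592fde30
  return self::$loader;
  }
 
- spl_autoload_register(array('ComposerAutoloaderInit5cd081e950d9eb38890c4cbb592fde30', 'loadClassLoader'), true, true);
+ spl_autoload_register(array('ComposerAutoloaderInitc872d62677b73f8a4b0a099c6f050c87', 'loadClassLoader'), true, true);
  self::$loader = $loader = new \Composer\Autoload\ClassLoader();
- spl_autoload_unregister(array('ComposerAutoloaderInit5cd081e950d9eb38890c4cbb592fde30', 'loadClassLoader'));
+ spl_autoload_unregister(array('ComposerAutoloaderInitc872d62677b73f8a4b0a099c6f050c87', 'loadClassLoader'));
 
  $map = require __DIR__ . '/autoload_namespaces.php';
  foreach ($map as $namespace => $path) {
@@ -44,7 +44,7 @@ class ComposerAutoloaderInit5cd081e950d9eb38890c4cbb592fde30
  }
  }
 
- function composerRequire5cd081e950d9eb38890c4cbb592fde30($file)
+ function composerRequirec872d62677b73f8a4b0a099c6f050c87($file)
  {
  require $file;
  }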
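--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -6,7 +6,7 @@
  "source": {
  "type": "git",
  "url": "https://github.com/wp-api/wp-api",
- "reference": "4e2d780432d934a912721748bcc70d89025c625c"
+ "reference": "96343d710aeb7edb8f4f22dd165991c680eb13db"
  },
  "type": "library",
  "installation-source": "source"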
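--- a/vendor/wp-api/wp-api/CHANGELOG.md
+++ b/vendor/wp-api/wp-api/CHANGELOG.md
@@ -1,5 +1,13 @@
  # Changelog
 
+ ## 1.2.1
+
+ - Fix information disclosure security vulnerability.
+
+ Unauthenticated users could access revisions of published and unpublished posts. Revisions are now only accessible to authenticated users with permission to edit the revision's post.
+
+ Reported by @chredd on 2015-04-09.
+
  ## 1.2.0
 
  - Add handling for Cross-Origin Resource Sharing (CORS) OPTIONS requests.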
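--- a/vendor/wp-api/wp-api/lib/class-wp-json-media.php
+++ b/vendor/wp-api/wp-api/lib/class-wp-json-media.php
@@ -434,7 +434,7 @@ class WP_JSON_Media extends WP_JSON_Posts {
  // Already verified in preinsert_check()
  $thumbnail = $this->get_post( $data['featured_image'], 'child' );
 
- set_post_thumbnail( $post['ID'], $thumbnail['ID'] );
+ set_post_thumbnail( $post['ID'], $thumbnail->data['ID'] );
  }
  }
 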
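Review bot: The new `$thumbnail->data['ID']` dereferences the result of `$this->get_post()` without checking for failure, relying only on the comment "Already verified in preinsert_check()". The `get_post()` hunk in class-wp-json-posts.php in this same release returns a `WP_Error` on an invalid ID or a denied permission, and it now checks `'inherit'` posts against their parent, so a lookup that passed earlier is not guaranteed to pass here (whether `preinsert_check()` goes through the same path is not visible). A guard such as `if ( is_wp_error( $thumbnail ) ) { return $thumbnail; }` before the `set_post_thumbnail()` call would keep an error object from being read as a response. The enclosing method starts and ends outside the hunk.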
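--- a/vendor/wp-api/wp-api/lib/class-wp-json-posts.php
+++ b/vendor/wp-api/wp-api/lib/class-wp-json-posts.php
@@ -271,7 +271,17 @@ class WP_JSON_Posts {
  return new WP_Error( 'json_post_invalid_id', __( 'Invalid post ID.' ), array( 'status' => 404 ) );
  }
 
- if ( ! json_check_post_permission( $post, 'read' ) ) {
+ $checked_permission = 'read';
+ if ( 'inherit' === $post['post_status'] && $post['post_parent'] > 0 ) {
+ $checked_post = get_post( $post['post_parent'], ARRAY_A );
+ if ( 'revision' === $post['post_type'] ) {
+ $checked_permission = 'edit';
+ }
+ } else {
+ $checked_post = $post;
+ }
+
+ if ( ! json_check_post_permission( $checked_post, $checked_permission ) ) {
  return new WP_Error( 'json_user_cannot_read', __( 'Sorry, you cannot read this post.' ), array( 'status' => 401 ) );
  }
 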
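Review bot: `get_post( $post['post_parent'], ARRAY_A )` in the new `'inherit'` branch returns null when the parent row no longer exists, and `$checked_post` is then handed to `json_check_post_permission()` unvalidated. How that helper treats a null post is not visible here, so the branch should fail closed before the permission call, e.g. `if ( empty( $checked_post ) ) { return new WP_Error( 'json_user_cannot_read', __( 'Sorry, you cannot read this post.' ), array( 'status' => 401 ) ); }`. The stricter `'edit'` capability is also selected only inside the parent branch, so a revision with `post_parent` of 0, if one exists, would fall to the `else` and be checked with `'read'` against itself. Setting `$checked_permission = 'edit'` whenever `'revision' === $post['post_type']`, independently of the parent lookup, would close that gap. The enclosing method starts and ends outside the hunk.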
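--- a/vendor/wp-api/wp-api/lib/class-wp-json-server.php
+++ b/vendor/wp-api/wp-api/lib/class-wp-json-server.php
@@ -700,7 +700,7 @@ class WP_JSON_Server implements WP_JSON_ResponseHandler {
  * @deprecated
  * @param string $email Email address
  * @return string url for the user's avatar
- */
+ */
  public function get_avatar_url( $email ) {
  _deprecated_function( __CLASS__ . '::' . __METHOD__, 'WPAPI-1.1', 'json_get_avatar_url' );
 
@@ -741,4 +741,4 @@ class WP_JSON_Server implements WP_JSON_ResponseHandler {
 
  return $headers;
  }
- }
+ }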
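--- a/vendor/wp-api/wp-api/plugin.php
+++ b/vendor/wp-api/wp-api/plugin.php
@@ -2,7 +2,7 @@
  /**
  * Plugin Name: WP REST API
  * Description: JSON-based REST API for WordPress, developed as part of GSoC 2013.
- * Version: 1.2.0
+ * Version: 1.2.1
  * Author: WP REST API Team
  * Author URI: http://wp-api.org/
  * Plugin URI: https://github.com/WP-API/WP-API
@@ -13,7 +13,7 @@
  *
  * @var string
  */
- define( 'JSON_API_VERSION', '1.2.0' );
+ define( 'JSON_API_VERSION', '1.2.1' );
 
  /**
  * Include our files for the API.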
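--- a/vendor/wp-api/wp-api/tests/test-json-post-revisions.php
+++ b/vendor/wp-api/wp-api/tests/test-json-post-revisions.php
@@ -78,4 +78,18 @@ class WP_Test_JSON_Post_Revisions extends WP_UnitTestCase {
 
  }
 
- }
+ public function test_access_single_revision() {
+
+ wp_set_current_user( 0 );
+ $response = $this->endpoint->get_post( $this->revision_id );
+ $this->assertErrorResponse( 'json_user_cannot_read', $response, 401 );
+
+ wp_set_current_user( $this->author );
+ $response = $this->endpoint->get_post( $this->revision_id );
+ $this->assertNotInstanceOf( 'WP_Error', $response );
+ $response = json_ensure_response( $response );
+ $this->assertEquals( 200, $response->get_status() );
+
+ }
+
+ }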
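Review bot: `test_access_single_revision` covers only the anonymous user (`wp_set_current_user( 0 )`) and `$this->author`, so it pins the logged-out/logged-in distinction but not the capability check the fix introduces. The case that matters for the disclosure is an authenticated user without edit rights on the parent post. A third block that switches to a low-privilege account (created in the fixture setup, which is outside this hunk) and asserts `$this->assertErrorResponse( 'json_user_cannot_read', $response, 401 );` would cover it. Since the changelog names both published and unpublished posts, a revision of an unpublished post deserves its own assertion as well.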
vendor/wp-api/wp-api/tests/test-json-posts.php CHANGED
@@ -647,6 +647,14 @@ class WP_Test_JSON_Posts extends WP_Test_JSON_TestCase {
647
  $this->check_get_post_response( $response, $edited_post );
648
  }
649
 
 
 
 
 
 
 
 
 
650
  function test_edit_post_without_permission() {
651
  $data = $this->set_data( array( 'ID' => $this->post_id ) ) ;
652
 
647
  $this->check_get_post_response( $response, $edited_post );
648
  }
649
 
650
+ function test_edit_post_set_empty_title() {
651
+ $data = $this->set_data( array( 'ID' => $this->post_id, 'title' => '' ) ) ;
652
+ $this->endpoint->edit_post( $this->post_id, $data );
653
+
654
+ // Check that we have an empty title
655
+ $this->assertEquals( '', get_the_title( $this->post_id ) );
656
+ }
657
+
658
  function test_edit_post_without_permission() {
659
  $data = $this->set_data( array( 'ID' => $this->post_id ) ) ;
660