Issue with ‘wp-content’ dir check with a symlink

Resolved Jouni Kananen
(@jokanane)

4 years, 5 months ago
Hi,

I’m using the roots.io stack, which is a solid set-up with many years of development.

They set WP_CONTENT_DIR in https://github.com/roots/bedrock/blob/master/config/application.php as..:
```
$root_dir = dirname(__DIR__);
$webroot_dir = $root_dir . '/web';
Config::define('WP_CONTENT_DIR', $webroot_dir . Config::get('CONTENT_DIR'));
```
…which results in something like /srv/www/example.com/releases/20201216105336/web/app.

They retain the last five deployments, which are timestamped. There’s one deployment (typically the latest), which is symlinked as ‘current’.

They keep one copy of ‘uploads’ directory, which is symlinked as ‘shared’ such that any ‘current’ has access to the uploaded files.

Therefore, a file that we’d want to attach in a Contact Form 7 mail resides at, for instance, /srv/www/example.com/releases/20201216105336/web/app/uploads/file.pdf.

That is, however, a symlink to /srv/www/example.com/shared/uploads/file.pdf.

Now, when Contact Form 7 checks that the paths match at..:

1. https://github.com/takayukister/contact-form-7/blob/1789f36fd8d389acceec9694f1f8637ebd2011e1/includes/config-validator.php#L644
2. https://github.com/takayukister/contact-form-7/blob/1789f36fd8d389acceec9694f1f8637ebd2011e1/includes/functions.php#L469

…CF7 ends up comparing a symlink and an actual path, and when CF7 uses realpath() in doing so, the paths differ as the symlink is resolved, and CF7 finally outputs an error “It is not allowed to use files outside the wp-content directory.”

I have worked around this problem by defining UPLOADS in the site’s config, but I’m having a little uneasy feelings as any side-effects to other plugins remain unknown at this stage:
```
Config::define('UPLOADS', '../../../../shared/uploads');
```
I have also tried removing the realpath() calls in the strpos check at https://github.com/takayukister/contact-form-7/blob/1789f36fd8d389acceec9694f1f8637ebd2011e1/includes/functions.php#L469 which also resolves the problem (without having to define UPLOADS).

Do you think that would work for everyone? If so, do you mind making the change, or would you accept a PR if I submit one?

Thanks for your time & thoughts!
- This topic was modified 4 years, 5 months ago by Jouni Kananen.

Viewing 2 replies - 1 through 2 (of 2 total)

Plugin Author Takayuki Miyoshi
(@takayukister)

4 years, 5 months ago

I have worked around this problem by defining UPLOADS in the site’s config, but I’m having a little uneasy feelings as any side-effects to other plugins remain unknown at this stage:

UPLOADS is a constant that WordPress officially supports. If there are WordPress plugins that don’t work well with UPLOADS, what you should fix is the plugins, not Contact Form 7.
Thread Starter Jouni Kananen
(@jokanane)

4 years, 5 months ago
Ok, fair enough.

In the CF7 docs, I saw references to declaring WPCF7_UPLOADS_TMP_DIR but not UPLOADS, which probably added to my uneasiness.

As the source code suggests declaring UPLOADS will work, it would be clearer if this was also documented, for instance on this page (that the actual error message on the dashboard links to): https://contactform7.com/configuration-errors/file-not-in-content-dir/

Apologies if I’ve missed something in the docs.
- This reply was modified 4 years, 5 months ago by Jouni Kananen.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Issue with ‘wp-content’ dir check with a symlink’ is closed to new replies.