Plugin: Contact Form 7 » Protection against form hijacking?

  • [Resolved] Matt Bernhardt

    (@morphosis7)


    I am wondering how CF7 can be configured to defend against form hijacking? I built a form with a set of radio buttons that define various recipients, using the pipe syntax to mask the email addresses. The definition was something like:

    [radio your-recipient "Foo|foo@example.org" "Bar|bar@example.org" "None|none@example.org"]

    I was glad to see the pipe syntax as a feature, but then when I loaded the form in my browser and edited the DOM to replace “Foo” with an arbitrary email address, the form happily sent its email message to the address I supplied, and not to foo@example.org.

    Am I missing something in my form definition that would protect against this? I’m concerned about a malicious actor using our webserver to send emails to targets we don’t specify.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Takayuki Miyoshi

    (@takayukister)

    If you want to ensure that the field has one of the predefined values, implement your own custom validation for that.

    https://contactform7.com/2015/03/28/custom-validation/

    Matt Bernhardt

    (@morphosis7)

    In case others find this thread, this is the custom validation function that I’m hoping to deploy later this week (it still needs to pass code review, but tests so far have shown that it works to prevent hijacking of select and radio fields):

    
    /**
     * Implements custom validation for radio and select fields: the submitted
     * value must be one of the options defined in the form tag.
     *
     * @param WPCF7_Validation $result The validation result object.
     * @param WPCF7_FormTag    $tag    The form tag being validated.
     * @return WPCF7_Validation
     * @link https://contactform7.com/2015/03/28/custom-validation/
     * @link https://wordpress.org/support/topic/protection-against-form-hijacking/
     */
    function validate_options( $result, $tag ) {
    	// Check if the field value is not empty (the required-field check already covers emptiness).
    	if ( ! empty( $_POST[ $tag->name ] ) ) {
    		// A select with the "multiple" option posts an array; normalise to a list of values.
    		$values = wp_unslash( $_POST[ $tag->name ] );
    		$values = is_array( $values ) ? $values : array( $values );
    		foreach ( $values as $value ) {
    			// Look up each received value in the array of expected values, with strict comparison.
    			if ( ! is_string( $value ) || ! in_array( $value, $tag->values, true ) ) {
    				$result->invalidate( $tag, 'Unexpected value received' );
    				break;
    			}
    		}
    	}
    	return $result;
    }
    add_filter( 'wpcf7_validate_radio', 'validate_options', 20, 2 );
    add_filter( 'wpcf7_validate_select', 'validate_options', 20, 2 );
    add_filter( 'wpcf7_validate_select*', 'validate_options', 20, 2 );
    
    • This reply was modified 1 year, 5 months ago by  Matt Bernhardt. Reason: edited for typo in function comment

    Takayuki, would you be open to my sending in a patch for this plugin to add this step? Or should this continue to be something that we implement via a custom plugin on our site?

    Plugin Author Takayuki Miyoshi

    (@takayukister)

    No, I don’t think I’ll include patches for this one. Some users like to set field values using front-side JavaScript.
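The following is an added example by the editor, not code from this thread or from Contact Form 7. It models the behaviour Matt observed (a submitted value that matches a "before" in the pipe syntax is swapped for its "after"; anything else passes through unchanged, so an edited DOM value becomes the recipient), then applies two server-side checks: the allow-list validation Takayuki suggested, and a second check at send time that refuses to mail anything whose resolved recipient is not a known mailbox. The pipe model is deliberately simplified (real CF7 also canonicalises whitespace and case). The hook names, `$tag->values`, `$submission->get_posted_data()` and `set_response()` are CF7 API as the editor understands them from the 5.x series; the field name `your-recipient` and the single site-wide option list are assumptions taken from the thread. Note the caveat from Takayuki's last reply: a site that sets field values with front-end JavaScript must add those values to the allow-list or they will be rejected.

```php
<?php
/**
 * Added example (editor's code, not from this thread or from Contact Form 7):
 * a stand-alone model of why the pipe syntax does not stop recipient
 * tampering, plus two server-side checks. Run with: php hijack-check.php
 */

// Constructed input: the option list from the thread's radio tag.
const RECIPIENT_OPTIONS = array(
	'Foo|foo@example.org',
	'Bar|bar@example.org',
	'None|none@example.org',
);

/** Split "before|after" options into array( before => after ); options without a pipe map to themselves. */
function parse_pipes( array $options ) {
	$map = array();
	foreach ( $options as $option ) {
		$parts = explode( '|', $option, 2 );
		$map[ $parts[0] ] = isset( $parts[1] ) ? $parts[1] : $parts[0];
	}
	return $map;
}

/** Simplified model of the pipe transform. Note the fall-through: an unknown value is returned as-is. */
function do_pipe( array $pipes, $input ) {
	return isset( $pipes[ $input ] ) ? $pipes[ $input ] : $input;
}

/**
 * Allow-list check for a submitted radio/select value. Accepts a string or,
 * for a select with the "multiple" option, an array of strings. Empty input
 * is left to CF7's own required-field check.
 */
function is_allowed_choice( $submitted, array $allowed ) {
	$values = is_array( $submitted ) ? $submitted : array( $submitted );
	foreach ( $values as $value ) {
		if ( '' === $value ) {
			continue;
		}
		if ( ! is_string( $value ) || ! in_array( $value, $allowed, true ) ) {
			return false;
		}
	}
	return true;
}

/** Second layer: every address a submission resolves to must be a known mailbox (case-insensitive). */
function recipient_is_allowed( $recipient, array $allowed_addresses ) {
	$allowed = array_map( 'strtolower', $allowed_addresses );
	foreach ( explode( ',', (string) $recipient ) as $address ) {
		$address = strtolower( trim( $address ) );
		if ( '' === $address || ! in_array( $address, $allowed, true ) ) {
			return false;
		}
	}
	return true;
}

// Stand-alone run: an honest submission beside a constructed DOM-edited one.
$pipes     = parse_pipes( RECIPIENT_OPTIONS );
$labels    = array_keys( $pipes );    // what the browser is meant to send
$mailboxes = array_values( $pipes );  // the only addresses mail may go to
foreach ( array( 'Foo', 'attacker@evil.example' ) as $posted ) {
	printf(
		"posted=%-22s piped=%-22s choice_ok=%-3s recipient_ok=%s\n",
		$posted,
		do_pipe( $pipes, $posted ),
		is_allowed_choice( $posted, $labels ) ? 'yes' : 'no',
		recipient_is_allowed( do_pipe( $pipes, $posted ), $mailboxes ) ? 'yes' : 'no'
	);
}

// WordPress wiring; only registers when loaded inside WordPress (plugin or functions.php).
// Hook names and the $tag / $submission calls are CF7 API as the editor understands it.
if ( function_exists( 'add_filter' ) ) {
	$validate_choice = function ( $result, $tag ) {
		$submitted = isset( $_POST[ $tag->name ] ) ? wp_unslash( $_POST[ $tag->name ] ) : '';
		if ( ! is_allowed_choice( $submitted, (array) $tag->values ) ) {
			$result->invalidate( $tag, 'Unexpected value received' );
		}
		return $result;
	};
	add_filter( 'wpcf7_validate_radio',   $validate_choice, 20, 2 );
	add_filter( 'wpcf7_validate_select',  $validate_choice, 20, 2 );
	add_filter( 'wpcf7_validate_select*', $validate_choice, 20, 2 );

	// Defence in depth: abort sending when the resolved recipient is not a known mailbox,
	// even if validation was bypassed. Field name and site-wide list are assumptions.
	add_action( 'wpcf7_before_send_mail', function ( $contact_form, &$abort, $submission ) {
		$mailboxes = array_values( parse_pipes( RECIPIENT_OPTIONS ) );
		$resolved  = implode( ',', (array) $submission->get_posted_data( 'your-recipient' ) );
		if ( ! recipient_is_allowed( $resolved, $mailboxes ) ) {
			$abort = true;
			$submission->set_response( 'Unexpected recipient; the message was not sent.' );
		}
	}, 10, 3 );
}
```

Run from the command line, the honest row resolves to foo@example.org and passes both checks; the tampered row passes straight through the pipe model and is rejected by both. The validation filter compares against the tag's own option list, so it needs no per-site configuration; the send-time hook is the safety net for the case Takayuki raised, where something other than the rendered options (for example front-end JavaScript) is allowed to set the value.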

  • The topic ‘Protection against form hijacking?’ is closed to new replies.