• Hi there,

    we had issues with our hosting setup and your Contact Form 7 plugin. Forms were sending emails as expected but attachments were not attached. After a little debugging we found that the function wpcf7_is_file_path_in_content_dir in includes/validation-function.php was checking stringpos with realpath. But as the uploads directory is just a symlink to a mounted drive outside of the docroot, the realpath of uploads had no match with WP_CONTENT_DIR or ABSPATH.UPLOADS.

    The setup is something like this:

    – /mount-point-for-uploads
    – /some-system-path/docroot/wp-content/uploads -> /mount-point-for-uploads

    If you call realpath on the path /some-system-path/docroot/wp-content/uploads you will get /mount-point-for-uploads, which results in a false return value from wpcf7_is_file_path_in_content_dir.

    So why is it important that the path is in the content dir in the first place?

    Thanks in advance
    Edward
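    Added example (PHP, not Contact Form 7's own code) illustrating the realpath mismatch described above: a containment check that resolves both the candidate file and each allowed base directory through realpath(), so a symlinked uploads directory is compared against its mount-point target. The function name and the temporary directory layout are constructed for the demo.

```php
<?php
// Added example, not Contact Form 7's own code. Checks whether $file lies inside
// one of $allowed_dirs, calling realpath() on BOTH sides so that an uploads
// directory that is a symlink to a mount outside the docroot is compared against
// its real target rather than its symlink path.
function example_is_file_in_allowed_dirs( string $file, array $allowed_dirs ): bool {
    $real_file = realpath( $file );
    if ( false === $real_file || ! is_file( $real_file ) ) {
        return false; // missing path or not a regular file
    }

    foreach ( $allowed_dirs as $dir ) {
        $real_dir = realpath( $dir ); // a symlinked base resolves to its target
        if ( false === $real_dir || ! is_dir( $real_dir ) ) {
            continue;
        }
        // Trailing separator prevents "/x/uploads" from matching "/x/uploads-evil/f".
        $prefix = rtrim( $real_dir, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
        if ( 0 === strpos( $real_file, $prefix ) ) {
            return true;
        }
    }

    return false;
}

// Constructed layout mirroring the thread: docroot/wp-content/uploads is a
// symlink to a mount point outside the docroot.
$base    = sys_get_temp_dir() . '/cf7-demo-' . getmypid();
$mount   = $base . '/mount-point-for-uploads';
$content = $base . '/docroot/wp-content';
mkdir( $mount, 0700, true );
mkdir( $content, 0700, true );
symlink( $mount, $content . '/uploads' );
file_put_contents( $mount . '/attachment.pdf', 'demo' );
file_put_contents( $base . '/outside.txt', 'demo' );

$attachment = $content . '/uploads/attachment.pdf';

// Checked only against wp-content: the file's realpath is under the mount,
// wp-content's is not, so the attachment is rejected, as in the thread.
var_dump( example_is_file_in_allowed_dirs( $attachment, [ $content ] ) );

// Listing the uploads directory itself as a base: realpath() turns the
// symlink into the mount point, so the same attachment is accepted.
var_dump( example_is_file_in_allowed_dirs( $attachment, [ $content, $content . '/uploads' ] ) );

// A file next to the mount but outside every base is still rejected.
var_dump( example_is_file_in_allowed_dirs( $base . '/outside.txt', [ $content, $content . '/uploads' ] ) );
```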

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author Takayuki Miyoshi

    (@takayukister)

    It is important for security and privacy reasons to avoid risks of attaching sensitive files outside the content directories that are under WP’s control.

    Thread Starter EdwardBock

    (@edwardbock)

    Could you provide a filter so I can use this hook to validate the uploads directory path for our setup?

    Thread Starter EdwardBock

    (@edwardbock)

    Friendly reminder 🙂

    sherwin_flight

    (@sherwin_flight)

    I’d like to see this feature as well.

    The reason given of “to avoid risks of attaching sensitive files outside the content directories” makes it seem like the people using the plugin have no idea what they’re doing.

    I’m trying to attach a file that is outside of the content directory, but it’s in a folder that was created for this specific purpose. There are no sensitive files there, but I still cannot attach the files because the plugin seems to think this shouldn’t be an option.

    sherwin_flight

    (@sherwin_flight)

    I’ve had to use a workaround to get this to work properly.

    In my CF7 email I just have a special “text tag”, for example “(Application Id: 123456)”.

    Then I use a wp_mail filter to intercept any outgoing emails with those tags in it, attach the files I want, strip the tag from the message body and send it off.

    It’s such a clunky way to do something that should be easy to do with this plugin. This conditional check in CF7 is the only thing that prevents this from working:

    if ( ! wpcf7_is_file_path_in_content_dir( $path ) ) {

    Can you please provide a filter for this? Not being able to move uploaded files outside of the website root folder introduces more security concerns!

    By keeping it inside the document root directory, the file is publicly accessible, allowing for remote execution.

    For proper security around publicly uploaded files I believe those should be stored in a location that does not allow remote execution or access. Files should be served through a proxy (if uploaded files need to be accessed publicly).

    This seems to work:

    function override_wpcf7_upload_tmp_dir( $type ) {
        // Keep the URL CF7 computed, but point the temp dir at our own constant.
        $type = [
            'url' => $type['url'],
            'dir' => WPCF7_UPLOADS_TMP_DIR,
        ];

        return $type;
    }

    // Callback name must match the function defined above.
    add_filter( 'wpcf7_upload_dir', 'override_wpcf7_upload_tmp_dir', 10 );

    Add to functions.php:

    define( 'WPCF7_UPLOADS_TMP_DIR', '/path/to/your/tmp/dir' ); // placeholder: the original post's path was lost

  • The topic ‘wpcf7_is_file_path_in_content_dir bug’ is closed to new replies.