
Updated from 1.8.13 to 1.8.16.
remcotolsma committed Sep 16, 2014
1 parent c3c5899 commit dfaaaf5
Showing 11 changed files with 3,358 additions and 3,197 deletions.
23 changes: 23 additions & 0 deletions change_log.txt
@@ -1,3 +1,26 @@
-------------------------------------------------------------------------------------------------------------------
Version 1.8.16
- Fixed some strings that weren't localized and added localization context to others
- Fixed issue with datepicker to prevent user being returned to start of form when tabbing after selecting a date.
- Fixed a notice on the WordPress updates page
- Fixed a security issue with the file upload field for some server configurations
- Fixed an issue with the file upload file not matching uppercase extensions
- Updated POT file

-------------------------------------------------------------------------------------------------------------------
Version 1.8.15
- Fixed an issue with the multi-file upload field while uploading multiple files all selected at the same time in the file dialog. If one of the uploads fails due to an HTTP error then the next file in the list will appear as 100% complete but it will be removed from the form submission.
- AF: Fixed issue with checkboxes no retaining their values

-------------------------------------------------------------------------------------------------------------------
Version 1.8.14
- Fixed a potential security vulnerability for some servers which could allow code to be parsed via the file upload field.
- Fixed a security issue to prevent code injection
- Fixed an issue with the file upload field that allows malicious form submissions to bypass the validation for the maximum file size setting.

- AF: Fixed issue with simple conditional logic
- AF: Fixed issue with checkbox fields not supporting custom 'onclick' attributes to be added.

-------------------------------------------------------------------------------------------------------------------
Version 1.8.13
- Added additional check plus user feedback for failed multi-file uploads.
26 changes: 22 additions & 4 deletions common.php
Expand Up @@ -2460,7 +2460,7 @@ public static function get_section_fields($form, $section_field_id){
public static function get_countries(){
return apply_filters("gform_countries", array(
__('Afghanistan', 'gravityforms'),__('Albania', 'gravityforms'),__('Algeria', 'gravityforms'), __('American Samoa', 'gravityforms'), __('Andorra', 'gravityforms'),__('Angola', 'gravityforms'),__('Antigua and Barbuda', 'gravityforms'),__('Argentina', 'gravityforms'),__('Armenia', 'gravityforms'),__('Australia', 'gravityforms'),__('Austria', 'gravityforms'),__('Azerbaijan', 'gravityforms'),__('Bahamas', 'gravityforms'),__('Bahrain', 'gravityforms'),__('Bangladesh', 'gravityforms'),__('Barbados', 'gravityforms'),__('Belarus', 'gravityforms'),__('Belgium', 'gravityforms'),__('Belize', 'gravityforms'),__('Benin', 'gravityforms'),__('Bermuda', 'gravityforms'),__('Bhutan', 'gravityforms'),__('Bolivia', 'gravityforms'),__('Bosnia and Herzegovina', 'gravityforms'),__('Botswana', 'gravityforms'),__('Brazil', 'gravityforms'),__('Brunei', 'gravityforms'),__('Bulgaria', 'gravityforms'),__('Burkina Faso', 'gravityforms'),__('Burundi', 'gravityforms'),__('Cambodia', 'gravityforms'),__('Cameroon', 'gravityforms'),__('Canada', 'gravityforms'),__('Cape Verde', 'gravityforms'),__('Cayman Islands', 'gravityforms'),__('Central African Republic', 'gravityforms'),__('Chad', 'gravityforms'),__('Chile', 'gravityforms'),__('China', 'gravityforms'),__('Colombia', 'gravityforms'),__('Comoros', 'gravityforms'),__('Congo, Democratic Republic of the', 'gravityforms'),__('Congo, Republic of the', 'gravityforms'),__('Costa Rica', 'gravityforms'),__('Côte d\'Ivoire', 'gravityforms'),__('Croatia', 'gravityforms'),__('Cuba', 'gravityforms'),__('Cyprus', 'gravityforms'),__('Czech Republic', 'gravityforms'),__('Denmark', 'gravityforms'),__('Djibouti', 'gravityforms'),__('Dominica', 'gravityforms'),__('Dominican Republic', 'gravityforms'),__('East Timor', 'gravityforms'),__('Ecuador', 'gravityforms'),__('Egypt', 'gravityforms'),__('El Salvador', 'gravityforms'),__('Equatorial Guinea', 'gravityforms'),__('Eritrea', 'gravityforms'),__('Estonia', 'gravityforms'),__('Ethiopia', 'gravityforms'),__('Fiji', 
'gravityforms'),__('Finland', 'gravityforms'),__('France', 'gravityforms'), __('French Polynesia', 'gravityforms'), __('Gabon', 'gravityforms'),
__('Gambia', 'gravityforms'),__('Georgia', 'gravityforms'),__('Germany', 'gravityforms'),__('Ghana', 'gravityforms'),__('Greece', 'gravityforms'),__('Greenland', 'gravityforms'),__('Grenada', 'gravityforms'),__('Guam', 'gravityforms'),__('Guatemala', 'gravityforms'),__('Guinea', 'gravityforms'),__('Guinea-Bissau', 'gravityforms'),__('Guyana', 'gravityforms'),__('Haiti', 'gravityforms'),__('Honduras', 'gravityforms'),__('Hong Kong', 'gravityforms'),__('Hungary', 'gravityforms'),__('Iceland', 'gravityforms'),__('India', 'gravityforms'),__('Indonesia', 'gravityforms'),__('Iran', 'gravityforms'),__('Iraq', 'gravityforms'),__('Ireland', 'gravityforms'),__('Israel', 'gravityforms'),__('Italy', 'gravityforms'),__('Jamaica', 'gravityforms'),__('Japan', 'gravityforms'),__('Jordan', 'gravityforms'),__('Kazakhstan', 'gravityforms'),__('Kenya', 'gravityforms'),__('Kiribati', 'gravityforms'),__('North Korea', 'gravityforms'),__('South Korea', 'gravityforms'),__('Kosovo', 'gravityforms'),__('Kuwait', 'gravityforms'),__('Kyrgyzstan', 'gravityforms'),__('Laos', 'gravityforms'),__('Latvia', 'gravityforms'),__('Lebanon', 'gravityforms'),__('Lesotho', 'gravityforms'),__('Liberia', 'gravityforms'),__('Libya', 'gravityforms'),__('Liechtenstein', 'gravityforms'),__('Lithuania', 'gravityforms'),__('Luxembourg', 'gravityforms'),__('Macedonia', 'gravityforms'),__('Madagascar', 'gravityforms'),__('Malawi', 'gravityforms'),__('Malaysia', 'gravityforms'),__('Maldives', 'gravityforms'),__('Mali', 'gravityforms'),__('Malta', 'gravityforms'),__('Marshall Islands', 'gravityforms'),__('Mauritania', 'gravityforms'),__('Mauritius', 'gravityforms'),__('Mexico', 'gravityforms'),__('Micronesia', 'gravityforms'),__('Moldova', 'gravityforms'),__('Monaco', 'gravityforms'),__('Mongolia', 'gravityforms'),__('Montenegro', 'gravityforms'),__('Morocco', 'gravityforms'),__('Mozambique', 'gravityforms'),__('Myanmar', 'gravityforms'),__('Namibia', 'gravityforms'),__('Nauru', 'gravityforms'),__('Nepal', 
'gravityforms'),__('Netherlands', 'gravityforms'),__('New Zealand', 'gravityforms'),
__('Gambia', 'gravityforms'),_x('Georgia', 'Country', 'gravityforms'),__('Germany', 'gravityforms'),__('Ghana', 'gravityforms'),__('Greece', 'gravityforms'),__('Greenland', 'gravityforms'),__('Grenada', 'gravityforms'),__('Guam', 'gravityforms'),__('Guatemala', 'gravityforms'),__('Guinea', 'gravityforms'),__('Guinea-Bissau', 'gravityforms'),__('Guyana', 'gravityforms'),__('Haiti', 'gravityforms'),__('Honduras', 'gravityforms'),__('Hong Kong', 'gravityforms'),__('Hungary', 'gravityforms'),__('Iceland', 'gravityforms'),__('India', 'gravityforms'),__('Indonesia', 'gravityforms'),__('Iran', 'gravityforms'),__('Iraq', 'gravityforms'),__('Ireland', 'gravityforms'),__('Israel', 'gravityforms'),__('Italy', 'gravityforms'),__('Jamaica', 'gravityforms'),__('Japan', 'gravityforms'),__('Jordan', 'gravityforms'),__('Kazakhstan', 'gravityforms'),__('Kenya', 'gravityforms'),__('Kiribati', 'gravityforms'),__('North Korea', 'gravityforms'),__('South Korea', 'gravityforms'),__('Kosovo', 'gravityforms'),__('Kuwait', 'gravityforms'),__('Kyrgyzstan', 'gravityforms'),__('Laos', 'gravityforms'),__('Latvia', 'gravityforms'),__('Lebanon', 'gravityforms'),__('Lesotho', 'gravityforms'),__('Liberia', 'gravityforms'),__('Libya', 'gravityforms'),__('Liechtenstein', 'gravityforms'),__('Lithuania', 'gravityforms'),__('Luxembourg', 'gravityforms'),__('Macedonia', 'gravityforms'),__('Madagascar', 'gravityforms'),__('Malawi', 'gravityforms'),__('Malaysia', 'gravityforms'),__('Maldives', 'gravityforms'),__('Mali', 'gravityforms'),__('Malta', 'gravityforms'),__('Marshall Islands', 'gravityforms'),__('Mauritania', 'gravityforms'),__('Mauritius', 'gravityforms'),__('Mexico', 'gravityforms'),__('Micronesia', 'gravityforms'),__('Moldova', 'gravityforms'),__('Monaco', 'gravityforms'),__('Mongolia', 'gravityforms'),__('Montenegro', 'gravityforms'),__('Morocco', 'gravityforms'),__('Mozambique', 'gravityforms'),__('Myanmar', 'gravityforms'),__('Namibia', 'gravityforms'),__('Nauru', 'gravityforms'),__('Nepal', 
'gravityforms'),__('Netherlands', 'gravityforms'),__('New Zealand', 'gravityforms'),
__('Nicaragua', 'gravityforms'),__('Niger', 'gravityforms'),__('Nigeria', 'gravityforms'),__('Norway', 'gravityforms'), __('Northern Mariana Islands', 'gravityforms'), __('Oman', 'gravityforms'),__('Pakistan', 'gravityforms'),__('Palau', 'gravityforms'),__('Palestine', 'gravityforms'),__('Panama', 'gravityforms'),__('Papua New Guinea', 'gravityforms'),__('Paraguay', 'gravityforms'),__('Peru', 'gravityforms'),__('Philippines', 'gravityforms'),__('Poland', 'gravityforms'),__('Portugal', 'gravityforms'),__('Puerto Rico', 'gravityforms'),__('Qatar', 'gravityforms'),__('Romania', 'gravityforms'),__('Russia', 'gravityforms'),__('Rwanda', 'gravityforms'),__('Saint Kitts and Nevis', 'gravityforms'),__('Saint Lucia', 'gravityforms'),__('Saint Vincent and the Grenadines', 'gravityforms'),__('Samoa', 'gravityforms'),__('San Marino', 'gravityforms'),__('Sao Tome and Principe', 'gravityforms'),__('Saudi Arabia', 'gravityforms'),__('Senegal', 'gravityforms'),__('Serbia and Montenegro', 'gravityforms'),__('Seychelles', 'gravityforms'),__('Sierra Leone', 'gravityforms'),__('Singapore', 'gravityforms'),__('Slovakia', 'gravityforms'),__('Slovenia', 'gravityforms'),__('Solomon Islands', 'gravityforms'),__('Somalia', 'gravityforms'),__('South Africa', 'gravityforms'),__('Spain', 'gravityforms'),__('Sri Lanka', 'gravityforms'),__('Sudan', 'gravityforms'),__('Sudan, South', 'gravityforms'),__('Suriname', 'gravityforms'),__('Swaziland', 'gravityforms'),__('Sweden', 'gravityforms'),__('Switzerland', 'gravityforms'),__('Syria', 'gravityforms'),__('Taiwan', 'gravityforms'),__('Tajikistan', 'gravityforms'),__('Tanzania', 'gravityforms'),__('Thailand', 'gravityforms'),__('Togo', 'gravityforms'),__('Tonga', 'gravityforms'),__('Trinidad and Tobago', 'gravityforms'),__('Tunisia', 'gravityforms'),__('Turkey', 'gravityforms'),__('Turkmenistan', 'gravityforms'),__('Tuvalu', 'gravityforms'),__('Uganda', 'gravityforms'),__('Ukraine', 'gravityforms'),__('United Arab Emirates', 
'gravityforms'),__('United Kingdom', 'gravityforms'),
__('United States', 'gravityforms'),__('Uruguay', 'gravityforms'),__('Uzbekistan', 'gravityforms'),__('Vanuatu', 'gravityforms'),__('Vatican City', 'gravityforms'),__('Venezuela', 'gravityforms'),__('Vietnam', 'gravityforms'), __('Virgin Islands, British', 'gravityforms'), __('Virgin Islands, U.S.', 'gravityforms'),__('Yemen', 'gravityforms'),__('Zambia', 'gravityforms'),__('Zimbabwe', 'gravityforms')));

Expand Down Expand Up @@ -2535,7 +2535,7 @@ public static function get_country_code($country_name) {
__('FRANCE', 'gravityforms') => "FR" ,
__('GABON', 'gravityforms') => "GA" ,
__('GAMBIA', 'gravityforms') => "GM" ,
__('GEORGIA', 'gravityforms') => "GE" ,
_x('GEORGIA', 'Country', 'gravityforms') => "GE" ,
__('GERMANY', 'gravityforms') => "DE" ,
__('GHANA', 'gravityforms') => "GH" ,
__('GREECE', 'gravityforms') => "GR" ,
Expand Down Expand Up @@ -2684,7 +2684,7 @@ public static function get_us_states(){
return apply_filters("gform_us_states", array(
__("Alabama","gravityforms"),__("Alaska","gravityforms"),__("Arizona","gravityforms"),__("Arkansas","gravityforms"),
__("California","gravityforms"),__("Colorado","gravityforms"),__("Connecticut","gravityforms"),__("Delaware","gravityforms"),
__("District of Columbia", "gravityforms"), __("Florida","gravityforms"),__("Georgia","gravityforms"),
__("District of Columbia", "gravityforms"), __("Florida","gravityforms"),_x("Georgia","US State","gravityforms"),
__("Hawaii","gravityforms"),__("Idaho","gravityforms"),__("Illinois","gravityforms"),__("Indiana","gravityforms"),
__("Iowa","gravityforms"),__("Kansas","gravityforms"),__("Kentucky","gravityforms"),__("Louisiana","gravityforms"),
__("Maine","gravityforms"),__("Maryland","gravityforms"),__("Massachusetts","gravityforms"),__("Michigan","gravityforms"),
Expand Down Expand Up @@ -2712,7 +2712,7 @@ public static function get_us_state_code($state_name){
strtoupper(__("Delaware","gravityforms")) => "DE",
strtoupper(__("District of Columbia", "gravityforms")) => "DC",
strtoupper(__("Florida","gravityforms")) => "FL",
strtoupper(__("Georgia","gravityforms")) => "GA",
strtoupper(_x("Georgia","US State","gravityforms")) => "GA",
strtoupper(__("Hawaii","gravityforms")) => "HI",
strtoupper(__("Idaho","gravityforms")) => "ID",
strtoupper(__("Illinois","gravityforms")) => "IL",
Expand Down Expand Up @@ -4148,6 +4148,24 @@ public static function get_disallowed_file_extensions(){
return array("php", "asp", "exe", "com", "htaccess", "phtml", "php3", "php4", "php5", "php6");
}

public static function match_file_extension( $file_name, $extensions ) {
if ( empty ( $extensions ) || ! is_array( $extensions ) ) {
return false;
}

$ext = strtolower( pathinfo( $file_name, PATHINFO_EXTENSION ) );
if ( in_array( $ext, $extensions ) ) {
return true;
}

return false;
}

public static function file_name_has_disallowed_extension( $file_name ) {

return self::match_file_extension( $file_name, self::get_disallowed_file_extensions() ) || strpos( strtolower( $file_name ), '.php.' ) !== false;
}

public static function to_money($number, $currency_code=""){
if(!class_exists("RGCurrency"))
require_once("currency.php");
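Review bot: `file_name_has_disallowed_extension` special-cases only the `.php.` double extension, while the denylist it is paired with also contains phtml, php3–php6, asp and htaccess, so a name such as `shell.phtml.jpg` or `x.php5.jpg` is accepted even though the single-extension form is rejected; on servers that map every dot-separated segment to a handler (the configuration the changelog refers to) that is the same exposure. Checking every segment after the first against the list closes the gap without changing the signature: `$segments = array_slice( explode( '.', strtolower( $file_name ) ), 1 );` then `return count( array_intersect( $segments, self::get_disallowed_file_extensions() ) ) > 0;` — this also still catches the trailing-dot form `shell.php.`, at the cost of rejecting names like `report.com.pdf`, which the `com` entry already implies. In `match_file_extension` the membership test should be strict, `in_array( $ext, $extensions, true )`, so that a loosely typed entry in a filter-supplied list cannot match unexpectedly. Both helpers operate on the client-supplied file name; whether that name is reused for storage is not visible here.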
17 changes: 9 additions & 8 deletions form_display.php
Expand Up @@ -1470,22 +1470,20 @@ public static function validate(&$form, $field_values, $page_number=0, &$failed_

case "fileupload" :
case "post_image" :

$input_name = "input_" . $field["id"];
$allowedExtensions = GFCommon::clean_extensions(explode(",", strtolower($field["allowedExtensions"])));

if(rgar($field, "multipleFiles")){
$file_names = isset(GFFormsModel::$uploaded_files[$form["id"]][$input_name]) ? GFFormsModel::$uploaded_files[$form["id"]][$input_name] : array();
} else {
$max_upload_size_in_bytes = isset($field["maxFileSize"]) && $field["maxFileSize"] > 0 ? $field["maxFileSize"] * 1048576: wp_max_upload_size();
$max_upload_size_in_mb = $max_upload_size_in_bytes / 1048576;
if(!empty($_FILES[$input_name]["name"]) && $_FILES[$input_name]["error"] > 0){
$uploaded_file_name = isset(GFFormsModel::$uploaded_files[$form["id"]][$input_name]) ? GFFormsModel::$uploaded_files[$form["id"]][$input_name] : "";
if(empty($uploaded_file_name)){
$field["failed_validation"] = true;
switch($_FILES[$input_name]["error"]){
case UPLOAD_ERR_INI_SIZE :
case UPLOAD_ERR_FORM_SIZE :
$max_upload_size_in_bytes = isset($field["maxFileSize"]) && $field["maxFileSize"] > 0 ? $field["maxFileSize"] * 1048576: wp_max_upload_size();
$max_upload_size_in_mb = $max_upload_size_in_bytes / 1048576;
$fileupload_validation_message = sprintf(__("File exceeds size limit. Maximum file size: %dMB", "gravityforms"), $max_upload_size_in_mb);
break;
default :
Expand All @@ -1495,21 +1493,24 @@ public static function validate(&$form, $field_values, $page_number=0, &$failed_
break;
}

}
} elseif ( $_FILES[ $input_name ]['size'] > 0 && $_FILES[ $input_name ]['size'] > $max_upload_size_in_bytes ) {
$field["failed_validation"] = true;
$field["validation_message"] = sprintf( __( 'File exceeds size limit. Maximum file size: %dMB', 'gravityforms' ), $max_upload_size_in_mb );
}
$single_file_name = $_FILES[$input_name]["name"];
$file_names = array(array("uploaded_filename" => $single_file_name));

}

foreach($file_names as $file_name){
$info = pathinfo(rgar($file_name, "uploaded_filename"));
$extension = strtolower(rgget("extension",$info));
$allowed_extensions = isset($field["allowedExtensions"]) && !empty($field["allowedExtensions"]) ? GFCommon::clean_extensions(explode(",", strtolower($field["allowedExtensions"]))) : array();

if(empty($field["allowedExtensions"]) && in_array($extension, GFCommon::get_disallowed_file_extensions())){
if( empty( $field["allowedExtensions"] ) && GFCommon::file_name_has_disallowed_extension( rgar( $file_name, 'uploaded_filename' ) ) ){
$field["failed_validation"] = true;
$field["validation_message"] = empty($field["errorMessage"]) ? __("The uploaded file type is not allowed.", "gravityforms") : $field["errorMessage"];
}
else if(!empty($field["allowedExtensions"]) && !empty($info["basename"]) && !in_array($extension, $allowedExtensions)){
else if(!empty($field["allowedExtensions"]) && !empty($info["basename"]) && ! GFCommon::match_file_extension( rgar( $file_name, 'uploaded_filename' ), $allowed_extensions )){
$field["failed_validation"] = true;
$field["validation_message"] = empty($field["errorMessage"]) ? sprintf(__("The uploaded file type is not allowed. Must be one of the following: %s", "gravityforms"), strtolower($field["allowedExtensions"]) ) : $field["errorMessage"];
}
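Review bot: The double-extension defense is applied only when the field has no whitelist: the `file_name_has_disallowed_extension` call inside the `foreach` is guarded by `empty( $field["allowedExtensions"] )`, and the `else if` branch for a configured whitelist consults only the final extension through `match_file_extension`, so a field restricted to `jpg` still accepts `shell.php.jpg`, the very name the `.php.` check was introduced for. Dropping the guard makes the denylist apply first in both cases: `if( GFCommon::file_name_has_disallowed_extension( rgar( $file_name, 'uploaded_filename' ) ) ){`. That would also reject a whitelist that deliberately lists one of the denied extensions, which is probably an acceptable trade-off but should be stated in the field's help text. The check runs on the client-supplied file name, so it only matters if that name is reused when the file is stored, which is not visible in this hunk. `validate()` begins before the hunk and continues after it.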
14 changes: 7 additions & 7 deletions forms_model.php
Expand Up @@ -3234,13 +3234,13 @@ private static function sort_by_default_field_query($form_id, $sort_field, $sort
$entry_meta_sql_join = "";
if ( false === empty( $entry_meta ) && array_key_exists( $sort_field, $entry_meta ) ) {
$entry_meta_sql_join = $wpdb->prepare("INNER JOIN
(
SELECT
lead_id, meta_value as $sort_field
from $lead_meta_table_name
WHERE meta_key = '$sort_field'
) lead_meta_data ON lead_meta_data.lead_id = l.id
");
(
SELECT
lead_id, meta_value as $sort_field
from $lead_meta_table_name
WHERE meta_key = %s
) lead_meta_data ON lead_meta_data.lead_id = l.id
", $sort_field);
$is_numeric_sort = $entry_meta[$sort_field]['is_numeric'];
}
$grid_columns = RGFormsModel::get_grid_columns($form_id);
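Review bot: The `%s` placeholder covers the `meta_key` comparison, but `$sort_field` is still interpolated into the SELECT list as the column alias (`meta_value as $sort_field`), and `$lead_meta_table_name` into FROM; `$wpdb->prepare()` cannot parameterize identifiers, so the query is safe only because the `array_key_exists( $sort_field, $entry_meta )` test on the line above restricts `$sort_field` to registered entry-meta keys. That dependence deserves a comment beside the prepare call, e.g. `// $sort_field is an identifier (alias) and cannot be a placeholder; it is safe only because array_key_exists() above limits it to registered entry meta keys.` Wrapping the alias in backticks would additionally keep a key that happens to be a reserved word or contain a space from breaking the query. `sort_by_default_field_query()` begins before the hunk and continues after it, so where `$lead_meta_table_name` comes from is not visible here.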
