Closed jjpeleato closed 3 years ago
The purpose of wpcf7_is_file_path_in_content_dir()
is to check if the given file path is under the content directories that WordPress takes control.
When the symbolic links exist, $path and WP_CONTENT_DIR are not the same.
If $path
and WP_CONTENT_DIR
are not the same, wpcf7_is_file_path_in_content_dir()
should return false, regardless of symlinks. That is the expected behavior.
I don't agree with your PR idea because WPCF7_UPLOADS_TMP_DIR
is not provided for security restriction loopholes.
Hi @takayukister,
I remove the word "bug" in the title. I understand your comment, but I am confused.
wpcf7_is_file_path_in_content_dir
always return false when it checks the $path
with symlinks.
In the following documentation:
https://contactform7.com/file-uploading-and-attachment/#How-your-uploaded-files-are-managed
It is possible to change the temp upload directory, but in the function compose
on includes/mail.php
(on line 139) always returns false even if the temp file exists.
Also if I change to another directory that is outside the wp-content
path wpcf7_is_file_path_in_content_dir
functions always return false.
How should this case work?
Thank you, @jjpeleato
Even if WPCF7_UPLOADS_TMP_DIR
is defined, the value should refer to a directory under WP_CONTENT_DIR
. I'm thinking about displaying a warning in the admin screens when WPCF7_UPLOADS_TMP_DIR
is set to outside WP_CONTENT_DIR
. Security is the top priority on this matter.
I found this old issue by googling the same problem with symlink. And there is a solution better then adding a new constant. You can override tmp directory by the hook. But the question - why don't you make your own tmp directory in /wp-content outside /uploads?
function override_wpcf7_upload_tmp_dir($type)
{
$type = [
'url' => $type['url'],
'dir' => WP_CONTENT_DIR . '/tmp',
];
return $type;
}
add_filter('wpcf7_upload_dir', 'override_wpcf7_upload_tmp_dir');
Hello @takayukister
Current Behavior
I have detected an incompatibility of the "wpcf7_is_file_path_in_content_dir" function on "includes/validation-functions.php" file when the server works with symbolic links.
When the symbolic links exist,
$path
andWP_CONTENT_DIR
are not the same.Look at the differences:
"/home/.../sites/.../current/shared/public/wp-content/uploads/wpcf7_uploads/1885601162/ReadMe.pdf" "/home/.../sites/.../current/releases/87/public/wp-content"
Expected Behavior
I think if checking if the file exists with the
$path
variable, the function is more simplified, or if you use theWPCF7_UPLOADS_TMP_DIR
, the function must check this constant.Possible Solution
Thank you, @jjpeleato