diff --git a/README.txt b/README.txt
index 36b066329..decf69ae7 100644
--- a/README.txt
+++ b/README.txt
@@ -107,6 +107,9 @@ Gravity PDF can be run on most modern shared web hosting without any issues. It
 == Changelog ==
+= 6.9.1 =
+* Security: Disable the Signed URL feature in the [gravitypdf] shortcode when a URL parameter provides the entry ID (e.g. Page Confirmations)
 = 6.9.0 =
 * Feature: Add new conditional logic options to PDFs eg. Payment Status, Date Created, Starred (props: Gravity Wiz)
 * Feature: Add support for Show HTML Fields, Show Empty Fields, Show Section Break Description, and Enable Conditional Logic PDF settings when displaying Gravity Wiz Nested Forms field
diff --git a/src/Model/Model_Shortcodes.php b/src/Model/Model_Shortcodes.php
index 6c0d48131..af951cf8c 100644
--- a/src/Model/Model_Shortcodes.php
+++ b/src/Model/Model_Shortcodes.php
@@ -91,7 +91,8 @@ public function process( $attributes ) {
  $attributes = apply_filters( 'gfpdf_gravityforms_shortcode_attributes', $attributes );
  try {
- $attributes['entry'] = $this->get_entry_id_if_empty( $attributes['entry'] );
+ $original_entry_id = $attributes['entry'];
+ $attributes['entry'] = $this->get_entry_id_if_empty( $original_entry_id );
  /* Do PDF validation */
  $this->get_pdf_config( $attributes['entry'], $attributes['id'] );
@@ -103,7 +104,7 @@ public function process( $attributes ) {
  $attributes['url'] = $pdf->get_pdf_url( $attributes['id'], $attributes['entry'], $download, $print );
  /* Sign the URL to allow direct access to the PDF until it expires */
- if ( ! empty( $attributes['signed'] ) ) {
+ if ( ! empty( $attributes['signed'] ) && ! empty( $original_entry_id ) ) {
  $attributes['url'] = $this->url_signer->sign( $attributes['url'], $attributes['expires'] );
  }
diff --git a/tests/phpunit/unit-tests/test-shortcodes.php b/tests/phpunit/unit-tests/test-shortcodes.php
index 129abefcd..04c293b83 100644
--- a/tests/phpunit/unit-tests/test-shortcodes.php
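Review bot: The added `&& ! empty( $original_entry_id )` on the `if` in the second Model_Shortcodes.php hunk carries the entire security fix, yet nothing in the code records why that variable matters, so a later cleanup that re-inlines `$attributes['entry']` would silently reopen the issue; add a comment above the condition such as `/* Only sign when the entry ID came from the shortcode attribute itself. An ID resolved from the request by get_entry_id_if_empty() is caller-controlled and must not yield a pre-authorised URL. */`. Note that in the first hunk `$original_entry_id` is captured after `apply_filters( 'gfpdf_gravityforms_shortcode_attributes', ... )`, so a filter that fills `entry` from request data would be treated as an explicit attribute and still be signed — worth stating in that comment or in the filter's documentation. `empty()` also treats an explicit `entry="0"` as absent, which looks intentional but could be mentioned. The body of process() begins and continues outside both hunks.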
+++ b/tests/phpunit/unit-tests/test-shortcodes.php @@ -229,7 +229,7 @@ public function test_gravitypdf_shortcode() { ); $this->assertStringContainsString( '?gpdf=1&pid=556690c67856b&lid=1&action=download', $url ); - $this->assertStringNotContainsString( 'assertStringContainsString( 'Download PDF', $this->model->process( [ 'id' => '556690c67856b' ] ) ); + unset( $_GET['lid'] ); + $_GET['entry'] = $entry['id']; + $this->assertStringContainsString( 'Download PDF', $this->model->process( [ 'id' => '556690c67856b' ] ) ); + + /* Test we ignore the signed feature if the entry ID is taken from a URL parameter */ + $url2 = $this->model->process( + [ + 'id' => '556690c67856b', + 'signed' => '1', + ] + ); + + $this->assertStringContainsString( 'Download PDF', $url2 ); + $this->assertStringContainsString( 'href=', $url2 ); + $this->assertStringNotContainsString( '&signature=', $url2 ); + $this->assertStringNotContainsString( '&expires=', $url2 ); + + /* Test for errors */ $_GET['lid'] = '5000'; $this->assertStringContainsString( '
', $this->model->process( [ 'id' => '556690c67856b' ] ) );