GravityPDF · jakejackson1 · Mar 21, 2024 · Mar 21, 2024
diff --git a/README.txt b/README.txt
@@ -107,6 +107,9 @@ Gravity PDF can be run on most modern shared web hosting without any issues. It
 
 == Changelog ==
 
+= 6.9.1 =
+* Security: Disable the Signed URL feature in the [gravitypdf] shortcode when a URL parameter provides the entry ID (e.g. Page Confirmations)
+
 = 6.9.0 =
 * Feature: Add new conditional logic options to PDFs eg. Payment Status, Date Created, Starred (props: Gravity Wiz)
 * Feature: Add support for Show HTML Fields, Show Empty Fields, Show Section Break Description, and Enable Conditional Logic PDF settings when displaying Gravity Wiz Nested Forms field

diff --git a/src/Model/Model_Shortcodes.php b/src/Model/Model_Shortcodes.php
@@ -91,7 +91,8 @@ public function process( $attributes ) {
 		$attributes = apply_filters( 'gfpdf_gravityforms_shortcode_attributes', $attributes );
 
 		try {
-			$attributes['entry'] = $this->get_entry_id_if_empty( $attributes['entry'] );
+			$original_entry_id   = $attributes['entry'];
+			$attributes['entry'] = $this->get_entry_id_if_empty( $original_entry_id );
 
 			/* Do PDF validation */
 			$this->get_pdf_config( $attributes['entry'], $attributes['id'] );
@@ -103,7 +104,7 @@ public function process( $attributes ) {
 			$attributes['url'] = $pdf->get_pdf_url( $attributes['id'], $attributes['entry'], $download, $print );
 
 			/* Sign the URL to allow direct access to the PDF until it expires */
-			if ( ! empty( $attributes['signed'] ) ) {
+			if ( ! empty( $attributes['signed'] ) && ! empty( $original_entry_id ) ) {
 				$attributes['url'] = $this->url_signer->sign( $attributes['url'], $attributes['expires'] );
 			}
 

diff --git a/tests/phpunit/unit-tests/test-shortcodes.php b/tests/phpunit/unit-tests/test-shortcodes.php
@@ -229,7 +229,7 @@ public function test_gravitypdf_shortcode() {
 		);
 
 		$this->assertStringContainsString( '?gpdf=1&pid=556690c67856b&lid=1&action=download', $url );
-		$this->assertStringNotContainsString( '<a href=', $url );
+		$this->assertStringNotContainsString( 'href=', $url );
 		$this->assertStringNotContainsString( 'Download PDF', $url );
 
 		/* Test for signed URL */
@@ -286,6 +286,24 @@ public function test_gravitypdf_shortcode() {
 		$_GET['lid'] = $entry['id'];
 		$this->assertStringContainsString( 'Download PDF', $this->model->process( [ 'id' => '556690c67856b' ] ) );
 
+		unset( $_GET['lid'] );
+		$_GET['entry'] = $entry['id'];
+		$this->assertStringContainsString( 'Download PDF', $this->model->process( [ 'id' => '556690c67856b' ] ) );
+
+		/* Test we ignore the signed feature if the entry ID is taken from a URL parameter */
+		$url2 = $this->model->process(
+			[
+				'id'     => '556690c67856b',
+				'signed' => '1',
+			]
+		);
+
+		$this->assertStringContainsString( 'Download PDF', $url2 );
+		$this->assertStringContainsString( 'href=', $url2 );
+		$this->assertStringNotContainsString( '&#038;signature=', $url2 );
+		$this->assertStringNotContainsString( '&#038;expires=', $url2 );
+
+		/* Test for errors */
 		$_GET['lid'] = '5000';
 		$this->assertStringContainsString( '<pre class="gravitypdf-error">', $this->model->process( [ 'id' => '556690c67856b' ] ) );