Changeset 3321992

groundhogg/tags/4.2.2/README.txt

-                      r3320187
+                      r3321992
 Tested up to: 6.8
 Requires PHP: 7.1
 Stable tag: 4.2.1
+Stable tag: 4.2.2
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl.md
 …
 == Changelog ==
+= 4.2.2 (2025-07-03) =
+* FIXED User ID not syncing.
+* FIXED Arbitrary file upload vulnerability. Credit to Patchstack for practicing responsible disclosure.
 = 4.2.1 (2025-06-30) =

groundhogg/tags/4.2.2/admin/contacts/cards/user.php

-                      r3029787
+                      r3321992
  * @var $contact \Groundhogg\Contact
  */
+/* Auto link the account before we see the create account form. */
+$contact->auto_link_account();
 if ( $contact->get_userdata() ):

groundhogg/tags/4.2.2/admin/contacts/parts/contact-editor.php

-                      r3209982
+                      r3321992
  * @var $contact Contact
  */
-//var_dump( $contact );
-/* Auto link the account before we see the create account form. */
-$contact->auto_link_account();
 $tabs = [

groundhogg/tags/4.2.2/admin/tools/tools-page.php

-                      r3320187
+                      r3321992
 use Groundhogg\DB\Query\Table_Query;
 use Groundhogg\Extension_Upgrader;
+use Groundhogg\Files;
 use Groundhogg\License_Manager;
 use Groundhogg\Plugin;
 …
 class Tools_Page extends Tabbed_Admin_Page {
-    protected $uploads_path = [];
     /**
      * @var \Groundhogg\Bulk_Jobs\Import_Contacts
 …
+        }
+        $file = get_array_var( $_FILES, 'import_file' );
+        $validate = wp_check_filetype( $file['name'], [ 'csv' => 'text/csv' ] );
+        if ( $validate['ext'] !== 'csv' || $validate['type'] !== 'text/csv' ) {
+            return new WP_Error( 'invalid_csv', sprintf( 'Please upload a valid CSV. Expected mime type of <i>text/csv</i> but got <i>%s</i>', esc_html( $file['type'] ) ) );
+        }
+        $file['name'] = wp_unique_filename( files()->get_csv_imports_dir(), $file['name'] );
+        $result = $this->handle_file_upload( $file );
+        $file = $_FILES['import_file'];
+        $result = files()->safe_file_upload( $file, [
+            'csv' => 'text/csv',
+        ], 'imports' );
         if ( is_wp_error( $result ) ) {
-            if ( is_multisite() ) {
-                return new WP_Error( 'multisite_add_csv', 'Could not import because CSV is not an allowed file type on this subsite. Please add CSV to the list of allowed file types in the network settings.' );
+            }
             return $result;
+        }
 …
             'action' => 'map',
             'tab'    => 'import',
             'import' => urlencode( basename( $result['file'] ) ),
+            'import' => urlencode( basename( $result['path'] ) ),
         ] ) );
+    }
-    /**
-     * Upload a file to the Groundhogg file directory
+     *
-     * @param $file array
-     * @param $config
+     *
-     * @return array|bool|WP_Error
-     */
-    private function handle_file_upload( $file ) {
-        $upload_overrides = array( 'test_form' => false );
-        if ( ! function_exists( 'wp_handle_upload' ) ) {
-            require_once( ABSPATH . '/wp-admin/includes/file.php' );
+        }
-        $this->set_uploads_path();
-        add_filter( 'upload_dir', array( $this, 'files_upload_dir' ) );
-        $mfile = wp_handle_upload( $file, $upload_overrides );
-        remove_filter( 'upload_dir', array( $this, 'files_upload_dir' ) );
-        if ( isset( $mfile['error'] ) ) {
-            if ( empty( $mfile['error'] ) ) {
-                $mfile['error'] = _x( 'Could not upload file.', 'error', 'groundhogg' );
+            }
-            return new WP_Error( 'BAD_UPLOAD', $mfile['error'] );
+        }
-        return $mfile;
+    }
-    /**
-     * Change the default upload directory
+     *
-     * @param $param
+     *
-     * @return mixed
-     */
-    public function files_upload_dir( $param ) {
-        $param['path']   = $this->uploads_path['path'];
-        $param['url']    = $this->uploads_path['url'];
-        $param['subdir'] = $this->uploads_path['subdir'];
-        return $param;
+    }
-    /**
-     * Initialize the base upload path
-     */
-    private function set_uploads_path() {
-        $this->uploads_path['subdir'] = Plugin::$instance->utils->files->get_base_uploads_dir();
-        $this->uploads_path['path']   = Plugin::$instance->utils->files->get_csv_imports_dir();
-        $this->uploads_path['url']    = Plugin::$instance->utils->files->get_csv_imports_url();
+    }
 …
         $file_path       = wp_normalize_path( $groundhogg_path . DIRECTORY_SEPARATOR . $short_path );
+        if ( ! $file_path || ! file_exists( $file_path ) || ! is_file( $file_path ) ) {
+        // guard against ../../ traversal attack
+        if ( ! $file_path || ! file_exists( $file_path ) || ! is_file( $file_path ) || ! Files::is_file_within_directory( $file_path, $groundhogg_path ) ) {
             wp_die( 'The requested file was not found.', 'File not found.', [ 'status' => 404 ] );
+        }

groundhogg/tags/4.2.2/api/v4/files-api.php

-                      r2507120
+                      r3321992
         register_rest_route( self::NAME_SPACE, "/files/exports", [
+            [
                 'methods'             => WP_REST_Server::CREATABLE,
                 'callback'            => [ $this, 'create_exports' ],
                 'permission_callback' => [ $this, 'create_exports_permissions_callback' ]
             ],
+//          [
+//              'methods'             => WP_REST_Server::CREATABLE,
+//              'callback'            => [ $this, 'create_exports' ],
+//              'permission_callback' => [ $this, 'create_exports_permissions_callback' ]
+//          ],
+            [
                 'methods'             => WP_REST_Server::READABLE,
 …
         foreach ( $_FILES as $FILE ) {
+            $validate = wp_check_filetype( $FILE['name'], [ 'csv' => 'text/csv' ] );
+            if ( $validate['ext'] !== 'csv' || $validate['text/csv'] ) {
+                return self::ERROR_500( 'invalid_csv', sprintf( 'Please upload a valid CSV. Expected mime type of <i>text/csv</i> but got <i>%s</i>', esc_html( $FILE['type'] ) ) );
+            }
+            $file_name = str_replace( '.csv', '', $FILE['name'] );
+            $file_name .= '-' . current_time( 'mysql', true ) . '.csv';
+            $FILE['name'] = sanitize_file_name( $file_name );
+            $result = files()->upload( $FILE, 'imports' );
+            $result = files()->safe_file_upload( $FILE, [
+                'csv' => 'text/csv'
+            ], 'imports' );
             if ( is_wp_error( $result ) ) {

groundhogg/tags/4.2.2/assets/js/admin/filters/contacts.js

-                      r3264477
+                      r3321992
     Input,
     Div,
+    makeEl
+    makeEl,
+    InputRepeater
   } = MakeEl
 …
   ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory('current_time', 'Current Time', 'time', ( time ) => formatTime(`2000-01-01T${time}`) ))
+  registerFilterGroup( 'submissions', 'Submissions' )
+  ContactFilterRegistry.registerFilter( createPastDateFilter( 'form_submissions', 'Form Submissions', 'submissions', {
+    edit: ({
+      form_id = '',
+      form_type = '',
+      meta_filters = [],
+      updateFilter = () => {}
+    }) => {
+      return Fragment([
+        Input({
+          placeholder: 'ID',
+          id: 'form_id',
+          name: 'form_id',
+          value: form_id,
+          onChange: e => updateFilter({
+            form_id: e.target.value
+          })
+        }),
+        Input({
+          placeholder: 'Type',
+          id: 'type',
+          name: 'type',
+          value: form_type,
+          onChange: e => updateFilter({
+            form_type: e.target.value
+          })
+        }),
+        `<label>${ __('Filter by submission meta', 'groundhogg') }</label>`,
+        InputRepeater({
+          id: 'submission-meta-filters',
+          rows: meta_filters,
+          cells: [
+            props => Input({...props, placeholder: 'Key'}),
+            ({
+              value,
+              ...props
+            }) => Select({
+              selected: value,
+              options : AllComparisons,
+              ...props,
+            }),
+            props => Input({...props, placeholder: 'Value'}),
+          ],
+          fillRow: () => [
+            '',
+            'equals',
+            ''
+          ],
+          onChange: rows => {
+            updateFilter({
+              meta_filters: rows
+            })
+          }
+        })
+      ])
+    }
+  } ) )
   if (!Groundhogg.filters) {
     Groundhogg.filters = {}

groundhogg/tags/4.2.2/assets/js/admin/filters/contacts.min.js

-                      r3264477
+                      r3321992
 (function($){const{input,select,orList,andList,bold,inputRepeater}=Groundhogg.element;const{broadcastPicker,funnelPicker,tagPicker,emailPicker,linkPicker,metaValuePicker,metaPicker,userMetaPicker}=Groundhogg.pickers;const{assoc2array}=Groundhogg.functions;const{broadcasts:BroadcastsStore,emails:EmailsStore,tags:TagsStore,funnels:FunnelsStore,searches:SearchesStore}=Groundhogg.stores;const{sprintf,__,_x,_n}=wp.i18n;const{formatDate,formatDateTime,formatTime}=Groundhogg.formatting;const{Fragment,ItemPicker,Select,Input,Div,makeEl}=MakeEl;const{Filters,FilterRegistry,createFilter,createGroup,FilterDisplay,createDateFilter,createPastDateFilter,createStringFilter,createNumberFilter,createTimeFilter,unsubReasons}=Groundhogg.filters;const{ComparisonsTitleGenerators,AllComparisons,StringComparisons,NumericComparisons,pastDateRanges,futureDateRanges,allDateRanges}=Groundhogg.filters.comparisons;const ContactFilterRegistry=FilterRegistry({});const uid=function(){return Date.now().toString(36)+Math.random().toString(36).substring(2)};const createFilters=(el="",filters=[],onChange=f=>{console.log(f)})=>({el:el,onChange:onChange,filters:Array.isArray(filters)?filters:[],id:uid(),init(){this.mount()},mount(){let container=document.querySelector(el);container.innerHTML="";document.querySelector(el).appendChild(ContactFilters(this.id,this.filters,this.onChange))}});const ContactFilters=(id,filters,onChange)=>Filters({id:id,filterRegistry:ContactFilterRegistry,filters:filters,onChange:onChange});const ContactFilterDisplay=filters=>FilterDisplay({filters:filters,filterRegistry:ContactFilterRegistry});const registerFilterGroup=(group,name)=>{ContactFilterRegistry.registerGroup(createGroup(group,name))};const registerFilter=(type,group="general",name="",opts={})=>{if(typeof name==="object"){let tempOpts=name;name=tempOpts.name;opts=tempOpts}const{defaults:defaults={},preload:preload=()=>{},view:view=()=>"",edit:edit=()=>"",onMount:onMount=()=>""}=opts;ContactFilterRegistry.registerFilter(createFilter(type,name,group,{display:view,preload:preload,edit:({updateFilter,...filter})=>Fragment([edit(filter)],{onCreate:el=>{setTimeout(()=>{onMount(filter,updateFilter)},50)}})},defaults))};const standardActivityDateFilterOnMount=(filter,updateFilter)=>{$("#filter-date-range, #filter-before, #filter-after, #filter-days").on("change",function(e){const $el=$(this);updateFilter({[$el.prop("name")]:$el.val()});if($el.prop("name")==="date_range"){const $before=$("#filter-before");const $after=$("#filter-after");const $days=$("#filter-days");$before.addClass("hidden");$after.addClass("hidden");$days.addClass("hidden");switch($el.val()){case"between":$before.removeClass("hidden");$after.removeClass("hidden");break;case"day_of":case"after":$after.removeClass("hidden");break;case"before":$before.removeClass("hidden");break;case"x_days":$days.removeClass("hidden");break}}})};const standardActivityDateTitle=(prepend,{date_range,before,after,days:days=0,future:future=false})=>{let ranges=future?futureDateRanges:pastDateRanges;switch(date_range){default:return`${prepend} ${ranges[date_range]?ranges[date_range].replace("X",days).toLowerCase():""}`;case"between":return`${prepend} ${sprintf(_x("between %1$s and %2$s","where %1 and %2 are dates","groundhogg"),`<b>${formatDate(after)}</b>`,`<b>${formatDate(before)}</b>`)}`;case"before":return`${prepend} ${sprintf(_x("before %s","%s is a date","groundhogg"),`<b>${formatDate(before)}</b>`)}`;case"after":return`${prepend} ${sprintf(_x("after %s","%s is a date","groundhogg"),`<b>${formatDate(after)}</b>`)}`;case"day_of":return`${prepend} ${sprintf(_x("on %s","%s is a date","groundhogg"),`<b>${formatDate(after)}</b>`)}`}};const standardActivityDateOptions=({date_range:date_range="24_hours",after:after="",before:before="",days:days=0,future:future=false})=>{return[select({id:"filter-date-range",name:"date_range"},future?futureDateRanges:pastDateRanges,date_range),input({type:"date",value:after.split(" ")[0],id:"filter-after",className:`date ${["between","after","day_of"].includes(date_range)?"":"hidden"}`,name:"after"}),input({type:"date",value:before.split(" ")[0],id:"filter-before",className:`value ${["between","before"].includes(date_range)?"":"hidden"}`,name:"before"}),input({type:"number",value:days,id:"filter-days",min:0,className:`value ${["x_days","next_x_days"].includes(date_range)?"":"hidden"}`,name:"days"})].join("")};const standardActivityDateDefaults={date_range:"any",before:"",after:"",count:1,days:0};const filterCountDefaults={count:1,count_compare:"greater_than_or_equal_to"};const activityFilterComparisons={equals:_x("Exactly","comparison","groundhogg"),less_than:_x("Less than","comparison","groundhogg"),greater_than:_x("More than","comparison","groundhogg"),less_than_or_equal_to:_x("At most","comparison","groundhogg"),greater_than_or_equal_to:_x("At least","comparison","groundhogg")};const filterCount=({count,count_compare})=>{return`
+(function($){const{input,select,orList,andList,bold,inputRepeater}=Groundhogg.element;const{broadcastPicker,funnelPicker,tagPicker,emailPicker,linkPicker,metaValuePicker,metaPicker,userMetaPicker}=Groundhogg.pickers;const{assoc2array}=Groundhogg.functions;const{broadcasts:BroadcastsStore,emails:EmailsStore,tags:TagsStore,funnels:FunnelsStore,searches:SearchesStore}=Groundhogg.stores;const{sprintf,__,_x,_n}=wp.i18n;const{formatDate,formatDateTime,formatTime}=Groundhogg.formatting;const{Fragment,ItemPicker,Select,Input,Div,makeEl,InputRepeater}=MakeEl;const{Filters,FilterRegistry,createFilter,createGroup,FilterDisplay,createDateFilter,createPastDateFilter,createStringFilter,createNumberFilter,createTimeFilter,unsubReasons}=Groundhogg.filters;const{ComparisonsTitleGenerators,AllComparisons,StringComparisons,NumericComparisons,pastDateRanges,futureDateRanges,allDateRanges}=Groundhogg.filters.comparisons;const ContactFilterRegistry=FilterRegistry({});const uid=function(){return Date.now().toString(36)+Math.random().toString(36).substring(2)};const createFilters=(el="",filters=[],onChange=f=>{console.log(f)})=>({el:el,onChange:onChange,filters:Array.isArray(filters)?filters:[],id:uid(),init(){this.mount()},mount(){let container=document.querySelector(el);container.innerHTML="";document.querySelector(el).appendChild(ContactFilters(this.id,this.filters,this.onChange))}});const ContactFilters=(id,filters,onChange)=>Filters({id:id,filterRegistry:ContactFilterRegistry,filters:filters,onChange:onChange});const ContactFilterDisplay=filters=>FilterDisplay({filters:filters,filterRegistry:ContactFilterRegistry});const registerFilterGroup=(group,name)=>{ContactFilterRegistry.registerGroup(createGroup(group,name))};const registerFilter=(type,group="general",name="",opts={})=>{if(typeof name==="object"){let tempOpts=name;name=tempOpts.name;opts=tempOpts}const{defaults:defaults={},preload:preload=()=>{},view:view=()=>"",edit:edit=()=>"",onMount:onMount=()=>""}=opts;ContactFilterRegistry.registerFilter(createFilter(type,name,group,{display:view,preload:preload,edit:({updateFilter,...filter})=>Fragment([edit(filter)],{onCreate:el=>{setTimeout(()=>{onMount(filter,updateFilter)},50)}})},defaults))};const standardActivityDateFilterOnMount=(filter,updateFilter)=>{$("#filter-date-range, #filter-before, #filter-after, #filter-days").on("change",function(e){const $el=$(this);updateFilter({[$el.prop("name")]:$el.val()});if($el.prop("name")==="date_range"){const $before=$("#filter-before");const $after=$("#filter-after");const $days=$("#filter-days");$before.addClass("hidden");$after.addClass("hidden");$days.addClass("hidden");switch($el.val()){case"between":$before.removeClass("hidden");$after.removeClass("hidden");break;case"day_of":case"after":$after.removeClass("hidden");break;case"before":$before.removeClass("hidden");break;case"x_days":$days.removeClass("hidden");break}}})};const standardActivityDateTitle=(prepend,{date_range,before,after,days:days=0,future:future=false})=>{let ranges=future?futureDateRanges:pastDateRanges;switch(date_range){default:return`${prepend} ${ranges[date_range]?ranges[date_range].replace("X",days).toLowerCase():""}`;case"between":return`${prepend} ${sprintf(_x("between %1$s and %2$s","where %1 and %2 are dates","groundhogg"),`<b>${formatDate(after)}</b>`,`<b>${formatDate(before)}</b>`)}`;case"before":return`${prepend} ${sprintf(_x("before %s","%s is a date","groundhogg"),`<b>${formatDate(before)}</b>`)}`;case"after":return`${prepend} ${sprintf(_x("after %s","%s is a date","groundhogg"),`<b>${formatDate(after)}</b>`)}`;case"day_of":return`${prepend} ${sprintf(_x("on %s","%s is a date","groundhogg"),`<b>${formatDate(after)}</b>`)}`}};const standardActivityDateOptions=({date_range:date_range="24_hours",after:after="",before:before="",days:days=0,future:future=false})=>{return[select({id:"filter-date-range",name:"date_range"},future?futureDateRanges:pastDateRanges,date_range),input({type:"date",value:after.split(" ")[0],id:"filter-after",className:`date ${["between","after","day_of"].includes(date_range)?"":"hidden"}`,name:"after"}),input({type:"date",value:before.split(" ")[0],id:"filter-before",className:`value ${["between","before"].includes(date_range)?"":"hidden"}`,name:"before"}),input({type:"number",value:days,id:"filter-days",min:0,className:`value ${["x_days","next_x_days"].includes(date_range)?"":"hidden"}`,name:"days"})].join("")};const standardActivityDateDefaults={date_range:"any",before:"",after:"",count:1,days:0};const filterCountDefaults={count:1,count_compare:"greater_than_or_equal_to"};const activityFilterComparisons={equals:_x("Exactly","comparison","groundhogg"),less_than:_x("Less than","comparison","groundhogg"),greater_than:_x("More than","comparison","groundhogg"),less_than_or_equal_to:_x("At most","comparison","groundhogg"),greater_than_or_equal_to:_x("At least","comparison","groundhogg")};const filterCount=({count,count_compare})=>{return`
         <div class="space-between" style="gap: 10px">
             <div class="gh-input-group">
 …
                   </div>
               </div>
           `,filterCount(filter),standardActivityDateOptions(filter)].join("")},onMount(filter,updateFilter){onMount(filter,updateFilter);$("#filter-value,#filter-value-compare").on("change",e=>{updateFilter({[e.target.name]:e.target.value})});filterCountOnMount(updateFilter);standardActivityDateFilterOnMount(filter,updateFilter)},defaults:{...defaults,...standardActivityDateDefaults,...filterCountDefaults,value:0,value_compare:"greater_than_or_equal_to"},...rest})};registerActivityFilterWithValue("custom_activity","activity",__("Custom Activity","groundhogg"),{view:({activity})=>`<b>${activity}</b>`,edit:({activity,...filter})=>{return[input({id:"filter-activity-type",name:"activity",value:activity,placeholder:"custom_activity"}),`<label>${__("Filter by activity meta","groundhogg")}</label>`,`<div id="custom-activity-meta-filters"></div>`].join("")},onMount(filter,updateFilter){$("#filter-activity-type").on("input",e=>{updateFilter({activity:e.target.value})});let{meta_filters:meta_filters=[]}=filter;inputRepeater("#custom-activity-meta-filters",{rows:meta_filters,cells:[props=>input({placeholder:"Key",className:"input",...props}),({value,...props})=>select({selected:value,options:AllComparisons,...props}),props=>input({placeholder:"Value",className:"input",...props})],addRow:()=>["","equals",""],onChange:rows=>{updateFilter({meta_filters:rows})}}).mount()},defaults:{activity:"",meta_filters:[]}});registerFilterGroup("query","Query");registerFilter("saved_search","query",__("Saved Search"),{view:({compare:compare="in",search})=>{return sprintf(__("Is %s search %s"),compare==="in"?"in":"not in",bold(SearchesStore.get(search)?.name))},edit:({compare})=>{return[select({name:"filter_compare",id:"filter-compare",options:{in:__("In"),not_in:__("Not in")},selected:compare}),select({name:"filter_search",id:"filter-search"})].join("")},onMount:({search},updateFilter)=>{SearchesStore.maybeFetchItems().then(items=>{$("#filter-search").select2({data:[{id:"",text:""},...items.map(({id,name})=>({id:id,text:name,selected:id===search}))],placeholder:__("Type to search...")}).on("change",e=>{updateFilter({search:e.target.value})})});$("#filter-compare").on("change",e=>{updateFilter({compare:e.target.value})})},defaults:{compare:"in",search:null},preload:({search})=>{if(!SearchesStore.hasItems()){return SearchesStore.fetchItems([])}}});ContactFilterRegistry.registerFilter(createFilter("sub_query","Sub Query","query",{display:({include_filters:include_filters=[],exclude_filters:exclude_filters=[]})=>{let texts=[ContactFilterRegistry.displayFilters(include_filters),ContactFilterRegistry.displayFilters(exclude_filters)];if(include_filters.length&&exclude_filters.length){return texts.join(' <abbr title="exclude">and exclude</abbr> ')}if(exclude_filters.length){return sprintf('<abbr title="exclude">Exclude</abbr> %s',texts[1])}if(include_filters.length){return texts[0]}throw new Error("No filters defined.")},edit:({include_filters:include_filters=[],exclude_filters:exclude_filters=[],updateFilter})=>{return Fragment([Div({className:"include-search-filters"},[Filters({id:"sub-query-filters",filters:include_filters,filterRegistry:ContactFilterRegistry,onChange:include_filters=>updateFilter({include_filters:include_filters})})]),Div({className:"exclude-search-filters"},[Filters({id:"sub-query-exclude-filters",filters:exclude_filters,filterRegistry:ContactFilterRegistry,onChange:exclude_filters=>updateFilter({exclude_filters:exclude_filters})})])])},preload:({include_filters:include_filters=[],exclude_filters:exclude_filters=[]})=>{return Promise.all([ContactFilterRegistry.preloadFilters(include_filters),ContactFilterRegistry.preloadFilters(exclude_filters)])}},{}));ContactFilterRegistry.registerFilter(createFilter("secondary_related","Is Child Of","query",{edit:({object_type:object_type="",object_id:object_id="",updateFilter})=>Fragment([Input({id:"object-type",name:"object_type",value:object_type,placeholder:"Parent Type",onInput:e=>{updateFilter({object_type:e.target.value})}}),Input({type:"number",id:"object-id",name:"object_id",value:object_id,placeholder:"Parent ID",min:0,onInput:e=>{updateFilter({object_id:e.target.value})}})]),display:({object_type,object_id})=>{if(!object_type){throw new Error("Type be defined")}if(!object_id){return`Is a child of ${object_type}`}return`Is a child of ${object_type} with ID ${object_id}`}},{object_type:"contact"}));ContactFilterRegistry.registerFilter(createFilter("primary_related","Is Parent Of","query",{edit:({object_type:object_type="",object_id:object_id="",updateFilter})=>Fragment([Input({id:"object-type",name:"object_type",value:object_type,placeholder:"Child Type",onInput:e=>{updateFilter({object_type:e.target.value})}}),Input({type:"number",id:"object-id",name:"object_id",value:object_id,placeholder:"Child ID",min:0,onInput:e=>{updateFilter({object_id:e.target.value})}})]),display:({object_type,object_id})=>{if(!object_type){throw new Error("Type must be defined")}if(!object_id){return`Is a parent of ${object_type}`}return`Is a parent of ${object_type} with ID ${object_id}`}},{object_type:"contact"}));registerFilterGroup("date","Date");const CurrentDateCompareFilterFactory=(id,name,type,formatter)=>createFilter(id,name,"date",{edit:({compare:compare="",after:after="",before:before="",updateFilter})=>Fragment([Select({id:"select-compare",selected:compare,options:{after:"After",before:"Before",between:"Between"},onChange:e=>{updateFilter({compare:e.target.value})}}),compare==="before"?null:Input({type:type,id:"after-date",name:"after_date",value:after,placeholder:"After...",onChange:e=>{updateFilter({after:e.target.value})}}),compare==="after"?null:Input({type:type,id:"before-date",name:"before_date",value:before,placeholder:"Before...",min:0,onInput:e=>{updateFilter({before:e.target.value})}})]),display:({compare:compare="",after,before})=>{let prefix=`<b>${name}</b>`;switch(compare){case"between":return ComparisonsTitleGenerators.between(prefix,formatter(after),formatter(before));case"after":return ComparisonsTitleGenerators.after(prefix,formatter(after));case"before":return ComparisonsTitleGenerators.before(prefix,formatter(before));default:throw new Error("Invalid date comparison.")}}},{compare:"between",before:"",after:""});ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_datetime","Current Date & Time","datetime-local",formatDateTime));ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_date","Current Date","date",formatDate));ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_time","Current Time","time",time=>formatTime(`2000-01-01T${time}`)));if(!Groundhogg.filters){Groundhogg.filters={}}Groundhogg.filters.ContactFilters=ContactFilters;Groundhogg.filters.ContactFilterDisplay=ContactFilterDisplay;Groundhogg.filters.ContactFilterRegistry=ContactFilterRegistry;Groundhogg.filters.functions={createFilters:createFilters,registerFilter:registerFilter,registerFilterGroup:registerFilterGroup,ComparisonsTitleGenerators:ComparisonsTitleGenerators,AllComparisons:AllComparisons,NumericComparisons:NumericComparisons,StringComparisons:StringComparisons,standardActivityDateOptions:standardActivityDateOptions,standardActivityDateTitle:standardActivityDateTitle,standardActivityDateDefaults:standardActivityDateDefaults,standardActivityDateFilterOnMount:standardActivityDateFilterOnMount,BasicTextFilter:BasicTextFilter,registerActivityFilter:registerActivityFilter,registerActivityFilterWithValue:registerActivityFilterWithValue}})(jQuery);
+          `,filterCount(filter),standardActivityDateOptions(filter)].join("")},onMount(filter,updateFilter){onMount(filter,updateFilter);$("#filter-value,#filter-value-compare").on("change",e=>{updateFilter({[e.target.name]:e.target.value})});filterCountOnMount(updateFilter);standardActivityDateFilterOnMount(filter,updateFilter)},defaults:{...defaults,...standardActivityDateDefaults,...filterCountDefaults,value:0,value_compare:"greater_than_or_equal_to"},...rest})};registerActivityFilterWithValue("custom_activity","activity",__("Custom Activity","groundhogg"),{view:({activity})=>`<b>${activity}</b>`,edit:({activity,...filter})=>{return[input({id:"filter-activity-type",name:"activity",value:activity,placeholder:"custom_activity"}),`<label>${__("Filter by activity meta","groundhogg")}</label>`,`<div id="custom-activity-meta-filters"></div>`].join("")},onMount(filter,updateFilter){$("#filter-activity-type").on("input",e=>{updateFilter({activity:e.target.value})});let{meta_filters:meta_filters=[]}=filter;inputRepeater("#custom-activity-meta-filters",{rows:meta_filters,cells:[props=>input({placeholder:"Key",className:"input",...props}),({value,...props})=>select({selected:value,options:AllComparisons,...props}),props=>input({placeholder:"Value",className:"input",...props})],addRow:()=>["","equals",""],onChange:rows=>{updateFilter({meta_filters:rows})}}).mount()},defaults:{activity:"",meta_filters:[]}});registerFilterGroup("query","Query");registerFilter("saved_search","query",__("Saved Search"),{view:({compare:compare="in",search})=>{return sprintf(__("Is %s search %s"),compare==="in"?"in":"not in",bold(SearchesStore.get(search)?.name))},edit:({compare})=>{return[select({name:"filter_compare",id:"filter-compare",options:{in:__("In"),not_in:__("Not in")},selected:compare}),select({name:"filter_search",id:"filter-search"})].join("")},onMount:({search},updateFilter)=>{SearchesStore.maybeFetchItems().then(items=>{$("#filter-search").select2({data:[{id:"",text:""},...items.map(({id,name})=>({id:id,text:name,selected:id===search}))],placeholder:__("Type to search...")}).on("change",e=>{updateFilter({search:e.target.value})})});$("#filter-compare").on("change",e=>{updateFilter({compare:e.target.value})})},defaults:{compare:"in",search:null},preload:({search})=>{if(!SearchesStore.hasItems()){return SearchesStore.fetchItems([])}}});ContactFilterRegistry.registerFilter(createFilter("sub_query","Sub Query","query",{display:({include_filters:include_filters=[],exclude_filters:exclude_filters=[]})=>{let texts=[ContactFilterRegistry.displayFilters(include_filters),ContactFilterRegistry.displayFilters(exclude_filters)];if(include_filters.length&&exclude_filters.length){return texts.join(' <abbr title="exclude">and exclude</abbr> ')}if(exclude_filters.length){return sprintf('<abbr title="exclude">Exclude</abbr> %s',texts[1])}if(include_filters.length){return texts[0]}throw new Error("No filters defined.")},edit:({include_filters:include_filters=[],exclude_filters:exclude_filters=[],updateFilter})=>{return Fragment([Div({className:"include-search-filters"},[Filters({id:"sub-query-filters",filters:include_filters,filterRegistry:ContactFilterRegistry,onChange:include_filters=>updateFilter({include_filters:include_filters})})]),Div({className:"exclude-search-filters"},[Filters({id:"sub-query-exclude-filters",filters:exclude_filters,filterRegistry:ContactFilterRegistry,onChange:exclude_filters=>updateFilter({exclude_filters:exclude_filters})})])])},preload:({include_filters:include_filters=[],exclude_filters:exclude_filters=[]})=>{return Promise.all([ContactFilterRegistry.preloadFilters(include_filters),ContactFilterRegistry.preloadFilters(exclude_filters)])}},{}));ContactFilterRegistry.registerFilter(createFilter("secondary_related","Is Child Of","query",{edit:({object_type:object_type="",object_id:object_id="",updateFilter})=>Fragment([Input({id:"object-type",name:"object_type",value:object_type,placeholder:"Parent Type",onInput:e=>{updateFilter({object_type:e.target.value})}}),Input({type:"number",id:"object-id",name:"object_id",value:object_id,placeholder:"Parent ID",min:0,onInput:e=>{updateFilter({object_id:e.target.value})}})]),display:({object_type,object_id})=>{if(!object_type){throw new Error("Type be defined")}if(!object_id){return`Is a child of ${object_type}`}return`Is a child of ${object_type} with ID ${object_id}`}},{object_type:"contact"}));ContactFilterRegistry.registerFilter(createFilter("primary_related","Is Parent Of","query",{edit:({object_type:object_type="",object_id:object_id="",updateFilter})=>Fragment([Input({id:"object-type",name:"object_type",value:object_type,placeholder:"Child Type",onInput:e=>{updateFilter({object_type:e.target.value})}}),Input({type:"number",id:"object-id",name:"object_id",value:object_id,placeholder:"Child ID",min:0,onInput:e=>{updateFilter({object_id:e.target.value})}})]),display:({object_type,object_id})=>{if(!object_type){throw new Error("Type must be defined")}if(!object_id){return`Is a parent of ${object_type}`}return`Is a parent of ${object_type} with ID ${object_id}`}},{object_type:"contact"}));registerFilterGroup("date","Date");const CurrentDateCompareFilterFactory=(id,name,type,formatter)=>createFilter(id,name,"date",{edit:({compare:compare="",after:after="",before:before="",updateFilter})=>Fragment([Select({id:"select-compare",selected:compare,options:{after:"After",before:"Before",between:"Between"},onChange:e=>{updateFilter({compare:e.target.value})}}),compare==="before"?null:Input({type:type,id:"after-date",name:"after_date",value:after,placeholder:"After...",onChange:e=>{updateFilter({after:e.target.value})}}),compare==="after"?null:Input({type:type,id:"before-date",name:"before_date",value:before,placeholder:"Before...",min:0,onInput:e=>{updateFilter({before:e.target.value})}})]),display:({compare:compare="",after,before})=>{let prefix=`<b>${name}</b>`;switch(compare){case"between":return ComparisonsTitleGenerators.between(prefix,formatter(after),formatter(before));case"after":return ComparisonsTitleGenerators.after(prefix,formatter(after));case"before":return ComparisonsTitleGenerators.before(prefix,formatter(before));default:throw new Error("Invalid date comparison.")}}},{compare:"between",before:"",after:""});ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_datetime","Current Date & Time","datetime-local",formatDateTime));ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_date","Current Date","date",formatDate));ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_time","Current Time","time",time=>formatTime(`2000-01-01T${time}`)));registerFilterGroup("submissions","Submissions");ContactFilterRegistry.registerFilter(createPastDateFilter("form_submissions","Form Submissions","submissions",{edit:({form_id:form_id="",form_type:form_type="",meta_filters:meta_filters=[],updateFilter:updateFilter=()=>{}})=>{return Fragment([Input({placeholder:"ID",id:"form_id",name:"form_id",value:form_id,onChange:e=>updateFilter({form_id:e.target.value})}),Input({placeholder:"Type",id:"type",name:"type",value:form_type,onChange:e=>updateFilter({form_type:e.target.value})}),`<label>${__("Filter by submission meta","groundhogg")}</label>`,InputRepeater({id:"submission-meta-filters",rows:meta_filters,cells:[props=>Input({...props,placeholder:"Key"}),({value,...props})=>Select({selected:value,options:AllComparisons,...props}),props=>Input({...props,placeholder:"Value"})],fillRow:()=>["","equals",""],onChange:rows=>{updateFilter({meta_filters:rows})}})])}}));if(!Groundhogg.filters){Groundhogg.filters={}}Groundhogg.filters.ContactFilters=ContactFilters;Groundhogg.filters.ContactFilterDisplay=ContactFilterDisplay;Groundhogg.filters.ContactFilterRegistry=ContactFilterRegistry;Groundhogg.filters.functions={createFilters:createFilters,registerFilter:registerFilter,registerFilterGroup:registerFilterGroup,ComparisonsTitleGenerators:ComparisonsTitleGenerators,AllComparisons:AllComparisons,NumericComparisons:NumericComparisons,StringComparisons:StringComparisons,standardActivityDateOptions:standardActivityDateOptions,standardActivityDateTitle:standardActivityDateTitle,standardActivityDateDefaults:standardActivityDateDefaults,standardActivityDateFilterOnMount:standardActivityDateFilterOnMount,BasicTextFilter:BasicTextFilter,registerActivityFilter:registerActivityFilter,registerActivityFilterWithValue:registerActivityFilterWithValue}})(jQuery);

groundhogg/tags/4.2.2/db/contacts.php

-                      r3320187
+                      r3321992
         // where based, not ID based
         if ( is_array( $row_id_or_where ) || ! empty( $where ) ) {
+        if ( is_array( $row_id_or_where ) || ( ! empty( $where ) && is_array( $where ) ) ) {
             // don't allow bulk updating some columns
 …
+        }
+        $column = ! empty( $where ) && is_string( $where ) ? $where : $this->primary_key;
         if ( isset( $data['email'] ) ) {
 …
             // check to see if this email address is already in use
             $query = new Table_Query( $this );
             $query->where()->notEquals( 'ID', $row_id_or_where )->equals( 'email', $data['email'] );
+            $query->where()->notEquals( $column, $row_id_or_where )->equals( 'email', $data['email'] );
             if ( $query->count() > 0 ) {
                 unset( $data['email'] );
 …
             // check to see if this user_id is being used by another contact
             $query = new Table_Query( $this );
+            $query->where()->notEquals( 'ID', $row_id_or_where )->equals( 'user_id', $data['user_id'] );
+            $query->where()->notEquals( $column, $row_id_or_where )->equals( 'user_id', $data['user_id'] );
             // it is being used by another contact :/
             if ( $query->count() > 0 ) {
 …
                     break;
                 case 'optin_status':
+                    $cols[ $key ] = Preferences::sanitize( $val );
+                    break;
                 case 'owner_id':
                 case 'user_id':

groundhogg/tags/4.2.2/groundhogg.php

-                      r3320187
+                      r3321992
  * Plugin URI:  https://www.groundhogg.io/?utm_source=wp-plugins&utm_campaign=plugin-uri&utm_medium=wp-dash
  * Description: CRM and marketing automation for WordPress
  * Version: 4.2.1
+ * Version: 4.2.2
  * Author: Groundhogg Inc.
  * Author URI: https://www.groundhogg.io/?utm_source=wp-plugins&utm_campaign=author-uri&utm_medium=wp-dash
 …
+}
 define( 'GROUNDHOGG_VERSION', '4.2.1' );
+define( 'GROUNDHOGG_VERSION', '4.2.2' );
 define( 'GROUNDHOGG_PREVIOUS_STABLE_VERSION', '4.2' );

groundhogg/tags/4.2.2/includes/classes/traits/file-box.php

-                      r3145628
+                      r3321992
 namespace Groundhogg\Classes\Traits;
+use WP_Error;
 use function Groundhogg\convert_to_local_time;
 use function Groundhogg\encrypt;
 …
     /**
+     * Return the list of allowed mimes for this object
+     *
+     * @return array
+     */
+    public function get_allowed_mime_types() {
+        $allowed_mimes = get_allowed_mime_types();
+        return apply_filters( "groundhogg/{$this->get_object_type()}/allowed_mimes", $allowed_mimes );
+    }
+    /**
      * Upload a file
+     *
 …
     public function upload_file( &$file ) {
+        if ( ! isset_not_empty( $file, 'name' ) ) {
+            return new \WP_Error( 'invalid_file_name', __( 'Invalid file name.', 'groundhogg' ) );
+        }
+        $file['name'] = sanitize_file_name( $file['name'] );
+        $upload_overrides = array( 'test_form' => false );
+        if ( ! function_exists( 'wp_handle_upload' ) ) {
+        $folder = $this->get_uploads_folder_subdir() . DIRECTORY_SEPARATOR . $this->get_upload_folder_basename();
+        $result = files()->safe_file_upload( $file, $this->get_allowed_mime_types(), $folder );
+        return $result;
+    }
+    /**
+     * Copy a file given an uploaded URL
+     *
+     * @param string $url_or_path path or url of asset to upload
+     * @param bool $delete_tmp whether to delete the temp file after
+     *
+     * @return array|string[]|\WP_Error
+     */
+    public function copy_file( $url_or_path, $delete_tmp = true ) {
+        if ( ! function_exists( 'download_url' ) ) {
             require_once( ABSPATH . '/wp-admin/includes/file.php' );
+        }
-        $this->get_uploads_folder();
-        add_filter( 'upload_dir', [ $this, 'map_upload' ] );
-        $mfile = wp_handle_upload( $file, $upload_overrides );
-        remove_filter( 'upload_dir', [ $this, 'map_upload' ] );
-        if ( isset_not_empty( $mfile, 'error' ) ) {
-            return new \WP_Error( 'bad_upload', __( 'Unable to upload file.', 'groundhogg' ) );
+        }
-        return $mfile;
+    }
-    /**
-     * Copy a file given an uploaded URL
+     *
-     * @param string $url        url of the file to copy
-     * @param bool   $delete_tmp whether to delete the tgemp file after
+     *
-     * @return bool
-     */
-    public function copy_file( $url_or_path, $delete_tmp = true ) {
-        if ( ! function_exists( 'download_url' ) ) {
-            require_once ABSPATH . '/wp-admin/includes/file.php';
+        }
-        // File cannot be copied
         if ( ! is_copyable_file( $url_or_path ) ) {
+            return false;
+        }
+        // path given
+        if ( file_exists( $url_or_path ) ) {
+            $tmp_file = $url_or_path;
+            // if using path, force false
+            $delete_tmp = false;
+        } else {
+            // We should only be doing this for files which are already uploaded to the server,
+            // We should reject urls for sites that aren't this one
+            if ( get_hostname( $url_or_path ) !== get_hostname() ) {
+                return false;
+            }
+            add_filter( 'https_local_ssl_verify', '__return_false' );
+            add_filter( 'https_ssl_verify', '__return_false' );
+            $tmp_file = download_url( $url_or_path, 300, false );
+            if ( is_wp_error( $tmp_file ) ) {
+                return false;
+            }
+        }
+        if ( ! is_dir( $this->get_uploads_folder() ['path'] ) ) {
+            mkdir( $this->get_uploads_folder() ['path'] );
+        }
+        try {
+            copy( $tmp_file, $this->get_uploads_folder()['path'] . '/' . basename( $url_or_path ) );
+        } catch ( \Exception $e ) {
+        }
+        if ( $delete_tmp ) {
+            @unlink( $tmp_file );
+        }
+        return true;
+            return new WP_Error( 'not_copyable', 'This file can\'t be uploaded.' );
+        }
+        $file = [
+            'name'     => wp_basename( $url_or_path ),
+            // Original filename on the user's system
+            'tmp_name' => file_exists( $url_or_path ) ? $url_or_path : download_url( $url_or_path ),
+            // Temporary filename on the server
+        ];
+        $folder = $this->get_uploads_folder_subdir() . DIRECTORY_SEPARATOR . $this->get_upload_folder_basename();
+        $result = files()->safe_file_sideload( $file, $this->get_allowed_mime_types(), $folder );
+        if ( is_wp_error( $result ) ) {
+            @unlink( $file['tmp_name'] );
+        }
+        return $result;
+    }
 …
+    }
     public function get_uploads_folder_subdir(){
+    public function get_uploads_folder_subdir() {
         return $this->get_object_type() . 's';
+    }
 …
         // Might have to create the directory
         if ( ! is_dir( $uploads_dir['path'] ) ){
+        if ( ! is_dir( $uploads_dir['path'] ) ) {
             wp_mkdir_p( $uploads_dir['path'] );
+        }

groundhogg/tags/4.2.2/includes/contact-query.php

-                      r3320187
+                      r3321992
             $activityQuery->where()->compare( "$alias.meta_value", $value, $compare );
+        }
+    }
+    /**
+     * Filter by the custom activity
+     *
+     * @param       $filter
+     * @param Where $where
+     *
+     * @return void
+     */
+    public static function filter_form_submissions( $filter, Where $where ) {
+        $filter = wp_parse_args( $filter, [
+            'step_id'      => '',
+            'form_type'    => '',
+            'name'         => '',
+            'meta_filters' => []
+        ] );
+        $submissionQuery = new Table_Query( 'submissions' );
+        $submissionQuery->setSelect( 'contact_id' );
+        if ( ! empty( $filter['step_id'] ) ) {
+            $submissionQuery->where->equals( 'step_id', $filter['step_id'] );
+        }
+        if ( ! empty( $filter['form_type'] ) ) {
+            $submissionQuery->where->equals( 'type', $filter['form_type'] );
+        }
+        Filters::mysqlDateTime( 'date_created', $filter, $submissionQuery->where() );
+        foreach ( $filter['meta_filters'] as $metaFilter ) {
+            [ 0 => $key, 1 => $compare, 2 => $value ] = $metaFilter;
+            if ( ! $key || ! $compare ) {
+                continue;
+            }
+            $alias = $submissionQuery->joinMeta( $key );
+            $submissionQuery->where()->compare( "$alias.meta_value", $value, $compare );
+        }
+        $where->in( 'ID', $submissionQuery );
+    }

groundhogg/tags/4.2.2/includes/functions.php

-                      r3320187
+                      r3321992
                 // passed path as the value
                 if ( file_exists( $value ) ) {
                     $files[ $column ] = $value;
+                    $copy[] = $value;
                 } // Get from $_FILES
                 else if ( isset_not_empty( $_FILES, $column ) ) {
 …
  */
 function is_copyable_file( $file ) {
+    return file_exists( $file ) || get_hostname( $file ) === get_hostname();
+    // the file exists on the server
+    if ( file_exists( $file ) ) {
+        // no streams allowed here, only absolute paths
+        return ! str_contains( $file, '://' );
+    }
+    // if a url was provided using https:// check that the file is hosted locally first
+    return get_hostname( $file ) === get_hostname();
+}
 …
 /**
  * Add a filter that removes itself after being called once
+ * Alias for add_filter_use_once
+ *
  * @param string   $filter
 …
  */
 function add_self_removing_filter( string $filter, callable $callback, int $priority = 10, int $args = 1 ) {
+    _deprecated_function( __FUNCTION__, '4.2', __NAMESPACE__ . '\add_filter_use_once' );
+    return add_filter_use_once( $filter, $callback, $priority, $args );
+}
+/**
+ * Add a filter that removes itself after being called once
+ *
+ * @param string   $filter
+ * @param callable $callback
+ * @param int      $priority
+ * @param int      $args
+ *
+ * @return bool
+ */
+function add_filter_use_once( string $filter, callable $callback, int $priority = 10, int $args = 1 ) {
     $callbackWrapper = function ( ...$args ) use ( &$callbackWrapper, $filter, $callback, $priority ) {

groundhogg/tags/4.2.2/includes/rewrites.php

-                      r3145628
+                      r3321992
                 exit();
                 break;
             case 'files':
 …
                 $file_path       = wp_normalize_path( $groundhogg_path . DIRECTORY_SEPARATOR . $short_path );
+                if ( ! $file_path || ! file_exists( $file_path ) || ! is_file( $file_path ) ) {
+                // guard against ../../ traversal attack
+                if ( ! $file_path || ! file_exists( $file_path ) || ! is_file( $file_path ) || ! Files::is_file_within_directory( $file_path, $groundhogg_path ) ) {
                     wp_die( 'The requested file was not found.', 'File not found.', [ 'status' => 404 ] );
+                }

groundhogg/tags/4.2.2/includes/utils/files.php

-                      r3264477
+                      r3321992
      * @param string $subdir
      * @param string $file_path
      * @param bool $create_folders
+     * @param bool   $create_folders
+     *
      * @return string
 …
+    }
+    /**
+     * @var array
+     */
+    protected $uploads_path = [];
+    /**
+     * Change the default upload directory
+     *
+     * @param $param
+     *
+     * @return mixed
+     */
+    public function files_upload_dir( $param ) {
+        $param['path']   = $this->uploads_path['path'];
+        $param['url']    = $this->uploads_path['url'];
+        $param['subdir'] = $this->uploads_path['subdir'];
+        return $param;
+    }
+    /**
+     * Initialize the base upload path
+     *
+     * @param string $where
+     */
+    private function set_uploads_path( $where='imports' ) {
+        $this->uploads_path['subdir'] = Plugin::$instance->utils->files->get_base_uploads_dir();
+        $this->uploads_path['path']   = Plugin::$instance->utils->files->get_uploads_dir( $where, '', true );
+        $this->uploads_path['url']    = Plugin::$instance->utils->files->get_uploads_dir( $where, '', true );
+    function is_allowed_stream( $file ) {
+        $allowed_streams = [
+            'https:',
+            'http:',
+        ];
+    }
+    /**
+     * Sideload a file
+     *
+     * @param $file               array from constructed to resemble something from $_FILES
+     * @param $allowed_mime_types array list of allowed mime types for this upload
+     * @param $folder             string the folder to upload to within the /wp-content/uploads/groundhogg directory
+     *
+     * @return array|string[]|WP_Error
+     *
+     * @see wp_check_filetype_and_ext()
+     * @see get_allowed_mime_types()
+     */
+    function safe_file_sideload( &$file, $allowed_mime_types, $folder ) {
+        $uploads_dir = wp_get_upload_dir();
+        // given local path to a file, only allow sideloading within the uploads directory
+        // protects against ../../ traversal attack
+        if ( file_exists( $file['tmp_name'] ) && ! self::is_file_within_directory( $file['tmp_name'], $uploads_dir['basedir'] ) ) {
+            return new WP_Error( 'nope', 'File upload not allowed.' );
+        }
+        return $this->safe_file_upload( $file, $allowed_mime_types, $folder, true );
+    }
+    /**
+     * Upload a file safely
+     *
+     * @param $file               array from $_FILES
+     * @param $allowed_mime_types array list of allowed mime types for this upload
+     * @param $folder             string the folder to upload to within the /wp-content/uploads/groundhogg directory
+     *
+     * @return array|string[]|WP_Error
+     *
+     * @see wp_check_filetype_and_ext()
+     * @see get_allowed_mime_types()
+     */
+    function safe_file_upload( &$file, $allowed_mime_types, $folder, $sideload = false ) {
+        if ( ! function_exists( '_wp_handle_upload' ) ) {
+            require_once( ABSPATH . '/wp-admin/includes/file.php' );
+        }
+        // do some basic checks on the file content to test for malicious content
+        if ( self::is_malicious( $file['tmp_name'], $file['name'] ) ) {
+            return new WP_Error( 'file_upload_malicious', 'Potentially malicious upload detected.' );
+        }
+        $upload_overrides = [
+            'test_form' => false,
+            'test_size' => true,
+            'test_type' => true,
+            'mimes'     => $allowed_mime_types,
+        ];
+        $path = $this->get_uploads_dir( $folder );
+        $url  = $this->get_uploads_url( $folder );
+        $change_upload_dir = fn( $uploads ) => array_merge( $uploads, [
+            'path'    => $path,
+            'url'     => $url,
+            'subdir'  => basename( $path ),
+            'basedir' => dirname( $path ),
+            'baseurl' => dirname( $url ),
+        ] );
+        add_filter( 'upload_dir', $change_upload_dir );
+        $result = _wp_handle_upload(
+            $file,
+            $upload_overrides,
+            null,
+            $sideload ? 'wp_handle_sideload' : 'wp_handle_upload'
+        );
+        remove_filter( 'upload_dir', $change_upload_dir );
+        if ( isset( $result['error'] ) ) {
+            return new WP_Error( 'file_upload_failed', $result['error'] );
+        }
+        return $result;
+    }
 …
      * @return array|bool|WP_Error
      */
+    function upload( &$file, $where='imports' ) {
+        $upload_overrides = array( 'test_form' => false );
+        if ( ! function_exists( 'wp_handle_upload' ) ) {
+            require_once( ABSPATH . '/wp-admin/includes/file.php' );
+        }
+        $this->set_uploads_path( $where );
+        add_filter( 'upload_dir', array( $this, 'files_upload_dir' ) );
+        $mfile = wp_handle_upload( $file, $upload_overrides );
+        remove_filter( 'upload_dir', array( $this, 'files_upload_dir' ) );
+        if ( isset( $mfile['error'] ) ) {
+            if ( empty( $mfile['error'] ) ) {
+                $mfile['error'] = _x( 'Could not upload file.', 'error', 'groundhogg' );
+    function upload( &$file, $where = 'imports' ) {
+        return $this->safe_file_upload( $file, get_allowed_mime_types(), $where );
+    }
+    /**
+     * Check if a file path is strictly inside a base directory.
+     *
+     * @param string $file_path Absolute path to the file.
+     * @param string $base_dir  Absolute base directory to restrict access to.
+     *
+     * @return bool True if the file is inside the base directory, false otherwise.
+     */
+    static public function is_file_within_directory( string $file_path, string $base_dir ): bool {
+        $file_path_real = realpath( $file_path );
+        $base_dir_real  = realpath( $base_dir );
+        if ( ! $file_path_real || ! $base_dir_real ) {
+            return false;
+        }
+        $file_path_real = wp_normalize_path( $file_path_real );
+        $base_dir_real  = wp_normalize_path( rtrim( $base_dir_real, '/' ) );
+        return str_starts_with( $file_path_real, $base_dir_real . '/' );
+    }
+    /**
+     * Basic check for potentially malicious file content.
+     *
+     * @param string $filepath Path to the file on disk.
+     *
+     * @return bool True if the file appears malicious, false otherwise.
+     */
+    static public function is_malicious( string $filepath, string $filename ): bool {
+        // Fail safe: unreadable or missing file
+        if ( ! file_exists( $filepath ) || ! is_readable( $filepath ) ) {
+            return true;
+        }
+        // Block known dangerous filenames
+        $basename          = strtolower( basename( $filename ) );
+        $blocked_filenames = [
+            '.htaccess',
+            '.user.ini',
+            'php.ini',
+            'web.config',
+            '.env',
+        ];
+        if ( in_array( $basename, $blocked_filenames, true ) ) {
+            return true;
+        }
+        // Read the first part of the file
+        $bytes = file_get_contents( $filepath, false, null, 0, 2048 );
+        if ( $bytes === false ) {
+            return true;
+        }
+        $bytes = strtolower( $bytes );
+        // Look for dangerous patterns
+        $danger_signatures = [
+            '<?php',               // Executable PHP
+            '__halt_compiler()',  // PHAR stub
+            'phar://',            // PHAR stream reference
+            'base64_decode',      // Obfuscation
+            'eval(',              // Dynamic execution
+            'shell_exec',         // Command execution
+            'passthru',           // Another dangerous system function
+        ];
+        foreach ( $danger_signatures as $needle ) {
+            if ( strpos( $bytes, $needle ) !== false ) {
+                return true;
+            }
+            return new WP_Error( 'BAD_UPLOAD', $mfile['error'] );
+        }
+        return $mfile;
+        }
+        return false;
+    }

groundhogg/trunk/README.txt

-                      r3320187
+                      r3321992
 Tested up to: 6.8
 Requires PHP: 7.1
 Stable tag: 4.2.1
+Stable tag: 4.2.2
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl.md
 …
 == Changelog ==
+= 4.2.2 (2025-07-03) =
+* FIXED User ID not syncing.
+* FIXED Arbitrary file upload vulnerability. Credit to Patchstack for practicing responsible disclosure.
 = 4.2.1 (2025-06-30) =

groundhogg/trunk/admin/contacts/cards/user.php

-                      r3029787
+                      r3321992
  * @var $contact \Groundhogg\Contact
  */
+/* Auto link the account before we see the create account form. */
+$contact->auto_link_account();
 if ( $contact->get_userdata() ):

groundhogg/trunk/admin/contacts/parts/contact-editor.php

-                      r3209982
+                      r3321992
  * @var $contact Contact
  */
-//var_dump( $contact );
-/* Auto link the account before we see the create account form. */
-$contact->auto_link_account();
 $tabs = [

groundhogg/trunk/admin/tools/tools-page.php

-                      r3320187
+                      r3321992
 use Groundhogg\DB\Query\Table_Query;
 use Groundhogg\Extension_Upgrader;
+use Groundhogg\Files;
 use Groundhogg\License_Manager;
 use Groundhogg\Plugin;
 …
 class Tools_Page extends Tabbed_Admin_Page {
-    protected $uploads_path = [];
     /**
      * @var \Groundhogg\Bulk_Jobs\Import_Contacts
 …
+        }
+        $file = get_array_var( $_FILES, 'import_file' );
+        $validate = wp_check_filetype( $file['name'], [ 'csv' => 'text/csv' ] );
+        if ( $validate['ext'] !== 'csv' || $validate['type'] !== 'text/csv' ) {
+            return new WP_Error( 'invalid_csv', sprintf( 'Please upload a valid CSV. Expected mime type of <i>text/csv</i> but got <i>%s</i>', esc_html( $file['type'] ) ) );
+        }
+        $file['name'] = wp_unique_filename( files()->get_csv_imports_dir(), $file['name'] );
+        $result = $this->handle_file_upload( $file );
+        $file = $_FILES['import_file'];
+        $result = files()->safe_file_upload( $file, [
+            'csv' => 'text/csv',
+        ], 'imports' );
         if ( is_wp_error( $result ) ) {
-            if ( is_multisite() ) {
-                return new WP_Error( 'multisite_add_csv', 'Could not import because CSV is not an allowed file type on this subsite. Please add CSV to the list of allowed file types in the network settings.' );
+            }
             return $result;
+        }
 …
             'action' => 'map',
             'tab'    => 'import',
             'import' => urlencode( basename( $result['file'] ) ),
+            'import' => urlencode( basename( $result['path'] ) ),
         ] ) );
+    }
-    /**
-     * Upload a file to the Groundhogg file directory
+     *
-     * @param $file array
-     * @param $config
+     *
-     * @return array|bool|WP_Error
-     */
-    private function handle_file_upload( $file ) {
-        $upload_overrides = array( 'test_form' => false );
-        if ( ! function_exists( 'wp_handle_upload' ) ) {
-            require_once( ABSPATH . '/wp-admin/includes/file.php' );
+        }
-        $this->set_uploads_path();
-        add_filter( 'upload_dir', array( $this, 'files_upload_dir' ) );
-        $mfile = wp_handle_upload( $file, $upload_overrides );
-        remove_filter( 'upload_dir', array( $this, 'files_upload_dir' ) );
-        if ( isset( $mfile['error'] ) ) {
-            if ( empty( $mfile['error'] ) ) {
-                $mfile['error'] = _x( 'Could not upload file.', 'error', 'groundhogg' );
+            }
-            return new WP_Error( 'BAD_UPLOAD', $mfile['error'] );
+        }
-        return $mfile;
+    }
-    /**
-     * Change the default upload directory
+     *
-     * @param $param
+     *
-     * @return mixed
-     */
-    public function files_upload_dir( $param ) {
-        $param['path']   = $this->uploads_path['path'];
-        $param['url']    = $this->uploads_path['url'];
-        $param['subdir'] = $this->uploads_path['subdir'];
-        return $param;
+    }
-    /**
-     * Initialize the base upload path
-     */
-    private function set_uploads_path() {
-        $this->uploads_path['subdir'] = Plugin::$instance->utils->files->get_base_uploads_dir();
-        $this->uploads_path['path']   = Plugin::$instance->utils->files->get_csv_imports_dir();
-        $this->uploads_path['url']    = Plugin::$instance->utils->files->get_csv_imports_url();
+    }
 …
         $file_path       = wp_normalize_path( $groundhogg_path . DIRECTORY_SEPARATOR . $short_path );
+        if ( ! $file_path || ! file_exists( $file_path ) || ! is_file( $file_path ) ) {
+        // guard against ../../ traversal attack
+        if ( ! $file_path || ! file_exists( $file_path ) || ! is_file( $file_path ) || ! Files::is_file_within_directory( $file_path, $groundhogg_path ) ) {
             wp_die( 'The requested file was not found.', 'File not found.', [ 'status' => 404 ] );
+        }

groundhogg/trunk/api/v4/files-api.php

-                      r2507120
+                      r3321992
         register_rest_route( self::NAME_SPACE, "/files/exports", [
+            [
                 'methods'             => WP_REST_Server::CREATABLE,
                 'callback'            => [ $this, 'create_exports' ],
                 'permission_callback' => [ $this, 'create_exports_permissions_callback' ]
             ],
+//          [
+//              'methods'             => WP_REST_Server::CREATABLE,
+//              'callback'            => [ $this, 'create_exports' ],
+//              'permission_callback' => [ $this, 'create_exports_permissions_callback' ]
+//          ],
+            [
                 'methods'             => WP_REST_Server::READABLE,
 …
         foreach ( $_FILES as $FILE ) {
+            $validate = wp_check_filetype( $FILE['name'], [ 'csv' => 'text/csv' ] );
+            if ( $validate['ext'] !== 'csv' || $validate['text/csv'] ) {
+                return self::ERROR_500( 'invalid_csv', sprintf( 'Please upload a valid CSV. Expected mime type of <i>text/csv</i> but got <i>%s</i>', esc_html( $FILE['type'] ) ) );
+            }
+            $file_name = str_replace( '.csv', '', $FILE['name'] );
+            $file_name .= '-' . current_time( 'mysql', true ) . '.csv';
+            $FILE['name'] = sanitize_file_name( $file_name );
+            $result = files()->upload( $FILE, 'imports' );
+            $result = files()->safe_file_upload( $FILE, [
+                'csv' => 'text/csv'
+            ], 'imports' );
             if ( is_wp_error( $result ) ) {

groundhogg/trunk/assets/js/admin/filters/contacts.js

-                      r3264477
+                      r3321992
     Input,
     Div,
+    makeEl
+    makeEl,
+    InputRepeater
   } = MakeEl
 …
   ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory('current_time', 'Current Time', 'time', ( time ) => formatTime(`2000-01-01T${time}`) ))
+  registerFilterGroup( 'submissions', 'Submissions' )
+  ContactFilterRegistry.registerFilter( createPastDateFilter( 'form_submissions', 'Form Submissions', 'submissions', {
+    edit: ({
+      form_id = '',
+      form_type = '',
+      meta_filters = [],
+      updateFilter = () => {}
+    }) => {
+      return Fragment([
+        Input({
+          placeholder: 'ID',
+          id: 'form_id',
+          name: 'form_id',
+          value: form_id,
+          onChange: e => updateFilter({
+            form_id: e.target.value
+          })
+        }),
+        Input({
+          placeholder: 'Type',
+          id: 'type',
+          name: 'type',
+          value: form_type,
+          onChange: e => updateFilter({
+            form_type: e.target.value
+          })
+        }),
+        `<label>${ __('Filter by submission meta', 'groundhogg') }</label>`,
+        InputRepeater({
+          id: 'submission-meta-filters',
+          rows: meta_filters,
+          cells: [
+            props => Input({...props, placeholder: 'Key'}),
+            ({
+              value,
+              ...props
+            }) => Select({
+              selected: value,
+              options : AllComparisons,
+              ...props,
+            }),
+            props => Input({...props, placeholder: 'Value'}),
+          ],
+          fillRow: () => [
+            '',
+            'equals',
+            ''
+          ],
+          onChange: rows => {
+            updateFilter({
+              meta_filters: rows
+            })
+          }
+        })
+      ])
+    }
+  } ) )
   if (!Groundhogg.filters) {
     Groundhogg.filters = {}

groundhogg/trunk/assets/js/admin/filters/contacts.min.js

-                      r3264477
+                      r3321992
 (function($){const{input,select,orList,andList,bold,inputRepeater}=Groundhogg.element;const{broadcastPicker,funnelPicker,tagPicker,emailPicker,linkPicker,metaValuePicker,metaPicker,userMetaPicker}=Groundhogg.pickers;const{assoc2array}=Groundhogg.functions;const{broadcasts:BroadcastsStore,emails:EmailsStore,tags:TagsStore,funnels:FunnelsStore,searches:SearchesStore}=Groundhogg.stores;const{sprintf,__,_x,_n}=wp.i18n;const{formatDate,formatDateTime,formatTime}=Groundhogg.formatting;const{Fragment,ItemPicker,Select,Input,Div,makeEl}=MakeEl;const{Filters,FilterRegistry,createFilter,createGroup,FilterDisplay,createDateFilter,createPastDateFilter,createStringFilter,createNumberFilter,createTimeFilter,unsubReasons}=Groundhogg.filters;const{ComparisonsTitleGenerators,AllComparisons,StringComparisons,NumericComparisons,pastDateRanges,futureDateRanges,allDateRanges}=Groundhogg.filters.comparisons;const ContactFilterRegistry=FilterRegistry({});const uid=function(){return Date.now().toString(36)+Math.random().toString(36).substring(2)};const createFilters=(el="",filters=[],onChange=f=>{console.log(f)})=>({el:el,onChange:onChange,filters:Array.isArray(filters)?filters:[],id:uid(),init(){this.mount()},mount(){let container=document.querySelector(el);container.innerHTML="";document.querySelector(el).appendChild(ContactFilters(this.id,this.filters,this.onChange))}});const ContactFilters=(id,filters,onChange)=>Filters({id:id,filterRegistry:ContactFilterRegistry,filters:filters,onChange:onChange});const ContactFilterDisplay=filters=>FilterDisplay({filters:filters,filterRegistry:ContactFilterRegistry});const registerFilterGroup=(group,name)=>{ContactFilterRegistry.registerGroup(createGroup(group,name))};const registerFilter=(type,group="general",name="",opts={})=>{if(typeof name==="object"){let tempOpts=name;name=tempOpts.name;opts=tempOpts}const{defaults:defaults={},preload:preload=()=>{},view:view=()=>"",edit:edit=()=>"",onMount:onMount=()=>""}=opts;ContactFilterRegistry.registerFilter(createFilter(type,name,group,{display:view,preload:preload,edit:({updateFilter,...filter})=>Fragment([edit(filter)],{onCreate:el=>{setTimeout(()=>{onMount(filter,updateFilter)},50)}})},defaults))};const standardActivityDateFilterOnMount=(filter,updateFilter)=>{$("#filter-date-range, #filter-before, #filter-after, #filter-days").on("change",function(e){const $el=$(this);updateFilter({[$el.prop("name")]:$el.val()});if($el.prop("name")==="date_range"){const $before=$("#filter-before");const $after=$("#filter-after");const $days=$("#filter-days");$before.addClass("hidden");$after.addClass("hidden");$days.addClass("hidden");switch($el.val()){case"between":$before.removeClass("hidden");$after.removeClass("hidden");break;case"day_of":case"after":$after.removeClass("hidden");break;case"before":$before.removeClass("hidden");break;case"x_days":$days.removeClass("hidden");break}}})};const standardActivityDateTitle=(prepend,{date_range,before,after,days:days=0,future:future=false})=>{let ranges=future?futureDateRanges:pastDateRanges;switch(date_range){default:return`${prepend} ${ranges[date_range]?ranges[date_range].replace("X",days).toLowerCase():""}`;case"between":return`${prepend} ${sprintf(_x("between %1$s and %2$s","where %1 and %2 are dates","groundhogg"),`<b>${formatDate(after)}</b>`,`<b>${formatDate(before)}</b>`)}`;case"before":return`${prepend} ${sprintf(_x("before %s","%s is a date","groundhogg"),`<b>${formatDate(before)}</b>`)}`;case"after":return`${prepend} ${sprintf(_x("after %s","%s is a date","groundhogg"),`<b>${formatDate(after)}</b>`)}`;case"day_of":return`${prepend} ${sprintf(_x("on %s","%s is a date","groundhogg"),`<b>${formatDate(after)}</b>`)}`}};const standardActivityDateOptions=({date_range:date_range="24_hours",after:after="",before:before="",days:days=0,future:future=false})=>{return[select({id:"filter-date-range",name:"date_range"},future?futureDateRanges:pastDateRanges,date_range),input({type:"date",value:after.split(" ")[0],id:"filter-after",className:`date ${["between","after","day_of"].includes(date_range)?"":"hidden"}`,name:"after"}),input({type:"date",value:before.split(" ")[0],id:"filter-before",className:`value ${["between","before"].includes(date_range)?"":"hidden"}`,name:"before"}),input({type:"number",value:days,id:"filter-days",min:0,className:`value ${["x_days","next_x_days"].includes(date_range)?"":"hidden"}`,name:"days"})].join("")};const standardActivityDateDefaults={date_range:"any",before:"",after:"",count:1,days:0};const filterCountDefaults={count:1,count_compare:"greater_than_or_equal_to"};const activityFilterComparisons={equals:_x("Exactly","comparison","groundhogg"),less_than:_x("Less than","comparison","groundhogg"),greater_than:_x("More than","comparison","groundhogg"),less_than_or_equal_to:_x("At most","comparison","groundhogg"),greater_than_or_equal_to:_x("At least","comparison","groundhogg")};const filterCount=({count,count_compare})=>{return`
+(function($){const{input,select,orList,andList,bold,inputRepeater}=Groundhogg.element;const{broadcastPicker,funnelPicker,tagPicker,emailPicker,linkPicker,metaValuePicker,metaPicker,userMetaPicker}=Groundhogg.pickers;const{assoc2array}=Groundhogg.functions;const{broadcasts:BroadcastsStore,emails:EmailsStore,tags:TagsStore,funnels:FunnelsStore,searches:SearchesStore}=Groundhogg.stores;const{sprintf,__,_x,_n}=wp.i18n;const{formatDate,formatDateTime,formatTime}=Groundhogg.formatting;const{Fragment,ItemPicker,Select,Input,Div,makeEl,InputRepeater}=MakeEl;const{Filters,FilterRegistry,createFilter,createGroup,FilterDisplay,createDateFilter,createPastDateFilter,createStringFilter,createNumberFilter,createTimeFilter,unsubReasons}=Groundhogg.filters;const{ComparisonsTitleGenerators,AllComparisons,StringComparisons,NumericComparisons,pastDateRanges,futureDateRanges,allDateRanges}=Groundhogg.filters.comparisons;const ContactFilterRegistry=FilterRegistry({});const uid=function(){return Date.now().toString(36)+Math.random().toString(36).substring(2)};const createFilters=(el="",filters=[],onChange=f=>{console.log(f)})=>({el:el,onChange:onChange,filters:Array.isArray(filters)?filters:[],id:uid(),init(){this.mount()},mount(){let container=document.querySelector(el);container.innerHTML="";document.querySelector(el).appendChild(ContactFilters(this.id,this.filters,this.onChange))}});const ContactFilters=(id,filters,onChange)=>Filters({id:id,filterRegistry:ContactFilterRegistry,filters:filters,onChange:onChange});const ContactFilterDisplay=filters=>FilterDisplay({filters:filters,filterRegistry:ContactFilterRegistry});const registerFilterGroup=(group,name)=>{ContactFilterRegistry.registerGroup(createGroup(group,name))};const registerFilter=(type,group="general",name="",opts={})=>{if(typeof name==="object"){let tempOpts=name;name=tempOpts.name;opts=tempOpts}const{defaults:defaults={},preload:preload=()=>{},view:view=()=>"",edit:edit=()=>"",onMount:onMount=()=>""}=opts;ContactFilterRegistry.registerFilter(createFilter(type,name,group,{display:view,preload:preload,edit:({updateFilter,...filter})=>Fragment([edit(filter)],{onCreate:el=>{setTimeout(()=>{onMount(filter,updateFilter)},50)}})},defaults))};const standardActivityDateFilterOnMount=(filter,updateFilter)=>{$("#filter-date-range, #filter-before, #filter-after, #filter-days").on("change",function(e){const $el=$(this);updateFilter({[$el.prop("name")]:$el.val()});if($el.prop("name")==="date_range"){const $before=$("#filter-before");const $after=$("#filter-after");const $days=$("#filter-days");$before.addClass("hidden");$after.addClass("hidden");$days.addClass("hidden");switch($el.val()){case"between":$before.removeClass("hidden");$after.removeClass("hidden");break;case"day_of":case"after":$after.removeClass("hidden");break;case"before":$before.removeClass("hidden");break;case"x_days":$days.removeClass("hidden");break}}})};const standardActivityDateTitle=(prepend,{date_range,before,after,days:days=0,future:future=false})=>{let ranges=future?futureDateRanges:pastDateRanges;switch(date_range){default:return`${prepend} ${ranges[date_range]?ranges[date_range].replace("X",days).toLowerCase():""}`;case"between":return`${prepend} ${sprintf(_x("between %1$s and %2$s","where %1 and %2 are dates","groundhogg"),`<b>${formatDate(after)}</b>`,`<b>${formatDate(before)}</b>`)}`;case"before":return`${prepend} ${sprintf(_x("before %s","%s is a date","groundhogg"),`<b>${formatDate(before)}</b>`)}`;case"after":return`${prepend} ${sprintf(_x("after %s","%s is a date","groundhogg"),`<b>${formatDate(after)}</b>`)}`;case"day_of":return`${prepend} ${sprintf(_x("on %s","%s is a date","groundhogg"),`<b>${formatDate(after)}</b>`)}`}};const standardActivityDateOptions=({date_range:date_range="24_hours",after:after="",before:before="",days:days=0,future:future=false})=>{return[select({id:"filter-date-range",name:"date_range"},future?futureDateRanges:pastDateRanges,date_range),input({type:"date",value:after.split(" ")[0],id:"filter-after",className:`date ${["between","after","day_of"].includes(date_range)?"":"hidden"}`,name:"after"}),input({type:"date",value:before.split(" ")[0],id:"filter-before",className:`value ${["between","before"].includes(date_range)?"":"hidden"}`,name:"before"}),input({type:"number",value:days,id:"filter-days",min:0,className:`value ${["x_days","next_x_days"].includes(date_range)?"":"hidden"}`,name:"days"})].join("")};const standardActivityDateDefaults={date_range:"any",before:"",after:"",count:1,days:0};const filterCountDefaults={count:1,count_compare:"greater_than_or_equal_to"};const activityFilterComparisons={equals:_x("Exactly","comparison","groundhogg"),less_than:_x("Less than","comparison","groundhogg"),greater_than:_x("More than","comparison","groundhogg"),less_than_or_equal_to:_x("At most","comparison","groundhogg"),greater_than_or_equal_to:_x("At least","comparison","groundhogg")};const filterCount=({count,count_compare})=>{return`
         <div class="space-between" style="gap: 10px">
             <div class="gh-input-group">
 …
                   </div>
               </div>
           `,filterCount(filter),standardActivityDateOptions(filter)].join("")},onMount(filter,updateFilter){onMount(filter,updateFilter);$("#filter-value,#filter-value-compare").on("change",e=>{updateFilter({[e.target.name]:e.target.value})});filterCountOnMount(updateFilter);standardActivityDateFilterOnMount(filter,updateFilter)},defaults:{...defaults,...standardActivityDateDefaults,...filterCountDefaults,value:0,value_compare:"greater_than_or_equal_to"},...rest})};registerActivityFilterWithValue("custom_activity","activity",__("Custom Activity","groundhogg"),{view:({activity})=>`<b>${activity}</b>`,edit:({activity,...filter})=>{return[input({id:"filter-activity-type",name:"activity",value:activity,placeholder:"custom_activity"}),`<label>${__("Filter by activity meta","groundhogg")}</label>`,`<div id="custom-activity-meta-filters"></div>`].join("")},onMount(filter,updateFilter){$("#filter-activity-type").on("input",e=>{updateFilter({activity:e.target.value})});let{meta_filters:meta_filters=[]}=filter;inputRepeater("#custom-activity-meta-filters",{rows:meta_filters,cells:[props=>input({placeholder:"Key",className:"input",...props}),({value,...props})=>select({selected:value,options:AllComparisons,...props}),props=>input({placeholder:"Value",className:"input",...props})],addRow:()=>["","equals",""],onChange:rows=>{updateFilter({meta_filters:rows})}}).mount()},defaults:{activity:"",meta_filters:[]}});registerFilterGroup("query","Query");registerFilter("saved_search","query",__("Saved Search"),{view:({compare:compare="in",search})=>{return sprintf(__("Is %s search %s"),compare==="in"?"in":"not in",bold(SearchesStore.get(search)?.name))},edit:({compare})=>{return[select({name:"filter_compare",id:"filter-compare",options:{in:__("In"),not_in:__("Not in")},selected:compare}),select({name:"filter_search",id:"filter-search"})].join("")},onMount:({search},updateFilter)=>{SearchesStore.maybeFetchItems().then(items=>{$("#filter-search").select2({data:[{id:"",text:""},...items.map(({id,name})=>({id:id,text:name,selected:id===search}))],placeholder:__("Type to search...")}).on("change",e=>{updateFilter({search:e.target.value})})});$("#filter-compare").on("change",e=>{updateFilter({compare:e.target.value})})},defaults:{compare:"in",search:null},preload:({search})=>{if(!SearchesStore.hasItems()){return SearchesStore.fetchItems([])}}});ContactFilterRegistry.registerFilter(createFilter("sub_query","Sub Query","query",{display:({include_filters:include_filters=[],exclude_filters:exclude_filters=[]})=>{let texts=[ContactFilterRegistry.displayFilters(include_filters),ContactFilterRegistry.displayFilters(exclude_filters)];if(include_filters.length&&exclude_filters.length){return texts.join(' <abbr title="exclude">and exclude</abbr> ')}if(exclude_filters.length){return sprintf('<abbr title="exclude">Exclude</abbr> %s',texts[1])}if(include_filters.length){return texts[0]}throw new Error("No filters defined.")},edit:({include_filters:include_filters=[],exclude_filters:exclude_filters=[],updateFilter})=>{return Fragment([Div({className:"include-search-filters"},[Filters({id:"sub-query-filters",filters:include_filters,filterRegistry:ContactFilterRegistry,onChange:include_filters=>updateFilter({include_filters:include_filters})})]),Div({className:"exclude-search-filters"},[Filters({id:"sub-query-exclude-filters",filters:exclude_filters,filterRegistry:ContactFilterRegistry,onChange:exclude_filters=>updateFilter({exclude_filters:exclude_filters})})])])},preload:({include_filters:include_filters=[],exclude_filters:exclude_filters=[]})=>{return Promise.all([ContactFilterRegistry.preloadFilters(include_filters),ContactFilterRegistry.preloadFilters(exclude_filters)])}},{}));ContactFilterRegistry.registerFilter(createFilter("secondary_related","Is Child Of","query",{edit:({object_type:object_type="",object_id:object_id="",updateFilter})=>Fragment([Input({id:"object-type",name:"object_type",value:object_type,placeholder:"Parent Type",onInput:e=>{updateFilter({object_type:e.target.value})}}),Input({type:"number",id:"object-id",name:"object_id",value:object_id,placeholder:"Parent ID",min:0,onInput:e=>{updateFilter({object_id:e.target.value})}})]),display:({object_type,object_id})=>{if(!object_type){throw new Error("Type be defined")}if(!object_id){return`Is a child of ${object_type}`}return`Is a child of ${object_type} with ID ${object_id}`}},{object_type:"contact"}));ContactFilterRegistry.registerFilter(createFilter("primary_related","Is Parent Of","query",{edit:({object_type:object_type="",object_id:object_id="",updateFilter})=>Fragment([Input({id:"object-type",name:"object_type",value:object_type,placeholder:"Child Type",onInput:e=>{updateFilter({object_type:e.target.value})}}),Input({type:"number",id:"object-id",name:"object_id",value:object_id,placeholder:"Child ID",min:0,onInput:e=>{updateFilter({object_id:e.target.value})}})]),display:({object_type,object_id})=>{if(!object_type){throw new Error("Type must be defined")}if(!object_id){return`Is a parent of ${object_type}`}return`Is a parent of ${object_type} with ID ${object_id}`}},{object_type:"contact"}));registerFilterGroup("date","Date");const CurrentDateCompareFilterFactory=(id,name,type,formatter)=>createFilter(id,name,"date",{edit:({compare:compare="",after:after="",before:before="",updateFilter})=>Fragment([Select({id:"select-compare",selected:compare,options:{after:"After",before:"Before",between:"Between"},onChange:e=>{updateFilter({compare:e.target.value})}}),compare==="before"?null:Input({type:type,id:"after-date",name:"after_date",value:after,placeholder:"After...",onChange:e=>{updateFilter({after:e.target.value})}}),compare==="after"?null:Input({type:type,id:"before-date",name:"before_date",value:before,placeholder:"Before...",min:0,onInput:e=>{updateFilter({before:e.target.value})}})]),display:({compare:compare="",after,before})=>{let prefix=`<b>${name}</b>`;switch(compare){case"between":return ComparisonsTitleGenerators.between(prefix,formatter(after),formatter(before));case"after":return ComparisonsTitleGenerators.after(prefix,formatter(after));case"before":return ComparisonsTitleGenerators.before(prefix,formatter(before));default:throw new Error("Invalid date comparison.")}}},{compare:"between",before:"",after:""});ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_datetime","Current Date & Time","datetime-local",formatDateTime));ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_date","Current Date","date",formatDate));ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_time","Current Time","time",time=>formatTime(`2000-01-01T${time}`)));if(!Groundhogg.filters){Groundhogg.filters={}}Groundhogg.filters.ContactFilters=ContactFilters;Groundhogg.filters.ContactFilterDisplay=ContactFilterDisplay;Groundhogg.filters.ContactFilterRegistry=ContactFilterRegistry;Groundhogg.filters.functions={createFilters:createFilters,registerFilter:registerFilter,registerFilterGroup:registerFilterGroup,ComparisonsTitleGenerators:ComparisonsTitleGenerators,AllComparisons:AllComparisons,NumericComparisons:NumericComparisons,StringComparisons:StringComparisons,standardActivityDateOptions:standardActivityDateOptions,standardActivityDateTitle:standardActivityDateTitle,standardActivityDateDefaults:standardActivityDateDefaults,standardActivityDateFilterOnMount:standardActivityDateFilterOnMount,BasicTextFilter:BasicTextFilter,registerActivityFilter:registerActivityFilter,registerActivityFilterWithValue:registerActivityFilterWithValue}})(jQuery);
+          `,filterCount(filter),standardActivityDateOptions(filter)].join("")},onMount(filter,updateFilter){onMount(filter,updateFilter);$("#filter-value,#filter-value-compare").on("change",e=>{updateFilter({[e.target.name]:e.target.value})});filterCountOnMount(updateFilter);standardActivityDateFilterOnMount(filter,updateFilter)},defaults:{...defaults,...standardActivityDateDefaults,...filterCountDefaults,value:0,value_compare:"greater_than_or_equal_to"},...rest})};registerActivityFilterWithValue("custom_activity","activity",__("Custom Activity","groundhogg"),{view:({activity})=>`<b>${activity}</b>`,edit:({activity,...filter})=>{return[input({id:"filter-activity-type",name:"activity",value:activity,placeholder:"custom_activity"}),`<label>${__("Filter by activity meta","groundhogg")}</label>`,`<div id="custom-activity-meta-filters"></div>`].join("")},onMount(filter,updateFilter){$("#filter-activity-type").on("input",e=>{updateFilter({activity:e.target.value})});let{meta_filters:meta_filters=[]}=filter;inputRepeater("#custom-activity-meta-filters",{rows:meta_filters,cells:[props=>input({placeholder:"Key",className:"input",...props}),({value,...props})=>select({selected:value,options:AllComparisons,...props}),props=>input({placeholder:"Value",className:"input",...props})],addRow:()=>["","equals",""],onChange:rows=>{updateFilter({meta_filters:rows})}}).mount()},defaults:{activity:"",meta_filters:[]}});registerFilterGroup("query","Query");registerFilter("saved_search","query",__("Saved Search"),{view:({compare:compare="in",search})=>{return sprintf(__("Is %s search %s"),compare==="in"?"in":"not in",bold(SearchesStore.get(search)?.name))},edit:({compare})=>{return[select({name:"filter_compare",id:"filter-compare",options:{in:__("In"),not_in:__("Not in")},selected:compare}),select({name:"filter_search",id:"filter-search"})].join("")},onMount:({search},updateFilter)=>{SearchesStore.maybeFetchItems().then(items=>{$("#filter-search").select2({data:[{id:"",text:""},...items.map(({id,name})=>({id:id,text:name,selected:id===search}))],placeholder:__("Type to search...")}).on("change",e=>{updateFilter({search:e.target.value})})});$("#filter-compare").on("change",e=>{updateFilter({compare:e.target.value})})},defaults:{compare:"in",search:null},preload:({search})=>{if(!SearchesStore.hasItems()){return SearchesStore.fetchItems([])}}});ContactFilterRegistry.registerFilter(createFilter("sub_query","Sub Query","query",{display:({include_filters:include_filters=[],exclude_filters:exclude_filters=[]})=>{let texts=[ContactFilterRegistry.displayFilters(include_filters),ContactFilterRegistry.displayFilters(exclude_filters)];if(include_filters.length&&exclude_filters.length){return texts.join(' <abbr title="exclude">and exclude</abbr> ')}if(exclude_filters.length){return sprintf('<abbr title="exclude">Exclude</abbr> %s',texts[1])}if(include_filters.length){return texts[0]}throw new Error("No filters defined.")},edit:({include_filters:include_filters=[],exclude_filters:exclude_filters=[],updateFilter})=>{return Fragment([Div({className:"include-search-filters"},[Filters({id:"sub-query-filters",filters:include_filters,filterRegistry:ContactFilterRegistry,onChange:include_filters=>updateFilter({include_filters:include_filters})})]),Div({className:"exclude-search-filters"},[Filters({id:"sub-query-exclude-filters",filters:exclude_filters,filterRegistry:ContactFilterRegistry,onChange:exclude_filters=>updateFilter({exclude_filters:exclude_filters})})])])},preload:({include_filters:include_filters=[],exclude_filters:exclude_filters=[]})=>{return Promise.all([ContactFilterRegistry.preloadFilters(include_filters),ContactFilterRegistry.preloadFilters(exclude_filters)])}},{}));ContactFilterRegistry.registerFilter(createFilter("secondary_related","Is Child Of","query",{edit:({object_type:object_type="",object_id:object_id="",updateFilter})=>Fragment([Input({id:"object-type",name:"object_type",value:object_type,placeholder:"Parent Type",onInput:e=>{updateFilter({object_type:e.target.value})}}),Input({type:"number",id:"object-id",name:"object_id",value:object_id,placeholder:"Parent ID",min:0,onInput:e=>{updateFilter({object_id:e.target.value})}})]),display:({object_type,object_id})=>{if(!object_type){throw new Error("Type be defined")}if(!object_id){return`Is a child of ${object_type}`}return`Is a child of ${object_type} with ID ${object_id}`}},{object_type:"contact"}));ContactFilterRegistry.registerFilter(createFilter("primary_related","Is Parent Of","query",{edit:({object_type:object_type="",object_id:object_id="",updateFilter})=>Fragment([Input({id:"object-type",name:"object_type",value:object_type,placeholder:"Child Type",onInput:e=>{updateFilter({object_type:e.target.value})}}),Input({type:"number",id:"object-id",name:"object_id",value:object_id,placeholder:"Child ID",min:0,onInput:e=>{updateFilter({object_id:e.target.value})}})]),display:({object_type,object_id})=>{if(!object_type){throw new Error("Type must be defined")}if(!object_id){return`Is a parent of ${object_type}`}return`Is a parent of ${object_type} with ID ${object_id}`}},{object_type:"contact"}));registerFilterGroup("date","Date");const CurrentDateCompareFilterFactory=(id,name,type,formatter)=>createFilter(id,name,"date",{edit:({compare:compare="",after:after="",before:before="",updateFilter})=>Fragment([Select({id:"select-compare",selected:compare,options:{after:"After",before:"Before",between:"Between"},onChange:e=>{updateFilter({compare:e.target.value})}}),compare==="before"?null:Input({type:type,id:"after-date",name:"after_date",value:after,placeholder:"After...",onChange:e=>{updateFilter({after:e.target.value})}}),compare==="after"?null:Input({type:type,id:"before-date",name:"before_date",value:before,placeholder:"Before...",min:0,onInput:e=>{updateFilter({before:e.target.value})}})]),display:({compare:compare="",after,before})=>{let prefix=`<b>${name}</b>`;switch(compare){case"between":return ComparisonsTitleGenerators.between(prefix,formatter(after),formatter(before));case"after":return ComparisonsTitleGenerators.after(prefix,formatter(after));case"before":return ComparisonsTitleGenerators.before(prefix,formatter(before));default:throw new Error("Invalid date comparison.")}}},{compare:"between",before:"",after:""});ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_datetime","Current Date & Time","datetime-local",formatDateTime));ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_date","Current Date","date",formatDate));ContactFilterRegistry.registerFilter(CurrentDateCompareFilterFactory("current_time","Current Time","time",time=>formatTime(`2000-01-01T${time}`)));registerFilterGroup("submissions","Submissions");ContactFilterRegistry.registerFilter(createPastDateFilter("form_submissions","Form Submissions","submissions",{edit:({form_id:form_id="",form_type:form_type="",meta_filters:meta_filters=[],updateFilter:updateFilter=()=>{}})=>{return Fragment([Input({placeholder:"ID",id:"form_id",name:"form_id",value:form_id,onChange:e=>updateFilter({form_id:e.target.value})}),Input({placeholder:"Type",id:"type",name:"type",value:form_type,onChange:e=>updateFilter({form_type:e.target.value})}),`<label>${__("Filter by submission meta","groundhogg")}</label>`,InputRepeater({id:"submission-meta-filters",rows:meta_filters,cells:[props=>Input({...props,placeholder:"Key"}),({value,...props})=>Select({selected:value,options:AllComparisons,...props}),props=>Input({...props,placeholder:"Value"})],fillRow:()=>["","equals",""],onChange:rows=>{updateFilter({meta_filters:rows})}})])}}));if(!Groundhogg.filters){Groundhogg.filters={}}Groundhogg.filters.ContactFilters=ContactFilters;Groundhogg.filters.ContactFilterDisplay=ContactFilterDisplay;Groundhogg.filters.ContactFilterRegistry=ContactFilterRegistry;Groundhogg.filters.functions={createFilters:createFilters,registerFilter:registerFilter,registerFilterGroup:registerFilterGroup,ComparisonsTitleGenerators:ComparisonsTitleGenerators,AllComparisons:AllComparisons,NumericComparisons:NumericComparisons,StringComparisons:StringComparisons,standardActivityDateOptions:standardActivityDateOptions,standardActivityDateTitle:standardActivityDateTitle,standardActivityDateDefaults:standardActivityDateDefaults,standardActivityDateFilterOnMount:standardActivityDateFilterOnMount,BasicTextFilter:BasicTextFilter,registerActivityFilter:registerActivityFilter,registerActivityFilterWithValue:registerActivityFilterWithValue}})(jQuery);

groundhogg/trunk/db/contacts.php

-                      r3320187
+                      r3321992
         // where based, not ID based
         if ( is_array( $row_id_or_where ) || ! empty( $where ) ) {
+        if ( is_array( $row_id_or_where ) || ( ! empty( $where ) && is_array( $where ) ) ) {
             // don't allow bulk updating some columns
 …
+        }
+        $column = ! empty( $where ) && is_string( $where ) ? $where : $this->primary_key;
         if ( isset( $data['email'] ) ) {
 …
             // check to see if this email address is already in use
             $query = new Table_Query( $this );
             $query->where()->notEquals( 'ID', $row_id_or_where )->equals( 'email', $data['email'] );
+            $query->where()->notEquals( $column, $row_id_or_where )->equals( 'email', $data['email'] );
             if ( $query->count() > 0 ) {
                 unset( $data['email'] );
 …
             // check to see if this user_id is being used by another contact
             $query = new Table_Query( $this );
+            $query->where()->notEquals( 'ID', $row_id_or_where )->equals( 'user_id', $data['user_id'] );
+            $query->where()->notEquals( $column, $row_id_or_where )->equals( 'user_id', $data['user_id'] );
             // it is being used by another contact :/
             if ( $query->count() > 0 ) {
 …
                     break;
                 case 'optin_status':
+                    $cols[ $key ] = Preferences::sanitize( $val );
+                    break;
                 case 'owner_id':
                 case 'user_id':

groundhogg/trunk/groundhogg.php

-                      r3320187
+                      r3321992
  * Plugin URI:  https://www.groundhogg.io/?utm_source=wp-plugins&utm_campaign=plugin-uri&utm_medium=wp-dash
  * Description: CRM and marketing automation for WordPress
  * Version: 4.2.1
+ * Version: 4.2.2
  * Author: Groundhogg Inc.
  * Author URI: https://www.groundhogg.io/?utm_source=wp-plugins&utm_campaign=author-uri&utm_medium=wp-dash
 …
+}
 define( 'GROUNDHOGG_VERSION', '4.2.1' );
+define( 'GROUNDHOGG_VERSION', '4.2.2' );
 define( 'GROUNDHOGG_PREVIOUS_STABLE_VERSION', '4.2' );

groundhogg/trunk/includes/classes/traits/file-box.php

-                      r3145628
+                      r3321992
 namespace Groundhogg\Classes\Traits;
+use WP_Error;
 use function Groundhogg\convert_to_local_time;
 use function Groundhogg\encrypt;
 …
     /**
+     * Return the list of allowed mimes for this object
+     *
+     * @return array
+     */
+    public function get_allowed_mime_types() {
+        $allowed_mimes = get_allowed_mime_types();
+        return apply_filters( "groundhogg/{$this->get_object_type()}/allowed_mimes", $allowed_mimes );
+    }
+    /**
      * Upload a file
+     *
 …
     public function upload_file( &$file ) {
+        if ( ! isset_not_empty( $file, 'name' ) ) {
+            return new \WP_Error( 'invalid_file_name', __( 'Invalid file name.', 'groundhogg' ) );
+        }
+        $file['name'] = sanitize_file_name( $file['name'] );
+        $upload_overrides = array( 'test_form' => false );
+        if ( ! function_exists( 'wp_handle_upload' ) ) {
+        $folder = $this->get_uploads_folder_subdir() . DIRECTORY_SEPARATOR . $this->get_upload_folder_basename();
+        $result = files()->safe_file_upload( $file, $this->get_allowed_mime_types(), $folder );
+        return $result;
+    }
+    /**
+     * Copy a file given an uploaded URL
+     *
+     * @param string $url_or_path path or url of asset to upload
+     * @param bool $delete_tmp whether to delete the temp file after
+     *
+     * @return array|string[]|\WP_Error
+     */
+    public function copy_file( $url_or_path, $delete_tmp = true ) {
+        if ( ! function_exists( 'download_url' ) ) {
             require_once( ABSPATH . '/wp-admin/includes/file.php' );
+        }
-        $this->get_uploads_folder();
-        add_filter( 'upload_dir', [ $this, 'map_upload' ] );
-        $mfile = wp_handle_upload( $file, $upload_overrides );
-        remove_filter( 'upload_dir', [ $this, 'map_upload' ] );
-        if ( isset_not_empty( $mfile, 'error' ) ) {
-            return new \WP_Error( 'bad_upload', __( 'Unable to upload file.', 'groundhogg' ) );
+        }
-        return $mfile;
+    }
-    /**
-     * Copy a file given an uploaded URL
+     *
-     * @param string $url        url of the file to copy
-     * @param bool   $delete_tmp whether to delete the tgemp file after
+     *
-     * @return bool
-     */
-    public function copy_file( $url_or_path, $delete_tmp = true ) {
-        if ( ! function_exists( 'download_url' ) ) {
-            require_once ABSPATH . '/wp-admin/includes/file.php';
+        }
-        // File cannot be copied
         if ( ! is_copyable_file( $url_or_path ) ) {
+            return false;
+        }
+        // path given
+        if ( file_exists( $url_or_path ) ) {
+            $tmp_file = $url_or_path;
+            // if using path, force false
+            $delete_tmp = false;
+        } else {
+            // We should only be doing this for files which are already uploaded to the server,
+            // We should reject urls for sites that aren't this one
+            if ( get_hostname( $url_or_path ) !== get_hostname() ) {
+                return false;
+            }
+            add_filter( 'https_local_ssl_verify', '__return_false' );
+            add_filter( 'https_ssl_verify', '__return_false' );
+            $tmp_file = download_url( $url_or_path, 300, false );
+            if ( is_wp_error( $tmp_file ) ) {
+                return false;
+            }
+        }
+        if ( ! is_dir( $this->get_uploads_folder() ['path'] ) ) {
+            mkdir( $this->get_uploads_folder() ['path'] );
+        }
+        try {
+            copy( $tmp_file, $this->get_uploads_folder()['path'] . '/' . basename( $url_or_path ) );
+        } catch ( \Exception $e ) {
+        }
+        if ( $delete_tmp ) {
+            @unlink( $tmp_file );
+        }
+        return true;
+            return new WP_Error( 'not_copyable', 'This file can\'t be uploaded.' );
+        }
+        $file = [
+            'name'     => wp_basename( $url_or_path ),
+            // Original filename on the user's system
+            'tmp_name' => file_exists( $url_or_path ) ? $url_or_path : download_url( $url_or_path ),
+            // Temporary filename on the server
+        ];
+        $folder = $this->get_uploads_folder_subdir() . DIRECTORY_SEPARATOR . $this->get_upload_folder_basename();
+        $result = files()->safe_file_sideload( $file, $this->get_allowed_mime_types(), $folder );
+        if ( is_wp_error( $result ) ) {
+            @unlink( $file['tmp_name'] );
+        }
+        return $result;
+    }
 …
+    }
     public function get_uploads_folder_subdir(){
+    public function get_uploads_folder_subdir() {
         return $this->get_object_type() . 's';
+    }
 …
         // Might have to create the directory
         if ( ! is_dir( $uploads_dir['path'] ) ){
+        if ( ! is_dir( $uploads_dir['path'] ) ) {
             wp_mkdir_p( $uploads_dir['path'] );
+        }

groundhogg/trunk/includes/contact-query.php

-                      r3320187
+                      r3321992
             $activityQuery->where()->compare( "$alias.meta_value", $value, $compare );
+        }
+    }
+    /**
+     * Filter by the custom activity
+     *
+     * @param       $filter
+     * @param Where $where
+     *
+     * @return void
+     */
+    public static function filter_form_submissions( $filter, Where $where ) {
+        $filter = wp_parse_args( $filter, [
+            'step_id'      => '',
+            'form_type'    => '',
+            'name'         => '',
+            'meta_filters' => []
+        ] );
+        $submissionQuery = new Table_Query( 'submissions' );
+        $submissionQuery->setSelect( 'contact_id' );
+        if ( ! empty( $filter['step_id'] ) ) {
+            $submissionQuery->where->equals( 'step_id', $filter['step_id'] );
+        }
+        if ( ! empty( $filter['form_type'] ) ) {
+            $submissionQuery->where->equals( 'type', $filter['form_type'] );
+        }
+        Filters::mysqlDateTime( 'date_created', $filter, $submissionQuery->where() );
+        foreach ( $filter['meta_filters'] as $metaFilter ) {
+            [ 0 => $key, 1 => $compare, 2 => $value ] = $metaFilter;
+            if ( ! $key || ! $compare ) {
+                continue;
+            }
+            $alias = $submissionQuery->joinMeta( $key );
+            $submissionQuery->where()->compare( "$alias.meta_value", $value, $compare );
+        }
+        $where->in( 'ID', $submissionQuery );
+    }

groundhogg/trunk/includes/functions.php

-                      r3320187
+                      r3321992
                 // passed path as the value
                 if ( file_exists( $value ) ) {
                     $files[ $column ] = $value;
+                    $copy[] = $value;
                 } // Get from $_FILES
                 else if ( isset_not_empty( $_FILES, $column ) ) {
 …
  */
 function is_copyable_file( $file ) {
+    return file_exists( $file ) || get_hostname( $file ) === get_hostname();
+    // the file exists on the server
+    if ( file_exists( $file ) ) {
+        // no streams allowed here, only absolute paths
+        return ! str_contains( $file, '://' );
+    }
+    // if a url was provided using https:// check that the file is hosted locally first
+    return get_hostname( $file ) === get_hostname();
+}
 …
 /**
  * Add a filter that removes itself after being called once
+ * Alias for add_filter_use_once
+ *
  * @param string   $filter
 …
  */
 function add_self_removing_filter( string $filter, callable $callback, int $priority = 10, int $args = 1 ) {
+    _deprecated_function( __FUNCTION__, '4.2', __NAMESPACE__ . '\add_filter_use_once' );
+    return add_filter_use_once( $filter, $callback, $priority, $args );
+}
+/**
+ * Add a filter that removes itself after being called once
+ *
+ * @param string   $filter
+ * @param callable $callback
+ * @param int      $priority
+ * @param int      $args
+ *
+ * @return bool
+ */
+function add_filter_use_once( string $filter, callable $callback, int $priority = 10, int $args = 1 ) {
     $callbackWrapper = function ( ...$args ) use ( &$callbackWrapper, $filter, $callback, $priority ) {

groundhogg/trunk/includes/rewrites.php

-                      r3145628
+                      r3321992
                 exit();
                 break;
             case 'files':
 …
                 $file_path       = wp_normalize_path( $groundhogg_path . DIRECTORY_SEPARATOR . $short_path );
+                if ( ! $file_path || ! file_exists( $file_path ) || ! is_file( $file_path ) ) {
+                // guard against ../../ traversal attack
+                if ( ! $file_path || ! file_exists( $file_path ) || ! is_file( $file_path ) || ! Files::is_file_within_directory( $file_path, $groundhogg_path ) ) {
                     wp_die( 'The requested file was not found.', 'File not found.', [ 'status' => 404 ] );
+                }

groundhogg/trunk/includes/utils/files.php

-                      r3264477
+                      r3321992
      * @param string $subdir
      * @param string $file_path
      * @param bool $create_folders
+     * @param bool   $create_folders
+     *
      * @return string
 …
+    }
+    /**
+     * @var array
+     */
+    protected $uploads_path = [];
+    /**
+     * Change the default upload directory
+     *
+     * @param $param
+     *
+     * @return mixed
+     */
+    public function files_upload_dir( $param ) {
+        $param['path']   = $this->uploads_path['path'];
+        $param['url']    = $this->uploads_path['url'];
+        $param['subdir'] = $this->uploads_path['subdir'];
+        return $param;
+    }
+    /**
+     * Initialize the base upload path
+     *
+     * @param string $where
+     */
+    private function set_uploads_path( $where='imports' ) {
+        $this->uploads_path['subdir'] = Plugin::$instance->utils->files->get_base_uploads_dir();
+        $this->uploads_path['path']   = Plugin::$instance->utils->files->get_uploads_dir( $where, '', true );
+        $this->uploads_path['url']    = Plugin::$instance->utils->files->get_uploads_dir( $where, '', true );
+    function is_allowed_stream( $file ) {
+        $allowed_streams = [
+            'https:',
+            'http:',
+        ];
+    }
+    /**
+     * Sideload a file
+     *
+     * @param $file               array from constructed to resemble something from $_FILES
+     * @param $allowed_mime_types array list of allowed mime types for this upload
+     * @param $folder             string the folder to upload to within the /wp-content/uploads/groundhogg directory
+     *
+     * @return array|string[]|WP_Error
+     *
+     * @see wp_check_filetype_and_ext()
+     * @see get_allowed_mime_types()
+     */
+    function safe_file_sideload( &$file, $allowed_mime_types, $folder ) {
+        $uploads_dir = wp_get_upload_dir();
+        // given local path to a file, only allow sideloading within the uploads directory
+        // protects against ../../ traversal attack
+        if ( file_exists( $file['tmp_name'] ) && ! self::is_file_within_directory( $file['tmp_name'], $uploads_dir['basedir'] ) ) {
+            return new WP_Error( 'nope', 'File upload not allowed.' );
+        }
+        return $this->safe_file_upload( $file, $allowed_mime_types, $folder, true );
+    }
+    /**
+     * Upload a file safely
+     *
+     * @param $file               array from $_FILES
+     * @param $allowed_mime_types array list of allowed mime types for this upload
+     * @param $folder             string the folder to upload to within the /wp-content/uploads/groundhogg directory
+     *
+     * @return array|string[]|WP_Error
+     *
+     * @see wp_check_filetype_and_ext()
+     * @see get_allowed_mime_types()
+     */
+    function safe_file_upload( &$file, $allowed_mime_types, $folder, $sideload = false ) {
+        if ( ! function_exists( '_wp_handle_upload' ) ) {
+            require_once( ABSPATH . '/wp-admin/includes/file.php' );
+        }
+        // do some basic checks on the file content to test for malicious content
+        if ( self::is_malicious( $file['tmp_name'], $file['name'] ) ) {
+            return new WP_Error( 'file_upload_malicious', 'Potentially malicious upload detected.' );
+        }
+        $upload_overrides = [
+            'test_form' => false,
+            'test_size' => true,
+            'test_type' => true,
+            'mimes'     => $allowed_mime_types,
+        ];
+        $path = $this->get_uploads_dir( $folder );
+        $url  = $this->get_uploads_url( $folder );
+        $change_upload_dir = fn( $uploads ) => array_merge( $uploads, [
+            'path'    => $path,
+            'url'     => $url,
+            'subdir'  => basename( $path ),
+            'basedir' => dirname( $path ),
+            'baseurl' => dirname( $url ),
+        ] );
+        add_filter( 'upload_dir', $change_upload_dir );
+        $result = _wp_handle_upload(
+            $file,
+            $upload_overrides,
+            null,
+            $sideload ? 'wp_handle_sideload' : 'wp_handle_upload'
+        );
+        remove_filter( 'upload_dir', $change_upload_dir );
+        if ( isset( $result['error'] ) ) {
+            return new WP_Error( 'file_upload_failed', $result['error'] );
+        }
+        return $result;
+    }
 …
      * @return array|bool|WP_Error
      */
+    function upload( &$file, $where='imports' ) {
+        $upload_overrides = array( 'test_form' => false );
+        if ( ! function_exists( 'wp_handle_upload' ) ) {
+            require_once( ABSPATH . '/wp-admin/includes/file.php' );
+        }
+        $this->set_uploads_path( $where );
+        add_filter( 'upload_dir', array( $this, 'files_upload_dir' ) );
+        $mfile = wp_handle_upload( $file, $upload_overrides );
+        remove_filter( 'upload_dir', array( $this, 'files_upload_dir' ) );
+        if ( isset( $mfile['error'] ) ) {
+            if ( empty( $mfile['error'] ) ) {
+                $mfile['error'] = _x( 'Could not upload file.', 'error', 'groundhogg' );
+    function upload( &$file, $where = 'imports' ) {
+        return $this->safe_file_upload( $file, get_allowed_mime_types(), $where );
+    }
+    /**
+     * Check if a file path is strictly inside a base directory.
+     *
+     * @param string $file_path Absolute path to the file.
+     * @param string $base_dir  Absolute base directory to restrict access to.
+     *
+     * @return bool True if the file is inside the base directory, false otherwise.
+     */
+    static public function is_file_within_directory( string $file_path, string $base_dir ): bool {
+        $file_path_real = realpath( $file_path );
+        $base_dir_real  = realpath( $base_dir );
+        if ( ! $file_path_real || ! $base_dir_real ) {
+            return false;
+        }
+        $file_path_real = wp_normalize_path( $file_path_real );
+        $base_dir_real  = wp_normalize_path( rtrim( $base_dir_real, '/' ) );
+        return str_starts_with( $file_path_real, $base_dir_real . '/' );
+    }
+    /**
+     * Basic check for potentially malicious file content.
+     *
+     * @param string $filepath Path to the file on disk.
+     *
+     * @return bool True if the file appears malicious, false otherwise.
+     */
+    static public function is_malicious( string $filepath, string $filename ): bool {
+        // Fail safe: unreadable or missing file
+        if ( ! file_exists( $filepath ) || ! is_readable( $filepath ) ) {
+            return true;
+        }
+        // Block known dangerous filenames
+        $basename          = strtolower( basename( $filename ) );
+        $blocked_filenames = [
+            '.htaccess',
+            '.user.ini',
+            'php.ini',
+            'web.config',
+            '.env',
+        ];
+        if ( in_array( $basename, $blocked_filenames, true ) ) {
+            return true;
+        }
+        // Read the first part of the file
+        $bytes = file_get_contents( $filepath, false, null, 0, 2048 );
+        if ( $bytes === false ) {
+            return true;
+        }
+        $bytes = strtolower( $bytes );
+        // Look for dangerous patterns
+        $danger_signatures = [
+            '<?php',               // Executable PHP
+            '__halt_compiler()',  // PHAR stub
+            'phar://',            // PHAR stream reference
+            'base64_decode',      // Obfuscation
+            'eval(',              // Dynamic execution
+            'shell_exec',         // Command execution
+            'passthru',           // Another dangerous system function
+        ];
+        foreach ( $danger_signatures as $needle ) {
+            if ( strpos( $bytes, $needle ) !== false ) {
+                return true;
+            }
+            return new WP_Error( 'BAD_UPLOAD', $mfile['error'] );
+        }
+        return $mfile;
+        }
+        return false;
+    }

Plugin Directory

Context Navigation

Legend:

groundhogg/tags/4.2.2/README.txt

groundhogg/tags/4.2.2/admin/contacts/cards/user.php

groundhogg/tags/4.2.2/admin/contacts/parts/contact-editor.php

groundhogg/tags/4.2.2/admin/tools/tools-page.php

groundhogg/tags/4.2.2/api/v4/files-api.php

groundhogg/tags/4.2.2/assets/js/admin/filters/contacts.js

groundhogg/tags/4.2.2/assets/js/admin/filters/contacts.min.js

groundhogg/tags/4.2.2/db/contacts.php

groundhogg/tags/4.2.2/groundhogg.php

groundhogg/tags/4.2.2/includes/classes/traits/file-box.php

groundhogg/tags/4.2.2/includes/contact-query.php

groundhogg/tags/4.2.2/includes/functions.php

groundhogg/tags/4.2.2/includes/rewrites.php

groundhogg/tags/4.2.2/includes/utils/files.php

groundhogg/trunk/README.txt

groundhogg/trunk/admin/contacts/cards/user.php

groundhogg/trunk/admin/contacts/parts/contact-editor.php

groundhogg/trunk/admin/tools/tools-page.php

groundhogg/trunk/api/v4/files-api.php

groundhogg/trunk/assets/js/admin/filters/contacts.js

groundhogg/trunk/assets/js/admin/filters/contacts.min.js

groundhogg/trunk/db/contacts.php

groundhogg/trunk/groundhogg.php

groundhogg/trunk/includes/classes/traits/file-box.php

groundhogg/trunk/includes/contact-query.php

groundhogg/trunk/includes/functions.php

groundhogg/trunk/includes/rewrites.php

groundhogg/trunk/includes/utils/files.php

Download in other formats: