Context Navigation

← Previous Changeset
Next Changeset →

Changeset 3425729

Timestamp:

12/23/2025 02:02:22 AM (3 months ago)

Author:

kasuga16

Message:

Security fix: Moved spam logs to a non-public directory

Location:

stickeasy-protected-contact-form

Files:

: 11 added
: 5 edited

tags/1.0.1 (added)
tags/1.0.1/assets (added)
tags/1.0.1/assets/spcf-helper.js (added)
tags/1.0.1/assets/spcf-script.js (added)
tags/1.0.1/assets/spcf-style.css (added)
tags/1.0.1/languages (added)
tags/1.0.1/languages/stickeasy-protected-contact-form-ja.mo (added)
tags/1.0.1/languages/stickeasy-protected-contact-form-ja.po (added)
tags/1.0.1/languages/stickeasy-protected-contact-form.pot (added)
tags/1.0.1/readme.txt (added)
tags/1.0.1/stickeasy-protected-contact-form.php (added)
trunk/languages/stickeasy-protected-contact-form-ja.mo (modified) (previous)
trunk/languages/stickeasy-protected-contact-form-ja.po (modified) (2 diffs)
trunk/languages/stickeasy-protected-contact-form.pot (modified) (2 diffs)
trunk/readme.txt (modified) (2 diffs)
trunk/stickeasy-protected-contact-form.php (modified) (5 diffs)

Legend:

: Unmodified
: Added
: Removed

stickeasy-protected-contact-form/trunk/languages/stickeasy-protected-contact-form-ja.po

-                      r3400723
+                      r3425729
 msgid ""
 msgstr ""
 "Project-Id-Version: StickEasy Protected Contact Form 1.0.0\n"
+"Project-Id-Version: StickEasy Protected Contact Form 1.0.1\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2025-11-20 02:54:38+0000\n"
 "PO-Revision-Date: 2025-11-20 03:01:23+0000\n"
+"POT-Creation-Date: 2025-12-23 01:36:13+0000\n"
+"PO-Revision-Date: 2025-12-23 01:37:05+0000\n"
 "Last-Translator: Kasuga\n"
 "Language-Team: \n"
 …
 msgstr "ログをクリア"
-msgid "Log is stored in %s."
-msgstr "ログは %s に保存されています。"

stickeasy-protected-contact-form/trunk/languages/stickeasy-protected-contact-form.pot

-                      r3400723
+                      r3425729
 msgid ""
 msgstr ""
 "Project-Id-Version: StickEasy Protected Contact Form 1.0.0\n"
+"Project-Id-Version: StickEasy Protected Contact Form 1.0.1\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2025-11-20 02:54:38+0000\n"
+"POT-Creation-Date: 2025-12-23 01:36:13+0000\n"
 "PO-Revision-Date: \n"
 "Last-Translator: \n"
 …
 msgstr ""
-msgid "Log is stored in %s."
-msgstr ""

stickeasy-protected-contact-form/trunk/readme.txt

-                      r3418199
+                      r3425729
 Tested up to: 6.9
 Requires PHP: 7.4
 Stable tag: 1.0.0
+Stable tag: 1.0.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 …
 == Changelog ==
+= 1.0.1 =
+* Security fix: Moved spam logs to a non-public directory.
 = 1.0.0 =
 * Initial Release.

stickeasy-protected-contact-form/trunk/stickeasy-protected-contact-form.php

-                      r3400723
+                      r3425729
  * Plugin Name: StickEasy Protected Contact Form
  * Description: Just drop the shortcode on any page — your super simple, spam-protected contact form is ready!
  * Version: 1.0.0
+ * Version: 1.0.1
  * Author: Kasuga
  * License: GPLv2 or later
 …
 /**
  * Get the path to the log file (inside uploads).
+ * Get the path to the log file (non-public directory).
+ *
  * @return string Log file path.
  */
 function spcf_get_log_file_path() {
+    $upload_dir = wp_upload_dir();
+    $log_dir    = trailingslashit( $upload_dir['basedir'] ) . 'stickeasy-protected-contact-form';
+    $log_dir = WP_CONTENT_DIR . '/spcf-logs';
     if ( spcf_init_filesystem() ) {
 …
         if ( ! $wp_filesystem->is_dir( $log_dir ) ) {
+            if ( ! $wp_filesystem->mkdir( $log_dir ) ) {
+                wp_mkdir_p( $log_dir );
+            }
+            $wp_filesystem->mkdir( $log_dir );
+        }
     } else {
 …
             <?php wp_nonce_field( 'spcf_settings_nonce' ); ?> <textarea readonly rows="12" style="width:100%; font-family:monospace;"><?php echo esc_textarea( $log_display ); ?></textarea>
             <input type="submit" name="spcf_clear_log" class="button" value="<?php esc_attr_e( 'Clear Log', 'stickeasy-protected-contact-form' ); ?>">
-            <p class="description">
-                <?php
-                printf(
-                    /* translators: %s: Directory path where the log file is stored, relative to the WordPress root directory. */
-                    esc_html__( 'Log is stored in %s.', 'stickeasy-protected-contact-form' ),
-                    esc_html( str_replace( ABSPATH, '', dirname( spcf_get_log_file_path() ) ) )
-                );
-                ?>
-            </p>
         </form>
     </div>
 …
     delete_option( 'spcf_options' );
+    $upload_dir = wp_upload_dir();
+    $log_dir    = trailingslashit( $upload_dir['basedir'] ) . 'stickeasy-protected-contact-form';
+    $logfile    = trailingslashit( $log_dir ) . 'spcf-log.txt';
+    $log_dir = WP_CONTENT_DIR . '/spcf-logs';
+    $logfile = trailingslashit( $log_dir ) . 'spcf-log.txt';
     if ( spcf_init_filesystem() ) {
         global $wp_filesystem;
         if ( $wp_filesystem->exists( $logfile ) ) {
             $wp_filesystem->delete( $logfile );
+        }
         if ( $wp_filesystem->is_dir( $log_dir ) ) {
             $wp_filesystem->rmdir( $log_dir, true );

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

Plugin Directory