
Plugin **extremely unsafe** - allows anyone to create a file anywhere in the filesystem #86

Closed
anton-mellit opened this issue Apr 11, 2020 · 6 comments

@anton-mellit

The field "path" is directly passed to the code that saves the comment file. Anyone can easily overwrite it, say using "Inspect" in Chrome, and save the file anywhere they want.

```html
<input data-grav-field="hidden" data-grav-disabled="false" type="hidden" class="input" name="data[path]" value="/blog/post">
```

Just change `value="/blog/post"` to something like `value="/../../../../"`.

I think the form plugin does not offer an easy way around these kinds of problems, and I suspect many plugins will turn out to have a similar issue.

@rhukster rhukster added the bug label Apr 12, 2020
@rhukster
Member

I didn't write this one so can't speak to the code quality, but that does appear to be very unsafe as you say. I think this plugin has a variety of issues and could do with a thorough re-write. I will probably look at this one issue immediately though.

@rhukster rhukster self-assigned this Apr 12, 2020
@anton-mellit
Author

I added a pull request to grav-plugin-form with my workaround. Basically, it allows setting the values of fields before the form is processed. I'm new here; I guess there is a better way to expose this functionality, let me know.

@NicoHood

Any update on this? This sounds important to me.

@rhukster
Member

There's really no reason to use this form-based path field to store the data. The current page is enough, and that's already whitelisted via the configuration. I have a fix for this that will be released shortly.
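The traversal described in the opening report (a hidden `data[path]` field fed straight into the file write) and the fix direction described above (derive the location from a whitelisted page rather than trusting the field) can be illustrated with a server-side containment check. This is an added example, not code from the plugin or its maintainers; `$dataDir`, `normalizeRelative` and `safeCommentFile` are assumed names, and it targets PHP 8 for `str_contains`.

```php
<?php
// Added example (not the plugin's code): confine a user-controlled route
// to the comments data directory before building a filesystem path.
declare(strict_types=1);

/**
 * Lexically normalise a relative path: drop "" and ".", resolve "..",
 * and return null if ".." would climb above the root. realpath() is
 * avoided on purpose: the comment file may not exist yet, so there is
 * nothing to resolve, and the check must still hold for a new file.
 */
function normalizeRelative(string $path): ?string
{
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            if ($out === []) {
                return null;   // would escape the base directory
            }
            array_pop($out);
            continue;
        }
        $out[] = $seg;
    }
    return implode('/', $out);
}

/** Build the on-disk comment file path, or null when the input is unsafe. */
function safeCommentFile(string $dataDir, string $route): ?string
{
    if (str_contains($route, "\0")) {          // embedded NUL terminates C paths
        return null;
    }
    $rel = normalizeRelative($route);
    if ($rel === null || $rel === '') {
        return null;
    }
    return rtrim($dataDir, '/') . '/' . $rel . '.yaml';
}

// Constructed inputs: the legitimate value and the traversal value from the report.
$dataDir = '/var/www/user/data/comments';                  // assumed location
var_dump(safeCommentFile($dataDir, '/blog/post'));      // string(.../blog/post.yaml)
var_dump(safeCommentFile($dataDir, '/../../../../'));   // NULL
var_dump(safeCommentFile($dataDir, 'blog/../../post'));  // NULL
```

Rejecting the request (rather than silently clamping the path) also gives a log event worth alerting on, since a legitimate browser never submits a route containing `..`.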

rhukster added a commit that referenced this issue Sep 10, 2020
@rhukster
Member

Fixed

@NicoHood

NicoHood commented Sep 11, 2020

Thanks for taking a look at it again!

When posting a comment I still get the following error. I am not sure if this is related to my configuration or the code itself.
[image: screenshot of the error]

Edit: I had to configure or deactivate the email plugin properly. Now everything works as expected!
