GravityForms WordPress Plugin file upload broken and fix with licensing

Posted by Benjamin Close on June 3, 2015 under Computers

This article talks about the WordPress plugin Gravity Forms and how the file upload may mysteriously break when a license expires.

I was working for a company a little while back which made heavy use of WordPress. The company used Gravity Forms for a number of different submissions. They had a licensed version of Gravity Forms and let the support on the license expire – thinking it would continue to work without support, as the Gravity Forms webpage states:

“All licenses must be renewed after one calendar year for continued software updates and support. Discounted renewal rates are available. See information below for details. All purchases are subject to our terms and condition of use.” – http://www.gravityforms.com/purchase-gravity-forms/

Now the terms and conditions, and everything I could find, certainly gave no indication that NOT renewing support would break anything that was existing. However, a couple of days after the license expired, the company got me to investigate why their file uploads via Gravity Forms were no longer working. The end result floored me. By looking at the backups for the site for the preceding few days it became clear why things had suddenly stopped working.

Here’s what I found when I checked the difference between the gravity forms plugin on the last day of the license and the day after the license expired:

diff -ur ./gravityforms.php /data/Backup/[PREVDAY]/var/www/wordpress/wp-content//plugins/gravityforms/gravityforms.php
--- ./gravityforms.php  2014-11-01 11:35:45.000000000 +1030
+++ /data/Backup/[PREVDAY]/Current/var/www/wordpress/wp-content//plugins/gravityforms/gravityforms.php    2015-01-21 02:29:09.000000000 +0330
@@ -297,7 +297,7 @@
         if(rgempty("gf_page", $_GET))
             return;

-        if("upload" === rgget("gf_page")){
+        if("dbzy" === rgget("gf_page")){
             require_once(GFCommon::get_base_path() . "/includes/upload.php");
             exit();
         }
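
Review bot: The changed comparison on line 300 references no license state at all; it only swaps the gf_page value that reaches includes/upload.php from "upload" to "dbzy", so the upload handler is still loaded, just under a different request value. Treat the file as modified outside a vendor release: replace it with a copy from a known-good download rather than editing the string back by hand, and compare the rest of the plugin tree the same way. The +++ header gives that copy an mtime of 2015-01-21 02:29:09 with a +0330 offset, against +1030 on the other file, and that is the timestamp to look up in the server's access and login logs. The diff arguments also put the backup path on the + side, so confirm which copy is the older one before reading the hunk as old-to-new.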

As you can see, the ‘upload’ function, used for handling file uploads, magically got renamed to ‘dbzy’. Hence file uploads broke. Now I would have thought it was sheer coincidence and something else happened. However, the company decided they might use the support, so renewed the license.

Amazingly, the exact reverse of the above happened when the license was renewed. The dbzy magically went back to upload. So how did this happen? My guess is there is something that happens as part of the WordPress cron job which deliberately disables the upload function when a license expires. Because there is then no support and things are broken, a company renews the support to get help from Gravity Forms for a broken upload and magically it all starts working again!

Anyway, you can manually change the value back and uploads all magically work. Whether it magically changes again later I never found out, as the license was renewed.
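
The change above was found by diffing one file against a nightly backup. As an added example (not code from the original post or from Gravity Forms), this Python script applies the same comparison to a whole plugin tree, listing every added, removed or modified file with its mtime and the lines that appear only in the suspect copy. The function names and the two directory arguments (a known-good snapshot and the tree under suspicion) are assumptions.

```python
import difflib
import hashlib
import os
from datetime import datetime, timezone


def _hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out


def compare_snapshots(known_good, suspect):
    """Return (added, removed, modified) relative paths between two trees."""
    old, new = _hashes(known_good), _hashes(suspect)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def changed_lines(known_good, suspect, rel):
    """Lines that exist only in the suspect copy of one modified file."""
    def read(root):
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as fh:
            return fh.read().splitlines()
    diff = list(difflib.unified_diff(read(known_good), read(suspect), lineterm="", n=0))
    # diff[0:2] are the ---/+++ headers; keep only "+" content lines after them.
    return [line[1:].strip() for line in diff[2:] if line.startswith("+")]


def report(known_good, suspect):
    """Print what changed and the UTC mtime to correlate with server logs."""
    added, removed, modified = compare_snapshots(known_good, suspect)
    for label, paths in (("ADDED", added), ("REMOVED", removed)):
        for rel in paths:
            print(f"{label:9}{rel}")
    for rel in modified:
        mtime = os.path.getmtime(os.path.join(suspect, rel))
        stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
        print(f"MODIFIED {rel} (mtime {stamp})")
        for line in changed_lines(known_good, suspect, rel):
            print(f"    + {line}")
```

Call `report()` with the path to the last trusted backup of the plugin directory and the path to the live copy; any file under ADDED deserves the same scrutiny as a modified one.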




    Carl Hancock said,

    I’m one of the co-founders of Rocketgenius, the company that develops Gravity Forms.

    Gravity Forms does not make any changes to your installation when your license key expires. Once your license key has expired you will no longer receive software updates.

    When a license key expires you will no longer receive software updates, support, or access to downloads for Gravity Forms or any Gravity Forms Add-Ons you are using.

    This code change is not one that was made by us and is unrelated to the license expiring.

    It looks to me like someone has manually changed the code, possibly for malicious reasons. It looks like someone copy-n-pasted the if statement and changed some of the code in the process. The duplicated if is nested in the real one.

    I would suggest checking the site for malware or any other vulnerable code related to other plugins or the theme being used on the site because this change was not one that was done by us.

    Let me repeat that: No code changes are made to a Gravity Forms installation when a user's license key expires.
