Thanks to Jurriaan Koops of Aiwos, we were notified last week about a bug in the Previewer add-on that could cause random Gravity Forms entry data loss. We have released Gravity PDF Previewer 1.2.8 to resolve this issue.
We strongly advise our current and past Gravity PDF Previewer Add-on users to UPDATE IMMEDIATELY to prevent any potential data loss from occurring in the future.
- Bug: Fix string-to-number type conversion bug that can cause random entry data loss under specific conditions (credit goes to Jurriaan Koops, Aiwos BV, for discovery and responsible disclosure).
- Bug: Use relative URL when loading PDF previews to reduce the chance Windows Defender in Edge throws a security warning.
How to update the Previewer Add-on to v1.2.8
If you have an active Previewer Add-on license and it’s currently activated on your website, you can instantly update via the Plugin admin page. If no update prompt is displaying, you can update manually by logging in to your Gravity PDF account, locating the file gravity-pdf-previewer-1.2.8.zip from the Download Page (for Access Pass users, head to the Plugins Download page), and completing the install via the Plugins admin page.
If your license has expired and you are still using the Previewer Add-on on your website, you will need to purchase a new license to gain access to the v1.2.8 update. Otherwise, you should deactivate the plugin entirely.
This bug stems from our original architectural decision to prevent any potential conflict with real Gravity Forms entries by pseudo-randomly generating a temporary 13-character alphanumeric ID every time a PDF preview is loaded. The ID might look like this: 621aef930ccab.
When Gravity Forms calculates an entry’s product information for the very first time, that information is saved in the entry meta data table. Unbeknown to us at the time, this is where the first of two string-to-integer type conversions occurs that lead to the bug. The ID was silently converted to an integer, where 621aef930ccab became 621. And because the ID is pseudo-random and based on the current time, subsequent IDs might share the same starting number.
From a user perspective, making changes to a Product quantity field while filling out the form would yield the original cached product data when viewing the Previewer. To solve this, it was decided that simply deleting the entry meta data using the temporary ID was the easiest solution. But like saving, deleting also converts the ID to an integer. So if a legitimate entry already exists with the ID 621, its contents would be deleted.
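The truncation and collision described above, reproduced in plain PHP as an added example (this is not code from the add-on or from Gravity Forms). It assumes the coercion behaves like a PHP `(int)` cast; the meta table, the function names and every ID except 621aef930ccab are constructed, and the guard is a hypothetical defensive check, not the fix shipped in 1.2.8.

```php
<?php
// Added example. Assumption: the ID coercion on delete behaves like a PHP (int) cast.

// Constructed stand-in for the entry meta table, keyed by real integer entry IDs.
$entry_meta = [
    621 => 'product info for real entry 621',
    622 => 'product info for real entry 622',
];

// Temporary preview IDs: the first is the page's example, the others are constructed.
$preview_ids = ['621aef930ccab', '621aef9a1b2c3', '622b0c1d2e3f4', '9f3c0de4a7b12'];

/** Unguarded delete: the ID is coerced to an integer before the lookup. */
function delete_meta_coerced(array &$table, string $id): ?int
{
    $key = (int) $id;               // leading digits kept, remainder silently dropped
    if (isset($table[$key])) {
        unset($table[$key]);
        return $key;                // ID of the row that was actually removed
    }
    return null;
}

/** Hypothetical guard: only canonical positive integers count as entry IDs. */
function is_real_entry_id(string $id): bool
{
    return ctype_digit($id) && $id[0] !== '0';
}

foreach ($preview_ids as $id) {
    $table   = $entry_meta;         // fresh copy per ID (PHP arrays copy by value)
    $removed = delete_meta_coerced($table, $id);

    printf(
        "%s -> (int) %d | unguarded delete: %s | guard: %s\n",
        $id,
        (int) $id,
        $removed === null ? 'no row matched' : "removed real entry $removed",
        is_real_entry_id($id) ? 'accepted' : 'rejected before any query'
    );
}
```

The first two IDs both collapse to 621, which shows why time-based IDs generated close together hit the same real entry.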
In version 1.2.8, the add-on now takes advantage of Gravity Forms’ PHP-based caching layer (which prevents multiple database lookups during a single request) to pre-fill the correct Product information. This completely removes the need to store or delete this information in the database. The exact changes can be found in this Git commit.
The bug affects Gravity PDF Previewer v1.0.1 to v1.2.7, and has been in the wild since October 2017.