Use static salts for gf-download hashes

This is more of a feature request for the developers, I believe my WP installation automatically updates the SALTS in the config file every few weeks as part of the hardening services installed.

This seems to cause issues with the attachment download links from submitted forms (that are generated and sent in the notification emails) - after some time the pages just appear blank

I have seen that this could be because the salts are changed, and then cant decypher the hash in the url

Is it possible to have static salt variables set in wp-config so that the hashes generated in the URL’s, use those salts instead of the main WP salts?


Hello. For any feature request, please add a note to the product team here:

Click the blue :heavy_plus_sign: to get started. Thank you.

@user5fc32f7daafc7268 there is an undocumented filter within the function GFCommon::generate_download_hash() that may work to ensure you have static values here.

$hash = apply_filters( 'gform_download_hash', $hash, $form_id, $file );

I’d expect this could probably be used to accomplish what you need and would be curious to know whether you encounter any issues when employing it.

Nice! i might have look through the code and see what i can do with it on my dev site.

it doesnt look too complicated - there are many instances of the wp_salt( ) function used to get the auth_salt and nonce_salt keys… shouldnt be too difficult to create a new variable in the config file with some relevent data - and tell it to use that scheme in the function.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.