On Tuesday, November 7, 2023, we released Matador Jobs 3.8.15 to all our users. This release contains an important security update, PHP 8.1 and 8.2 compatibility, a few bug fixes, and some changes to support updates to Matador Extensions. This update also includes the unreleased 3.8.14, which was provided to limited users during beta testing of updated extensions.
Security Update
The most important part of this release is a security-related update.
Most web server software has a setting that allows a directory’s (folder’s) files to be indexed (listed) for viewing and download unless a special file called an index overrides that behavior. While it is a best practice to have directory indexing turned off on web hosts serving WordPress, most WordPress developers, like us at Matador, still install empty index.php files in their folders to override and prevent directory indexing (as well as do other things to secure the code when directory indexing is on).
An issue was discovered where a site that had installed Matador Jobs Lite first, and then, while Matador Jobs Lite was still active, installed Matador Jobs Pro second, missed the setup routine that added the index.php files in the folders Matador creates to hold user-submitted content like resumes and other application files.
While investigating this issue, we also determined that, perhaps due to user error and when doing database migrations between environments, if a Matador folder or index.php is deleted or missing, Matador will try to recreate the folder but not recreate the index.php file. In both cases, this could result in a site revealing sensitive data to third parties if directory indexing is turned on at the server level.
With this update, this will not be the case. Moving forward, whenever a new resume or log file is made, Matador will look for a missing index.php file and attempt to restore it. If Matador fails to restore the missing index.php file, don’t worry, there are bigger issues: your site won’t be able to save any resume files anyway! This change will prevent directory indexing from exposing sensitive data moving forward.
- Security: Fixed an issue that caused upgrades from Matador Jobs Lite to Matador Jobs Pro to not set up folders for log files or resume files with an index.php file to prevent directory indexing.
- Security: Added a routine that double-checks for the presence of an empty index.php file to prevent directory indexing in the resume uploads folder during each candidate file save. This will restore the index.php file if it was missing from a previous bug or user action.
- Security: Added routine that double-checks for presence of the index.php file to prevent directory indexing in the Matador logs folder during the creation of a new log file. This will restore the index.php file if it was missing from a previous bug or user action.
To be clear, again, however, a properly configured WordPress website hosting environment will have directory indexing disabled. If you use a managed WordPress web host, this will be true in 99% of environments. If you are running your own web host, for example a “cPanel web hosting” plan, it would be wise to review your server settings to secure your whole site. These changes only prevent access to Matador’s folders; they do not protect your other plugins or themes, which could still be exploited and grant a malicious user access to your data.
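The save-time check described above, as an added PHP example that is not Matador Jobs source code: the function names and the temporary demo folder are hypothetical, and it uses plain PHP filesystem calls rather than WordPress helpers.

```php
<?php
// Added example, not Matador Jobs source. Function names are hypothetical.

/**
 * Make sure $dir exists and holds an empty index.php, so a server with
 * directory indexing enabled serves a blank page instead of a file listing.
 * Returns true when the guard file is present after the call.
 */
function example_ensure_index_guard(string $dir): bool
{
    // Recreate the folder if it was deleted (for example during a migration).
    if (!is_dir($dir) && !mkdir($dir, 0755, true) && !is_dir($dir)) {
        return false;
    }

    $guard = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . 'index.php';
    if (is_file($guard)) {
        return true;
    }

    // LOCK_EX keeps two concurrent saves from interleaving their writes.
    return file_put_contents($guard, "<?php // Intentionally empty.\n", LOCK_EX) !== false;
}

/**
 * Save an uploaded file, re-checking the guard on every save so a missing
 * index.php is restored before new sensitive content lands in the folder.
 */
function example_save_upload(string $dir, string $name, string $bytes): ?string
{
    if (!example_ensure_index_guard($dir)) {
        return null; // Folder is not writable; the save would fail anyway.
    }
    // basename() drops any path components from the supplied file name.
    $target = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR . basename($name);
    return file_put_contents($target, $bytes, LOCK_EX) !== false ? $target : null;
}

// Constructed demo: a temp folder standing in for the resume uploads folder.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'example-uploads-' . bin2hex(random_bytes(4));
$saved = example_save_upload($dir, 'resume.pdf', 'constructed sample bytes');
var_dump($saved !== null, is_file($dir . DIRECTORY_SEPARATOR . 'index.php'));

// Simulate the guard being deleted, then save again: the guard is restored.
unlink($dir . DIRECTORY_SEPARATOR . 'index.php');
example_save_upload($dir, 'resume-2.pdf', 'constructed sample bytes');
var_dump(is_file($dir . DIRECTORY_SEPARATOR . 'index.php'));
```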
PHP 8.1 and 8.2 Compatibility
While Matador Jobs Pro and Lite were already fully compatible with PHP 8.1 and 8.2, a handful of deprecations were introduced in PHP 8.1 and 8.2 that resulted in Matador causing PHP E_NOTICE and E_DEPRECATED error output when PHP debugging for those levels was turned on.
Since developers may debug sites using log files or error output, this meant Matador created a lot of noise when run on PHP 8.1 or PHP 8.2, making the developer’s job more difficult. With this update, all PHP 8.1 and 8.2 deprecations are handled, either with backward compatible code changes, polyfills, or PHP attributes.
- Compatibility: Changed an argument in a few WordPress core function calls that previously allowed null but in PHP 8.1 and later requires an empty string.
- Compatibility: Added #[ReturnTypeWillChange] PHP attributes to the Cookie Monster class to ensure PHP 8.1 and later compatibility.
- Compatibility: Modified the log delete function to fix an instantiation of the DateTimeImmutable class from a null value, which threw PHP deprecation warnings in 8.1 and later.
- Compatibility: Added a method argument strict typing indicator and modified a function call to prevent an error with PHP’s rtrim() after an accepted argument deprecation was added in PHP 8.2.
Enhancements for Matador Extensions
Matador Jobs Pro is not alone! We have over 15 extensions, and more on the way, to enhance and extend Matador with additional features. We have major updates nearly ready for two popular extensions and to support their updated features, we needed to make a few changes to Matador Jobs.
- Enhancement: Changes to template function visibility to allow extensions to also check for the existence of a Matador template before attempting to call it (the single change in unreleased version 3.8.14).
- Feature: Added filter matador_settings_page_structure to allow developers to change the supported fields “structure” for Matador Settings.
- Feature: Added filter matador_settings_should_skip_field to allow developers to skip an options field on a settings page.
Misc Bug Fixes
As we do with most updates, we scooped up some recent bug fixes into this release as well.
- Bugfix: Added a routine to restore a missing log file folder that may have been deleted or not created properly on install/activation.
- Bugfix: Added check to prevent loading of Matador Application when “Accept Applications” setting is off. A user with the [matador_application] shortcode who had turned off the “Accept Applications” setting would get an application that didn’t process. This “bug” has existed since day one of Matador, and we laugh, because it means no one has ever found it before we randomly ran into it.
- Bugfix: Added a fix to gracefully handle unrecognized dynamic argument values for the [matador_portal] shortcode, which in certain cases resulted in an error.
- Bugfix: Added fix to ensure recently added settings are not available to the WPJM extension settings.
Miscellaneous
Today, WordPress 6.4 was released to the world. Matador Jobs has been tested on the final release candidate of WordPress 6.4 and thus fully supports WordPress 6.4.
- Matador Jobs Lite / Pro tested up to WordPress 6.4
Update Now!
Matador Jobs 3.8.15 is released for automatic* update to all subscribers as of Tuesday, November 7, 2023. If your subscription has expired, renew it on your account page. If you find any issues, please send a support request.
* Please Note: if your current installed version is 3.8.0 to 3.8.4, you need to manually install this update.