Relevanssi – A Better Search - Version 3.6.1

Version Description

  • SECURITY: This version fixes a SQL injection vulnerability, where a site admin could theoretically inject SQL code into Relevanssi search queries. Doing this required access to the Relevanssi settings page, and in my tests I couldn't do any damage beyond breaking the Relevanssi search, but in any case the vulnerability is now fixed.
  • Search and Filter shortcode is added to the blacklist.
  • Groups plugin is now supported automatically to restrict access to posts.
  • The filter relevanssi_index_custom_fields now works even if the custom field setting is empty.
  • The filter relevanssi_post_to_index now has a second parameter. For posts, it simply repeats the post object, but for taxonomy terms, it has the term object.

Release Info

Developer msaari
Version 3.6.1

Code changes from version 3.6.0 to 3.6.1

Files changed (5)
  1. lib/common.php +5 -0
  2. lib/indexing.php +34 -33
  3. lib/interface.php +1 -1
  4. readme.txt +11 -1
  5. relevanssi.php +1 -1
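--- a/lib/common.php
+++ b/lib/common.php
@@ -183,6 +183,11 @@ function relevanssi_default_post_ok($post_ok, $doc) {
 $current_user = wp_get_current_user();
 $post_ok = awp_user_can('read_post', $doc, $current_user->ID);
 }
+else if (defined('GROUPS_CORE_VERSION')) {
+// Groups
+$current_user = wp_get_current_user();
+$access = Groups_Post_Access::user_can_read_post($doc, $current_user->ID);
+}
 else {
 // Basic WordPress version
 $type = relevanssi_get_post_type($doc);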
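Review bot: The Groups branch added at new lines 186-190 stores the access check in `$access` but never assigns it to `$post_ok`, so on a site with the Groups plugin active the function returns the caller's incoming `$post_ok` unchanged and the basic WordPress check in the `else` branch is skipped as well; if `$post_ok` arrives as true, posts restricted through Groups would stay visible in results. The Members branch just above shows the intended pattern, so the line should read `$post_ok = Groups_Post_Access::user_can_read_post($doc, $current_user->ID);`. relevanssi_default_post_ok begins and ends outside this hunk, so the value of `$post_ok` on entry is not visible here.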
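--- a/lib/indexing.php
+++ b/lib/indexing.php
@@ -263,7 +263,8 @@ function relevanssi_index_doc($indexpost, $remove_first = false, $custom_fields
 
 $n = 0;
 
-$post = apply_filters('relevanssi_post_to_index', $post);
+// The second parameter is useless here, but used elsewhere
+$post = apply_filters('relevanssi_post_to_index', $post, $post);
 
 $min_word_length = get_option('relevanssi_min_word_length', 3);
 $insert_data = array();
@@ -307,40 +308,39 @@ function relevanssi_index_doc($indexpost, $remove_first = false, $custom_fields
 }
 }
 
-if ($custom_fields) {
-$remove_underscore_fields = false;
-if ($custom_fields == 'all')
-$custom_fields = get_post_custom_keys($post->ID);
-if ($custom_fields == 'visible') {
-$custom_fields = get_post_custom_keys($post->ID);
-$remove_underscore_fields = true;
-}
-$custom_fields = apply_filters('relevanssi_index_custom_fields', $custom_fields);
-if (is_array($custom_fields)) {
-if ($debug) relevanssi_debug_echo("Custom fields to index: " . implode(", ", $custom_fields));
-$custom_fields = array_unique($custom_fields); // no reason to index duplicates
+$remove_underscore_fields = false;
+if (isset($custom_fields) && $custom_fields == 'all')
+$custom_fields = get_post_custom_keys($post->ID);
+if (isset($custom_fields) && $custom_fields == 'visible') {
+$custom_fields = get_post_custom_keys($post->ID);
+$remove_underscore_fields = true;
+}
+$custom_fields = apply_filters('relevanssi_index_custom_fields', $custom_fields);
 
-$repeater_fields = array();
-if (function_exists('relevanssi_add_repeater_fields')) relevanssi_add_repeater_fields($custom_fields, $post->ID);
+if (is_array($custom_fields)) {
+if ($debug) relevanssi_debug_echo("Custom fields to index: " . implode(", ", $custom_fields));
+$custom_fields = array_unique($custom_fields); // no reason to index duplicates
 
-foreach ($custom_fields as $field) {
-if ($remove_underscore_fields) {
-if (substr($field, 0, 1) == '_') continue;
-}
-$values = get_post_meta($post->ID, $field, false);
-if ("" == $values) continue;
-foreach ($values as $value) {
-// Quick hack : allow indexing of PODS relationship custom fields // TMV
-if (is_array($value) && isset($value['post_title'])) $value = $value['post_title'];
-relevanssi_index_acf($insert_data, $post->ID, $field, $value);
-if ($debug) relevanssi_debug_echo("\tKey: " . $field . " – value: " . $value);
-
-$value_tokens = relevanssi_tokenize($value, true, $min_word_length);
-foreach ($value_tokens as $token => $count) {
-isset($insert_data[$token]['customfield']) ? $insert_data[$token]['customfield'] += $count : $insert_data[$token]['customfield'] = $count;
-if (function_exists('relevanssi_customfield_detail')) {
-$insert_data = relevanssi_customfield_detail($insert_data, $token, $count, $field);
-}
+$repeater_fields = array();
+if (function_exists('relevanssi_add_repeater_fields')) relevanssi_add_repeater_fields($custom_fields, $post->ID);
+
+foreach ($custom_fields as $field) {
+if ($remove_underscore_fields) {
+if (substr($field, 0, 1) == '_') continue;
+}
+$values = get_post_meta($post->ID, $field, false);
+if ("" == $values) continue;
+foreach ($values as $value) {
+// Quick hack : allow indexing of PODS relationship custom fields // TMV
+if (is_array($value) && isset($value['post_title'])) $value = $value['post_title'];
+relevanssi_index_acf($insert_data, $post->ID, $field, $value);
+if ($debug) relevanssi_debug_echo("\tKey: " . $field . " – value: " . $value);
+
+$value_tokens = relevanssi_tokenize($value, true, $min_word_length);
+foreach ($value_tokens as $token => $count) {
+isset($insert_data[$token]['customfield']) ? $insert_data[$token]['customfield'] += $count : $insert_data[$token]['customfield'] = $count;
+if (function_exists('relevanssi_customfield_detail')) {
+$insert_data = relevanssi_customfield_detail($insert_data, $token, $count, $field);
 }
 }
 }
@@ -447,6 +447,7 @@ function relevanssi_index_doc($indexpost, $remove_first = false, $custom_fields
 remove_shortcode('woocommerce_edit_address');
 remove_shortcode('tc_process_payment');
 remove_shortcode('maxmegamenu'); // Max Mega Menu
+remove_shortcode('searchandfilter'); // Search and Filter
 
 $post_before_shortcode = $post;
 $contents = do_shortcode($contents);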
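Review bot: The guard `if ("" == $values) continue;` at new line 332 of the second hunk looks like a no-op for the common case: for a valid post ID `get_post_meta()` with `$single = false` returns an array, and an array never compares equal to a string in PHP, so empty meta falls through to the `foreach` (harmlessly) and only a `false` return for an invalid ID ever hits the guard; `if (empty($values)) continue;` states the intent and covers both cases. The new `isset($custom_fields) && $custom_fields == 'all'` and `'visible'` tests at lines 312 and 314 can be written `$custom_fields === 'all'` and `$custom_fields === 'visible'`, which already excludes null and avoids a boolean `true` matching either string under loose comparison. relevanssi_index_doc begins and ends outside this hunk.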
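--- a/lib/interface.php
+++ b/lib/interface.php
@@ -245,7 +245,7 @@ function update_relevanssi_options() {
 foreach ($_REQUEST as $key => $value) {
 if (substr($key, 0, strlen('relevanssi_weight_')) == 'relevanssi_weight_') {
 $type = substr($key, strlen('relevanssi_weight_'));
-$post_type_weights[$type] = $value;
+$post_type_weights[$type] = floatval($value);
 }
 if (substr($key, 0, strlen('relevanssi_index_type_')) == 'relevanssi_index_type_') {
 $type = substr($key, strlen('relevanssi_index_type_'));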
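Review bot: `floatval($value)` at new line 248 constrains the weight value, but `$type`, cut from the `$_REQUEST` key at line 247, is still stored untouched as the array key, so if these keys are later interpolated into a query or echoed into the settings page the cast alone does not close the gap; validating the key against known post types, e.g. `if (!post_type_exists($type)) continue;`, or at least `$type = sanitize_key($type);`, would cover both halves of the pair. The same consideration applies to the `relevanssi_index_type_` key derived at line 251, whose handling continues past the hunk. Reading the settings from `$_POST` instead of `$_REQUEST` would also keep query-string and cookie values out of an options-save path. update_relevanssi_options() starts and ends outside this hunk.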
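--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: search, relevance, better search
 Requires at least: 4.0
 Tested up to: 4.9
 Requires PHP: 5.6
-Stable tag: 3.6.0
+Stable tag: 3.6.1
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -269,6 +269,13 @@ Each document database is full of useless words. All the little words that appea
 
 == Changelog ==
 
+= 3.6.1 =
+* SECURITY: This version fixes a SQL injection vulnerability, where a site admin could theoretically inject SQL code into Relevanssi search queries. Doing this required access to Relevanssi settings page and in my tests, I couldn't do any damage, just break the Relevanssi search, but in any case, this vulnerability is now fixed.
+* Search and Filter shortcode is added to the blacklist.
+* Groups plugin is now supported automatically to restrict access to posts.
+* The filter `relevanssi_index_custom_fields` now works even if the custom field setting is empty.
+* The filter `relevanssi_post_to_index` now has a second parameter. For posts, it simply repeats the post object, but for taxonomy terms, it has the term object.
+
 = 3.6.0 =
 * Changed a bit how Relevanssi attaches itself to queries. Instead of the global $wp_query, Relevanssi now uses the query passed as the parameter to `the_posts` filter hook. This should improve compatibility in some cases, but may cause problems in some fringe cases. If you're doing something unusual with Relevanssi, try this out before deploying to public use.
 * Some meta queries caused major problems with the Relevanssi weighting algorithm. This has now been fixed.
@@ -1073,6 +1080,9 @@ Each document database is full of useless words. All the little words that appea
 
 == Upgrade notice ==
 
+= 3.6.1 =
+* Fix for a security vulnerability where a site admin could inject SQL code into search queries.
+
 = 3.6.0 =
 * A big change in how Relevanssi works with queries. This should reduce compatibility issues, but may cause unexpected results.
 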
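--- a/relevanssi.php
+++ b/relevanssi.php
@@ -3,7 +3,7 @@
 Plugin Name: Relevanssi
 Plugin URI: http://www.relevanssi.com/
 Description: This plugin replaces WordPress search with a relevance-sorting search.
-Version: 3.6.0
+Version: 3.6.1
 Author: Mikko Saari
 Author URI: http://www.mikkosaari.fi/
 */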