Relevanssi – A Better Search - Version 4.14.6

Version Description

  • Security fix: Extra hardening for AJAX requests. Some AJAX actions in Relevanssi could leak information to site subscribers who knew what to look for.

Release Info

Developer msaari
Version 4.14.6

Code changes from version 4.14.5 to 4.14.6

Files changed (3) hide show
  1. lib/admin-ajax.php +36 -1
  2. readme.txt +7 -1
  3. relevanssi.php +2 -2
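--- a/lib/admin-ajax.php
+++ b/lib/admin-ajax.php
@@ -17,6 +17,25 @@ add_action( 'wp_ajax_relevanssi_admin_search', 'relevanssi_admin_search' );
 add_action( 'wp_ajax_relevanssi_update_counts', 'relevanssi_update_counts' );
 add_action( 'wp_ajax_nopriv_relevanssi_update_counts', 'relevanssi_update_counts' );
 
+/**
+ * Checks if current user can access Relevanssi options.
+ *
+ * If the current user doesn't have sufficient access to Relevanssi options,
+ * the function will die. If the user has access, nothing happens.
+ *
+ * @return void
+ */
+function relevanssi_current_user_can_access_options() {
+/**
+ * Filters the capability required to access Relevanssi options.
+ *
+ * @param string The capability required. Default 'manage_options'.
+ */
+if ( ! current_user_can( apply_filters( 'relevanssi_options_capability', 'manage_options' ) ) ) {
+wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'relevanssi' ) );
+}
+}
+
 /**
  * Truncates the Relevanssi index.
  *
@@ -24,6 +43,7 @@ add_action( 'wp_ajax_nopriv_relevanssi_update_counts', 'relevanssi_update_counts
  */
 function relevanssi_truncate_index_ajax_wrapper() {
 check_ajax_referer( 'relevanssi_indexing_nonce', 'security' );
+relevanssi_current_user_can_access_options();
 
 $response = relevanssi_truncate_index();
 echo wp_json_encode( $response );
@@ -38,6 +58,7 @@ function relevanssi_truncate_index_ajax_wrapper() {
  */
 function relevanssi_index_posts_ajax_wrapper() {
 check_ajax_referer( 'relevanssi_indexing_nonce', 'security' );
+relevanssi_current_user_can_access_options();
 
 $completed = absint( $_POST['completed'] );
 $total = absint( $_POST['total'] );
@@ -112,6 +133,8 @@ function relevanssi_index_posts_ajax_wrapper() {
  * AJAX wrapper for relevanssi_count_total_posts().
  */
 function relevanssi_count_posts_ajax_wrapper() {
+relevanssi_current_user_can_access_options();
+
 $count = relevanssi_count_total_posts();
 echo wp_json_encode( $count );
 wp_die();
@@ -123,6 +146,8 @@ function relevanssi_count_posts_ajax_wrapper() {
  * AJAX wrapper for relevanssi_count_missing_posts().
  */
 function relevanssi_count_missing_posts_ajax_wrapper() {
+relevanssi_current_user_can_access_options();
+
 $count = relevanssi_count_missing_posts();
 echo wp_json_encode( $count );
 wp_die();
@@ -134,6 +159,8 @@ function relevanssi_count_missing_posts_ajax_wrapper() {
  * AJAX wrapper for get_categories().
  */
 function relevanssi_list_categories() {
+relevanssi_current_user_can_access_options();
+
 $categories = get_categories(
 array(
 'taxonomy' => 'category',
@@ -153,6 +180,14 @@ function relevanssi_list_categories() {
  */
 function relevanssi_admin_search() {
 check_ajax_referer( 'relevanssi_admin_search_nonce', 'security' );
+/**
+ * Filters the capability required to access Relevanssi admin search page.
+ *
+ * @param string The capability required. Default 'edit_posts'.
+ */
+if ( ! current_user_can( apply_filters( 'relevanssi_admin_search_capability', 'edit_posts' ) ) ) {
+wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'relevanssi' ) );
+}
 
 $args = array();
 if ( isset( $_POST['args'] ) ) {
@@ -291,7 +326,7 @@ EOH;
  * Formats the WP_Query parameters, looks at some filter hooks and presents the
  * information in an easy-to-read format.
  *
- * @param array $query The WP_Query object.
+ * @param WP_Query $query The WP_Query object.
  *
  * @return string The formatted debugging information.
  *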
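Review bot: The capability checks added to relevanssi_count_posts_ajax_wrapper, relevanssi_count_missing_posts_ajax_wrapper and relevanssi_list_categories are not paired with a nonce check, while the truncate, index and admin-search wrappers in the same file call check_ajax_referer() before testing the capability. The practical exposure is small since these three handlers only return data, but they now lack the CSRF protection WordPress conventionally applies to admin-ajax actions; if the enqueued script already sends the indexing nonce for these actions, adding `check_ajax_referer( 'relevanssi_indexing_nonce', 'security' );` immediately before `relevanssi_current_user_can_access_options();` closes the gap, otherwise the nonce name must be confirmed against the script that issues the requests. relevanssi_current_user_can_access_options() also calls wp_die() with only a message, which in an admin-ajax request is likely to be answered with a 200 status rather than 403, so the caller cannot tell a denial from a result; `wp_die( esc_html__( 'You do not have sufficient permissions to access this page.', 'relevanssi' ), '', array( 'response' => 403 ) )` would make the refusal explicit. The `wp_ajax_nopriv_relevanssi_update_counts` registration on line 18 is left as is by this hardening, and since relevanssi_update_counts is not in the hunk, whether it needs the same treatment cannot be judged here.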
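--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: search, relevance, better search, product search, woocommerce search
 Requires at least: 4.9
 Tested up to: 5.8.2
 Requires PHP: 7.0
-Stable tag: 4.14.5
+Stable tag: 4.14.6
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -128,6 +128,9 @@ Each document database is full of useless words. All the little words that appea
 * John Calahan for extensive 4.0 beta testing.
 
 == Changelog ==
+= 4.14.6 =
+* Security fix: Extra hardening for AJAX requests. Some AJAX actions in Relevanssi could leak information to site subscribers who knew what to look for.
+
 = 4.14.5 =
 * Security fix: Any registered user could empty the Relevanssi index by triggering the index truncate AJAX action. That is no longer possible.
 * New feature: The [searchform] shortcode has a new parameter, 'checklist', which you can use to create taxonomy checklists.
@@ -262,6 +265,9 @@ Each document database is full of useless words. All the little words that appea
 * Minor fix: In some cases, having less than or greater than symbols in PDF content would block that PDF content from being indexed.
 
 == Upgrade notice ==
+= 4.14.6 =
+* Security fix: Extra security checks for AJAX actions.
+
 = 4.14.5 =
 * Security fix: registered users could delete the Relevanssi index.
 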
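--- a/relevanssi.php
+++ b/relevanssi.php
@@ -13,7 +13,7 @@
  * Plugin Name: Relevanssi
  * Plugin URI: https://www.relevanssi.com/
  * Description: This plugin replaces WordPress search with a relevance-sorting search.
- * Version: 4.14.5
+ * Version: 4.14.6
  * Author: Mikko Saari
  * Author URI: http://www.mikkosaari.fi/
  * Text Domain: relevanssi
@@ -67,7 +67,7 @@ $relevanssi_variables['database_version'] = 6;
 $relevanssi_variables['file'] = __FILE__;
 $relevanssi_variables['plugin_dir'] = plugin_dir_path( __FILE__ );
 $relevanssi_variables['plugin_basename'] = plugin_basename( __FILE__ );
-$relevanssi_variables['plugin_version'] = '4.14.5';
+$relevanssi_variables['plugin_version'] = '4.14.6';
 
 require_once 'lib/admin-ajax.php';
 require_once 'lib/common.php';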