Stream - Version 3.8.2

Version Description

Fixes a security vulnerability in the way the order query parameter was passed to the database query for authenticated users when viewing the Stream records page in the WordPress admin.



Release Info

Developer kasparsd
Version 3.8.2

Code changes from version 3.8.1 to 3.8.2

Files changed (4)
  1. classes/class-plugin.php +1 -1
  2. classes/class-query.php +14 -9
  3. readme.txt +12 -1
  4. stream.php +1 -1
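--- a/classes/class-plugin.php
+++ b/classes/class-plugin.php
@@ -18,7 +18,7 @@ class Plugin {
  *
  * @const string
  */
- const VERSION = '3.8.1';
+ const VERSION = '3.8.2';
 
  /**
  * WP-CLI command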
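--- a/classes/class-query.php
+++ b/classes/class-query.php
@@ -179,21 +179,26 @@ class Query {
  /**
  * PARSE ORDER PARAMS
  */
- $order = esc_sql( $args['order'] );
- $orderby = esc_sql( $args['orderby'] );
  $orderable = array( 'ID', 'site_id', 'blog_id', 'object_id', 'user_id', 'user_role', 'summary', 'created', 'connector', 'context', 'action' );
 
- if ( in_array( $orderby, $orderable, true ) ) {
- $orderby = sprintf( '%s.%s', $wpdb->stream, $orderby );
- } elseif ( 'meta_value_num' === $orderby && ! empty( $args['meta_key'] ) ) {
+ // Default to sorting by record ID.
+ $orderby = "$wpdb->stream.ID";
+
+ if ( in_array( $args['orderby'], $orderable, true ) ) {
+ $orderby = sprintf( '%s.%s', $wpdb->stream, $args['orderby'] );
+ } elseif ( 'meta_value_num' === $args['orderby'] && ! empty( $args['meta_key'] ) ) {
  $orderby = "CAST($wpdb->streammeta.meta_value AS SIGNED)";
- } elseif ( 'meta_value' === $orderby && ! empty( $args['meta_key'] ) ) {
+ } elseif ( 'meta_value' === $args['orderby'] && ! empty( $args['meta_key'] ) ) {
  $orderby = "$wpdb->streammeta.meta_value";
- } else {
- $orderby = "$wpdb->stream.ID";
  }
 
- $orderby = "ORDER BY {$orderby} {$order}";
+ // Show the recent records first by default.
+ $order = 'DESC';
+ if ( 'ASC' === strtoupper( $args['order'] ) ) {
+ $order = 'ASC';
+ }
+
+ $orderby = sprintf( 'ORDER BY %s %s', $orderby, $order );
 
  /**
  * PARSE FIELDS PARAMETER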
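Review bot: `strtoupper( $args['order'] )` on the new side assumes `$args['order']` is always a set string; if the caller can pass an array (for example `order[]=` in a query string) or omit the key, PHP raises a TypeError or an undefined-index warning before the comparison runs, whereas the removed `esc_sql()` call accepted arrays. Unless defaults are merged into `$args` earlier in the method (not visible in the hunk), guard the check: `if ( isset( $args['order'] ) && is_string( $args['order'] ) && 'ASC' === strtoupper( $args['order'] ) ) {`. The same consideration applies to `$args['orderby']`, though `in_array( ..., true )` and the strict `===` comparisons fail closed there, so a malformed value only yields the default ID ordering. The `PARSE ORDER PARAMS` banner would be more useful as a contract comment so the escaping approach is not reintroduced, e.g. `// orderby must match a column in $orderable (or a meta_value form) and order is normalised to the literal ASC/DESC; never interpolate the raw request values into the ORDER BY clause.` The enclosing method starts and ends outside this hunk.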
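--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: xwp
  Tags: wp stream, stream, activity, logs, track
  Requires at least: 4.5
  Tested up to: 5.8
- Stable tag: 3.8.1
+ Stable tag: 3.8.2
  License: GPLv2 or later
  License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -89,8 +89,19 @@ Past Contributors: fjarrett, shadyvb, chacha, westonruter, johnregan3, jacobschw
  3. Create rules for excluding certain kinds of records from appearing in Stream.
 
 
+ == Upgrade Notice ==
+
+ = 3.8.2 =
+
+ Fixes a security vulnerability in the way the `order` query parameter was passed to the database query for authenticated users when viewing the Stream records page in the WordPress admin.
+
+
  == Changelog ==
 
+ = 3.8.2 - October 12, 2021 =
+
+ - Security fix: Ensure the value of `order` query parameter forwarded to the database query when viewing the Stream records in the WordPress admin (for authenticated users) is only `ASC` or `DESC`. Previously it passed the whole value of the `order` parameter filtered through `esc_sql()`.
+
  = 3.8.1 - September 17, 2021 =
 
  - Fix: Ensure Stream database tables are present on all WP admin requests to help with installations where the plugin activate hook never runs [#1286](https://github.com/xwp/stream/pull/1286), props [@tomjn](https://github.com/tomjn).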
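--- a/stream.php
+++ b/stream.php
@@ -3,7 +3,7 @@
  * Plugin Name: Stream
  * Plugin URI: https://xwp.co/work/stream/
  * Description: Stream tracks logged-in user activity so you can monitor every change made on your WordPress site in beautifully organized detail. All activity is organized by context, action and IP address for easy filtering. Developers can extend Stream with custom connectors to log any kind of action.
- * Version: 3.8.1
+ * Version: 3.8.2
  * Author: XWP
  * Author URI: https://xwp.co
  * License: GPLv2+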