Version Description
Fixes a security vulnerability in the way the order
query parameter was passed to the database query for authenticated users when viewing the Stream records page in the WordPress admin.
Release Info
Developer | kasparsd |
Plugin | Stream |
Version | 3.8.2 |
Code changes from version 3.8.1 to 3.8.2
- classes/class-plugin.php +1 -1
- classes/class-query.php +14 -9
- readme.txt +12 -1
- stream.php +1 -1
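--- a/classes/class-plugin.php
+++ b/classes/class-plugin.php
@@ -18,7 +18,7 @@ class Plugin {
 *
 * @const string
 */
-const VERSION = '3.8.
+const VERSION = '3.8.2';
 
 /**
 * WP-CLI command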
classes/class-query.php
CHANGED
@@ -179,21 +179,26 @@ class Query {
|
|
179 |
/**
|
180 |
* PARSE ORDER PARAMS
|
181 |
*/
|
182 |
-
$order = esc_sql( $args['order'] );
|
183 |
-
$orderby = esc_sql( $args['orderby'] );
|
184 |
$orderable = array( 'ID', 'site_id', 'blog_id', 'object_id', 'user_id', 'user_role', 'summary', 'created', 'connector', 'context', 'action' );
|
185 |
|
186 |
-
|
187 |
-
|
188 |
-
|
|
|
|
|
|
|
189 |
$orderby = "CAST($wpdb->streammeta.meta_value AS SIGNED)";
|
190 |
-
} elseif ( 'meta_value' === $orderby && ! empty( $args['meta_key'] ) ) {
|
191 |
$orderby = "$wpdb->streammeta.meta_value";
|
192 |
-
} else {
|
193 |
-
$orderby = "$wpdb->stream.ID";
|
194 |
}
|
195 |
|
196 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
197 |
|
198 |
/**
|
199 |
* PARSE FIELDS PARAMETER
|
179 |
/**
|
180 |
* PARSE ORDER PARAMS
|
181 |
*/
|
|
|
|
|
182 |
$orderable = array( 'ID', 'site_id', 'blog_id', 'object_id', 'user_id', 'user_role', 'summary', 'created', 'connector', 'context', 'action' );
|
183 |
|
184 |
+
// Default to sorting by record ID.
|
185 |
+
$orderby = "$wpdb->stream.ID";
|
186 |
+
|
187 |
+
if ( in_array( $args['orderby'], $orderable, true ) ) {
|
188 |
+
$orderby = sprintf( '%s.%s', $wpdb->stream, $args['orderby'] );
|
189 |
+
} elseif ( 'meta_value_num' === $args['orderby'] && ! empty( $args['meta_key'] ) ) {
|
190 |
$orderby = "CAST($wpdb->streammeta.meta_value AS SIGNED)";
|
191 |
+
} elseif ( 'meta_value' === $args['orderby'] && ! empty( $args['meta_key'] ) ) {
|
192 |
$orderby = "$wpdb->streammeta.meta_value";
|
|
|
|
|
193 |
}
|
194 |
|
195 |
+
// Show the recent records first by default.
|
196 |
+
$order = 'DESC';
|
197 |
+
if ( 'ASC' === strtoupper( $args['order'] ) ) {
|
198 |
+
$order = 'ASC';
|
199 |
+
}
|
200 |
+
|
201 |
+
$orderby = sprintf( 'ORDER BY %s %s', $orderby, $order );
|
202 |
|
203 |
/**
|
204 |
* PARSE FIELDS PARAMETER
|
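Review bot: `strtoupper( $args['order'] )` on the new line 197 assumes `order` is a string; if the request supplies it as an array (`order[]=...`) or the key is absent, strtoupper() throws a TypeError on PHP 8 (and emits a deprecation for null on 8.1) before the ASC/DESC fallback can run, whereas the `orderby` branch above already tolerates non-string input because in_array() and `===` simply fail closed. Guarding the type keeps the fallback intact: `if ( is_string( $args['order'] ) && 'ASC' === strtoupper( $args['order'] ) ) {`. I cannot see from the hunk whether `$args` is merged with defaults upstream, so confirm before treating this as reachable. The allow-list plus fixed `ASC`/`DESC` tokens is the right shape for this fix, and a comment such as `// Only allow-listed columns and the two fixed sort tokens reach the ORDER BY clause; anything else falls back to the record ID.` above the in_array() check would record that intent for the next maintainer. The enclosing method of class Query starts and ends outside this hunk.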
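--- a/readme.txt
+++ b/readme.txt
@@ -3,7 +3,7 @@ Contributors: xwp
 Tags: wp stream, stream, activity, logs, track
 Requires at least: 4.5
 Tested up to: 5.8
-Stable tag: 3.8.
+Stable tag: 3.8.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -89,8 +89,19 @@ Past Contributors: fjarrett, shadyvb, chacha, westonruter, johnregan3, jacobschw
 3. Create rules for excluding certain kinds of records from appearing in Stream.
 
 
+== Upgrade Notice ==
+
+= 3.8.2 =
+
+Fixes a security vulnerability in the way the `order` query parameter was passed to the database query for authenticated users when viewing the Stream records page in the WordPress admin.
+
+
 == Changelog ==
 
+= 3.8.2 - October 12, 2021 =
+
+- Security fix: Ensure the value of `order` query parameter forwarded to the database query when viewing the Stream records in the WordPress admin (for authenticated users) is only `ASC` or `DESC`. Previously it passed the whole value of the `order` parameter filtered through `esc_sql()`.
+
 = 3.8.1 - September 17, 2021 =
 
 - Fix: Ensure Stream database tables are present on all WP admin requests to help with installations where the plugin activate hook never runs [#1286](https://github.com/xwp/stream/pull/1286), props [@tomjn](https://github.com/tomjn).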
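--- a/stream.php
+++ b/stream.php
@@ -3,7 +3,7 @@
 * Plugin Name: Stream
 * Plugin URI: https://xwp.co/work/stream/
 * Description: Stream tracks logged-in user activity so you can monitor every change made on your WordPress site in beautifully organized detail. All activity is organized by context, action and IP address for easy filtering. Developers can extend Stream with custom connectors to log any kind of action.
-* Version: 3.8.
+* Version: 3.8.2
 * Author: XWP
 * Author URI: https://xwp.co
 * License: GPLv2+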