Merge pull request #1292 from xwp/release/3.8.2

Release 3.8.2 (security fix)

classes/class-plugin.php

@@ -18,7 +18,7 @@ class Plugin {
 	 *
 	 * @const string
 	 */
-	const VERSION = '3.8.1';
+	const VERSION = '3.8.2';
 
 	/**
 	 * WP-CLI command

classes/class-query.php

@@ -179,21 +179,26 @@ public function query( $args ) {
 		/**
 		 * PARSE ORDER PARAMS
 		 */
-		$order     = esc_sql( $args['order'] );
-		$orderby   = esc_sql( $args['orderby'] );
 		$orderable = array( 'ID', 'site_id', 'blog_id', 'object_id', 'user_id', 'user_role', 'summary', 'created', 'connector', 'context', 'action' );
 
-		if ( in_array( $orderby, $orderable, true ) ) {
-			$orderby = sprintf( '%s.%s', $wpdb->stream, $orderby );
-		} elseif ( 'meta_value_num' === $orderby && ! empty( $args['meta_key'] ) ) {
+		// Default to sorting by record ID.
+		$orderby = "$wpdb->stream.ID";
+
+		if ( in_array( $args['orderby'], $orderable, true ) ) {
+			$orderby = sprintf( '%s.%s', $wpdb->stream, $args['orderby'] );
+		} elseif ( 'meta_value_num' === $args['orderby'] && ! empty( $args['meta_key'] ) ) {
 			$orderby = "CAST($wpdb->streammeta.meta_value AS SIGNED)";
-		} elseif ( 'meta_value' === $orderby && ! empty( $args['meta_key'] ) ) {
+		} elseif ( 'meta_value' === $args['orderby'] && ! empty( $args['meta_key'] ) ) {
 			$orderby = "$wpdb->streammeta.meta_value";
-		} else {
-			$orderby = "$wpdb->stream.ID";
 		}
 
-		$orderby = "ORDER BY {$orderby} {$order}";
+		// Show the recent records first by default.
+		$order = 'DESC';
+		if ( 'ASC' === strtoupper( $args['order'] ) ) {
+			$order = 'ASC';
+		}
+
+		$orderby = sprintf( 'ORDER BY %s %s', $orderby, $order );
 
 		/**
 		 * PARSE FIELDS PARAMETER

readme.txt

@@ -3,7 +3,7 @@ Contributors: xwp
 Tags: wp stream, stream, activity, logs, track
 Requires at least: 4.5
 Tested up to: 5.8
-Stable tag: 3.8.1
+Stable tag: 3.8.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
 
@@ -89,8 +89,19 @@ Past Contributors: fjarrett, shadyvb, chacha, westonruter, johnregan3, jacobschw
 3. Create rules for excluding certain kinds of records from appearing in Stream.
 
 
+== Upgrade Notice ==
+
+= 3.8.2 =
+
+Fixes a security vulnerability in the way the `order` query parameter was passed to the database query for authenticated users when viewing the Stream records page in the WordPress admin.
+
+
 == Changelog ==
 
+= 3.8.2 - October 12, 2021 =
+
+- Security fix: Ensure the value of `order` query parameter forwarded to the database query when viewing the Stream records in the WordPress admin (for authenticated users) is only `ASC` or `DESC`. Previously it passed the whole value of the `order` parameter filtered through `esc_sql()`.
+
 = 3.8.1 - September 17, 2021 =
 
 - Fix: Ensure Stream database tables are present on all WP admin requests to help with installations where the plugin activate hook never runs [#1286](https://github.com/xwp/stream/pull/1286), props [@tomjn](https://github.com/tomjn).

stream.php

@@ -3,7 +3,7 @@
  * Plugin Name: Stream
  * Plugin URI: https://xwp.co/work/stream/
  * Description: Stream tracks logged-in user activity so you can monitor every change made on your WordPress site in beautifully organized detail. All activity is organized by context, action and IP address for easy filtering. Developers can extend Stream with custom connectors to log any kind of action.
- * Version: 3.8.1
+ * Version: 3.8.2
  * Author: XWP
  * Author URI: https://xwp.co
  * License: GPLv2+