diff --git a/classes/class-plugin.php b/classes/class-plugin.php
index f2ba3bf7d..ea4f8fc22 100755
--- a/classes/class-plugin.php
+++ b/classes/class-plugin.php
@@ -18,7 +18,7 @@ class Plugin {
 *
 * @const string
 */
- const VERSION = '3.8.1';
+ const VERSION = '3.8.2';
 /**
 * WP-CLI command
diff --git a/classes/class-query.php b/classes/class-query.php
index 110ca62e0..a05f8b903 100644
--- a/classes/class-query.php
+++ b/classes/class-query.php
@@ -179,21 +179,26 @@ public function query( $args ) {
 /**
 * PARSE ORDER PARAMS
 */
- $order = esc_sql( $args['order'] );
- $orderby = esc_sql( $args['orderby'] );
 $orderable = array( 'ID', 'site_id', 'blog_id', 'object_id', 'user_id', 'user_role', 'summary', 'created', 'connector', 'context', 'action' );
- if ( in_array( $orderby, $orderable, true ) ) {
- $orderby = sprintf( '%s.%s', $wpdb->stream, $orderby );
- } elseif ( 'meta_value_num' === $orderby && ! empty( $args['meta_key'] ) ) {
+ // Default to sorting by record ID.
+ $orderby = "$wpdb->stream.ID";
+
+ if ( in_array( $args['orderby'], $orderable, true ) ) {
+ $orderby = sprintf( '%s.%s', $wpdb->stream, $args['orderby'] );
+ } elseif ( 'meta_value_num' === $args['orderby'] && ! empty( $args['meta_key'] ) ) {
 $orderby = "CAST($wpdb->streammeta.meta_value AS SIGNED)";
- } elseif ( 'meta_value' === $orderby && ! empty( $args['meta_key'] ) ) {
+ } elseif ( 'meta_value' === $args['orderby'] && ! empty( $args['meta_key'] ) ) {
 $orderby = "$wpdb->streammeta.meta_value";
- } else {
- $orderby = "$wpdb->stream.ID";
 }
- $orderby = "ORDER BY {$orderby} {$order}";
+ // Show the recent records first by default.
+ $order = 'DESC';
+ if ( 'ASC' === strtoupper( $args['order'] ) ) {
+ $order = 'ASC';
+ }
+
+ $orderby = sprintf( 'ORDER BY %s %s', $orderby, $order );
 /**
 * PARSE FIELDS PARAMETER
diff --git a/readme.txt b/readme.txt
index 70de3579a..c474d49b5 100644
--- a/readme.txt
+++ b/readme.txt
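Review bot: `strtoupper( $args['order'] )` in the class-query.php hunk assumes `$args['order']` is always a string; if the key can be missing or arrive as an array from the request, PHP 8.1 emits a deprecation for `null` and throws a `TypeError` for an array, so a malformed query parameter would turn into a fatal error on the admin records page instead of falling back to the default sort. The defaults merge, if any, happens before this hunk (the body of `query()` starts and continues outside it), so I cannot confirm from here that the key is always set and scalar. Guarding the comparison keeps the allow-list fix intact while letting any non-string value fall through to the `DESC` default: `if ( isset( $args['order'] ) && is_string( $args['order'] ) && 'ASC' === strtoupper( $args['order'] ) ) {`. The `$orderable` array is the right shape for the column name, and a one-line comment above it such as `// Allow-list of columns that may be interpolated into ORDER BY; anything else falls back to ID.` would make that security intent explicit for whoever next edits the list.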
@@ -3,7 +3,7 @@ Contributors: xwp
 Tags: wp stream, stream, activity, logs, track
 Requires at least: 4.5
 Tested up to: 5.8
-Stable tag: 3.8.1
+Stable tag: 3.8.2
 License: GPLv2 or later
 License URI: https://www.gnu.org/licenses/gpl-2.0.html
@@ -89,8 +89,19 @@ Past Contributors: fjarrett, shadyvb, chacha, westonruter, johnregan3, jacobschw
 3. Create rules for excluding certain kinds of records from appearing in Stream.
+== Upgrade Notice ==
+
+= 3.8.2 =
+
+Fixes a security vulnerability in the way the `order` query parameter was passed to the database query for authenticated users when viewing the Stream records page in the WordPress admin.
+
+
 == Changelog ==
+= 3.8.2 - October 12, 2021 =
+
+- Security fix: Ensure the value of `order` query parameter forwarded to the database query when viewing the Stream records in the WordPress admin (for authenticated users) is only `ASC` or `DESC`. Previously it passed the whole value of the `order` parameter filtered through `esc_sql()`.
+
 = 3.8.1 - September 17, 2021 =
 - Fix: Ensure Stream database tables are present on all WP admin requests to help with installations where the plugin activate hook never runs [#1286](https://github.com/xwp/stream/pull/1286), props [@tomjn](https://github.com/tomjn).
diff --git a/stream.php b/stream.php
index 94ca00034..029fa16fa 100644
--- a/stream.php
+++ b/stream.php
@@ -3,7 +3,7 @@
 * Plugin Name: Stream
 * Plugin URI: https://xwp.co/work/stream/
 * Description: Stream tracks logged-in user activity so you can monitor every change made on your WordPress site in beautifully organized detail. All activity is organized by context, action and IP address for easy filtering. Developers can extend Stream with custom connectors to log any kind of action.
- * Version: 3.8.1
+ * Version: 3.8.2
 * Author: XWP
 * Author URI: https://xwp.co
 * License: GPLv2+