diff --git a/changelog.txt b/changelog.txt
index 5c4127bf86..9c9fc517bb 100644
--- a/changelog.txt
+++ b/changelog.txt
@@ -2,6 +2,10 @@ Found a bug? Have a great feature idea? Get on GitHub and tell us about it and w
 
 Our GitHub has the full list of all prior releases of Pods: https://github.com/pods-framework/pods/releases
 
+= 3.2.8.2 - February 7th, 2025 =
+
+* Security: Do not allow using custom SQL clauses for Relationship fields when SQL clauses are disabled in the Pods security settings. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this. (@sc0ttkclark)
+
 = 3.2.8.1 - November 22nd, 2024 =
 
 * Security: Resolve stored XSS issue with the File Upload field Add Button Text option. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this (their second report, they are doing good work!). (@sc0ttkclark)
diff --git a/classes/fields/pick.php b/classes/fields/pick.php
index bc150f3895..0ac903b84e 100644
--- a/classes/fields/pick.php
+++ b/classes/fields/pick.php
@@ -2696,7 +2696,7 @@ public function get_object_data( $object_params = null ) {
 		$params = array(
 			'select' => "`t`.`{$search_data->field_id}`, `t`.`{$search_data->field_index}`",
 			'table' => $search_data->table,
-			'where' => pods_v( static::$type . '_where', $options, (array) $table_info['where_default'], true ),
+			'where' => pods_v( static::$type . '_where', $options, null, true ),
 			'orderby' => pods_v( static::$type . '_orderby', $options, null, true ),
 			'having' => pods_v( static::$type . '_having', $options, null, true ),
 			'groupby' => pods_v( static::$type . '_groupby', $options, null, true ),
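Review bot: The `where` entry of `$params` now reads `null` where the array is built, and the `$table_info['where_default']` fallback it used to carry is only restored by the `elseif ( null === $params['where'] )` branch added in the 2704 hunk, so the array literal alone no longer shows what an unset clause resolves to. A one-line comment on the changed line would keep the two halves tied together, e.g. `// Default applied below, after the SQL-clauses feature check.`. `get_object_data()` begins before this hunk and continues past it.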
@@ -2704,6 +2704,15 @@ public function get_object_data( $object_params = null ) {
 			'search' => false,
 		);
 
+		if ( ! pods_can_use_dynamic_feature_sql_clauses() ) {
+			$params['where'] = $params['where'] ? '0=1 /* Dynamic SQL clauses disabled in Pods */' : (array) $table_info['where_default'];
+			$params['orderby'] = null;
+			$params['having'] = null;
+			$params['groupby'] = null;
+		} elseif ( null === $params['where'] ) {
+			$params['where'] = (array) $table_info['where_default'];
+		}
+
 		if ( in_array( $options[ static::$type . '_object' ], array( 'site', 'network' ), true ) ) {
 			$params['select'] .= ', `t`.`path`';
 		}
@@ -2883,6 +2892,10 @@ public function get_object_data( $object_params = null ) {
 
 		$pick_orderby = pods_v( static::$type . '_orderby', $options, null, true );
 
+		if ( ! pods_can_use_dynamic_feature_sql_clauses() ) {
+			$pick_orderby = null;
+		}
+
 		if ( is_string( $pick_orderby ) && 0 < strlen( $pick_orderby ) ) {
 			$orderby[] = $pick_orderby;
 		}
diff --git a/classes/widgets/PodsWidgetList.php b/classes/widgets/PodsWidgetList.php
index 1072a5e554..abdfed482a 100644
--- a/classes/widgets/PodsWidgetList.php
+++ b/classes/widgets/PodsWidgetList.php
@@ -41,6 +41,11 @@ public function widget( $args, $instance ) {
 			'cache_mode' => trim( (string) pods_v( 'cache_mode', $instance, 'none', true ) ),
 		);
 
+		if ( ! pods_can_use_dynamic_feature_sql_clauses() ) {
+			$args['orderby'] = '';
+			$args['where'] = $args['where'] ? '0=1 /* Dynamic SQL clauses disabled in Pods */' : '';
+		}
+
 		$content = trim( (string) pods_v( 'template_custom', $instance, '' ) );
 
 		if ( 0 < strlen( $args['name'] ) && ( 0 < strlen( $args['template'] ) || 0 < strlen( $content ) ) ) {
diff --git a/init.php b/init.php
index a860e39078..911ef652e7 100644
--- a/init.php
+++ b/init.php
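Review bot: The new block treats a configured `where` as fail-closed (`0=1 /* … */`) but silently discards a configured `having`, even though `having` is also a row filter drawn from the same field options via `pods_v( static::$type . '_having', … )` in the 2696 hunk; if a site relied on a having clause to narrow the relationship options, disabling SQL clauses now widens the option list instead of emptying it. Applying the same rule to both keeps the intent consistent: `$params['where'] = ( $params['where'] || $params['having'] ) ? '0=1 /* Dynamic SQL clauses disabled in Pods */' : (array) $table_info['where_default'];`. The `0=1 /* Dynamic SQL clauses disabled in Pods */` literal is hard-coded again in the `widget()` hunk of `classes/widgets/PodsWidgetList.php`, and `pods_can_use_dynamic_feature_sql_clauses()` is called a second time at 2895 in this same method, so a shared constant (or a small helper returning the fail-closed clause) next to that function would let all three sites stay in step. A short comment above the block stating why the clause is replaced rather than dropped — a dropped restrictive `where` would widen results — would also help the next reader, since the sentinel string alone does not explain the choice. `get_object_data()` starts before this hunk.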
@@ -10,7 +10,7 @@
  * Plugin Name: Pods - Custom Content Types and Fields
  * Plugin URI: https://pods.io/
  * Description: Pods is a framework for creating, managing, and deploying customized content types and fields
- * Version: 3.2.8.2-a-1
+ * Version: 3.2.8.2
  * Author: Pods Framework Team
  * Author URI: https://pods.io/about/
  * Text Domain: pods
@@ -43,7 +43,7 @@
 	add_action( 'init', 'pods_deactivate_pods_ui' );
 } else {
 	// Current version.
-	define( 'PODS_VERSION', '3.2.8.2-a-1' );
+	define( 'PODS_VERSION', '3.2.8.2' );
 
 	// Current database version, this is the last version the database changed.
 	define( 'PODS_DB_VERSION', '2.3.5' );
diff --git a/package.json b/package.json
index 3f20538ef9..3958765e6f 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pods",
-  "version": "3.2.8.2-a-1",
+  "version": "3.2.8.2",
   "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",
   "author": "Pods Foundation, Inc",
   "homepage": "https://pods.io/",
diff --git a/readme.txt b/readme.txt
index 627042a7b7..4ca0840fbc 100644
--- a/readme.txt
+++ b/readme.txt
@@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields
 Requires at least: 6.0
 Tested up to: 6.7
 Requires PHP: 7.2
-Stable tag: 3.2.8.2-a-1
+Stable tag: 3.2.8.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -182,6 +182,10 @@ Pods really wouldn't be where it is without all the contributions from our [dono
 
 == Changelog ==
 
+= 3.2.8.2 - February 7th, 2025 =
+
+* Security: Do not allow using custom SQL clauses for Relationship fields when SQL clauses are disabled in the Pods security settings. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this. (@sc0ttkclark)
+
 = 3.2.8.1 - November 22nd, 2024 =
 
 * Security: Resolve stored XSS issue with the File Upload field Add Button Text option. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this (their second report, they are doing good work!). (@sc0ttkclark)