Changeset 7015 for trunk/bp-groups/bp-groups-classes.php

Timestamp:

05/07/2013 11:45:58 PM (12 years ago)

Author:

boonebgorges

Message:

Audit of parameter sanitization in Groups and Core database classes

• Uses wp_parse_id_list() to sanitize parameters of integer arrays
• Implements a more consistent approach to LIKE clause sanitization

Props johnjamesjacoby

Introduces a number of unit tests for the Groups and Core database classes, to
accompany the security hardening.

See #4989

File:

• trunk/bp-groups/bp-groups-classes.php (modified) (18 diffs)

trunk/bp-groups/bp-groups-classes.php

@@ -222 +222 @@
             $user_id = bp_displayed_user_id();
 
-        $filter = like_escape( $wpdb->escape( $filter ) );
+        $filter = esc_sql( like_escape( $filter ) );
 
         if ( !empty( $limit ) && !empty( $page ) )
@@ -241 +241 @@
     }
 
+    /**
+     * @todo Deprecate in favor of get()
+     */
     function search_groups( $filter, $limit = null, $page = null, $sort_by = false, $order = false ) {
         global $wpdb, $bp;
 
-        $filter = like_escape( $wpdb->escape( $filter ) );
+        $filter = esc_sql( like_escape( $filter ) );
 
         if ( !empty( $limit ) && !empty( $page ) )
@@ -250 +253 @@
 
         if ( !empty( $sort_by ) && !empty( $order ) ) {
-            $sort_by   = $wpdb->escape( $sort_by );
-            $order     = $wpdb->escape( $order );
-            $order_sql = "ORDER BY $sort_by $order";
+            $sort_by   = esc_sql( $sort_by );
+            $order     = esc_sql( $order );
+            $order_sql = "ORDER BY {$sort_by} {$order}";
         }
 
@@ -365 +368 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = esc_sql( like_escape( $search_terms ) );
             $sql['search'] = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
         }
@@ -384 +387 @@
 
         if ( !empty( $include ) ) {
-            if ( is_array( $include ) )
-                $include = implode( ',', $include );
-
-            $include = $wpdb->escape( $include );
+            $include        = wp_parse_id_list( $r['include'] );
+            $include        = $wpdb->escape( implode( ',', $include ) );
             $sql['include'] = " AND g.id IN ({$include})";
         }
 
         if ( !empty( $exclude ) ) {
-            if ( is_array( $exclude ) )
-                $exclude = implode( ',', $exclude );
-
-            $exclude = $wpdb->escape( $exclude );
+            $exclude        = wp_parse_id_list( $r['exclude'] );
+            $exclude        = $wpdb->escape( implode( ',', $exclude ) );
             $sql['exclude'] = " AND g.id NOT IN ({$exclude})";
         }
@@ -544 +543 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = esc_sql( like_escape( trim( $search_terms ) ) );
             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
         }
 
         if ( !empty( $exclude ) ) {
-            $exclude = $wpdb->escape( $exclude );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
 
         if ( !empty( $user_id ) ) {
-            $user_id = $wpdb->escape( $user_id );
+            $user_id      = absint( $wpdb->escape( $user_id ) );
             $paged_groups = $wpdb->get_results( "SELECT DISTINCT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bp->groups->table_name_members} m, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql} ORDER BY f.topics DESC {$pag_sql}" );
             $total_groups = $wpdb->get_var( "SELECT COUNT(DISTINCT g.id) FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_groupmeta} gm3, {$bbdb->forums} f, {$bp->groups->table_name} g WHERE g.id = gm1.group_id AND g.id = gm2.group_id AND g.id = gm3.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND (gm3.meta_key = 'forum_id' AND gm3.meta_value = f.forum_id) AND f.topics > 0 {$hidden_sql} {$search_sql} AND m.user_id = {$user_id} AND m.is_confirmed = 1 AND m.is_banned = 0 {$exclude_sql}" );
@@ -585 +585 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = esc_sql( like_escape( trim( $search_terms ) ) );
             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
         }
 
         if ( !empty( $exclude ) ) {
-            $exclude = $wpdb->escape( $exclude );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
@@ -627 +628 @@
 
         if ( !empty( $exclude ) ) {
-            $exclude = $wpdb->escape( $exclude );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
@@ -634 +636 @@
             $hidden_sql = " AND status != 'hidden'";
 
-        $letter = like_escape( $wpdb->escape( $letter ) );
+        $letter = esc_sql( like_escape( $letter ) );
 
         if ( !empty( $limit ) && !empty( $page ) ) {
@@ -666 +668 @@
 
         if ( !empty( $search_terms ) ) {
-            $search_terms = like_escape( $wpdb->escape( $search_terms ) );
+            $search_terms = esc_sql( like_escape( trim( $search_terms ) ) );
             $search_sql = " AND ( g.name LIKE '%%{$search_terms}%%' OR g.description LIKE '%%{$search_terms}%%' )";
         }
 
         if ( !empty( $exclude ) ) {
-            $exclude = $wpdb->escape( $exclude );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND g.id NOT IN ({$exclude})";
         }
@@ -699 +702 @@
             return $paged_groups;
 
+        // Sanitize group IDs
+        $group_ids = wp_parse_id_list( $group_ids );
+        $group_ids = implode( ',', $group_ids );
+
         // Fetch the logged in users status within each group
         $user_status = $wpdb->get_col( $wpdb->prepare( "SELECT group_id FROM {$bp->groups->table_name_members} WHERE user_id = %d AND group_id IN ( {$group_ids} ) AND is_confirmed = 1 AND is_banned = 0", bp_loggedin_user_id() ) );
@@ -800 +807 @@
         $sql['where']  = "WHERE gm.meta_key = 'forum_id' {$status_sql} AND t.topic_status = '0' AND t.topic_sticky != '2'";
 
-        if ( $search_terms ) {
-            $st = like_escape( $search_terms );
+        if ( !empty( $search_terms ) ) {
+            $st = esc_sql( like_escape( $search_terms ) );
             $sql['where'] .= " AND (  t.topic_title LIKE '%{$st}%' )";
         }
@@ -1062 +1069 @@
 
         if ( !empty( $filter ) ) {
-            $filter = like_escape( $wpdb->escape( $filter ) );
+            $filter     = esc_sql( like_escape( $filter ) );
             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
         }
@@ -1084 +1091 @@
 
         if ( !empty( $filter ) ) {
-            $filter = like_escape( $wpdb->escape( $filter ) );
+            $filter     = esc_sql( like_escape( $filter ) );
             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
         }
@@ -1106 +1113 @@
 
         if ( !empty( $filter ) ) {
-            $filter = like_escape( $wpdb->escape( $filter ) );
+            $filter     = esc_sql( like_escape( trim( $filter ) ) );
             $filter_sql = " AND ( g.name LIKE '%%{$filter}%%' OR g.description LIKE '%%{$filter}%%' )";
         }
@@ -1137 +1144 @@
         $pag_sql = ( !empty( $limit ) && !empty( $page ) ) ? $wpdb->prepare( " LIMIT %d, %d", intval( ( $page - 1 ) * $limit), intval( $limit ) ) : '';
 
-        $exclude_sql = !empty( $exclude ) ? $wpdb->prepare( " AND g.id NOT IN (%s)", $exclude ) : '';
+        if ( !empty( $exclude ) ) {
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
+            $exclude_sql = " AND g.id NOT IN ({$exclude})";
+        } else {
+            $exclude_sql = '';
+        }
 
         $paged_groups = $wpdb->get_results( $wpdb->prepare( "SELECT g.*, gm1.meta_value as total_member_count, gm2.meta_value as last_activity FROM {$bp->groups->table_name_groupmeta} gm1, {$bp->groups->table_name_groupmeta} gm2, {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE g.id = m.group_id AND g.id = gm1.group_id AND g.id = gm2.group_id AND gm2.meta_key = 'last_activity' AND gm1.meta_key = 'total_member_count' AND m.is_confirmed = 0 AND m.inviter_id != 0 AND m.invite_sent = 1 AND m.user_id = %d {$exclude_sql} ORDER BY m.date_modified ASC {$pag_sql}", $user_id ) );
@@ -1240 +1253 @@
     }
 
-    function get_random_groups( $user_id, $total_groups = 5 ) {
+    function get_random_groups( $user_id = 0, $total_groups = 5 ) {
         global $wpdb, $bp;
 
         // If the user is logged in and viewing their random groups, we can show hidden and private groups
         if ( bp_is_my_profile() ) {
-            return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT group_id FROM {$bp->groups->table_name_members} WHERE user_id = %d AND is_confirmed = 1 AND is_banned = 0 ORDER BY rand() LIMIT $total_groups", $user_id ) );
+            return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT group_id FROM {$bp->groups->table_name_members} WHERE user_id = %d AND is_confirmed = 1 AND is_banned = 0 ORDER BY rand() LIMIT %d", $user_id, $total_groups ) );
         } else {
-            return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT m.group_id FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id AND g.status != 'hidden' AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY rand() LIMIT $total_groups", $user_id ) );
+            return $wpdb->get_col( $wpdb->prepare( "SELECT DISTINCT m.group_id FROM {$bp->groups->table_name_members} m, {$bp->groups->table_name} g WHERE m.group_id = g.id AND g.status != 'hidden' AND m.user_id = %d AND m.is_confirmed = 1 AND m.is_banned = 0 ORDER BY rand() LIMIT %d", $user_id, $total_groups ) );
         }
     }
@@ -1292 +1305 @@
         $exclude_sql = '';
         if ( !empty( $exclude ) ) {
-            $exclude = implode( ',', wp_parse_id_list( $exclude ) );
+            $exclude     = wp_parse_id_list( $exclude );
+            $exclude     = $wpdb->escape( implode( ',', $exclude ) );
             $exclude_sql = " AND m.user_id NOT IN ({$exclude})";
         }