BuddyPress.org
Timestamp:
06/16/2015 10:48:11 PM
Author:
johnjamesjacoby
Message:

Messages: Introduce filter to enforce private message thread query boundaries.

This change ensures that all queries for private messages will always return anticipated results, even when certain malformed values are passed in. It specifically hardens the user ID argument to prevent accidental overriding.

Fixes #6504. Props r-a-y. (trunk, for 2.4.0)

File:
1 edited

  • trunk/src/bp-messages/classes/class-bp-messages-thread.php

    r9928 r9948  
    461461        }
    462462
    463         if ( ! empty( $r['user_id'] ) ) {
    464             if ( 'sentbox' == $r['box'] ) {
     463        $r['user_id'] = (int) $r['user_id'];
     464
     465        switch ( $r['box'] ) {
     466            case 'sentbox' :
    465467                $user_id_sql = 'AND ' . $wpdb->prepare( 'm.sender_id = %d', $r['user_id'] );
    466                 $sender_sql  = ' AND m.sender_id = r.user_id';
    467             } else {
     468                $sender_sql  = 'AND m.sender_id = r.user_id';
     469                break;
     470
     471            case 'inbox' :
     472            default :
    468473                $user_id_sql = 'AND ' . $wpdb->prepare( 'r.user_id = %d', $r['user_id'] );
    469                 $sender_sql  = ' AND r.sender_only = 0';
    470             }
     474                $sender_sql  = 'AND r.sender_only = 0';
     475                break;
    471476        }
    472477
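Review bot: Dropping the `! empty( $r['user_id'] )` guard changes behaviour for callers that passed an empty `user_id`: the value is now cast with `(int)` to 0 and the query is always constrained by `r.user_id = 0` or `m.sender_id = 0` (matching no rows) instead of running unbounded, which is the intended hardening, but it relies on `$r['user_id']` always being present from the argument defaults outside this hunk to avoid an undefined-index notice; worth stating in the method's docblock. Also, the `$sender_sql` strings lose their leading space (`' AND m.sender_id = r.user_id'` becomes `'AND m.sender_id = r.user_id'`), now matching the `$user_id_sql` style, so confirm that the concatenation site outside this hunk supplies the separating whitespace. The filter named in the commit message does not appear in this hunk.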