Context Navigation

← Previous Change
Next Change →

class-bp-messages-thread.php

Timestamp:

06/16/2015 10:50:15 PM (10 years ago)

Author:

johnjamesjacoby

Message:

Messages: Introduce filter to enforce private message thread query boundaries.

This change ensures that all queries for private messages will always return anticipated results, even when certain malformed values are passed in. It specifically hardens the user ID argument to prevent accidental overriding.

Fixes #6504. Props r-a-y. (2.3 branch, for 2.3.2)

File:

: 1 edited

branches/2.3/src/bp-messages/classes/class-bp-messages-thread.php (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

branches/2.3/src/bp-messages/classes/class-bp-messages-thread.php

-                      r9929
+                      r9949
+        }
+        if ( ! empty( $r['user_id'] ) ) {
+            if ( 'sentbox' == $r['box'] ) {
+        $r['user_id'] = (int) $r['user_id'];
+        switch ( $r['box'] ) {
+            case 'sentbox' :
                 $user_id_sql = 'AND ' . $wpdb->prepare( 'm.sender_id = %d', $r['user_id'] );
+                $sender_sql  = ' AND m.sender_id = r.user_id';
+            } else {
+                $sender_sql  = 'AND m.sender_id = r.user_id';
+                break;
+            case 'inbox' :
+            default :
                 $user_id_sql = 'AND ' . $wpdb->prepare( 'r.user_id = %d', $r['user_id'] );
                 $sender_sql  = ' AND r.sender_only = 0';
+            }
+                $sender_sql  = 'AND r.sender_only = 0';
+                break;
+        }

Note: See TracChangeset for help on using the changeset viewer.

Trac UI Preferences

BuddyPress.org

Context Navigation

Changeset 9949 for branches/2.3/src/bp-messages/classes/class-bp-messages-thread.php

Legend:

branches/2.3/src/bp-messages/classes/class-bp-messages-thread.php

Download in other formats: