
Commit 79d95d0

Merge pull request #850 from kprajapatii/master
Extra sanitization and escaping during remove file field value - FIXED/SECURITY
2 parents 71aa3b3 + 9d7c694 commit 79d95d0

2 files changed

Lines changed: 153 additions & 138 deletions


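--- a/includes/class-meta.php
+++ b/includes/class-meta.php
@@ -9,102 +9,111 @@
 */
 class UsersWP_Meta {
 
-/**
-* Gets UsersWP user meta value using key.
-*
-* @since 1.0.0
-* @package userswp
-*
-* @param int|bool $user_id User ID.
-* @param string $key User meta Key.
-* @param bool|string $default Default value.
-*
-* @return string User meta Value.
-*/
-public function get_usermeta( $user_id = false, $key = '', $default = false ) {
-if (!$user_id) {
-return $default;
-}
+/**
+* Gets UsersWP user meta value using key.
+*
+* @since 1.0.0
+* @package userswp
+*
+* @param int|bool $user_id User ID.
+* @param string $key User meta Key.
+* @param bool|string $default Default value.
+*
+* @return string User meta Value.
+*/
+public function get_usermeta( $user_id = false, $key = '', $default = false ) {
+global $wpdb;
 
-if(!$key){
-return $default;
-}
+if ( ! $user_id ) {
+return $default;
+}
 
-global $wpdb;
-$meta_table = get_usermeta_table_prefix() . 'uwp_usermeta';
+if ( ! $key ) {
+return $default;
+}
 
-if (uwp_str_ends_with($key, '_privacy')) {
-if (uwp_str_ends_with($key, '_tab_privacy')) {
-$obj_key = $user_id.'_tabs_privacy';
-$row = wp_cache_get( $obj_key, 'uwp_usermeta_tabs_privacy' );
-if ( ! $row ) {
-$row = $wpdb->get_row($wpdb->prepare("SELECT tabs_privacy FROM {$meta_table} WHERE user_id = %d", $user_id), ARRAY_A);
-wp_cache_set( $obj_key, $row, 'uwp_usermeta_tabs_privacy' );
-}
-
-$value = false;
-if (!empty($row)) {
-$public_fields = isset($row['tabs_privacy']) ? maybe_unserialize($row['tabs_privacy']) : $default;
-$public_fields_keys = is_array($public_fields) ? array_keys($public_fields) : $public_fields;
-if (is_array($public_fields) && in_array($key, $public_fields_keys)) {
-$value = $public_fields[$key];
-}
-}
-} else {
-$obj_key = $user_id.'_user_privacy';
-$row = wp_cache_get( $obj_key, 'uwp_usermeta_user_privacy' );
-if ( ! $row ) {
-$row = $wpdb->get_row($wpdb->prepare("SELECT user_privacy FROM {$meta_table} WHERE user_id = %d", $user_id), ARRAY_A);
-wp_cache_set( $obj_key, $row, 'uwp_usermeta_user_privacy' );
-}
-
-$value = 'yes';
-if (!empty($row)) {
-$output = isset($row['user_privacy']) ? $row['user_privacy'] : $default;
-$public_fields = explode(',', $output);
-if (in_array($key, $public_fields)) {
-$value = 'no';
-}
-}
-}
-} else {
-$value = null;
-$user_data = get_userdata($user_id);
-
-if (!$user_data) {
-return $value;
-}
-
-switch ($key){
-case 'email': $value = $user_data->user_email; break;
-case 'username': $value = $user_data->user_login; break;
-case 'user_nicename': $value = $user_data->user_nicename; break;
-case 'bio': $value = $user_data->description; break;
-case 'uwp_language': $value = $user_data->locale; break;
-default :
+$meta_table = get_usermeta_table_prefix() . 'uwp_usermeta';
+
+if ( uwp_str_ends_with( $key, '_privacy' ) ) {
+if ( uwp_str_ends_with( $key, '_tab_privacy' ) ) {
+$obj_key = $user_id.'_tabs_privacy';
+$row = wp_cache_get( $obj_key, 'uwp_usermeta_tabs_privacy' );
+
+if ( ! $row ) {
+$row = $wpdb->get_row( $wpdb->prepare( "SELECT tabs_privacy FROM `{$meta_table}` WHERE user_id = %d", $user_id ), ARRAY_A );
+wp_cache_set( $obj_key, $row, 'uwp_usermeta_tabs_privacy' );
+}
+
+$value = false;
+
+if ( ! empty( $row ) ) {
+$public_fields = isset( $row['tabs_privacy'] ) ? maybe_unserialize( $row['tabs_privacy'] ) : $default;
+$public_fields_keys = is_array( $public_fields ) ? array_keys( $public_fields ) : $public_fields;
+
+if ( is_array( $public_fields ) && in_array( $key, $public_fields_keys ) ) {
+$value = $public_fields[ $key ];
+}
+}
+} else {
+$obj_key = $user_id.'_user_privacy';
+$row = wp_cache_get( $obj_key, 'uwp_usermeta_user_privacy' );
+
+if ( ! $row ) {
+$row = $wpdb->get_row( $wpdb->prepare("SELECT user_privacy FROM `{$meta_table}` WHERE user_id = %d", $user_id ), ARRAY_A );
+wp_cache_set( $obj_key, $row, 'uwp_usermeta_user_privacy' );
+}
+
+$value = 'yes';
+
+if ( ! empty( $row ) ) {
+$output = isset( $row['user_privacy'] ) ? $row['user_privacy'] : $default;
+$public_fields = explode( ',', $output );
+
+if ( in_array( $key, $public_fields ) ) {
+$value = 'no';
+}
+}
+}
+} else {
+$value = null;
+$user_data = get_userdata( $user_id );
+
+if ( ! $user_data ) {
+return $value;
+}
+
+switch ( $key ) {
+case 'email': $value = $user_data->user_email; break;
+case 'username': $value = $user_data->user_login; break;
+case 'user_nicename': $value = $user_data->user_nicename; break;
+case 'bio': $value = $user_data->description; break;
+case 'uwp_language': $value = $user_data->locale; break;
+default :
 $obj_key = $user_id.'_'.$key;
-$row = wp_cache_get( $obj_key, 'uwp_usermeta' );
-if ( ! $row ) {
-if(uwp_column_exist($meta_table, $key)){
-$row = $wpdb->get_row($wpdb->prepare("SELECT {$key} FROM {$meta_table} WHERE user_id = %d", $user_id), ARRAY_A);
-wp_cache_set( $obj_key, $row, 'uwp_usermeta' );
-}
-}
-
-if (!empty($row)) {
-$value = isset($row[$key]) ? $row[$key] : $default;
-} else {
-$value = $default;
-}
-break;
-}
-}
+$row = wp_cache_get( $obj_key, 'uwp_usermeta' );
+
+if ( ! $row ) {
+if ( in_array( $key, array( 'user_id', 'user_ip', 'user_privacy', 'tabs_privacy', 'username', 'email', 'first_name', 'last_name', 'avatar_thumb', 'banner_thumb', 'display_name', 'user_url', 'bio' ) ) || uwp_column_exist( $meta_table, $key ) ) {
+$row = $wpdb->get_row( $wpdb->prepare( "SELECT `{$key}` FROM `{$meta_table}` WHERE user_id = %d", $user_id ), ARRAY_A );
+wp_cache_set( $obj_key, $row, 'uwp_usermeta' );
+}
+}
+
+if ( ! empty( $row ) ) {
+$value = isset( $row[ $key ] ) ? $row[ $key ] : $default;
+} else {
+$value = $default;
+}
+break;
+}
+}
 
-$value = uwp_maybe_unserialize($key, $value);
-$value = wp_unslash($value);
-$value = apply_filters( 'uwp_get_usermeta', $value, $user_id, $key, $default );
-return apply_filters( 'uwp_get_usermeta_' . $key, $value, $user_id, $key, $default );
-}
+$value = uwp_maybe_unserialize($key, $value);
+$value = wp_unslash($value);
+$value = apply_filters( 'uwp_get_usermeta', $value, $user_id, $key, $default );
+
+return apply_filters( 'uwp_get_usermeta_' . $key, $value, $user_id, $key, $default );
+}
 
 /**
 * Updates UsersWP user meta value using key.
@@ -118,64 +127,67 @@ public function get_usermeta( $user_id = false, $key = '', $default = false ) {
 *
 * @return bool Update success or not?.
 */
-public function update_usermeta( $user_id, $key, $value ) {
+public function update_usermeta( $user_id, $key, $value ) {
+global $wpdb;
 
-if (!$user_id || !$key ) {
-return false;
-}
-
-global $wpdb;
-$meta_table = get_usermeta_table_prefix() . 'uwp_usermeta';
-$cache_group = 'uwp_usermeta';
-$obj_key = $user_id . '_' . $key;
+if ( ! $user_id || ! $key ) {
+return false;
+}
 
-if (uwp_str_ends_with($key, '_privacy')) {
-if ( 'tabs_privacy' == $key ) {
-$obj_key = $user_id . '_tabs_privacy';
-$cache_group = 'uwp_usermeta_tab_privacy';
-} elseif('user_privacy' == $key) {
-$obj_key = $user_id . '_user_privacy';
-$cache_group = 'uwp_usermeta_user_privacy';
-}
-}
+$meta_table = get_usermeta_table_prefix() . 'uwp_usermeta';
+$cache_group = 'uwp_usermeta';
+$obj_key = $user_id . '_' . $key;
 
-$user_meta_info = $wpdb->get_col( $wpdb->prepare( "SELECT $key FROM $meta_table WHERE user_id = %d", $user_id ) );
+if ( ! in_array( $key, array( 'user_id', 'user_ip', 'user_privacy', 'tabs_privacy', 'username', 'email', 'first_name', 'last_name', 'avatar_thumb', 'banner_thumb', 'display_name', 'user_url', 'bio' ) ) && ! uwp_column_exist( $meta_table, $key ) ) {
+return false;
+}
 
-$value = apply_filters( 'uwp_update_usermeta', $value, $user_id, $key, $user_meta_info );
-$value = apply_filters( 'uwp_update_usermeta_' . $key, $value, $user_id, $key, $user_meta_info );
+if ( uwp_str_ends_with( $key, '_privacy' ) ) {
+if ( 'tabs_privacy' == $key ) {
+$obj_key = $user_id . '_tabs_privacy';
+$cache_group = 'uwp_usermeta_tab_privacy';
+} elseif('user_privacy' == $key) {
+$obj_key = $user_id . '_user_privacy';
+$cache_group = 'uwp_usermeta_user_privacy';
+}
+}
 
-do_action( 'uwp_before_update_usermeta', $user_id, $key, $value, $user_meta_info );
+$user_meta_info = $wpdb->get_col( $wpdb->prepare( "SELECT `{$key}` FROM `{$meta_table}` WHERE user_id = %d", $user_id ) );
 
-$value = uwp_maybe_serialize($key, $value);
+$value = apply_filters( 'uwp_update_usermeta', $value, $user_id, $key, $user_meta_info );
+$value = apply_filters( 'uwp_update_usermeta_' . $key, $value, $user_id, $key, $user_meta_info );
 
-if (!empty($user_meta_info)) {
-$result = $wpdb->update(
-$meta_table,
-array($key => $value),
-array('user_id' => $user_id),
-array('%s'),
-array('%d')
-);
+do_action( 'uwp_before_update_usermeta', $user_id, $key, $value, $user_meta_info );
 
-if ( ! $result ) {
-return false;
-}
+$value = uwp_maybe_serialize( $key, $value );
 
-} else {
-$result = $wpdb->insert(
-$meta_table,
-array('user_id' => $user_id, $key => $value)
-);
+if ( ! empty( $user_meta_info ) ) {
+$result = $wpdb->update(
+$meta_table,
+array( $key => $value ),
+array( 'user_id' => $user_id ),
+array('%s'),
+array('%d')
+);
 
-if ( ! $result ) {
-return false;
-}
-}
+if ( ! $result ) {
+return false;
+}
+} else {
+$result = $wpdb->insert(
+$meta_table,
+array( 'user_id' => $user_id, $key => $value )
+);
+
+if ( ! $result ) {
+return false;
+}
+}
 
-wp_cache_delete( $obj_key, $cache_group );
+wp_cache_delete( $obj_key, $cache_group );
 
-return true;
-}
+return true;
+}
 
 /**
 * Gets UsersWP user meta row using user ID.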
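Review bot: The column name is still interpolated into the query string at new lines 97 and 155 (`"SELECT `{$key}` FROM `{$meta_table}` WHERE user_id = %d"`); the added backticks do not escape a backtick inside `$key`, so the only guard is `uwp_column_exist()` plus the hard-coded list, both of which are defined outside this diff and whose behaviour cannot be confirmed from the hunk. If the plugin's minimum WordPress version is 6.2 or later, `$wpdb->prepare( "SELECT %i FROM %i WHERE user_id = %d", $key, $meta_table, $user_id )` lets wpdb quote and escape both identifiers itself; otherwise a shape check such as `if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $key ) ) { return $default; }` ahead of the query makes the assumption explicit rather than relying on the column lookup alone. The thirteen-entry allowlist is now duplicated verbatim between get_usermeta (line 96) and update_usermeta (line 141); keeping it once as a private class property and passing `true` as the third argument to both `in_array()` calls would stop the two copies drifting and avoid loose comparison.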

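--- a/readme.txt
+++ b/readme.txt
@@ -150,7 +150,10 @@ Yes, you can customize it with Elementor, but also with Gutenberg, Divi, Beaver
 
 == Changelog ==
 
-= 1.2.44 - 2025-06-28 =
+= 1.2.45 - 2025-09-TBD =
+* Extra sanitization and escaping during remove file field value - FIXED/SECURITY
+
+= 1.2.44 - 2025-08-28 =
 * Merge AUI 0.2.41 & SD 1.2.26 - CHANGED
 
 = 1.2.43 - 2025-08-25 =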
