auto-patch 638-dev-dev01-2024-05-14T20_44_36

wp/wp-content/plugins/relevanssi-premium/lib/admin-ajax.php

@@ -443,6 +443,12 @@ function relevanssi_admin_search_debugging_info( $query ) {
 function relevanssi_update_counts() {
 	global $wpdb, $relevanssi_variables;
 
+	if ( ! current_user_can( 'manage_options' ) ) {
+		die();
+	}
+
+	check_admin_referer( 'update_counts', '_wpnonce' );
+
 	relevanssi_update_doc_count();
 
 	$terms_count = $wpdb->get_var( 'SELECT COUNT(*) FROM ' . $relevanssi_variables['relevanssi_table'] );  // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared,WordPress.DB.PreparedSQL.NotPrepared

wp/wp-content/plugins/relevanssi-premium/lib/compatibility/ninjatables.php

@@ -77,6 +77,13 @@ function relevanssi_index_ninja_table( $table_id ) {
 		)
 	);
 	foreach ( $rows as $row ) {
+		if ( empty( $row->value ) ) {
+			continue;
+		}
+		$json_decoded = json_decode( $row->value );
+		if ( ! is_object( $json_decoded ) ) {
+			continue;
+		}
 		$array_values = array_map(
 			function ( $value ) {
 				if ( is_object( $value ) ) {
@@ -84,7 +91,7 @@ function relevanssi_index_ninja_table( $table_id ) {
 				}
 				return strval( $value );
 			},
-			array_values( get_object_vars( json_decode( $row->value ) ) )
+			array_values( get_object_vars( $json_decoded ) )
 		);
 
 		$table_contents .= ' ' . implode( ' ', $array_values );

wp/wp-content/plugins/relevanssi-premium/lib/compatibility/tablepress.php

@@ -10,25 +10,6 @@
  * @see     https://www.relevanssi.com/
  */
 
-/**
- * Enables TablePress shortcodes for Relevanssi indexing.
- *
- * @return null|object The TablePress controller.
- */
-function relevanssi_enable_tablepress_shortcodes() {
-	$my_tablepress_controller = null;
-	if ( defined( 'TABLEPRESS_ABSPATH' ) ) {
-		if ( ! isset( TablePress::$model_options ) ) {
-			include_once TABLEPRESS_ABSPATH . 'classes/class-model.php';
-			include_once TABLEPRESS_ABSPATH . 'models/model-options.php';
-			TablePress::$model_options = new TablePress_Options_Model();
-		}
-		$my_tablepress_controller = TablePress::load_controller( 'frontend' );
-		$my_tablepress_controller->init_shortcodes();
-	}
-	return $my_tablepress_controller;
-}
-
 add_filter( 'relevanssi_post_content', 'relevanssi_table_filter' );
 
 /**

wp/wp-content/plugins/relevanssi-premium/lib/compatibility/woocommerce.php

@@ -13,6 +13,7 @@
 add_filter( 'relevanssi_indexing_restriction', 'relevanssi_woocommerce_restriction' );
 add_filter( 'relevanssi_admin_search_blocked_post_types', 'relevanssi_woocommerce_admin_search_blocked_post_types' );
 add_filter( 'relevanssi_modify_wp_query', 'relevanssi_woocommerce_filters' );
+add_filter( 'relevanssi_post_ok', 'relevanssi_variation_post_ok', 10, 2 );
 
 /**
  * This action solves the problems introduced by adjust_posts_count() in
@@ -280,3 +281,20 @@ function relevanssi_filtered_term_product_counts_query( $query ) {
 
 	return $query;
 }
+
+/**
+ * Checks the parent product status for product variations.
+ *
+ * @param bool $ok      Whether the post is OK to return in search.
+ * @param int  $post_id The post ID.
+ *
+ * @return bool
+ */
+function relevanssi_variation_post_ok( $ok, $post_id ) : bool {
+	$post_type = relevanssi_get_post_type( $post_id );
+	if ( 'product_variation' === $post_type ) {
+		$parent = get_post_parent( $post_id );
+		return apply_filters( 'relevanssi_post_ok', $ok, $parent->ID );
+	}
+	return $ok;
+}

wp/wp-content/plugins/relevanssi-premium/lib/log.php

@@ -337,6 +337,16 @@ function relevanssi_output_exported_log( string $filename, array $data, string $
 	}
 	fputcsv( $df, array_keys( reset( $data ) ) );
 	foreach ( $data as $row ) {
+		if (
+			in_array(
+				substr( $row['query'], 0, 1 ),
+				array( '=', '-', '"', '@', '+' ),
+				true
+			)
+		) {
+			$row['query'] = ' ' . $row['query'];
+			$row['query'] = str_replace( "\t", '', $row['query'] );
+		}
 		fputcsv( $df, $row );
 	}
 	fclose( $df ); // phpcs:ignore WordPress.WP.AlternativeFunctions

wp/wp-content/plugins/relevanssi-premium/lib/search.php

@@ -270,7 +270,7 @@ function relevanssi_search( $args ) {
 
 			$total_hits += count( $matches );
 
-			$idf = log( $doc_count + 1 / ( 1 + $df ) );
+			$idf = log( ( $doc_count + 1 ) / ( 1 + $df ) );
 			$idf = $idf * $idf; // Adjustment to increase the value of IDF.
 			if ( $idf < 1 ) {
 				$idf = 1;
@@ -460,10 +460,10 @@ function relevanssi_search( $args ) {
 				if ( ! is_wp_error( $post_object ) ) {
 					$hits[ intval( $i ) ]                  = $post_object;
 					$hits[ intval( $i ) ]->relevance_score = round( $weight, 2 );
-				}
 
-				if ( isset( $missing_terms[ $doc ] ) ) {
-					$hits[ intval( $i ) ]->missing_terms = $missing_terms[ $doc ];
+					if ( isset( $missing_terms[ $doc ] ) ) {
+						$hits[ intval( $i ) ]->missing_terms = $missing_terms[ $doc ];
+					}
 				}
 			}
 			++$i;

wp/wp-content/plugins/relevanssi-premium/lib/utils.php

@@ -206,11 +206,6 @@ function relevanssi_debug_echo( string $notice ) {
  */
 function relevanssi_do_shortcode( string $content ): string {
 	if ( 'on' === get_option( 'relevanssi_expand_shortcodes' ) ) {
-		// TablePress support.
-		if ( function_exists( 'relevanssi_enable_tablepress_shortcodes' ) ) {
-			$tablepress_controller = relevanssi_enable_tablepress_shortcodes();
-		}
-
 		relevanssi_disable_shortcodes();
 
 		/**

wp/wp-content/plugins/relevanssi-premium/readme.txt

@@ -4,8 +4,8 @@ Donate link: https://www.relevanssi.com/
 Tags: search, relevance, better search
 Requires at least: 4.9
 Requires PHP: 7.0
-Tested up to: 6.4
-Stable tag: 2.25.1
+Tested up to: 6.5
+Stable tag: 2.25.2
 
 Relevanssi Premium replaces the default search with a partial-match search that sorts results by relevance. It also indexes comments and shortcode content.
 
@@ -256,6 +256,13 @@ Each document database is full of useless words. All the little words that appea
 * John Calahan for extensive 2.0 beta testing.
 
 == Changelog ==
+= 2.25.2 =
+* Security fix: Prevent CSV injection attack in log export.
+* Security fix: Restrict access to doc count updates.
+* Minor fix: Product variations check the parent product for access restrictions, to avoid situations where variations of a draft product appear in the results.
+* Minor fix: Improved TablePress compatibility.
+* Minor fix: Added error handling to the Ninja Table compatibility code.
+
 = 2.25.1 =
 * Security fix: Relevanssi had a vulnerability where anyone could access the search logs and click logs. The log export is now protected.
 * Minor fix: Relevanssi had problems with Polylang when a post or term didn't have language specified. Now Relevanssi handles those situations better.
@@ -381,6 +388,9 @@ Each document database is full of useless words. All the little words that appea
 * Minor fix: Pinning phrases that had the same word more than once (e.g. 'word by word') didn't work. Now it works better.
 
 == Upgrade notice ==
+= 2.25.2 =
+* Security hardening, improved WooCommerce, TablePress and Ninja Table compatibility.
+
 = 2.25.1 =
 * Security hardening, better Polylang support.
 

wp/wp-content/plugins/relevanssi-premium/relevanssi.php

@@ -13,7 +13,7 @@
  * Plugin Name: Relevanssi Premium
  * Plugin URI: https://www.relevanssi.com/
  * Description: This premium plugin replaces WordPress search with a relevance-sorting search.
- * Version: 2.25.1
+ * Version: 2.25.2
  * Author: Mikko Saari
  * Author URI: https://www.mikkosaari.fi/
  * Text Domain: relevanssi
@@ -83,7 +83,7 @@ $relevanssi_variables['title_boost_default']                   = 5;
 $relevanssi_variables['link_boost_default']                    = 0.75;
 $relevanssi_variables['comment_boost_default']                 = 0.75;
 $relevanssi_variables['database_version']                      = 23;
-$relevanssi_variables['plugin_version']                        = '2.25.1';
+$relevanssi_variables['plugin_version']                        = '2.25.2';
 $relevanssi_variables['plugin_dir']                            = plugin_dir_path( __FILE__ );
 $relevanssi_variables['plugin_basename']                       = plugin_basename( __FILE__ );
 $relevanssi_variables['file']                                  = __FILE__;