Pods 3.2.8.2 (#7396)

sc0ttkclark · web-flow · commit 69d701170803 · 2025-02-07T17:06:37.000-06:00
diff --git a/changelog.txt b/changelog.txt
@@ -2,6 +2,10 @@ Found a bug? Have a great feature idea? Get on GitHub and tell us about it and w
 
 Our GitHub has the full list of all prior releases of Pods: https://github.com/pods-framework/pods/releases
 
+= 3.2.8.2 - February 7th, 2025 =
+
+* Security: Do not allow using custom SQL clauses for Relationship fields when SQL clauses are disabled in the Pods security settings. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this. (@sc0ttkclark) 
+
 = 3.2.8.1 - November 22nd, 2024 =
 
 * Security: Resolve stored XSS issue with the File Upload field Add Button Text option. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this (their second report, they are doing good work!). (@sc0ttkclark)
diff --git a/classes/fields/pick.php b/classes/fields/pick.php
@@ -2696,14 +2696,23 @@ public function get_object_data( $object_params = null ) {
 				$params = array(
 					'select'     => "`t`.`{$search_data->field_id}`, `t`.`{$search_data->field_index}`",
 					'table'      => $search_data->table,
-					'where'      => pods_v( static::$type . '_where', $options, (array) $table_info['where_default'], true ),
+					'where'      => pods_v( static::$type . '_where', $options, null, true ),
 					'orderby'    => pods_v( static::$type . '_orderby', $options, null, true ),
 					'having'     => pods_v( static::$type . '_having', $options, null, true ),
 					'groupby'    => pods_v( static::$type . '_groupby', $options, null, true ),
 					'pagination' => false,
 					'search'     => false,
 				);
 
+				if ( ! pods_can_use_dynamic_feature_sql_clauses() ) {
+					$params['where'] = $params['where'] ? '0=1 /* Dynamic SQL clauses disabled in Pods */' : (array) $table_info['where_default'];
+					$params['orderby'] = null;
+					$params['having'] = null;
+					$params['groupby'] = null;
+				} elseif ( null === $params['where'] ) {
+					$params['where'] = (array) $table_info['where_default'];
+				}
+
 				if ( in_array( $options[ static::$type . '_object' ], array( 'site', 'network' ), true ) ) {
 					$params['select'] .= ', `t`.`path`';
 				}
@@ -2883,6 +2892,10 @@ public function get_object_data( $object_params = null ) {
 
 						$pick_orderby = pods_v( static::$type . '_orderby', $options, null, true );
 
+						if ( ! pods_can_use_dynamic_feature_sql_clauses() ) {
+							$pick_orderby = null;
+						}
+
 						if ( is_string( $pick_orderby ) && 0 < strlen( $pick_orderby ) ) {
 							$orderby[] = $pick_orderby;
 						}
diff --git a/classes/widgets/PodsWidgetList.php b/classes/widgets/PodsWidgetList.php
@@ -41,6 +41,11 @@ public function widget( $args, $instance ) {
 			'cache_mode' => trim( (string) pods_v( 'cache_mode', $instance, 'none', true ) ),
 		);
 
+		if ( ! pods_can_use_dynamic_feature_sql_clauses() ) {
+			$args['orderby'] = '';
+			$args['where'] = $args['where'] ? '0=1 /* Dynamic SQL clauses disabled in Pods */' : '';
+		}
+
 		$content = trim( (string) pods_v( 'template_custom', $instance, '' ) );
 
 		if ( 0 < strlen( $args['name'] ) && ( 0 < strlen( $args['template'] ) || 0 < strlen( $content ) ) ) {
diff --git a/init.php b/init.php
@@ -10,7 +10,7 @@
  * Plugin Name:       Pods - Custom Content Types and Fields
  * Plugin URI:        https://pods.io/
  * Description:       Pods is a framework for creating, managing, and deploying customized content types and fields
- * Version:           3.2.8.1
+ * Version:           3.2.8.2
  * Author:            Pods Framework Team
  * Author URI:        https://pods.io/about/
  * Text Domain:       pods
@@ -43,7 +43,7 @@
 	add_action( 'init', 'pods_deactivate_pods_ui' );
 } else {
 	// Current version.
-	define( 'PODS_VERSION', '3.2.8.1' );
+	define( 'PODS_VERSION', '3.2.8.2' );
 
 	// Current database version, this is the last version the database changed.
 	define( 'PODS_DB_VERSION', '2.3.5' );
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "pods",
-  "version": "3.2.8.1",
+  "version": "3.2.8.2",
   "description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",
   "author": "Pods Foundation, Inc",
   "homepage": "https://pods.io/",
diff --git a/readme.txt b/readme.txt
@@ -5,7 +5,7 @@ Tags: pods, custom post types, custom taxonomies, content types, custom fields
 Requires at least: 6.0
 Tested up to: 6.7
 Requires PHP: 7.2
-Stable tag: 3.2.8.1
+Stable tag: 3.2.8.2
 License: GPLv2 or later
 License URI: http://www.gnu.org/licenses/gpl-2.0.html
 
@@ -182,6 +182,10 @@ Pods really wouldn't be where it is without all the contributions from our [dono
 
 == Changelog ==
 
+= 3.2.8.2 - February 7th, 2025 =
+
+* Security: Do not allow using custom SQL clauses for Relationship fields when SQL clauses are disabled in the Pods security settings. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this. (@sc0ttkclark) 
+
 = 3.2.8.1 - November 22nd, 2024 =
 
 * Security: Resolve stored XSS issue with the File Upload field Add Button Text option. Props to the CleanTalk / Dmitrii Ignatyev for responsibly reporting this (their second report, they are doing good work!). (@sc0ttkclark)

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "pods",`
`3`		`- "version": "3.2.8.1",`
	`3`	`+ "version": "3.2.8.2",`
`4`	`4`	`"description": "Pods is a development framework for creating, extending, managing, and deploying customized content types in WordPress.",`
`5`	`5`	`"author": "Pods Foundation, Inc",`
`6`	`6`	`"homepage": "https://pods.io/",`