Changeset 3465852

Timestamp:

02/20/2026 02:08:10 PM (3 months ago)

Author:

PierreLannoy

Message:

MailArchiver 4.5.1 released from GitHub

Location:

mailarchiver

Files:

• tags/4.5.1 (copied) (copied from mailarchiver/trunk)
• tags/4.5.1/CHANGELOG.md (modified) (1 diff)
• tags/4.5.1/admin/class-mailarchiver-admin.php (modified) (1 diff)
• tags/4.5.1/includes/features/class-inlinehelp.php (modified) (2 diffs)
• tags/4.5.1/includes/system/class-uuid.php (modified) (1 diff)
• tags/4.5.1/init.php (modified) (1 diff)
• tags/4.5.1/mailarchiver.php (modified) (1 diff)
• tags/4.5.1/readme.txt (modified) (1 diff)
• trunk/CHANGELOG.md (modified) (1 diff)
• trunk/admin/class-mailarchiver-admin.php (modified) (1 diff)
• trunk/includes/features/class-inlinehelp.php (modified) (2 diffs)
• trunk/includes/system/class-uuid.php (modified) (1 diff)
• trunk/init.php (modified) (1 diff)
• trunk/mailarchiver.php (modified) (1 diff)
• trunk/readme.txt (modified) (1 diff)

mailarchiver/tags/4.5.1/CHANGELOG.md

@@ -3 +3 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and **MailArchiver** adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [4.5.1] - 2026-02-20
+
+### Fixed
+- [SEC007] Authenticated (Admininistrator+) SQL Injection via the `logid` parameter / [CVE-2026-2831](https://www.cve.org/CVERecord?id=CVE-2026-2831) (thanks to Ronnachai Chaipha (rxnr) via [Wordfence](https://www.wordfence.com)).
+
 
 ## [4.5.0] - 2026-02-19

mailarchiver/tags/4.5.1/admin/class-mailarchiver-admin.php

@@ -125 +125 @@
         $this->current_view = null;
         add_action( 'load-' . $hook_suffix, [ new InlineHelp(), 'set_contextual_viewer' ] );
-        $logid   = filter_input( INPUT_GET, 'logid', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
-        $eventid = filter_input( INPUT_GET, 'eventid', FILTER_SANITIZE_NUMBER_INT );
+        $logid   = UUID::sanitize_v4( filter_input( INPUT_GET, 'logid', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
+        $eventid = (int) filter_input( INPUT_GET, 'eventid', FILTER_SANITIZE_NUMBER_INT );
         if ( 'mailarchiver-viewer' === filter_input( INPUT_GET, 'page', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ) {
             if ( isset( $logid ) && isset( $eventid ) && 0 !== $eventid ) {

mailarchiver/tags/4.5.1/includes/features/class-inlinehelp.php

@@ -15 +15 @@
 use Mailarchiver\System\L10n;
 use Mailarchiver\System\Role;
+use Mailarchiver\System\UUID;
 
 /**
@@ -82 +83 @@
         if ( ! ( $this->event_id = filter_input( INPUT_GET, 'eventid', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ) ) {
             $this->event_id = filter_input( INPUT_POST, 'eventid', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+        }
+        if ( $this->log_id ) {
+            $this->log_id = UUID::sanitize_v4( $this->log_id );
+        }
+        if ( $this->event_id ) {
+            $this->event_id = (int) $this->event_id ;
         }
     }

mailarchiver/tags/4.5.1/includes/system/class-uuid.php

@@ -54 +54 @@
 
     /**
+     * Check if a string is a valid v4 UUID
+     *
+     * @param mixed $uuid The string to check
+     * @return  boolean True if the string is a valid v4 UUID, false otherwise.
+     * @since  2.0.0
+     */
+    public static function is_valid_v4( $uuid ) {
+        return is_string( $uuid ) && preg_match( '/^[a-f\d]{8}(-[a-f\d]{4}){4}[a-f\d]{8}$/i', $uuid );
+    }
+
+    /**
+     * Sanitize a v4 UUID
+     *
+     * @param mixed $uuid The string to sanitize
+     * @return  string The sanitized v4 UUID.
+     * @since  2.0.0
+     */
+    public static function sanitize_v4( $uuid ) {
+        return self::is_valid_v4( $uuid ) ? (string) $uuid : '00000000-0000-4000-0000-000000000000';
+    }
+
+    /**
      * Generates a (pseudo) unique ID.
      * This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.

mailarchiver/tags/4.5.1/init.php

@@ -13 +13 @@
 define( 'MAILARCHIVER_PRODUCT_ABBREVIATION', 'mailarchiver' );
 define( 'MAILARCHIVER_SLUG', 'mailarchiver' );
-define( 'MAILARCHIVER_VERSION', '4.5.0' );
+define( 'MAILARCHIVER_VERSION', '4.5.1' );
 define( 'MAILARCHIVER_MONOLOG_VERSION', '2.9.3' );
 define( 'MAILARCHIVER_CODENAME', '"-"' );

mailarchiver/tags/4.5.1/mailarchiver.php

@@ -11 +11 @@
  * Plugin URI:        https://perfops.one/mailarchiver
  * Description:       Automatically archive and store all emails sent from your site.
- * Version:           4.5.0
+ * Version:           4.5.1
  * Requires at least: 6.2
  * Requires PHP:      8.1

mailarchiver/tags/4.5.1/readme.txt

@@ -5 +5 @@
 Requires PHP: 8.1
 Tested up to: 6.9
-Stable tag: 4.5.0
+Stable tag: 4.5.1
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html

mailarchiver/trunk/CHANGELOG.md

@@ -3 +3 @@
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and **MailArchiver** adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [4.5.1] - 2026-02-20
+
+### Fixed
+- [SEC007] Authenticated (Admininistrator+) SQL Injection via the `logid` parameter / [CVE-2026-2831](https://www.cve.org/CVERecord?id=CVE-2026-2831) (thanks to Ronnachai Chaipha (rxnr) via [Wordfence](https://www.wordfence.com)).
+
 
 ## [4.5.0] - 2026-02-19

mailarchiver/trunk/admin/class-mailarchiver-admin.php

@@ -125 +125 @@
         $this->current_view = null;
         add_action( 'load-' . $hook_suffix, [ new InlineHelp(), 'set_contextual_viewer' ] );
-        $logid   = filter_input( INPUT_GET, 'logid', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
-        $eventid = filter_input( INPUT_GET, 'eventid', FILTER_SANITIZE_NUMBER_INT );
+        $logid   = UUID::sanitize_v4( filter_input( INPUT_GET, 'logid', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) );
+        $eventid = (int) filter_input( INPUT_GET, 'eventid', FILTER_SANITIZE_NUMBER_INT );
         if ( 'mailarchiver-viewer' === filter_input( INPUT_GET, 'page', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ) {
             if ( isset( $logid ) && isset( $eventid ) && 0 !== $eventid ) {

mailarchiver/trunk/includes/features/class-inlinehelp.php

@@ -15 +15 @@
 use Mailarchiver\System\L10n;
 use Mailarchiver\System\Role;
+use Mailarchiver\System\UUID;
 
 /**
@@ -82 +83 @@
         if ( ! ( $this->event_id = filter_input( INPUT_GET, 'eventid', FILTER_SANITIZE_FULL_SPECIAL_CHARS ) ) ) {
             $this->event_id = filter_input( INPUT_POST, 'eventid', FILTER_SANITIZE_FULL_SPECIAL_CHARS );
+        }
+        if ( $this->log_id ) {
+            $this->log_id = UUID::sanitize_v4( $this->log_id );
+        }
+        if ( $this->event_id ) {
+            $this->event_id = (int) $this->event_id ;
         }
     }

mailarchiver/trunk/includes/system/class-uuid.php

@@ -54 +54 @@
 
     /**
+     * Check if a string is a valid v4 UUID
+     *
+     * @param mixed $uuid The string to check
+     * @return  boolean True if the string is a valid v4 UUID, false otherwise.
+     * @since  2.0.0
+     */
+    public static function is_valid_v4( $uuid ) {
+        return is_string( $uuid ) && preg_match( '/^[a-f\d]{8}(-[a-f\d]{4}){4}[a-f\d]{8}$/i', $uuid );
+    }
+
+    /**
+     * Sanitize a v4 UUID
+     *
+     * @param mixed $uuid The string to sanitize
+     * @return  string The sanitized v4 UUID.
+     * @since  2.0.0
+     */
+    public static function sanitize_v4( $uuid ) {
+        return self::is_valid_v4( $uuid ) ? (string) $uuid : '00000000-0000-4000-0000-000000000000';
+    }
+
+    /**
      * Generates a (pseudo) unique ID.
      * This function does not generate cryptographically secure values, and should not be used for cryptographic purposes.

mailarchiver/trunk/init.php

@@ -13 +13 @@
 define( 'MAILARCHIVER_PRODUCT_ABBREVIATION', 'mailarchiver' );
 define( 'MAILARCHIVER_SLUG', 'mailarchiver' );
-define( 'MAILARCHIVER_VERSION', '4.5.0' );
+define( 'MAILARCHIVER_VERSION', '4.5.1' );
 define( 'MAILARCHIVER_MONOLOG_VERSION', '2.9.3' );
 define( 'MAILARCHIVER_CODENAME', '"-"' );

mailarchiver/trunk/mailarchiver.php

@@ -11 +11 @@
  * Plugin URI:        https://perfops.one/mailarchiver
  * Description:       Automatically archive and store all emails sent from your site.
- * Version:           4.5.0
+ * Version:           4.5.1
  * Requires at least: 6.2
  * Requires PHP:      8.1

mailarchiver/trunk/readme.txt

@@ -5 +5 @@
 Requires PHP: 8.1
 Tested up to: 6.9
-Stable tag: 4.5.0
+Stable tag: 4.5.1
 License: GPLv3
 License URI: https://www.gnu.org/licenses/gpl-3.0.html