Bug in DLM_Shortcodes::download()

On pages with a large number of download links I’d noticed that page loads were very slow (> 20s). I traced this to a slow query when processing Download tags:

SELECT tefr_posts.*
FROM tefr_posts
WHERE 1=1
AND tefr_posts.post_type = 'dlm_download_version'
AND (tefr_posts.post_status = 'publish'
OR tefr_posts.post_status = 'acf-disabled'
OR tefr_posts.post_status = 'private')
ORDER BY tefr_posts.menu_order ASC

(this unconstrained query pulls all download posts not just a single one, bound by id)

triggered by

WP_Query->get_posts()
wp-includes/class-wp-query.php:3034
WP_Query->query()
wp-includes/class-wp-query.php:3465
DLM_WordPress_Version_Repository->retrieve()
wp-content/plugins/download-monitor/src/Version/WordPressVersionRepository.php:92
DLM_WordPress_Version_Repository->retrieve_single()
wp-content/plugins/download-monitor/src/Version/WordPressVersionRepository.php:69
DLM_Shortcodes->download()
wp-content/plugins/download-monitor/src/Shortcodes.php:114
do_shortcode_tag()
wp-includes/shortcodes.php:343
preg_replace_callback()
wp-includes/shortcodes.php:343
do_shortcode()

The problem is that in DLM_Shortcodes->download() $version_id is initialised to ” (empty string) rather than to null if $version is unset.

isset() treats ” as set so the check for isset and != 0 passes (when it was clearly intended to fail).

if ( isset( $version_id ) && 0 != $version_id )

That allows an unbounded query for all dlm_download_version posts rather than just for a single id.

The solution is to initialise $version_id to null rather than ” at line 78

extract( shortcode_atts( array(
			'id'         => '',
			'autop'      => false,
			'template'   => dlm_get_default_download_template(),
			'version_id' => null // was ''
			'version'    => ''
		), $atts ) );

thanks,

Tom