westi on wordpress

the long forgotten diary of a wordpress developer

WordPress 2.3.2 in detail

WordPress 2.3.2 has been released and includes a number of changes, including one security fix. Here is a list of most of the changes in detail:

  • Performance improvements for post sanitization when raw content is required (#5325).
  • Changes to is_admin() to ensure that it is only true for admin pages, thereby protecting against exposing draft posts (#5487).
  • Suppression of database errors unless WP_DEBUG is true (#5473).
  • Check for valid database connection information during install and display an error if the install fails due to database rights (#5495).
  • Support for a custom database down page to be displayed on database connection errors (#5500).
  • Changes to make sure we are more selective in what we make clickable; this introduces different rules for different URI types ([6450]).
  • Changes to wp-mail.php to escape the error messages when displaying them to avoid a possible XSS attack (#5484).
  • Changes to ensure that the post password is only exposed by the xmlrpc method metaWeblog.getRecentPosts to users with rights to edit a post (#5535).
  • Changes to the wp.getAuthors xmlrpc method to reduce the information exposed and add a capabilities check (#5534).
  • Addition of extra capabilities checks to xmlrpc methods ([6504]).
  • Addition of extra capabilities checks to APP server ([6508]).
  • Changes to validate_file() to improve its traversal attempt detection when running on Windows ([6521]).
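
The validate_file() item above concerns detecting traversal attempts on Windows, where `\` is a path separator as well as `/`. The following is an added illustration, not WordPress code and not the contents of [6521]: a hypothetical helper, is_safe_relative_path(), covering the Windows-specific cases such a check has to handle, run over constructed sample paths.

```php
<?php
// Added illustration, not WordPress core code. is_safe_relative_path() is a
// hypothetical helper; every sample path below is constructed.
function is_safe_relative_path(string $file): bool
{
    // Empty names and embedded null bytes are never valid file references.
    if ($file === '' || strpos($file, "\0") !== false) {
        return false;
    }
    // Windows accepts both separators, so fold "\" into "/" before checking.
    $normalized = str_replace('\\', '/', $file);

    // Absolute forms: "/x", "//host/share" (UNC) and drive-qualified "C:/x" or "C:x".
    if ($normalized[0] === '/' || preg_match('/^[A-Za-z]:/', $normalized)) {
        return false;
    }
    // Any other colon could name an NTFS alternate data stream ("file.php:stream").
    if (strpos($normalized, ':') !== false) {
        return false;
    }
    // Windows path normalization can strip trailing dots and spaces, so a
    // segment made only of dots and spaces (".", "..", ".. ") is rejected.
    // Empty segments ("a//b", trailing "/") are rejected as well.
    foreach (explode('/', $normalized) as $segment) {
        if (rtrim($segment, '. ') === '') {
            return false;
        }
    }
    return true;
}

// Constructed inputs mapped to the verdict the helper should give.
$samples = [
    'themes/default/index.php'      => true,
    '../wp-config.php'              => false,
    '..\\wp-config.php'             => false,
    'themes\\..\\..\\wp-config.php' => false,
    'C:\\boot.ini'                  => false,
    '\\\\host\\share\\file.php'     => false,
    'themes/.. /index.php'          => false,
];
foreach ($samples as $path => $expected) {
    $verdict = is_safe_relative_path($path);
    printf("%-32s %-8s %s\n", $path, $verdict ? 'accept' : 'reject',
        $verdict === $expected ? 'ok' : 'MISMATCH');
}
```

A string check like this is a first filter only; resolving the path with realpath() and confirming the result stays under the intended base directory is the stronger control.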

For a complete list of all the changes you can read this section of the branches/2.3 log.

Written by Peter Westwood

December 30, 2007 at 8:09 am

68 Responses


  1. [...] spent on the preparation and testing of the recent WordPress 2.3.2 maintenance release for which you can read a detailed list of the changes here – don’t forget to [...]

  2. [...] preparation and testing of the recent WordPress 2.3.2 maintenance release, for which you can read a detailed list of the changes here (in English) – don’t forget to [...]

  3. [...] the WordPress database cannot be reached. The changes are described in more detail in a posting by Peter Westwood. Anyone who has been using the previous version 2.3.1 until now only has to [...] the 16 changed files of the [...]

  4. [...] To see a comprehensive list of changes in wordpress 2.3.2, click this link. [...]

  5. [...] Release WordPress 2.3.2: WordPress 2.3.2 has been released and is a mandatory security upgrade. The full details of the update include an urgent security release to fix a vulnerability in draft posts, suppression of some [...]

  6. [...] 3rd, 2008 I have not encountered any issues with the latest version of the WP software. Go to the WordPress website as soon as possible and read about the issues that have been [...]

  7. [...] and adds several new features. We can read about these improvements and added features at Westi on WordPress. Hmm … time to download and upgrade the blog [...]

  8. @Peter Westwood
    (http://westi.wordpress.com/2007/12/30/wordpress-232-in-detail/#comment-2478)

    I started with WordPress some time ago and only recently had to manage the upgrade from 2.2.3 to 2.3.1. Now it's time for 2.3.2 and 2.4 is on the way.

    Regarding the frequency of output (and considering that I have to manage more than administering one WP installation as Webmaster) it would be really really wonderful if the update process would NOT consist of dumb copying of ALL WordPress files/directories plus standard all-purpose update instructions, as I have to do it over a FTP connection and do not always have my best tool at hand (Krusader), which makes upgrading of whole directory structures often VERY annoying and time consuming.
    (Ever tried to do this job over a webFTP interface?)

    To have a direct link to a dedicated update page (from pre-release to new release) containing only the changed files and the specific(!) update process and risks in a concise way would be absolutely helpful.

    E.g. “no DB changes, only copying files in archive x.zip is sufficient” is absolutely helpful information. Why should one have to find it in a blog comment? Why should everyone create the zip by hand?

    Or perhaps there may be more than one standard type of upgrade process which could be categorised and described? (So saying: Update from 2.3.1 to 2.3.2 is an update type C, description -here- , and -there- are the files needed)

    KR
    Det

    Det

    January 4, 2008 at 11:09 am

  9. [...] Critical WordPress Upgrade 2.3.2 including a custom DB Error Page, which I suggested (believe it or [...]

  10. [...] but anyone who runs a wordpress blog should update to the new wordpress 2.3.2. You can read more in detail about the changes. It really only takes a second of your time to [...]

  11. [...] update, WordPress 2.3.2, is out and is a required update to fix some security vulnerabilities. The full details of the update include an urgent security release to fix a vulnerability in draft posts, suppression of some [...]

  12. @Det: I understand your frustration with the suggested upgrade process. We have found in the past that the most reliable and easy to understand upgrade process for the large majority of the audience is to upload all the files each time.

    We do not have the time to provide upgrade packages from multiple previous versions or upgrade packages in multiple formats.

    However, you may be interested in the built-in upgrade functionality that is being discussed for a future version of WordPress where you would be able to upgrade from within your site's admin panel. Please follow the relevant trac ticket for more information.

    Peter Westwood

    January 5, 2008 at 10:13 pm

  13. [...] Posting by Peter Westwood WordPress 2.3. in detail [...]

  14. [...] update is the fix for some security problems that its predecessor had. Among the changes, the ability to assign an error page stands out (the file path must be [...]

  15. @Elizabeth: We have seen the categories and tags disappear too. In our case this was due to the database needing to be rebooted (contact your web host if you can’t do that yourself). In 2.3.2 the error that you’d normally see in previous versions that would clue you into this is now suppressed for security reasons.

    Brian

    January 17, 2008 at 3:35 pm

  16. [...] Release WordPress 2.3.2: WordPress 2.3.2 has been released and is a mandatory security upgrade. The full details of the update include an urgent security release to fix a vulnerability in draft posts, suppression of some [...]

  17. [...] idea, why this hasn't been beta tested before. There are numerous changes to the main tables without notice – numerous incompatibilities even with disabled plugins and themes and the first time that I am [...]

  18. [...] know the list of changes brought by this new version, visit Westi on WordPress (in English), the blog of a developer of [...]

