WordPress 2.3.2 in detail
WordPress 2.3.2 has been released and includes a number of changes, including one security fix. Here is a list of most of the changes in detail:
- Performance improvements for post sanitization when raw content is required (#5325).
- Changes to is_admin() to ensure that it is only true for admin pages, thereby protecting against exposing draft posts (#5487).
- Suppression of database errors unless WP_DEBUG is true (#5473).
- Check for valid database connection information during install and display an error if the install fails due to database rights (#5495).
- Support for a custom database down page to be displayed on database connection errors (#5500).
- Changes to make sure we are more selective in what we make clickable; this introduces different rules for different URI types ([6450]).
- Changes to wp-mail.php to escape the error messages when displaying them to avoid a possible XSS attack (#5484).
- Changes to ensure that the post password is only exposed by the xmlrpc method metaWeblog.getRecentPosts to users with rights to edit a post (#5535).
- Changes to the wp.getAuthors xmlrpc method to reduce the information exposed and add a capabilities check (#5534).
- Addition of extra capabilities checks to xmlrpc methods ([6504]).
- Addition of extra capabilities checks to APP server ([6508]).
- Changes to validate_file() to improve its traversal attempt detection when running on Windows ([6521]).
For a complete list of all the changes you can read this section of the branches/2.3 log.
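
To illustrate why traversal detection needs extra care on Windows (the validate_file() item above), here is an added example that is not WordPress's own code. The function names and sample paths are hypothetical; it contrasts a check that only recognises forward slashes with one that treats "\" as a separator too.

```php
<?php
// Added illustration, not WordPress's validate_file(); all names are hypothetical.

/** Naive check: only recognises the forward-slash form of a parent-directory step. */
function naive_is_traversal(string $file): bool
{
    return strpos($file, '../') !== false;
}

/** Separator-aware check: treats "\" like "/" before inspecting path segments. */
function is_unsafe_relative_path(string $file): bool
{
    if ($file === '' || strpos($file, "\0") !== false) {
        return true;                       // empty or NUL-containing input
    }
    $normalized = str_replace('\\', '/', $file);
    if ($normalized[0] === '/') {
        return true;                       // absolute or UNC-style path
    }
    if (preg_match('/^[A-Za-z]:/', $normalized) === 1) {
        return true;                       // Windows drive letter, e.g. C:
    }
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return true;                   // parent-directory step in any position
        }
    }
    return false;
}

// Constructed sample inputs (not taken from the WordPress changeset).
$samples = [
    'themes/default/index.php',
    '../wp-config.php',
    '..\\wp-config.php',
    'themes\\..\\..\\wp-config.php',
    'C:\\boot.ini',
    'notes..txt',
];

foreach ($samples as $path) {
    printf(
        "%-32s naive=%-5s separator-aware=%s\n",
        $path,
        naive_is_traversal($path) ? 'flag' : 'pass',
        is_unsafe_relative_path($path) ? 'flag' : 'pass'
    );
}
```

The backslash and drive-letter samples are the ones the forward-slash-only check lets through, while notes..txt shows that comparing whole segments avoids flagging a harmless file name.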



Why don’t they list the files that have been changed so we can replace just those instead of replacing every file for the three or four that were affected?
@BigDog: We don’t offer an official list or download of changed files because this can often be a more difficult way to upgrade. You can however generate a zip file containing the changed files or a unified diff using trac from the links at the bottom of the differences page linked from the dev blog post: Zip File, Unified Diff
Thanks a lot for the changelog. I ended up finding this through Google, as it wasn’t listed anywhere in the update announcement I found in my Site Admin console! What’s the point of telling me an update is available if there’s no reasoning as to why I should perform the upgrade? Newer doesn’t always mean better.
@Cyde: Ryan couldn’t really link to this from the update announcement as it wasn’t written until after the release. However, you should find this linked from your dashboard as well in the “Other WordPress news” section at the bottom.
Regarding the differences page you cited above:
There are 16 files listed at the top. Can I just copy those from 2.3.2? That would be easier for me because I have other mods I don’t want to have to re-do.
Thanks
@News Corpse: You can, yes - you should be able to get those files from the Zip File link in the same comment.
In general it is always best to avoid modifying the core files and use the hooks/filters available within a plugin to make the changes you want.
Please include “word count” patch in the next release.
I saw this on my Dashboard, and I was wondering if you had come across this problem - I upgraded to 2.3.2, and lost all of my categories. As in, all of my posts now show as uncategorized. I asked at WP Support, and got one reply suggesting that I do something involving dropping tables and rebuilding them. Is there possibly an easier solution?
@Elizabeth: Which version of WordPress did you upgrade from? There were no database changes in 2.3.2 so you should not have lost your categories like that.
@Peter Westwood
(http://westi.wordpress.com/2007/12/30/wordpress-232-in-detail/#comment-247)
I started with WordPress some time ago and only recently had to manage the upgrade from 2.2.3 to 2.3.1. Now it's time for 2.3.2 and 2.4 is on the way.
Regarding the frequency of output (and considering that I have to manage more than administering one WP installation as Webmaster) it would be really really wonderful if the update process would NOT consist of dumb copying of ALL WordPress files/directories plus standard all-purpose update instructions, as I have to do it over a FTP connection and have not always my best tool at hand (Krusader), which makes upgrading of whole directory structures often VERY annoying and time consuming.
(Ever tried to do this job over a webFTP interface?)
To have a direct link to a dedicated update page (from pre-release to new release) containing only the changed files and the specific(!) update process and risks in a concise way would be absolutely helpful.
E.g. “no DB changes, only copying files in archive x.zip is sufficient” is an absolutely helpful information. Why to find it in a blog comment? Why creating the zip per hand everyone?
Or perhaps there may be more than one standard type of upgrade processes which could be categorised and described? (So saying: Update from 2.3.1 to 2.3.2 is an update type C, description -here- , and -there- are the files needed)
KR
Det
@Det: I understand your frustration with the suggested upgrade process. We have found in the past that the most reliable and easy to understand upgrade process for the large majority of the audience is to upload all the files each time.
We do not have the time to provide upgrade packages from multiple previous versions or upgrade packages in multiple formats.
However, you may be interested in the built-in upgrade functionality that is being discussed for a future version of WordPress where you would be able to upgrade from within your site's admin panel. Please follow the relevant trac ticket for more information.
@Elizabeth: We have seen the categories and tags disappear too. In our case this was due to the database needing to be rebooted (contact your web host if you can’t do that yourself). In 2.3.2 the error that you’d normally see in previous versions that would clue you into this is now suppressed for security reasons.