Tag Archives: security

WordPress weekly digest 11th February to 17th February 2008

It has been a busy week again for WordPress 2.5; the changes this week were:

  • Introduction of the beginnings of a plugin update system (#5586).
  • Changes to allow uploads to be stored outside of the WP path and have custom URLs ([6780]).
  • A fix for the human readable time offset for future posts (#5817).
  • Change to using the full slug rather than the abbreviated one when editing (#5816).
  • Reduction of the number of SQL queries made by wp_count_posts() (#5820).
  • Changes to make a nonce mismatch fail instead of showing an “Are you sure?” message (#5838).
  • Improved metadata for atom comment search feeds (#5493).
  • Allow is_single(), is_category(), and is_tag() to accept arrays of items to test (#5593).
  • Addition of random order option to wp_tag_cloud() (#5726).
  • Fixes to the markup generated by the Walker class so that it matches 2.3 (#5844).
  • Addition of bulk delete to the links manager ([6842]).
  • Improvements to the performance of generic_ping() (#5855).
  • Changes to make sure private posts stay private when they are published (#5881, #4206).
  • Introduction of more specific moderation emails for pingbacks and trackbacks (#4986).
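The nonce change above (failing outright on a mismatch rather than asking "Are you sure?") is the fail-closed pattern every state-changing admin request should follow. The block below is an added illustration of that pattern and is not WordPress's own code; the function names (make_nonce, verify_nonce, handle_delete_request), the NONCE_SECRET constant and the 12-hour window are assumptions chosen for the example.

```php
<?php
// Added example, not WordPress code. make_nonce(), verify_nonce(),
// handle_delete_request(), NONCE_SECRET and NONCE_LIFETIME are assumed names.

const NONCE_SECRET   = 'replace-with-a-long-random-secret'; // assumed; load from configuration in practice
const NONCE_LIFETIME = 12 * 3600;                            // seconds per validity window (assumed)

// A nonce is an HMAC over the time window, the action and the user, so it is
// bound to one user and one action and expires on its own.
function make_nonce(int $user_id, string $action, ?int $now = null): string {
    $tick = intdiv($now ?? time(), NONCE_LIFETIME);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 16);
}

function verify_nonce(string $nonce, int $user_id, string $action, ?int $now = null): bool {
    $tick = intdiv($now ?? time(), NONCE_LIFETIME);
    // Accept the current window and the previous one, so a form opened just
    // before the rollover still submits. Constant-time comparison throughout.
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('sha256', "$t|$action|$user_id", NONCE_SECRET), 0, 16);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Handler for a destructive request. A missing or mismatched nonce is
// rejected outright; there is no confirmation screen to click through.
function handle_delete_request(array $request, int $user_id): string {
    $post_id = (int) ($request['post'] ?? 0);
    $nonce   = (string) ($request['_nonce'] ?? '');
    if (!verify_nonce($nonce, $user_id, "delete-post_$post_id")) {
        return "Request rejected: invalid or expired security token for post $post_id.";
    }
    // ... the actual deletion would happen here ...
    return "Deleted post $post_id.";
}

// Constructed demonstration values.
$user_id = 7;
$good    = make_nonce($user_id, 'delete-post_42');
echo handle_delete_request(['post' => 42, '_nonce' => $good], $user_id), "\n";
echo handle_delete_request(['post' => 42, '_nonce' => 'tampered'], $user_id), "\n";
echo handle_delete_request(['post' => 43, '_nonce' => $good], $user_id), "\n";
echo handle_delete_request(['post' => 42], $user_id), "\n";
```

Of the four demonstration calls only the first succeeds: the second carries a forged token, the third reuses a token issued for post 42 against post 43 (the action string binds the nonce to a specific post), and the fourth has no token at all. Binding the action to the object id is what prevents a single captured token from being replayed against other resources.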

On top of all of this there has been a lot of work this week on finishing off the new admin design.

For even more information on some of the other little changes that went in this week you can read the whole weekly trac timeline, look at a complete changelog for trunk or view a diffstat of the changes.

WordPress weekly digest 4th February to 10th February 2008

It has been a busy week again for WordPress 2.5; the changes this week were:

  • Addition of extra capabilities checks to the xmlrpc code (#5313).
  • New filters for comments_open() and pings_open() (#5761).
  • Addition of a key on comment_approved,comment_date to speed up the get_lastcommentmodified() mysql queries (#5773).
  • Introduction of wp_count_posts() ([6730]).
  • More portable and extensible database structure (#4778).
  • Renaming of is_front() to is_front_page() to avoid conflict with bbPress (#3682).
  • Changes to make RSS 2.0 comment feed GUIDs immutable (#5072).
  • New redirect_canonical filter to allow a plugin to cancel a redirect (#5766).
  • Introduction of a new pluggable get_avatar() function which defaults to using gravatar (#5775).
  • Changes to add the post_password to the WXR export file so that the posts are still protected after import (#4376).
  • Update to jQuery 1.2.3 ([6757]).
  • Introduction of a new meta box api for adding boxes to the write pages (#5798).
  • Introduction of the ability to have random post ordering (#4617).
  • Reversion to full content, including content after the more tag, for feeds (#2582).
  • A more informative error message when theme files are not writeable (#5783).
  • Removal of gzip_compression(). Leave it to the server to handle (#4342).

For even more information on some of the other little changes that went in this week you can read the whole weekly trac timeline.

WordPress 2.3.3 in detail

WordPress 2.3.3 has been released and includes a number of changes, including one security fix. Here is a list of most of the changes in detail:

  • Reversion of the change to set the “Sender” in wp_mail() (#5273).
  • Changes to the magic number detection for gettext file loading for better support of 64-bit systems (#3780).
  • A fix in install-helper.php so that you do not get errors when included from a plugin (#5090).
  • Addition of extra capabilities checks to the xmlrpc code (#5313).
  • Fixes to the naming of some query variables used for category intersections (#5788).

For a complete list of all the changes you can read this section of the branches/2.3 log.

WordPress weekly digest 28th January to 3rd February 2008

It has been a busy week again for WordPress 2.5; the changes this week were:

  • A Tag Searching interface for the Tag Editor (#5684).
  • Removal of any old compatibility functions for PHP 4.2 and 4.3 (#5415).
  • I18N updates for the new widgets interface (#5583).
  • Changes to increase the memory limit for PHP (#3141).
  • Comment feed fixes to ensure that we have got a post before we query for the comments (#5185).
  • Introduction of a wp_authenticate_user filter ([6685]).
  • Addition of the TinyMCE Fullscreen plugin (#5735).
  • Addition of a depth argument to wp_dropdown_categories() (#2461).
  • Fixes to future post publishing over xmlrpc (#5721).
  • Update TinyMCE to v3.0 final (#5674).
  • Merging of wp-admin/profile.php and wp-admin/user-edit.php (#5736).
  • Changes to allow for multiple database connections (#2722).
  • Introduction of a new template tag is_front() which is only true on the front page of a WordPress install (#3682).
  • Addition of extra capabilities checks to the xmlrpc code (#5313).

For even more information on some of the other little changes that went in this week you can read the whole weekly trac timeline.

WordPress 2.3.2 in detail

WordPress 2.3.2 has been released and includes a number of changes, including one security fix. Here is a list of most of the changes in detail:

  • Performance improvements for post sanitization when raw content is required (#5325).
  • Changes to is_admin() to ensure that it is only true for admin pages, thereby protecting against exposing draft posts (#5487).
  • Suppression of database errors unless WP_DEBUG is true (#5473).
  • Check for valid database connection information during install, and display an error if the install fails due to database rights (#5495).
  • Support for a custom database down page to be displayed on database connection errors (#5500).
  • Changes to make sure we are more selective in what we make clickable; this introduces different rules for different URI types ([6450]).
  • Changes to wp-mail.php to escape the error messages when displaying them to avoid a possible XSS attack (#5484).
  • Changes to ensure that the post password is only exposed by the xmlrpc method metaWeblog.getRecentPosts to users with rights to edit a post (#5535).
  • Changes to the information exposed by the wp.getAuthors xmlrpc method to reduce the information exposed and add a capabilities check (#5534).
  • Addition of extra capabilities checks to xmlrpc methods ([6504]).
  • Addition of extra capabilities checks to the Atom Publishing Protocol (APP) server ([6508]).
  • Changes to validate_file() to improve its traversal attempt detection when running on Windows ([6521]).
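Three of the 2.3.2 changes above are instances of the same defensive habits: escape untrusted text before it reaches HTML (the wp-mail.php fix), strip privileged fields from API responses the caller may not edit (the post_password and wp.getAuthors fixes), and treat both slash styles as separators when checking a relative path for traversal (the validate_file() Windows fix). The block below is an added example of those three checks written for this digest; it is not WordPress's own code, and the names check_relative_path(), render_error() and posts_for_user() plus the return codes and sample data are assumptions.

```php
<?php
// Added example, not WordPress code. All function names and return codes are assumed.

/**
 * Check a relative file path for traversal. Returns 0 when acceptable,
 * a non-zero code describing the problem otherwise. Backslashes are
 * normalised to slashes first so that a Windows-style "..\" segment is
 * caught exactly like "../".
 */
function check_relative_path(string $path): int {
    $normalised = str_replace('\\', '/', $path);
    if ($normalised === '')                          return 1; // empty
    if (strpos($normalised, "\0") !== false)         return 2; // embedded NUL byte
    if ($normalised[0] === '/')                      return 3; // absolute path
    if (preg_match('#^[A-Za-z]:#', $normalised))     return 4; // Windows drive letter
    foreach (explode('/', $normalised) as $segment) {
        if ($segment === '..')                       return 5; // parent-directory segment
    }
    return 0;
}

/** Escape an untrusted message (e.g. a POP3 server reply) before it goes into HTML. */
function render_error(string $message): string {
    return '<p class="error">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}

/**
 * Blank the post password on every record the caller may not edit, so an
 * API listing never hands the password to a low-privilege user.
 * $can_edit is a callback (post id -> bool) standing in for a capability check.
 */
function posts_for_user(array $posts, callable $can_edit): array {
    return array_map(function (array $post) use ($can_edit): array {
        if (!$can_edit((int) $post['id'])) {
            $post['post_password'] = '';
        }
        return $post;
    }, $posts);
}

// Constructed sample inputs for the three checks.
$paths = [
    'wp-content/themes/default/style.css',
    '../wp-config.php',
    '..\\..\\wp-config.php',
    'C:\\inetpub\\wwwroot\\wp-config.php',
    "wp-content/themes/\0/style.css",
];
foreach ($paths as $p) {
    printf("%-42s -> %d\n", addcslashes($p, "\0"), check_relative_path($p));
}

echo render_error('POP3 login failed for user "<b>mailbox</b>" & host example.invalid'), "\n";

$posts = [
    ['id' => 1, 'title' => 'Public post',  'post_password' => ''],
    ['id' => 2, 'title' => 'Private post', 'post_password' => 'constructed-secret'],
];
$can_edit = fn(int $id): bool => $id === 1; // constructed: caller may edit post 1 only
print_r(posts_for_user($posts, $can_edit));
```

Only the first sample path passes check_relative_path(); the two traversal forms are rejected by the same segment test because the backslash variant is normalised before inspection, which is the point of handling Windows separators explicitly rather than only looking for "../". The escaped error text keeps the angle brackets and ampersand as literal characters, and the password of post 2 is blanked because the constructed capability callback only grants edit rights on post 1.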

For a complete list of all the changes you can read this section of the branches/2.3 log.

WordPress weekly digest 17th December to 23rd December 2007

It has been a very busy week for WordPress 2.4, partly due to a mid-week bug hunt; the changes this week were:

  • Introduction of a wp_set_password() pluggable function to allow it to be overridden easily (#2394).
  • Changes to is_page() to allow for an array of pages to be specified (#5430).
  • Faster rewrite rules for pages for some permalink structures (#3614).
  • Escaping added to the POP3 error messages to avoid XSS attacks (#5484).
  • Fixes to the valid element configuration of TinyMCE to allow for more valid combinations (#3826).
  • Fixes to the tag entry field to avoid erroneous blank tags (#5412).
  • Changes to sanitize_title() to allow ‘0’ to be a valid title (#5293).
  • New get_search_feed_link() and get_search_comments_feed_link() template tags (#5442).
  • Improvements to the relative links provided in atom comments feeds (#5435).
  • Addition of an xmlrpc method for deleting categories (#4599).
  • Custom field support for the xmlrpc interface (#5148).
  • Addition of a password strength meter to the user profile page (#4470).
  • Improvements to the strings used where a different message text is displayed for plurals (#4865).
  • Addition of a link to the relevant post on the comment editing screen (#4345).
  • Documentation for wp-settings.php (#5211).
  • Fixes for some of the NOTICE errors visible when WP_DEBUG is enabled ([6435], [6436]).
  • Improvements to the image metadata extraction functionality to ensure we only try to extract metadata from valid file types (#5397).
  • Changes to ensure that PNG transparency and alpha channels are preserved during thumbnail generation (#2805).
  • Addition of file level documentation to the third party libraries (#5443).
  • Changes to the wpdb class to suppress database errors by default (#5473).
  • Support for a custom database down page (#5500).
  • Improvements to make_clickable() to have different rules for different URI types ([6449]).
  • Improvements to the install process to check for valid database connection info (#5495).
  • Addition of pages to the things searched (#5149).
  • Addition of new actions import_done and xmlrpc_call ([6472], [6473]).

We have also seen the beginnings of the new admin design being checked in. Hopefully next week I will be able to bring you some screenshots!

For even more information on some of the other little changes that went in this week you can read the whole weekly trac timeline.