Matt announced a security release for WordPress today on the WordPress Development Blog. This release addresses previously unannounced XSS problems, apparently in comment posting and registration. The files affected by this release are:
Here is a short summary of some of the notable changes:
- Forced default values of $_POST['comment_status'] = 'closed' and $_POST['ping_status'] = 'closed' when they are not set.
- Added escaping of attachment data-objects.
- Added escaping of posts data-objects.
- Added check for ‘manage_categories’ privileges before showing the “Add” option to the category list while writing a post.
- Abstracted deletion of links from direct SQL to a
- New ‘admin_notices’ Action allowing plugins to insert HTML immediately after the ‘adminmenu’ and ‘submenu’ <ul>’s. I think I’ll be using that for my “New version of SpamKit available” messages.
- Additional HTTP Referrer checks using the ‘check_admin_referer’ method when submitting a new post, editing an attachment and editing a post.
- Additional HTTP Referrer checks using the ‘check_admin_referer’ method when updating a User.
- Sanitising of user-submitted Name, Email and URL read back from cookies.
- Forced blank default value of user-submitted email address and login name.
- Sanitising of the display of user-submitted email address and login name.
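To show the kind of problem the cookie sanitising and forced defaults close, here is an added illustration in plain PHP (not code from the WordPress release itself): a comment form prefilled straight from cookies, beside a version that sanitises on input and escapes on output. The cookie field names, the helper names and PHP 7.4+ are assumptions.

```php
<?php
// Added example, not WordPress's own code. Field names are assumed.

// Constructed cookie values, as a hostile browser could send them.
$cookie = [
    'comment_author'       => '"><script>alert(1)</script>',
    'comment_author_email' => 'not-an-email"><b>x</b>',
    'comment_author_url'   => 'javascript:alert(1)',
];

// Forced defaults: missing status fields become 'closed' rather than
// being left unset for later code to interpret.
function normalize_statuses(array $post): array {
    foreach (['comment_status', 'ping_status'] as $k) {
        if (!isset($post[$k])) { $post[$k] = 'closed'; }
    }
    return $post;
}

// BEFORE: a cookie value dropped straight into an HTML attribute.
// Any quote or angle bracket in the cookie breaks out of the attribute.
function prefill_unsafe(array $c): string {
    return '<input name="author" value="' . ($c['comment_author'] ?? '') . '">';
}

// AFTER: sanitise on input and supply a blank default when a field is
// missing, then escape every value at the point it is written into HTML.
function sanitize_commenter(array $c): array {
    $name  = trim(strip_tags($c['comment_author'] ?? ''));
    $email = filter_var($c['comment_author_email'] ?? '', FILTER_VALIDATE_EMAIL) ?: '';
    $url   = filter_var($c['comment_author_url'] ?? '', FILTER_VALIDATE_URL) ?: '';
    // Keep only http(s) URLs so a javascript: or data: scheme never reaches an href.
    if ($url !== '' && !preg_match('#^https?://#i', $url)) {
        $url = '';
    }
    return ['name' => $name, 'email' => $email, 'url' => $url];
}

function prefill_safe(array $c): string {
    $s = sanitize_commenter($c);
    $e = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="author" value="' . $e($s['name']) . '">' . "\n"
         . '<input name="email" value="' . $e($s['email']) . '">' . "\n"
         . '<input name="url" value="' . $e($s['url']) . '">';
}

echo prefill_unsafe($cookie), "\n\n", prefill_safe($cookie), "\n";
print_r(normalize_statuses(['post_title' => 'constructed sample']));
```

Run with `php example.php`: the first output shows the cookie payload closing the attribute, the second shows it rendered inert and the URL dropped.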
I have created a patch to take 2.0.1 installations of WordPress up to version 2.0.2 without having to reinstall and possibly lose customisations.
You can apply this patch from the top directory of your WordPress installation using the ‘patch’ program from a UNIX shell:
patch -p1 < wordpress-2.0.1-2.0.2.patch
Full Example Usage:
[michael@lobstertechnology ~] $ cd blog.lobstertechnology.com
[michael@lobstertechnology blog.lob...] $ patch -p1 < wordpress-2.0.1-2.0.2.patch
patching file wp-admin/admin-functions.php
patching file wp-admin/admin-header.php
patching file wp-admin/admin.php
patching file wp-admin/edit-pages.php
patching file wp-admin/import/blogger.php
patching file wp-admin/list-manipulation.php
patching file wp-admin/menu-header.php
patching file wp-admin/post.php
patching file wp-admin/user-edit.php
patching file wp-comments-post.php
patching file wp-includes/classes.php
[michael@lobstertechnology blog.lob...] $
Alternatively, you can simply replace only the files which have changed, as listed in the patch output above.