Lester Chan's WordPress Plugins – Page 24 – Lester Chan's WordPress Plugins Development Blog

WordPress 3.2 RC1

The first release candidate (RC1) for WordPress 3.2 is now available.

An RC comes after the beta period and before final release. We think we’re done, but with tens of millions of users, a variety of configurations, and thousands of plugins, it’s possible we’ve missed something. So if you haven’t tested WordPress 3.2 yet, now is the time! Please though, not on your live site unless you’re extra adventurous.

Things to keep in mind:

With more than 350 tickets closed, there are plenty of changes. Plugin and theme authors, please test your plugins and themes now, so that if there is a compatibility issue, we can figure it out before the final release.

Users are also encouraged to test things out. If you find problems, let your plugin/theme authors know so they can figure out the cause.

Twenty Eleven isn’t quite at the release candidate stage. Contents may settle.

If any known issues crop up, you’ll be able to find them here.

If you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:

Post it to the Alpha/Beta area in the support forums or wp-testers

Join the development IRC channel and tell us live at irc.freenode.net #wordpress-dev

File a bug ticket on the WordPress Trac

To test WordPress 3.2, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip).

Happy testing!

If you’d like to know which levers to pull in your testing, check out a list of features in our Beta 1 post.

Download: WordPress 3.2 RC1

(136 votes, average: 3.87 out of 5)

I have updated this site with the following plugins:
» WP-DBManager 2.11
» WP-Email 2.11
» WP-PageNavi 2.11
» WP-PostRatings 1.11
» WP-PostViews 1.11
» WP-Print 2.11
» WP-RelativeDate 1.11
» WP-Stats 2.11
» WP-Sticky 1.00

All of them should be finalized unless there is a last minute bug. I am testing WP-DBManager automatic scheduling of backing up of database, so far so good.

I hope I can release all of them on 1st June 2007. I am left with WP-Ban, WP-Polls and WP-UserOnline as documented on GaMerZ.Wiki.

(104 votes, average: 3.87 out of 5)

WP-Polls 2.61

I have released WP-Polls 2.61 which fixes a code injection via “HTTP Referrer” and affects users who are on WP-Polls 2.60 only.

I also took this chance to port the readme.html to the proper readme.txt which WordPress.org is using and now you can see all the details of WP-Polls right from the plugins page itself regardless if it is from your WP-Admin or WordPress.org.

All users should upgrade now

Vulnerability discovered by + Props to:

Dweeks, Leon Juranic and Chad Lavoie of the Swiftwill Security Team (www.swiftwill.com)

Download: WP-Polls 2.61

(99 votes, average: 3.87 out of 5)

WordPress 2.3.1

WordPress 2.3.1 has been released and this fix is a bug-fix and security release for the 2.3 series.

An XSS issue has been fixed here:

A security fix to ensure that edit-post-rows.php cannot be directly loaded to prevent XSS attacks when register_globals is enabled

Get yours today.

(95 votes, average: 3.87 out of 5)

Code Injection Follow Up

I have release 2 security updates to WP-Polls and WP-PostRatings which basically removes a malicious code that allows code injection.

The malicious code is as follows:
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER'])) return;

The code itself does nothing, but hackers are spoofing the $_SERVER['HTTP_REFERER'] that allows arbitrary code injection and note the @ sign which surpress all errors and hence the error will not be displayed.

I am 100% sure based on the points below that the code was not added by me. I am beginning to believe that my account was hacked.

Personally, I have no idea what links_add_base_url() does and hence it is impossible for me to place it in my own plugin code.
I checked the commit date for the changeset of WP-PostRatings and the date/time is 11/04/10 22:10:13. Since I am on the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
The above changeset is for trunk. However in my readme.txt, I have state that the stable tag is 1.50 and hence the file is copied to /tags/1.50/ in this changeset, but if you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit and it is almost 9am on my timezone and I will be in my office and my office’s computer does not have SVN copies of my plugin. So it is also not possible for me to commit that file
If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do a SVN copy for my plugins, normally I will just copy and paste the files using my Windows Explorer.
For WP-Polls, there is only 1 changeset as my stable tag is from trunk and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. On my timezone it is about 8.30pm and it is not possible for me to check-in because 8pm to 9pm is my dinner time and I always eat out.
For WP-WAP, there is almost 2 suspicious commit, here and here. As I do not develop WP-Wap anymore, there is no reason for me to commit something to it

I am going to review all my commits to the SVN to ensure that there are no more suspicious code being added.

(89 votes, average: 3.87 out of 5)