site upgraded minimally to wordpress 2.1.3 from 2.1.2
Finally got some time tonight to upgrade the wordpress server software powering this site to the latest release, 2.1.3. This is to take advantage of the security enhancements, except those for xmlrpc.php: that file had already been removed from this site, as recommended in my articles (part I & part II) on how to secure a LAMP server such as a wordpress server.
I am glad to learn from the release notes that the wordpress dev team has taken the initiative to review the wordpress.org code base for security enhancements and bug fixes.
The changes from 2.1.2 to 2.1.3 are mainly of the following two types:
- values are now explicitly cast to int before they are assigned to integer-typed variables.
For example, this is the only change in wp-admin/import/mt.php:
174c174
< $this->id = $file['id'];
—
> $this->id = (int) $file['id'];
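Review bot: the `(int)` cast on line 174 fixes the type of `$this->id` but silently turns non-numeric input into 0 and truncates partly numeric strings, so if `$file['id']` can come from user-controlled import data the code should still validate that it is a positive integer and refuse the record otherwise, rather than continuing with id 0.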
298c298
< $comment_post_ID = $post_id;
—
> $comment_post_ID = (int) $post_id;
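Review bot: same pattern on line 298; `(int) $post_id` is sound defence in depth, but the cast only helps where `$comment_post_ID` is later used as an integer, and an unexpected 0 would still need handling, so pair it with a check that the referenced post actually exists before the comment is attached.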
- calls that sanitize URL strings now use clean_url() instead of attribute_escape().
For example, that is the only change in wp-admin/upload-functions.php and wp-admin/upload.php. Here is the diff for the latter:
93c93
< $_href = attribute_escape( $href);
—
> $_href = clean_url( $href);
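As an added example (my own sketch, not WordPress code) of the two change types above, the following PHP shows why an explicit integer cast still wants validation and how URL sanitising differs from attribute escaping; the helper names to_post_id() and safe_href() and the scheme allow-list are assumptions for illustration, not WordPress APIs.

```php
<?php
// Added example, not WordPress code. Helper names (to_post_id, safe_href) and
// the scheme allow-list are my own choices for illustration.

// Change type 1: explicit integer casting. (int) guarantees the variable is
// integer-typed, but it silently maps non-numeric input to 0 and truncates
// partly numeric strings ("42abc" -> 42), so the input should still be
// validated before the id is trusted.
function to_post_id($value) {
    $id = (int) $value;                         // what 2.1.3 now does
    // Extra check: accept only a clean, positive integer string.
    if ((string) $id !== trim((string) $value) || $id <= 0) {
        return null;                            // treat as "no such post"
    }
    return $id;
}

// Change type 2: URL sanitising versus attribute escaping. HTML-escaping a
// value (what attribute_escape() does) makes it safe to place inside an
// attribute but says nothing about whether it is an acceptable URL. A URL
// sanitiser should also restrict the scheme; escaping still happens at output.
function safe_href($url, array $allowed = ['http', 'https', 'mailto']) {
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);  // null for relative URLs, false if malformed
    if ($scheme === false) {
        return '';                              // unparsable: drop the URL
    }
    if ($scheme !== null && !in_array(strtolower($scheme), $allowed, true)) {
        return '';                              // scheme not on the allow-list: drop the URL
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');   // attribute-context escaping
}

// Constructed sample inputs of the kind $file['id'] or $href might carry.
foreach (['42', ' 42 ', '42abc', 'abc', '0', '-7'] as $raw) {
    printf("%-8s cast=%-3d to_post_id=%s\n",
           var_export($raw, true), (int) $raw, var_export(to_post_id($raw), true));
}
foreach (['http://example.com/?a=1&b=2', 'data:text/html,x', '/wp-admin/upload.php'] as $raw) {
    printf("%-28s -> %s\n", $raw, var_export(safe_href($raw), true));
}
```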
Many files have changed. Here is the list of files:
./wp-admin/page.php
./wp-admin/admin-ajax.php
./wp-admin/post.php
./wp-admin/upload.php
./wp-admin/edit-page-form.php
./wp-admin/upload-functions.php
./wp-admin/user-edit.php
./wp-admin/admin-db.php
./wp-admin/admin-header.php
./wp-admin/edit-comments.php
./wp-admin/import/mt.php
./wp-admin/import/dotclear.php
./wp-admin/import/livejournal.php
./wp-admin/import/wordpress.php
./wp-admin/import/blogware.php
./wp-admin/link-manager.php
./wp-admin/upgrade.php
./wp-admin/bookmarklet.php
./wp-admin/custom-header.php
./wp-admin/edit-form-advanced.php
./wp-admin/admin-functions.php
./wp-content/plugins/akismet/akismet.php
./wp-includes/comment-template.php
./wp-includes/general-template.php
./wp-includes/formatting.php
./wp-includes/functions.php
./wp-includes/bookmark.php
./wp-includes/author-template.php
./wp-includes/post.php
./wp-includes/comment.php
./wp-includes/feed.php
./wp-includes/user.php
./wp-includes/script-loader.php
./wp-includes/bookmark-template.php
./wp-includes/registration.php
./wp-includes/default-filters.php
./wp-includes/rss.php
./wp-includes/query.php
./wp-includes/version.php
./wp-includes/pluggable.php
./wp-includes/link-template.php
./wp-includes/category-template.php
./wp-includes/theme.php
./wp-includes/classes.php
./wp-includes/category.php
./wp-login.php
./wp-trackback.php
./xmlrpc.php
./wp-comments-post.php