path: root/www/wordpress
Age | Commit message | Author | Files | Lines
2011-02-11 | Pullup ticket #3349 - requested by morr | sbd | 2 | -6/+6
www/wordpress update
Revisions pulled up:
- pkgsrc/www/wordpress/Makefile 1.15
- pkgsrc/www/wordpress/distinfo 1.11
-------------------------------------------------------------------------
Module Name: pkgsrc
Committed By: morr
Date: Thu Feb 10 10:25:50 UTC 2011
Modified Files:
pkgsrc/www/wordpress: Makefile distinfo
Log Message:
Security update to 3.0.5.
Changes:
* Fix XSS bug: Properly encode title used in Quick/Bulk Edit, and offer additional sanitization to various fields. Affects users of the Author or Contributor role.
* Fix XSS bug: Preserve tag escaping in the tags meta box. Affects users of the Author or Contributor role.
* Fix potential information disclosure of posts through the media uploader. Affects users of the Author role.
* Enhancement: Force HTML filtering on comment text in the admin
* Enhancement: Harden check_admin_referer() when called without arguments, which plugins should avoid.
* Update the license to GPLv2 (or later) and update copyright information for the KSES library.
2010-12-30 | Critical security update. | morr | 2 | -6/+6
ChangeLog:
* Fix XSS vulnerabilities in the KSES library: Don't be case sensitive to attribute names. Handle padded entities when checking for bad protocols. Normalize entities before checking for bad protocols in esc_url().
2010-12-10 | Security update to 3.0.3. Changes: | morr | 2 | -6/+6
Fixes issues in the XML-RPC remote publishing interface which under certain circumstances allowed Author- and Contributor-level users to improperly edit, publish or delete posts.
2010-12-05 | Security update. Changes: | morr | 3 | -7/+10
* Fix moderate security issue where a malicious Author-level user could gain further access to the site.
* Remove pingback/trackback blogroll whitelisting feature as it can easily be abused.
* Fix canonical redirection for permalinks containing %category% with nested categories and paging.
* Fix occasional irrelevant error messages on plugin activation.
* Minor XSS fixes in request_filesystem_credentials() and when deleting a plugin.
* Clarify the license in the readme
* Multisite: Fix the delete_user meta capability
* Multisite: Force current_user_can_for_blog() to run map_meta_cap() even for super admins
* Multisite: Fix ms-files.php content type headers when requesting a URL with a query string
* Multisite: Fix the usage of the SUBDOMAIN_INSTALL constant for upgraded WordPress MU installs
While here, set license.
2010-08-04 | Update to 3.0.1. | morr | 3 | -119/+121
3.0.1:
* Fixed 54 tickets total. A break down of ticket status by component can be found in Trac (http://core.trac.wordpress.org/milestone/3.0.1).
* Added unregister_nav_menu(), for child themes.
3.0:
* WordPress and WordPress MU have merged, allowing the management of multiple sites (called Multisite) from one WordPress installation.
* New default theme "Twenty Ten" takes full advantage of the current features of WordPress.
* New Custom Menu Management feature, allows creation of custom menus combining posts, pages, categories, tags, and links for use in theme menus or widgets.
* Custom Header and Custom Background APIs.
* Contextual help text accessed under the Help tab of every screen in the WordPress administration.
* Ability to set the admin username and password during installation.
* Bulk updating of themes with an automatic maintenance mode during the process.
* Support for Shortlinks.
* Improved Custom Post Types and Custom Taxonomies including hierarchical (category-style) support. (Try the Custom Post Type UI or GD Custom Posts And Taxonomies Tools plugins to see the possibilities.)
* A lighter admin color scheme to increase accessibility and put the focus more squarely on your content.
2010-04-19 | Update to 2.9.2 | morr | 3 | -18/+47
2.9.2:
* Fixed problem where logged in users can peek at trashed posts belonging to other authors.
* Fixed other issues
2.9.1:
* Fixed problem where scheduled posts and pingbacks are not processed correctly due to incompatibilities with some hosts
* Fixed other issues
2.9:
User Features
* Trash status for posts, pages, and comments (includes restore and permanent delete)
* Add support for 'include' and 'exclude' to [gallery] (Gallery Shortcode)
* Allow user registration to be enabled by an XMLRPC client
* Add support for sticky posts to the WXR exporter and importer
* 'rel=canonical' for singular pages
* Scroll back to the same location after saving a file in the Plugin and Theme editors
* Correct comments and remove unnecessary echos from the default themes sidebar template file
* Enable the APP (Atom) attachment file download to work correctly
* Support location of category templates based on 'category-slug' as well as 'category-id' (Ticket 10614)
* Support location of tag templates based on 'tag-id' as well as 'tag-slug' (Ticket 10868)
* Support location of page templates based on 'page-slug' and 'page-id'
* Set "Allow my blog to appear in search engines" to checked in installation
* Don't offer to make a category its own parent
* Remove Sphere from search list
* Minify admin CSS
* Show correct max upload filesize error message
* Add 'rel' attribute to next/previous post links
* Make the default and classic themes comment textareas valid XHTML
* Clean up '.button' and '.button[disabled]' CSS classes, add 'spinner' and 'gray-out' buttons after clicking Publish or Update post
* Fix race condition with autosave when clicking Publish immediately after entering post title
* Add Comments for Pages in the WordPress Default theme
* Define '$content_width' for Kubrick
* Better feedback on publishing of future posts and pages
* Display comments in descending date order, consistently
* Add means of automatically repairing tables
* Press This bookmarklet fixes
* Give plugins and themes simple control over the text displayed at the end of an autogenerated Excerpt
* Don't show "Change Permalinks" button when editing the page set as "Front page"
* Image editing
* Retire BunnyTags importer
* Retire Jerome's keywords importer
* Explain that the permalink is temporary for autosave generated permalinks
* Update SimplePie to 1.2
* Eliminate the redundant and confusing comment threading depth of 1
* Easier Embeds with oEmbed support (see Ticket #10337) (oEmbed discovery disabled by default, use plugin to enable it)
* TinyMCE 3.2.7
* Remove rel='tag' on links in Tag Clouds
* Add a title to the Home link output by wp_page_menu()
* Adjust comment moderation keyboard shortcut keys 'd = trash' or delete depending on the screen
* Show "Draft updated" instead of "Post updated" when saving draft
* Show the login form in a popup when autosave hits the login grace period
* Open View/Preview post in a new window from the link in the Saved/Updated message
* Separate fields for 'image alt' and 'image caption' in Media uploader
* Display better information about broken themes when there is no stylesheet
* Improve situation when tables such as wp_options table were 'corrupt' new installation message was offered. Add means of automatically repairing tables
* Export and import custom taxonomies
* Admin copy improvements
* Don't show page templates in the drop down if they are in a subdirectory
* Make codex link open in a new window
* Change 'Remove' link on widgets to 'Delete' because it doesn't just remove it, it deletes the settings for that widget instance.
Development, Themes, Plugins
* Added 'excerpt_more' filter to wp_trim_excerpt() function, which allow developers to change excerpt '[...]' more string (Ticket 10395)
* Add 'smilies_src' filter so plugins can better add smilies
* Canonical redirects for post name queries
* Allow _wp_get_comment_list() to handle custom comment types
* Return an empty array instead of false for get_children() when no children found
* Add some filters so that HTTP requests can be filtered
* Move plugin update notice output to the plugin specific hook
* Limit wp-mail 'blog by email' checks to every 5 minutes
* Make it much easier to filter contact methods from user profiles
* Allow filtering of get_edit_post_link for custom post_type
* 'get_sample_permalink_html' filter
* Enforce activation key to be a string, reject activation keys that are arrays
* Support for new post types
* Respect custom post_type in queries
* Send Retry-After header when in maintenance mode
* Various WP Filesystem related fixes and documentation
* Add constants for ftp connections timeouts
* Increase timeout on cron-based requests when checking for upgrades
* Don't use has_action() before do_action() in http.php
* Speed up jQuery based scripts
* Use the current user as author for autosave
* Show My Posts as default view on the Edit Posts screen for users without 'edit_others_posts' cap
* Ensure that drafts viewed over XMLRPC have a correct gmt date set
* Pass user id to 'get_' the_author_meta filters
* Move _wp_get_user_contactmethods() into the registrations functions file
* Machine parseable db error codes
* Add global JS vars and actions to the media uploader iframe
* Add JSON compat for PHP < 5.2
* Make option_name the primary key for the options table
* Allow a plugin to do a complete takeover of Post by Email
* Logarithmic scale for tag cloud
* Pass Post ID to the 'get_comments_number' filter
* Always filter the url in the media upload form
* Add a 'the_terms' filter
* is_blog_installed() improvements
* Allow force_ssl_admin() to properly accept false as a value
* Pass logged_in cookie to async-upload and filter the cookie scheme in auth_redirect()
* Add more actions around database add/delete/update operations
* phpDoc for wp_"check|set"_post_lock functions
* Use the old strings which are more translator friendly and add a generic default string to aid re-use by plugins adding post_types
* Filter fields through kses upon display and introduce sanitize_user_object() and sanitize_user_field()
* Use null instead of 0 when setting content length
* Include 'hidden' directories in filesystem dirlist by default
* Pass args array to 'wp_list_pages' filter
* Actions for taxonomy updates
* Key should be 'comment_id' not 'post_id' in comments table
* Add get_delete_post_link() to retrieve delete posts link for post
* Add 'separator' parameter to wp_tag_cloud() and wp_generate_tag_cloud() functions (Ticket 10315)
* Added add_comment_meta() family of functions
* Use a post_parent of 0 instead of -1 to indicate unattached posts
* Improve get_page_hierarchy() function
* Deprecate the_content_rss(), add the_content_feed() and get_the_content_feed(). Convert places that called the_content_rss() with an excerpt length to the_excerpt_rss(). Remove the rss_excerpt_length option. Use the_content_feed() where the_content() was previously used in feeds.
* Add 'pad_counts' argument to wp_dropdown_categories()
* Remove codepress
* Remove the php-gettext library
* Canonical post thumbnails
* Add a filter to the_author_posts_link()
* Merge post.js with page.js and slug.js, optimize categories and tags JS, standardize postboxes IDs and JS
* Introduce register_theme_directory() which takes a wp-content-relative path and will additionally scan it for themes. Plugins can use this to add themes without requiring copying by the user
* Add set_user_role action hook
* Allow theme devs to change attrs (like CSS class) of thumbnail images
* Add wp-post-image CSS class to post images
* Allow for plugins to enhance the number of metadata fields captured from plugin and theme headers
* Merge updated pomo code
* Switch to using NOOP_Translations for untranslated sites
* Improve wptexturize performance
* Provide context to the strings in the Plugin and Theme installers to allow for different grammatical gender
* Fixes for theme subdir support
* Introduce wp_kses_post() and wp_kses_data() for filtering unescaped data
* Add 'orderby=comment_count' argument to query_posts()
* Honor Post Type for Sticky Posts
* Allow querying multiple post types
* Introduce add_theme_support(feature) and current_theme_supports(feature) for announcing and checking theme support for various features
* Introduce require_if_theme_supports()
* Add number of Embed related filters
* Add 'IMAGE_EDIT_OVERWRITE' constant to control edited image save or replace, most useful for setups that have dynamic image resizing
* Add load_child_theme_textdomain() to allow child themes to have their own translation files
* Add sidebar descriptions to sidebar settings and widget admin screen
* Make option_id primary. Add uniques for option_name and autoload
* Allow plugins to override the behaviour of load_textdomain() in a variety of flexible ways
* Mark _c() as deprecated. The new _x() function should be used instead.
* Allow plugins to change the redirect on post/page publishing/submitting
* Standardize on 'user_id' instead of 'user_ID' when passing comment data. Accept either 'user_id' or 'user_ID'. Remove 'user_id' global.
* Filter imported comments
* Introducing set_post_image_size(w, h, crop) so themes can register their special size/crop for canonical post images
* Standardize around "post image" instead of "post thumbnail"
* Allow registering post image support per post type
* Return false from is_paged() if on the first page.
* Check MySQL and PHP versions when auto upgrading
* Add required php and mysql versions to version.php
* Hard code required version in update-core.php
PR pkg/42765
2010-03-21 | Revert unintentional part of last revision | morr | 1 | -2/+2
2010-03-21 | Take over maintenance | morr | 1 | -2/+2
2010-03-20 | Don't have time to MAINTAIN these anymore, so back to pkgsrc-users@ | adrianp | 1 | -3/+3
2010-03-15 | Remove the case of PKG_PHP_VERSION is 4. | taca | 1 | -6/+1
No functional change.
2009-11-12 | Update to 2.8.6 | adrianp | 3 | -9/+7
- 2.8.5
  * Fix for trackback DOS
  * Removal of permalink_structure eval
  * Remove some create_function() calls
  * Disallow unfiltered uploads by default, even for admins. Enable it again with define('ALLOW_UNFILTERED_UPLOADS', true); in wp-config.php
  * Add extra escapes here and there for some backside coverage
  * Retire two old importers
  * A few small bug fixes
- 2.8.6
  * Fixed an XSS vulnerability in Press This
  * Fixed issue with sanitizing uploaded file names that can be exploited in certain Apache configurations
2009-08-12 | Update to 2.8.4 to fix security issue: | adrianp | 2 | -6/+6
http://wordpress.org/development/2009/08/2-8-4-security-release/
2009-08-04 | WordPress 2.8.3 Security Release | adrianp | 2 | -6/+6
Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3. Since this is a security release, upgrading is highly recommended.
2009-07-28 | Update to 2.8.2 | adrianp | 3 | -16/+140
Highlights
* New drag-and-drop widgets admin interface and new widgets API
* Syntax highlighting and function lookup built into plugin and theme editors
* Browse the theme directory and install themes from the admin
* Allow the dashboard widgets to be arranged in up to four columns
* Allow configuring the number of items to show on management pages with an option in Screen Options
* Support timezones and automatic daylight savings time adjustment
* Support IIS 7.0 URL Rewrite Module
* Faster loading of admin pages via script compression and concatenation
For all the details see: http://codex.wordpress.org/Version_2.8
2009-07-07 | Fix user-destdir. | joerg | 1 | -2/+3
2009-06-14 | Convert @exec/@unexec to @pkgdir or drop it. | joerg | 1 | -80/+2
2009-04-06 | Import of wordpress 2.7.1 from pkgsrc-wip | adrianp | 7 | -0/+811
Initially packaged by shinden@linux.pl and then hacked by me
WordPress is a state-of-the-art publishing platform with a focus on aesthetics, web standards, and usability.