Sunday 01 July 2007 by sencer

After quite a while and lots of work from many, many people it’s finally here. Textpattern 4.0.5 is available.

Textpattern 4.0.5 is immediately available from the download page.

We have fixed one security issue (XSS) on the public side with comment previews, which means that updates are strongly recommended. The relevance and potential attack vectors are described on Wikipedia [type 1]. Since the authentication cookie is restricted to the admin directory and not accessible from the front end, in most cases this means “only” the info from the comment-data cookie might be leaked. Users that run Textpattern together with other software or third-party plugins that set cookies might be at risk of having other data leaked when a user can be tricked into following certain links.
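The cookie scoping described above can be modelled with the path-match rule browsers apply (RFC 6265). This is an added example, not Textpattern code; the cookie names, the `/textpattern/` admin path and the jar contents are constructed assumptions.

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie's Path cover the request path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/textpattern"
  // does not cover "/textpattern-old".
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}

// Names of the cookies a script running on pagePath can read via document.cookie.
// HttpOnly cookies are never exposed to script, whatever their path.
function scriptVisibleCookies(jar, pagePath) {
  return jar
    .filter((c) => !c.httpOnly && pathMatches(pagePath, c.path))
    .map((c) => c.name);
}

// Build a per-page view of what injected script could reach.
function exposureReport(jar, pagePaths) {
  const report = {};
  for (const p of pagePaths) report[p] = scriptVisibleCookies(jar, p);
  return report;
}

// Constructed cookie jar (assumed names and paths, for illustration only).
const jar = [
  { name: "admin_auth", path: "/textpattern/", httpOnly: false },   // admin login
  { name: "comment_name", path: "/", httpOnly: false },             // comment data
  { name: "comment_email", path: "/", httpOnly: false },            // comment data
  { name: "plugin_session", path: "/", httpOnly: false },           // third-party plugin
  { name: "hardened_session", path: "/", httpOnly: true },          // HttpOnly variant
];

// Public comment-preview page versus an admin page.
console.log(exposureReport(jar, ["/articles/12/preview", "/textpattern/index.php"]));
```

On the public page the admin cookie is out of scope, while the comment-data and plugin cookies set on `/` are readable. Only the HttpOnly cookie stays out of script on every path; Path scoping limits what a public-side page sees but is not a strong isolation boundary.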

Updates should be seamless for the vast majority of people; otherwise, make sure that all plugins are also updated to their most recent version. We’ll add entries to the FAQ specifically for 4.0.5 where questions may arise. There’s also a very minor, low-impact issue for 4.0.5rc1 testers. I’ll write more about that in the next few days, but it is nothing that has any impact on updating to 4.0.5 final right away.

Changes since 4.0.4:

  • Fixed security issue on public-side (XSS) (thanks zarathu)
  • Fixed path disclosure issue (thanks zarathu)
  • Search for posted and last modified dates in article list
  • New tag: <txp:hide /> as a container for comments and other internal content
  • Changed tags: <txp:comments />, <txp:category_list />, <txp:section_list /> and <txp:image_index /> support ‘sort’ attribute
  • Distribute jQuery 1.1.2 as a default JavaScript library
  • Keep image properties on replacement
  • Add ‘delete thumbnail’ function
  • Support back end branding: customizable logo and color bar
  • Table sort indicators
  • Textile improvements
  • Fix non-UTF-8 mails (ISO 8859-1)
  • Better wrapping in admin interface to prevent horizontal scrollbar
  • Add comment status to comment notification mails
  • Fix “infinite” pagination in rare edge cases
  • Work around Apache bug for file downloads (in connection with mod_deflate)
  • Fix error messages on wrong logins for older MySQL versions
  • Fix comment spam blacklist false positives
  • Fix file_download-tag from showing the same url for different downloads
  • Fix disappearing comment preferences in certain circumstances
  • Fix “active class” in section_list, category_list
  • Better cooperation with some proxies (and other HTTP/1.0 clients)
  • Smarter comment submit button emphasises preview step
  • Optionally hide spam comments in back end list
  • Truncate longish article category titles in the write screen
  • Handle thumbnailing of larger images
  • Better MoveableType import
  • Fix some more IIS issues
  • New callback event: ‘textpattern_end’
  • New callback event: ‘ping’
  • New tag: <txp:article_url_title />
  • Changed tag: <txp:permlink /> loses default title attribute
  • Changed tag: <txp:file_download_link /> returns filename as an additional URL part
  • Many, many minor improvements, see svn-logs

Further reading:
FAQ-Entries specific to 4.0.5 (will be added when they arise)
Textpattern Contributors (will soon be updated to 4.0.5)
Forum-Thread for the announcement