Saturday 02 February 2008 by

After quite a while and lots of work from many, many people it’s finally here. Textpattern 4.0.6 is available as always on the download page.

We have fixed no less than six security issues. Because half of those can be used from the public side, updating is strongly recommended.

Updates should be seamless for the vast majority of people, otherwise make sure that all plugins are also updated to their most recent version, especially admin-side plugins. We’ll add entries to the FAQ specifically for 4.0.6 where questions may arise.

Changes in 4.0.6:

  • Security (public side):
    • safer use of txp_login cookie + nonce (note: users are logged out after upgrading!)
    • fixed XSS vulnerability (thanks DSecRG) and input validation in setup script.
    • fixed XSS vulnerability and parameter value overflow in comments preview (thanks DSecRG)
  • Security (admin side):
    • add missing escape in SQL query (admin side)
    • fixed local file include vulnerability (publisher only) in textpattern/index.php (thanks DSecRG and Victor)
    • escape request method as shown on logs tab (thanks Victor)
  • New languages: Croatian, Korean, Português (Brasil), Serbian (Latin + Cyrillic), Turkish and Vietnamese
  • New tags:
    • <txp:if_search_results> </txp:if_search_results>
    • <txp:search_term />
  • Changed tags:
    • <txp:thumbnail /> allows non-JS links to the full-size image
    • <txp:article_custom /> allows comma-separated lists for category, section and author attributes (thanks Manfr
      e)
    • <txp:linklist /> allows comma-separated list for category attribute
    • <txp:file_download_list /> allows comma-separated list for category attribute
    • <txp:recent_articles /> allows comma-separated lists for category and section attribute
    • <txp:related_articles /> allows comma-separated list for section attribute
    • <txp:search_result_excerpt /> allows a custom “break” attribute defaulting to an ellipsis
  • Several tags have been deprecated and will be replaced automatically during the upgrade: <txp:sitename />, <txp:request_uri />, <txp:s />, <txp:c />, <txp:q />, <txp:id />, <txp:pg /> (more info)
  • Added ‘password reset’ functionality (with confirmation email) on the login screen
  • Update to jQuery 1.2.2 as a default JavaScript library
  • Fix textile list incompatibility with PHP 5.2.4 (and higher)
  • Fix http-auth when using lighttpd or (mostly) apache+fcgi
  • Fix HTTPS protocol check for ISAPI with IIS
  • Fix use of article tags on a sticky article page
  • Speed improvements (less SQL queries needed)
  • Pages, sections and styles can no longer be accidentally deleted if they are used on other tabs.
  • Corrections in the tag builder
  • Refrain from showing sticky articles from non-frontpage sections in search results
  • Enable separate search section for messy URL mode
  • Plugin developers should note that using add_privs() for admin-side plugins is now required (used to be optional for publisher-only plugins) and the included HISTORY.txt contains other useful information.
  • Many, many minor improvements, see SVN logs

Further reading:
FAQ-Entries specific to 4.0.6 (will be added when they arise)
Textpattern Contributors (will soon be updated to 4.0.6)
Forum-Thread for the announcement