We have fixed one security issue (XSS) on the public-side with comment-previews, which means that updates are strongly recommended. The relevance and potential attack vectors are described on wikipedia [type 1]. Since the authentification cookie is restricted to the admin-directory and not accessible from the front-end, in most cases this means “only” the info from the comment-data-cookie might be leaked. Users that run textpattern together with other software or third party plugins that set cookies might be at risk of having other data leaked, when a user can be tricked into following certain links.

Updates should be seamless for the vast majority of people, otherwise make sure that all plugins are also updated to their most recent version. There’s also a very minor, low-impact issue for 4.0.5rc1-testers, but I’ll write more about that in the next few days, but nothing that has any impact on updating to 4.0.5 final right away.

Download

File download

textpattern-4.0.5.zip

Zip format.
File size 323 kB | Created
File download

textpattern-4.0.5.tar.gz

Gzip format.
File size 281 kB | Created

Changes since 4.0.4

  • Fixed security issue on public-side (XSS) (thanks zarathu)
  • Fixed path disclosure issue (thanks zarathu)
  • Search for posted and last modifed dates in article list
  • New tag: <txp:hide /> as a container for comments and other internal content
  • Changed tags: <txp:comments />, <txp:category_list />, <txp:section_list /> and <txp:image_index /> support sort attribute
  • Distribute jQuery 1.1.2 as a default JavaScript library
  • Keep image properties on replacement
  • Added ‘delete thumbnail’ function
  • Support for back end branding: customizable logo and color bar
  • Table sort indicators
  • Textile improvements
  • Fix non-UTF-8 mails (iso 8859-1)
  • Better wrapping in admin-interface to prevent horizontal scrollbar
  • Added comment status to comment notification mails
  • Fixed infinite pagination in rare edge cases
  • Worked around apache bug for file downloads (in connection with mod_deflate)
  • Fixed error messages on wrong logins for older mysql versions
  • Fixed comment spam blacklist false positives
  • Fixed file_download tag from showing the same URL for different downloads
  • Fixed disappearing comment preferences in certain circumstances
  • Fixed active class in section_list, category_list
  • Better cooperation with some proxies (and other HTTP/1.0 clients)
  • Smarter comment submit button emphasises preview step
  • Optionally hide spam comments in back end list
  • Truncate longish article category titles in the write screen
  • Handle thumbnailing of larger images
  • Better MoveableType import
  • Fixed some more IIS issues
  • New callback event: textpattern_end
  • New callback event: ping
  • New tag: <txp:article_url_title />
  • Changed tag: <txp:permlink /> loses default title attribute
  • Changed tag: <txp:file_download_link /> returns filename as an additional URL part
  • Many, many minor improvements

Further reading

Forum thread for the announcement.