Textpattern CMS 4.4.0 released: focus on security

Yes, we know we said 4.3.0 would be the last version before Textpattern 5… but sometimes things don’t turn out the way we planned. Please take a moment to read about Textpattern 4.4.0, a very important step up for the security of your Textpattern web sites.

Textpattern CMS 4.4.0 is immediately available for download and we strongly recommend that you upgrade. This release fixes several important security vulnerabilities that have recently been discovered. We advise that you are fully logged out of Textpattern before commencing this upgrade.

Download

  • Single-site install version, Zip format (file size: 480 kB)
  • Multi-site install version, Gzip format (file size: 425 kB)

Bouncer at the door

If you are running an Apache web server, rename the .htaccess-dist file in the /files directory to .htaccess to prohibit direct URL access to your files. Thus the only route to these files becomes through /file_download. We recommend you consider employing this feature or—if you are running a non-Apache web host or simply want to be extra cautious—that you move your /files directory out of a web-accessible location. Once moved, you can tell Textpattern of your new directory location from Advanced preferences.

If your name’s not down you’re not coming in

Previously, people with privileges set to ‘None’ could still log in; they just saw nothing but a “Restricted area” message on every tab. Now they are not even permitted entry.

One of Textpattern’s functions could be called without its user permissions being enforced. There were also a few places in the code where the user name and some page names were not properly escaped, so obscure names containing odd characters could cause errors. These issues have all now been closed.

Even though we have tightened security in this release, we do urge you to review your user accounts and make sure that current and future users are only granted sufficient privileges to perform their assigned administration role(s). Every account is a potential entry point for any system, and Textpattern is no different: reduce your attack surface by granting lower permissions first and only elevating them after rigorous consideration.

In other words: traffic might need to flow both ways on ‘Trust Street’, but there’s no harm in giving Textpattern priority over oncoming vehicles!

What’s the password?

We have relied on MySQL’s PASSWORD() function for a long time now. MySQL themselves do not recommend this, and as we move forward to Textpattern 5 our goal is to open up the avenue for using other databases, so relying on MySQL runs counter to that philosophy. We have therefore taken the step of implementing phpass from this point forward.

This has the implication that passwords are now case sensitive. Your existing passwords will be upgraded to phpass automatically on first login. Again, we strongly recommend that you are fully logged out of Textpattern before commencing the upgrade so that your account is treated to the upgrade when you log back in.

After the upgrade, remember that an existing account is only migrated to phpass on that user’s next successful login; until then it is still verified against its MySQL password hash. Please advise your less frequent users to log in as soon as possible.
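The lazy migration described in the two paragraphs above can be shown in a few lines. The following is an added example written for this article, not Textpattern’s own code: it reproduces the MySQL 4.1+ PASSWORD() format (an asterisk followed by the uppercase hex of SHA-1 applied twice) so that legacy hashes can be recognised and verified, and uses PBKDF2-HMAC-SHA256 from Python’s standard library as a stand-in for phpass, which is not available there. The user table, user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
import re

# Legacy format: what MySQL 4.1+ PASSWORD() stores, i.e. '*' + HEX(SHA1(SHA1(pw))).
LEGACY_RE = re.compile(r"^\*[0-9A-F]{40}$")


def mysql_password(pw: str) -> str:
    """Reproduce MySQL's PASSWORD() so legacy hashes can be verified in code."""
    inner = hashlib.sha1(pw.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def modern_hash(pw: str, salt: bytes = None, rounds: int = 100_000) -> str:
    """Stand-in for phpass (assumption): salted PBKDF2-HMAC-SHA256.

    Stored as "$pbkdf2$<rounds>$<salt hex>$<derived key hex>".
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, rounds)
    return f"$pbkdf2${rounds}${salt.hex()}${dk.hex()}"


def modern_verify(pw: str, stored: str) -> bool:
    """Verify against the modern format using a constant-time comparison."""
    _, scheme, rounds, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", pw.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def login(users: dict, name: str, pw: str) -> bool:
    """Check a password; on a successful login against a legacy hash, rehash.

    A failed attempt never touches the stored hash, so an account stays on
    the MySQL format until its owner logs in with the correct password.
    """
    stored = users.get(name)
    if stored is None:
        return False
    if LEGACY_RE.match(stored):
        if not hmac.compare_digest(mysql_password(pw), stored):
            return False
        users[name] = modern_hash(pw)  # migrate on first successful login
        return True
    return modern_verify(pw, stored)


def is_migrated(users: dict, name: str) -> bool:
    """True once the account no longer carries a legacy MySQL hash."""
    return not LEGACY_RE.match(users[name])


def make_users() -> dict:
    """Constructed user table: both accounts still on MySQL PASSWORD() hashes."""
    return {
        "alice": mysql_password("Secret123"),
        "bob": mysql_password("hunter2"),
    }


if __name__ == "__main__":
    users = make_users()
    print("alice migrated before login:", is_migrated(users, "alice"))
    print("alice login:", login(users, "alice", "Secret123"))
    print("alice migrated after login:", is_migrated(users, "alice"))
    print("bob still legacy:", not is_migrated(users, "bob"))
```

An account that never logs in keeps its legacy hash indefinitely, which is why the announcement asks you to chase up infrequent users; a wrong password leaves the stored hash exactly as it was.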

One other password-related improvement: programmers may now call txp_validate() with an extra parameter signifying whether you are ‘just testing’ the password or ‘actually logging in’. This allows you to check a password using the built-in function without triggering a login.

On guard

This release also mops up some bits and pieces that snuck into 4.3.0. Namely:

  • a few places that still used deprecated attributes, mostly in the tag builder
  • some Textile security fixes
  • a bug in <txp:variable /> when dealing with empty values
  • search engines shouldn’t index “Nice try” messages any more
  • messy mode context and get_pref() bugs squashed

jQuery has also been upgraded to 1.5.1.

We are indebted to Neal Poole for highlighting the security implications in the previous release; without his well-presented advice and hard work we wouldn’t have been able to improve things so quickly. Thank you!

So without any further ado, please take the time to upgrade your sites to Textpattern CMS 4.4.0 and enjoy another fine release in the Textpattern family.

Comments

  1. Thanks a lot, Decs :)

  2. Wonderful, thanks for this release.

  3. Thanks~

  4. Thank you!

  5. Nice list of fixes! Still waiting for new TXP5!

  6. Great! With the help of old school wget, unzip and ‘cp * -r’ the successful update from 4.3.0 only took about two minutes.

    I also took the chance to push the ‘extension DB Backup path’ to a not web accessible location which worked without trouble.

    For a better overview I would simply recommend changing /htdocs/website_root/files to /htdocs/website_root-files if running the site on Apache.

  7. “the only route to these files becomes through /file_download”

    How do you deal with media players? How can you respect authors’ copyrights and still let public visitors listen to audio and video clips and playlists without downloading the media file?

  8. Waiting for new TXP5 too!

  9. Thank you!

  10. Thanks Stef!

  11. Upgraded! Thanks, Team Textpattern. :)

  12. Thank you :)

  13. Good work, team – thank you from Abingdon, UK!

  14. Upgraded! Nice work!

  15. Cheese!

  16. Good work, thank you!
    The security of Textpattern always lets me sleep well.

  17. Well. Thank you!

    A fine step forward!

  18. Passwords were not case sensitive before 4.4.0? What the heck? That was an unpleasant surprise for me.

  19. Awesome work, thanks, I’ll give it a whirl…

  20. Something is wrong with the download link:

    <li><a href="https://textpattern.com/file_download/66/textpattern-4.4.0.tar.gz&#38;">textpattern-4.4.0.tar.gz</a></li>

    …..&#38….

  21. I was thinking that this update would have fixed this when saving an article:

    Deprecated: Function split() is deprecated in /mywebroot/textpattern/lib/classTextile.php on line 617

    We’re running PHP 5.3 and now Textpattern 4.4

  22. Keep up the good work! Thank you very much for the release. : )

  23. THANK you to all devs and contributors. I really MUST look at my RSS feeds more often, didn’t even know 4.4.0 was out!

    Brilliant!

  24. Thanks for the great work!

    But hey, the fox_code plugin seems to have stopped working after the upgrade.

    Not sure if anyone else has the same problem
