WordPress 2.9.2 Security Update Details

WordPress 2.9.2 Security Update

WordPress 2.9.2 Security Update

February 15, 2010 WordPress.org announced WordPress 2.9.2 release. WordPress development blog says about fixing the “…problem where logged in users can peek at trashed posts belonging to other authors. If you have untrusted users signed up on your blog and sensitive posts in the trash, you should upgrade to 2.9.2“. Upgrade procedure is simple as usual. You can use the upgrade link at the top of admin dashboard page to upgrade WordPress version automatically. Other way is to change all WordPress files manually. There are no any changes in the database structure comparing with 2.9.1 version, just a few changes in the PHP source code. Check the details below.
These 10 files are changed in the 2.9.2 WordPress version comparing to 2.9.1 one:

  • readme.html
  • wp-comments-post.php
  • wp-includes/version.php
  • wp-includes/query.php
  • wp-includes/http.php
  • wp-includes/functions.php
  • wp-admin/menu.php
  • wp-admin/edit-category-form.php
  • wp-admin/includes/update-core.php
  • wp-admin/includes/plugin.php

So, to make the manual update and do not touch accidentally some WordPress files changed by you earlier, you can change just 10 files listed above.
Let’s look inside of updated files and see what the changes WordPress team made to enhance our loving blog platform.

readme.html

Just the version number was changed from 2.9.1 to 2.9.2 at lines 23, 26.

wp-comments-post.php

version 2.9.1. from line # 30:

} elseif ( in_array($status->post_status, array('draft', 'pending') ) ) {
	do_action('comment_on_draft', $comment_post_ID);
	exit;
} elseif ( 'trash' == $status->post_status ) {
	do_action('comment_on_trash', $comment_post_ID);
	exit;

version 2.9.2 updated code:

} elseif ( in_array($status->post_status, array('draft', 'future', 'pending') ) ) {
	do_action('comment_on_draft', $comment_post_ID);
	exit;
} elseif ( 'trash' == $status->post_status ) {
	do_action('comment_on_trash', $comment_post_ID);
	exit;
} elseif ( post_password_required($comment_post_ID) ) {
	do_action('comment_on_password_protected', $comment_post_ID);
	exit;

Post status ‘future’ checking was added for comment_on_draft action. Additional checking was added for comment_on_password_protected action.

version.php

Just the version number was changed from 2.9.1 to 2.9.2 at line 11.

query.php

Version 2.9.1, line # 2283:

if  (in_array($status, array('draft', 'pending')) ) {
// User must have edit permissions on the draft to preview.
if (! current_user_can("edit_$post_type_cap", $this->posts[0]->ID)) {

Updated code in version 2.9.2:

if  (in_array($status, array('draft', 'pending', 'trash')) ) {
// User must have edit permissions on the draft to preview.
if (! current_user_can("edit_$post_type_cap", $this->posts[0]->ID)) {

Checking for “trash” status was added here. Post edit permission is checked now for the posts in trash too.

http.php

Function decompress() was updated in this file. Version 2.9.1 had

function decompress( $compressed, $length = null ) {
		$decompressed = WP_Http_Encoding::compatible_gzinflate( $compressed );
		if ( false !== $decompressed )
			return $decompressed;
		$decompressed = gzuncompress( $compressed );
		if ( false !== $decompressed )
			return $decompressed;
		if ( function_exists('gzdecode') ) {
			$decompressed = gzdecode( $compressed );
			if ( false !== $decompressed )
				return $decompressed;
		}
		return $compressed;
	}

Version 2.9.2 has

function decompress( $compressed, $length = null ) {
		if ( false !== ( $decompressed = @gzinflate( $compressed ) ) )
			return $decompressed;
		if ( false !== ( $decompressed = WP_Http_Encoding::compatible_gzinflate( $compressed ) ) )
			return $decompressed;
		if ( false !== ( $decompressed = @gzuncompress( $compressed ) ) )
			return $decompressed;
		if ( function_exists('gzdecode') ) {
			$decompressed = @gzdecode( $compressed );
			if ( false !== $decompressed )
				return $decompressed;
		}
		return $compressed;
	}

If you interested in more details for this fix, you can find a primary discussion on this issue at WordPress bug tracker.

functions.php

Function _search_terms_tidy() was updated. Version 2.9.1 was

function _search_terms_tidy($t) {
	return trim($t, "\"\'\n\r ");
}
?>

Version 2.9.2 became

function _search_terms_tidy($t) {
	return trim($t, "\"'\n\r ");
}
?>

Slash was removed before single quote inside the string. Ticket for this issue at WordPress bug tracker can be found here.

menu.php

Code from line 198 was updated to fix admin menu access issue. Version 2.9.1 had

// Remove menus that have no accessible submenus and require privs that the user does not have.
// Run re-parent loop again.
foreach ( $menu as $id => $data ) {
	// If submenu is empty...
	if ( empty($submenu[$data[2]]) ) {
		// And user doesn't have privs, remove menu.
		if ( ! current_user_can($data[1]) ) {
			$_wp_menu_nopriv[$data[2]] = true;
			unset($menu[$id]);
		}
	}
}

Version 2.9.2 has now

// Remove menus that have no accessible submenus and require privs that the user does not have.
// Run re-parent loop again.
foreach ( $menu as $id => $data ) {
	if ( ! current_user_can($data[1]) )
		$_wp_menu_nopriv[$data[2]] = true;
 
	// If submenu is empty...
	if ( empty($submenu[$data[2]]) ) {
		// And user doesn't have privs, remove menu.
		if ( isset( $_wp_menu_nopriv[$data[2]] ) ) {
			unset($menu[$id]);
		}
	}
}

Ticket for this issue at WordPress bug tracker can be found here.

edit-category-form.php

HTML typo was fixed at the end of line 59. Version 2.9.1 had

<td><input name="cat_name" id="cat_name" type="text" value="<?php echo esc_attr($category->name); ?>" size="40" aria-required="true" /><br />

Version 2.9.2 has

<td><input name="cat_name" id="cat_name" type="text" value="<?php echo esc_attr($category->name); ?>" size="40" aria-required="true" /></td>

Invalid <br/> was changed to the necessary closing </td> tag.

update-core.php

Just the version number was changed from 2.9.1 to 2.9.2 at line 226.

plugin.php

Admin menu access security fix was made at line #594. Version 2.9.1 had

if (!empty ( $function ) && !empty ( $hookname ))

Version 2.9.2 has now

if (!empty ( $function ) && !empty ( $hookname ) && current_user_can( $access_level ) )

That’s all changes for the 2.9.2 WordPress version.

Tags: ,