
New Year Gift for Bloggers - WordPress 2.3.2

As always, I am trailing at the very tail of the WP movement; I mean the speed of my reaction to release announcements)
Two different builds of the Russian WordPress 2.3.2, which has only just come off the assembly line, have already been published (from Maxim and from mywordpress.ru), but I will nevertheless dare to be unoriginal and once again write up the changes with my own comments.
So, the data is taken from the official announcement.


Improved performance when processing posts before displaying to the user.

I hope that I understood correctly what is written in this ticket.
When a post or any other page is displayed, the get_post function is called multiple times; functions such as the_title, get_permalink, etc. work through it. Moreover, although the data received from get_posts is cached, the filtering/selection of data happens after ALL the data has been received, not before, which naturally affects performance. In 2.3.2 this is fixed.
Improved is_admin() function. An ordinary user can no longer get access to administrators' "Drafts".
I already wrote about the "hole" with access to drafts; now it is not a hole at all.
Database errors are now shown only with WP_DEBUG enabled.
Another safeguard against "hell-sly hackers", so that they cannot find out the table names of your WordPress installation when attempting SQL injection.
During the installation of WordPress, if the database user lacks sufficient rights, an error will be reported.
And, therefore, a "crooked" config will not be created.
A template for displaying errors when connecting to the database has appeared.
Now any user can make changes to the wp-content/db-error.php file, which will be shown when it is impossible to connect to the database (for example, if the number of simultaneous connections is exceeded).

Added an additional check when processing text that is converted into a link.
There is a handler that fires when you insert text containing http://, and the text is automatically converted into the corresponding link. Performance is improved because the conversion function now distinguishes between regular links, FTP links and mailboxes. It should be noted that, apparently, such links (except for mailboxes) will automatically be output with rel="nofollow"; in any case, everything points to this.
Changes have been made to posting by mail via POP3 in order to avoid possible XSS attacks.
Another bug is closed.
A password request for a post will be issued only to those users who have the right to edit that particular post. All this applies only to third-party client programs that work through XML-RPC.
Another change in XML-RPC, related to the display of user data when calling wp.getAuthors.
The data is now returned in a more limited format, and there is a check that the user has minimal rights (editing posts), in order to limit the distribution of information such as the user's name, username, and so on.
And a whole bunch of checks in XML-RPC and App methods to improve security.
And very small additions to the checking of file paths on Windows servers.
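
An added example (not code from WordPress or from the original article) of what a custom wp-content/db-error.php might look like, in keeping with the change that hides database errors unless WP_DEBUG is enabled: it reports the outage without exposing any database details. The Retry-After value, the log message format and the page text are assumptions made for illustration.

```php
<?php
// wp-content/db-error.php (illustrative example, not WordPress core code).
// WordPress shows this file when it cannot connect to the database.
// Assumption: the rest of WordPress may not be loaded at this point,
// so only plain PHP functions are used.

// Mark the failure as temporary so browsers, proxies and crawlers
// neither cache the error page nor treat it as the real content.
if (!headers_sent()) {
    header('HTTP/1.1 503 Service Unavailable');
    header('Status: 503 Service Unavailable');
    header('Retry-After: 300'); // constructed value: retry in 5 minutes
    header('Cache-Control: no-cache, no-store, must-revalidate');
    header('Content-Type: text/html; charset=utf-8');
}

// Record the event on the server only. Control characters are stripped
// and the URI is truncated so a crafted request cannot forge log lines.
$uri = isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-';
$uri = preg_replace('/[\x00-\x1F\x7F]/', '', $uri);
error_log('db-error.php: database unavailable, request=' . substr($uri, 0, 200));

// The visible page is static: no request data is echoed back (no XSS
// surface) and no host, user, table name or MySQL error text is shown.
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex">
<title>Temporarily unavailable</title>
</head>
<body>
<h1>The site is temporarily unavailable</h1>
<p>Please try again in a few minutes.</p>
</body>
</html>
```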


That's all. It seems like not much, but not a little either. I think it is worth installing, but ... only once head and hands are working actively and correctly again after the New Year celebrations, otherwise who knows what one might do)

Original article "New Year's Gift to Bloggers - WordPress 2.3.2"

Source: https://habr.com/ru/post/18284/

