WordPress Release: 2.0.3

Tag Name: 2.0.3

Release Date: 6/2/2006


World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

TL;DR

WordPress 2.0.3 is a security-focused maintenance release for the 2.0.x branch. It introduces nonces (per-user, per-action tokens that admin requests must carry, which defeats cross-site request forgery), makes the cookie-handling functions pluggable, adds a per-site server secret with the wp_hash() and wp_salt() helpers, and tightens data sanitization. It also removes untrusted comment author names from JavaScript confirmation dialogs, closing a potential JavaScript injection, and fixes several bugs in text formatting (texturize), comment handling and database queries. Permalink generation and entity conversion are faster.

This release is critical for all WordPress 2.0.x users because it closes the main exposure of the 2.0.x admin area: state-changing requests that could be forged from another site while an administrator is logged in. Site administrators should update immediately.

Highlights of the Release

    • Implementation of nonces for improved security against CSRF attacks
    • Enhanced cookie handling with pluggable cookies
    • Improved data sanitization throughout the system
    • Performance improvements for permalink generation
    • Fixed texturize issues affecting content formatting
    • Added server secret for improved security
    • Multiple bug fixes for comment handling

Migration Guide

Upgrading to WordPress 2.0.3

This is primarily a security and bug fix release that doesn't require any special migration steps. However, here are some recommendations for a smooth upgrade:

  1. Backup your site: Always create a complete backup of your WordPress files and database before upgrading.

  2. Plugin compatibility: If you've written custom plugins that handle form submissions or action links in the admin area, or that set or read WordPress cookies, review them. Admin actions are now expected to carry a nonce, so a plugin's own state-changing requests should emit one and verify it; and the cookie functions are now pluggable, so a plugin that overrides them must define them before core's pluggable definitions load.

  3. Update process:

    • Download the WordPress 2.0.3 package
    • Deactivate all plugins
    • Replace your existing WordPress files with the new ones
    • Run the WordPress upgrade script by visiting /wp-admin/upgrade.php
    • Reactivate your plugins one by one to ensure compatibility

  4. After upgrading: Test your site thoroughly, especially any custom functionality related to comments, text formatting, or user authentication.

No database schema changes are included in this release, so the upgrade process should be relatively quick.
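The plugin change that step 2 alludes to, as an added example that is not code from the release or from any real WordPress plugin: a hypothetical options page written the pre-2.0.3 way, beside the same page carrying a nonce. wp_nonce_field(), wp_nonce_url() and check_admin_referer() are the nonce helpers that ship with 2.0.3; the plugin name, option name, action strings and function names are made up for this example. It assumes a WordPress 2.0.3 install with the file placed in wp-content/plugins and activated.

```php
<?php
/*
Plugin Name: Example Greeting (hypothetical plugin written for this example)
*/

// BEFORE: nothing ties this state-changing POST to a deliberate action by the
// logged-in administrator. Any page the admin visits while logged in can submit
// an identical form from a hidden auto-submitting form and change the option
// (cross-site request forgery). This is the pattern a 2.0.x plugin should drop.
function example_greeting_page_unprotected() {
    if ( isset($_POST['example_greeting']) ) {
        // stripslashes() undoes the magic-quotes style slashing WordPress 2.0 applies to $_POST.
        update_option('example_greeting', stripslashes($_POST['example_greeting']));
        echo '<div class="updated"><p>Saved.</p></div>';
    }
    ?>
    <form method="post">
        <input type="text" name="example_greeting"
               value="<?php echo wp_specialchars(get_option('example_greeting')); ?>" />
        <input type="submit" value="Save" />
    </form>
    <?php
}

// AFTER: the form carries a nonce minted for the action "example-save-greeting"
// and the current user, and the handler refuses the request unless it verifies.
function example_greeting_page_protected() {
    // A state-changing GET link gets the same treatment: the nonce travels in
    // the query string (appended by wp_nonce_url() below) and is checked here.
    if ( isset($_GET['reset']) ) {
        check_admin_referer('example-reset-greeting');
        delete_option('example_greeting');
        echo '<div class="updated"><p>Greeting reset.</p></div>';
    }
    if ( isset($_POST['example_greeting']) ) {
        // check_admin_referer() reads the _wpnonce field that wp_nonce_field()
        // emitted and stops with an "Are you sure?" screen when the nonce is
        // absent, was minted for another user or action, or falls outside the
        // time window WordPress accepts. Nonces are time-bucketed, not
        // single-use, so they do not give replay protection for the same user.
        check_admin_referer('example-save-greeting');
        update_option('example_greeting', stripslashes($_POST['example_greeting']));
        echo '<div class="updated"><p>Saved.</p></div>';
    }
    ?>
    <form method="post">
        <?php wp_nonce_field('example-save-greeting'); ?>
        <input type="text" name="example_greeting"
               value="<?php echo wp_specialchars(get_option('example_greeting')); ?>" />
        <input type="submit" value="Save" />
    </form>
    <?php
    $reset = wp_nonce_url('options-general.php?page=' . basename(__FILE__) . '&reset=1',
                          'example-reset-greeting');
    echo '<p><a href="' . $reset . '">Reset greeting</a></p>';
}

function example_greeting_menu() {
    // 8 is the user level of an administrator in the 2.0.x level system.
    add_options_page('Example Greeting', 'Example Greeting', 8, basename(__FILE__),
                     'example_greeting_page_protected');
}
add_action('admin_menu', 'example_greeting_menu');
```

A nonce is a keyed hash of the action, the user and a time bucket, so it proves the request came from a form or link WordPress itself rendered for this user; it is not an authorization check. Keep the administrator requirement on the page and verify the nonce in addition to it.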

Upgrade Recommendations

Immediate upgrade strongly recommended for all WordPress 2.0.x users.

This release contains security hardening that closes concrete exposures in the admin area and in output handling. The security improvements include:

  • Protection against Cross-Site Request Forgery (CSRF) attacks through nonces
  • Enhanced cookie handling
  • Improved data sanitization
  • Removal of untrusted comment author names from JavaScript confirmation dialogs, closing a potential JavaScript injection

Given the security-focused nature of this release, all WordPress 2.0.x site administrators should update their installations immediately. The security benefits far outweigh any potential upgrade inconveniences.

For users on earlier versions of WordPress, this release provides additional motivation to upgrade to the 2.0.x branch to benefit from these important security enhancements.

Bug Fixes

Text Formatting Fixes

  • Fixed texturize issues to prevent formatting problems on home page (fixes #2381)
  • Fixed additional texturize issues (fixes #2634)
  • Fixed entity conversion optimization in ent2ncr function (fixes #2548)
  • Fixed excerpt handling (fixes #2686)

Comment Handling

  • Comment author names are now passed through wp_specialchars() before output
  • Fixed security issue by removing comment author name from JavaScript confirmation dialogs (fixes #2744)
  • Additional comment fixes (fixes #2748)
  • Fixed comment filter functionality

Database and Query Fixes

  • Fixed update_option() action handling (fixes #2553)
  • Fixed backreferences in mysql2date() function (fixes #2564)
  • Removed artificial limit that affected posting with seldom-used categories
  • Fixed pagination for single page queries (fixes #2578)
  • Added prophylactic (int) casts and quoting of values interpolated into database queries, a defensive measure against SQL injection through unexpected input

Other Fixes

  • Fixed smilies sorting issue (fixes #2550)
  • Fixed enclosure redirect (fixes #2551)
  • Fixed sanitize_user regex (fixes #2729)
  • Fixed cache flushing to only occur when the database is out-of-date
  • Fixed string splitting to use '; ' instead of ';'
  • Fixed backup plugin functionality
  • Added a "dots" fix to work around an Apache mod_mime problem (mod_mime can apply handlers based on any extension-like segment of a filename that contains several dots)

New Features

Security Enhancements

  • Nonces Implementation: Added nonce functionality to protect against Cross-Site Request Forgery (CSRF) attacks
  • Pluggable Cookies: Backported pluggable cookies for improved security and flexibility
  • Server Secret: Added server secret functionality for enhanced security
  • Hash Functions: Implemented wp_hash() and wp_salt() functions for improved security
  • Base64 Cached Objects: Enhanced cache security by base64 encoding cached objects and storing within multi-line comment blocks to prevent CRLF injections

New Filters

  • Added new category filters for improved customization
  • Added new user filters for better control over user data

Security Updates

Critical Security Enhancements

  • Nonces Implementation: Added nonce functionality to protect against Cross-Site Request Forgery (CSRF) attacks, with backported nonce fixes (#2678)
  • Pluggable Cookies: Backported pluggable cookies for improved authentication security
  • Data Sanitization: Enhanced sanitization of user input throughout the system
    • Added wp_specialchars for comment author names
    • Fixed sanitize_user regex (fixes #2729)
    • Improved handling of untrusted data in JavaScript contexts

Cache Security

  • Base64 Encoding: Now base64 encoding cached objects and storing within multi-line comment blocks to prevent CRLF injections into the cache
  • Server Secret: Implemented server secret functionality for enhanced security measures
  • Hash Functions: Added wp_hash() and wp_salt(), which mix the server secret into a hash so that derived values such as nonces cannot be recomputed by someone who knows only the public inputs

JavaScript Security

  • Removed comment author name from JavaScript confirmation dialogs to avoid potential JavaScript injection issues with untrusted data (fixes #2744)
  • Added js_escape() function to properly escape JavaScript strings
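Why the author name was removed rather than merely HTML-escaped, as an added stand-alone example that is not core code and not from the 2.0.3 changeset: the vulnerable pattern, the 2.0.3 fix, and the escaping that would be needed if untrusted data had to appear in the dialog. The stand-ins for wp_specialchars() and js_escape() are assumed approximations, supplied only so the script runs outside WordPress with php on the command line; inside WordPress the core functions of the same name are used instead. The author name is a constructed payload.

```php
<?php
// Stand-alone demo (added example, not WordPress core code). Outside WordPress
// the two helpers do not exist, so assumed approximations are defined here;
// inside a 2.0.3 install the core functions of the same name are used instead.
if ( ! function_exists('wp_specialchars') ) {
    function wp_specialchars($text) {
        // HTML-escape: & first so the entities introduced afterwards are not re-escaped.
        return str_replace(
            array('&', '<', '>', '"', "'"),
            array('&amp;', '&lt;', '&gt;', '&quot;', '&#039;'),
            $text
        );
    }
}
if ( ! function_exists('js_escape') ) {
    function js_escape($text) {
        // Backslash-escape for a JavaScript string literal: backslash first.
        return str_replace(
            array('\\', "'", '"', "\n", "\r"),
            array('\\\\', "\\'", '\\"', '\\n', '\\r'),
            $text
        );
    }
}

// Constructed attacker-controlled comment author name (not real data).
$author = "Mallory'); alert(document.cookie); //";

// BEFORE 2.0.3 (vulnerable pattern): the name sits inside a JavaScript string
// inside an onclick attribute. HTML-escaping does not help here: the browser
// decodes &#039; back to ' while parsing the attribute and only then hands the
// text to the JavaScript engine, where the quote terminates the string.
function delete_link_before($author) {
    return '<a href="comment.php?action=deletecomment" onclick="return confirm(\'Delete the comment by '
        . wp_specialchars($author) . '?\');">Delete</a>';
}

// WHAT 2.0.3 SHIPPED: no untrusted data inside the script at all.
function delete_link_fixed() {
    return '<a href="comment.php?action=deletecomment" onclick="return confirm(\'You are about to delete this comment. OK?\');">Delete</a>';
}

// IF THE NAME MUST APPEAR: escape for the inner context (JavaScript string
// literal) first, then for the outer one (HTML attribute). The browser undoes
// the attribute escaping and the script engine then sees a properly escaped
// string literal, with the attacker's quote still inside it.
function delete_link_escaped($author) {
    $script = "return confirm('Delete the comment by " . js_escape($author) . "?');";
    return '<a href="comment.php?action=deletecomment" onclick="' . wp_specialchars($script) . '">Delete</a>';
}

echo delete_link_before($author), "\n";
echo delete_link_fixed(), "\n";
echo delete_link_escaped($author), "\n";
```

Run it with php on the command line and paste each line into an HTML file to compare the three links. The lesson is the nesting of contexts: the string lives in JavaScript, which lives in an HTML attribute, so the browser decodes HTML entities first and the JavaScript parser sees the result. Escaping for only the inner context or only the outer one is insufficient, and a backslash-escaper such as js_escape() still does not protect a string inside a script block from a literal closing script tag in the data. Omitting the untrusted value, as 2.0.3 did, sidesteps all of that.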

These security fixes address multiple potential vulnerabilities and significantly improve the overall security posture of WordPress installations.

Performance Improvements

Performance Enhancements

  • Permalink Generation: Significant performance improvement in get_permalink() function (fixes #2463)
  • Entity Conversion: Optimized ent2ncr function for better performance (fixes #2548)
  • Cache Management: Improved cache handling to only flush when the database is out-of-date
  • Query Optimization: Fixed pagination for single page queries to avoid unnecessary processing (fixes #2578)

The performance improvements in this release focus on optimizing common operations like permalink generation and entity conversion, which should result in faster page rendering and better overall site performance.

Impact Summary

WordPress 2.0.3 represents a significant security enhancement for the 2.0.x branch, introducing critical protections against common web vulnerabilities like CSRF attacks and potential JavaScript injections. The implementation of nonces, pluggable cookies, and improved data sanitization substantially improves WordPress's security posture.

Beyond security, this release addresses numerous bugs affecting core functionality like text formatting, comment handling, and database operations. Content creators will benefit from fixes to texturize functions and excerpt handling, while developers gain access to new filters and improved caching mechanisms.

Performance improvements to permalink generation and entity conversion should result in better overall site performance, particularly for sites with many posts or complex content.

This release demonstrates WordPress's commitment to security and stability in the 2.0.x branch, providing important protections while maintaining compatibility with existing sites and plugins. The security enhancements are particularly notable as they backport several important security features from development versions.

Statistics:

  Files changed: 61
  Line additions: 518
  Line deletions: 238
  Line changes: 756
  Total commits: 39

User Impact:

  • Enhanced security with nonces implementation to protect against CSRF attacks
  • Improved cookie handling with pluggable cookies
  • Better protection against potential security vulnerabilities
  • Fixed backup plugin functionality

Contributors:

ryanboren