WordPress Release: 2.0.4

TL;DR

WordPress 2.0.4 is a security and bug fix release that addresses numerous issues related to nonces, comment handling, and input validation. This update significantly improves the security posture of WordPress by fixing multiple potential vulnerabilities and enhancing data sanitization throughout the codebase. The release also includes various markup fixes for better HTML validation and several usability improvements.

Highlight of the Release

• Multiple security enhancements through improved nonce handling
• Better input validation and sanitization throughout the codebase
• Improved HTML validation in admin interfaces
• Enhanced comment handling with balanced HTML tags
• Updated KSES library to version 0.2.2
• New helper functions for developers

Migration Guide

This is primarily a security and bug fix release that doesn't require specific migration steps. Simply update to WordPress 2.0.4 using the standard WordPress update process.

If you've made customizations to your WordPress installation, particularly around:

• Custom nonce handling
• Comment processing
• File uploads
• Redirection

You should review your code to ensure compatibility with the enhanced security measures in this release.

Upgrade Recommendations

This release contains important security fixes and is highly recommended for all WordPress 2.0.x users. The security enhancements address multiple potential vulnerabilities related to nonce handling, input validation, and comment processing.

Priority: High
Timing: Immediate upgrade recommended

The update process should be straightforward with no known compatibility issues. As always, it's recommended to back up your database and files before upgrading.

Bug Fixes

Security and Input Validation

• Fixed multiple nonce-related security issues in admin actions
• Improved sanitization of user input throughout the codebase
• Enhanced URI sanitization in redirects
• Fixed comment nonce issues
• Added proper escaping for JavaScript in onclick events
• Updated KSES library to version 0.2.2 for better HTML filtering

Comment Handling

• Fixed comment deletion functionality
• Implemented balanced HTML tag enforcement in comments
• Fixed special character handling in comment titles
• Improved comment count updating

Admin Interface

• Fixed pagenow regex for better admin page handling
• Added proper feedback when username/password fields are empty
• Fixed markup issues in multiple admin screens
• Added proper bottoms to boxes on post screen
• Prevented negative values when paging

Other Fixes

• Fixed get_calendar() to prevent showing future dates
• Updated RBL site and turned off open proxy check by default
• Fixed custom field AJAX functionality
• Prevented deletion of default category
• Fixed Snoopy fread issues
• Improved handling of special characters in feed titles
• Implemented faster accent removal function

New Features

New Helper Functions

• Added wp_get_referer() and related functions for better referrer handling
• Introduced wp_get_current_commenter() to retrieve commenter information
• Added wp_explain_nonce() and wp_nonce_ays() for improved nonce handling
• Implemented wp_check_filetype() for better file upload security

Enhanced Functionality

• Updated to php-gettext 1.0.7+ for better internationalization support
• Added filter to get_category function
• Improved URI sanitization in wp_redirect()
• Enhanced wp_specialchars() with single/double quote support

Security Updates

Security Enhancements

• Fixed multiple nonce-related vulnerabilities throughout the admin interface
• Enhanced input validation and sanitization across the codebase
• Improved URI sanitization in wp_redirect() to prevent potential redirect attacks
• Added proper escaping for JavaScript in onclick events to prevent XSS
• Updated KSES HTML filtering library to version 0.2.2
• Implemented balanced HTML tag enforcement in comments
• Added better file upload security through improved type checking and filename sanitization
• Fixed potential security issues in comment handling
• Enhanced special character handling in post and comment titles
• Improved referrer handling with new helper functions

Performance Improvements

Performance Enhancements

• Implemented faster accent removal function through optimized character replacement
• Improved AJAX handling for custom fields
• Enhanced Snoopy HTTP client with better read handling
• Optimized HTML filtering through updated KSES library

Impact Summary

WordPress 2.0.4 is primarily a security-focused release that addresses multiple potential vulnerabilities and improves the overall security posture of WordPress installations. The release fixes numerous issues related to nonce handling, input validation, and comment processing.

The update includes significant improvements to how WordPress sanitizes and validates user input throughout the codebase, particularly in admin actions and comment handling. This helps protect sites against potential cross-site scripting (XSS) and other injection attacks.

For developers, the release adds several new helper functions that improve code quality and security, such as enhanced referrer handling and better file type checking. The update to KSES 0.2.2 provides improved HTML filtering capabilities.

Site administrators will benefit from improved HTML validation in admin screens and better error feedback. Content creators will experience more reliable handling of special characters in posts and comments.

This release represents an important step in WordPress's ongoing commitment to security and should be applied promptly to all WordPress 2.0.x installations.