WordPress Release: 3.7.8

TL;DR

WordPress 3.7.8 is a security and maintenance release that focuses on database handling improvements and security fixes. It addresses potential issues with database character encoding, improves handling of long strings in the database, removes suspicious comments during upgrades, and fixes a security vulnerability in Genericons. This release is particularly important for sites using non-ASCII characters in database tables and those concerned about security.

Highlight of the Release

• Improved database handling for non-ASCII characters and table names
• Enhanced security by removing suspicious comments during upgrades
• Fixed security vulnerability in Genericons by removing example.html files
• Optimized UTF-8 regex handling for low memory machines
• Added sanity checks to prevent data loss from unintelligible DB schemas

Migration Guide

No specific migration steps are required for this update. WordPress 3.7.8 is a maintenance and security release that should be applied automatically for sites on the 3.7 branch. If you're managing updates manually, it's recommended to update to this version as soon as possible to benefit from the security improvements.

Upgrade Recommendations

It is strongly recommended to upgrade to WordPress 3.7.8 as soon as possible due to the security fixes included in this release. The update addresses potential vulnerabilities in Genericons and improves database handling security. While WordPress 3.7 includes automatic background updates for security releases, site administrators should verify that their sites have been updated to 3.7.8.

For users on older versions of WordPress, consider upgrading to the latest major version for access to all current features and security improvements.

Bug Fixes

Database Handling Improvements

• Fixed issues with character encoding conversion by removing dependency on mb_convert_encoding() which behaves differently from MySQL's character encoding conversion
• Added proper sanity checks to ensure strings being stored in the database aren't too long to store correctly
• Improved handling of database queries that reference tables in the dbname.tablename format
• Enhanced support for table names containing any valid character, not just ASCII
• Fixed issues with UTF-8 regex that could fail on very low memory machines by reducing memory usage
• Added optimization to skip character set checks for queries that don't return user data
• Implemented safeguards to prevent content loss from unintelligible DB schemas during upgrades
• Added sanity check in $wpdb->get_col_length() to bail on unexpected return values

New Features

WordPress 3.7.8 doesn't introduce new features as it's primarily a security and maintenance release. The changes focus on improving existing functionality rather than adding new capabilities.

Security Updates

Security Enhancements

• Removed Genericons example.html files during WordPress upgrades to address a potential security vulnerability
• Added functionality to remove suspicious comments during the upgrade process
• Improved database handling to prevent potential security issues related to character encoding
• Enhanced validation of database strings to prevent potential injection vulnerabilities

Performance Improvements

Performance Enhancements

• Reduced memory usage for UTF-8 regex processing, improving performance on low memory machines
• Optimized database queries by skipping unnecessary character set checks for queries that don't return user data
• Improved efficiency of database operations with better handling of character encoding

Impact Summary

WordPress 3.7.8 significantly improves database handling security and compatibility, particularly for sites using non-ASCII characters in their database. The release fixes potential security vulnerabilities, enhances database string validation, and optimizes performance on low memory machines.

The most notable security improvement is the removal of Genericons example.html files during upgrades, addressing a known vulnerability. Additionally, the release improves how WordPress handles database character encoding, ensuring better compatibility with various character sets and preventing potential data loss during operations involving non-ASCII characters.

For multilingual sites and those using non-standard table names, this update provides important compatibility improvements. The performance optimizations for UTF-8 handling on low memory machines will benefit sites running on limited resources.

Overall, this is an important security and maintenance release that all WordPress 3.7 users should apply.