HomeContent Toolkit Logo

Content Toolkit

Home

>

Tools

>

WordPress

>

Releases

>

4.3.6

WordPress Release: 4.3.6

Tag Name: 4.3.6

Release Date: 9/7/2016

View Release
WordPress LogoWordPress

World's most popular open-source content management system powering over 40% of all websites. Offers extensive plugin ecosystem, themes, and robust community support for blogs, e-commerce, and corporate websites. Highly customizable and scalable platform suitable for beginners and advanced developers.

Open SourceBloggingWebsite Builder

TL;DR

WordPress 4.3.6: Security and Database Maintenance Release

What's New: WordPress 4.3.6 addresses important security vulnerabilities in file uploads and fixes a database handling issue with TEXT and BLOB columns during UTF-8 character encoding upgrades.

Why it Matters: This maintenance release prevents potential security exploits through unsanitized file uploads and resolves a database issue that could cause data truncation during upgrades.

Who Should Care: All WordPress site owners should update immediately to protect their sites from security vulnerabilities. Database administrators and developers working with custom database schemas should be aware of the changes to dbDelta() behavior.

Highlight of the Release

    • Security fixes for file upload sanitization
    • Improved database handling for TEXT and BLOB columns during UTF-8mb4 upgrades
    • Prevention of potential data truncation in database fields
    • Fixed dbDelta() behavior to maintain larger column sizes after UTF-8mb4 conversion

Migration Guide

No specific migration steps are required for this update. Standard WordPress update procedures apply:

  1. Back up your WordPress site (files and database) before updating
  2. Update through the WordPress dashboard or via manual update
  3. Verify your site functionality after the update is complete

No database schema changes are introduced that would require manual intervention.

Upgrade Recommendations

Immediate Update Recommended

This release contains important security fixes that protect your site from potential vulnerabilities in file uploads. All WordPress site owners should update to version 4.3.6 immediately.

The database handling improvements also prevent potential data loss during UTF-8mb4 character encoding upgrades, making this an important update for sites that may undergo such upgrades in the future.

As with any WordPress update, it's recommended to:

  • Create a complete backup of your site before updating
  • Test the update on a staging environment if possible
  • Update all sites as soon as possible to maintain security

Bug Fixes

Database Handling Improvements

  • Fixed an issue in dbDelta() where it would attempt to downgrade the size of TEXT and BLOB columns after they had been upgraded for UTF-8mb4 compatibility
  • When upgrading to utf8mb4, TEXT fields are upgraded to MEDIUMTEXT (and similarly for other *TEXT and *BLOB fields) to accommodate the additional space requirements
  • Previously, subsequent upgrades would attempt to downgrade these fields back to their original size, potentially causing data truncation
  • The fix ensures that once fields are upgraded to larger sizes, they remain at those sizes during future database operations
  • Fixed a typo in the dbDelta() tests

New Features

No new features were introduced in this maintenance release. WordPress 4.3.6 focuses on security fixes and database handling improvements.

Security Updates

File Upload Security Improvements

  • Added proper filename sanitization in File_Upload_Upgrader to prevent potential security vulnerabilities
  • Implemented sanitization for upload filenames in the Media library
  • These fixes prevent potential security exploits that could occur through maliciously crafted filenames during the upload process
  • The sanitization ensures that uploaded files have safe filenames that cannot be used for code execution or other attacks

Performance Improvements

This release does not contain specific performance improvements. The focus was on security fixes and database handling improvements.

Impact Summary

WordPress 4.3.6 is primarily a security and maintenance release that addresses two key areas:

  1. Security Improvements: The release fixes vulnerabilities in file upload handling by properly sanitizing filenames in both the upgrader and media upload processes. This prevents potential security exploits through maliciously crafted filenames.

  2. Database Handling: The update modifies how dbDelta() handles TEXT and BLOB columns during and after UTF-8mb4 character encoding upgrades. Previously, after upgrading these columns to larger sizes (e.g., TEXT to MEDIUMTEXT) to accommodate UTF-8mb4's space requirements, subsequent operations would attempt to downgrade them back to their original size. This could potentially truncate data. The fix ensures that once columns are upgraded to larger sizes, they remain at those sizes.

These changes improve the security posture of WordPress installations and prevent potential data loss during database operations, particularly for sites using or migrating to UTF-8mb4 character encoding. The impact is positive for all WordPress users, with no known negative side effects or breaking changes.

Statistics:

File Changed8
Line Additions138
Line Deletions14
Line Changes152
Total Commits5

User Affected:

  • Need to update their WordPress installations to 4.3.6 immediately to protect against security vulnerabilities
  • Will benefit from improved database handling during character encoding upgrades
  • No longer at risk of data truncation in TEXT and BLOB fields during database upgrades

Contributors:

pentoswissspidyjeremyfelt