Textpattern CMS 4.4.0 released: focus on security

A new release of Textpattern (news) is available. This version has a focus primarily on security and introduces a number of new changes to the way passwords are handled as well as general security fixes.

Some excerpts from the release announcement:

  • If you are running an Apache web server, rename the .htaccess-dist file in the /files directory to .htaccess to prohibit direct URL access to your files.
  • Previously, people with privileges set to ‘None’ could log in and just not see anything — Restricted area — for every tab. Now they are not even permitted entry.
  • We have relied on MySQL’s password function for a long time now. MySQL themselves do not recommend this and, moving forward to TXP 5, our goal is to open up the avenue for using other databases, so to rely on MySQL is counter to this philosophy. We have therefore taken the step of implementing phpass from this point forward.This has the implication that passwords are now case-sensitive.

This release also mops up some bits and pieces that snuck into 4.3.0. Namely:

  • a few places that still used deprecated attributes, mostly in the tag builder
  • some Textile security fixes
  • a bug in <txp:variable /> when dealing with empty values
  • search engines shouldn’t index ‘Nice try’ messages anymore
  • messy mode context and get_pref() bugs squashed

jQuery has also been upgraded to 1.5.1.

For the full announcement, or to download, visit: http://textpattern.com