A new release of Textpattern (news) is available. This version has a focus primarily on security and introduces a number of new changes to the way passwords are handled as well as general security fixes.
Some excerpts from the release announcement:
- If you are running an Apache web server, rename the
.htaccess-distfile in the
.htaccessto prohibit direct URL access to your files.
- Previously, people with privileges set to ‘None’ could log in and just not see anything — Restricted area — for every tab. Now they are not even permitted entry.
- We have relied on MySQL’s
passwordfunction for a long time now. MySQL themselves do not recommend this and, moving forward to TXP 5, our goal is to open up the avenue for using other databases, so to rely on MySQL is counter to this philosophy. We have therefore taken the step of implementing phpass from this point forward.
This has the implication that passwords are now case sensitive.
This release also mops up some bits and pieces that snuck into 4.3.0. Namely:
- a few places that still used deprecated attributes, mostly in the tag builder
- some Textile security fixes
- a bug in
<txp:variable />when dealing with empty values
- search engines shouldn’t index ‘Nice try’ messages any more
- messy mode context and
jQuery has also been upgraded to 1.5.1.
For the full announcement, or to download, visit: http://textpattern.com