Activity

  • John Walker posted an update in the group Updates 5 months, 3 weeks ago

    2020 June 12

    Updated WordPress to version 5.4.2.  This is a "security and
    maintenance release" with 23 "fixes and enhancements", mostly
    corrections to the cross-site scripting vulnerabilities which
    continue to plague WordPress even in new feature code because
    its developers are morons and there is no adequate code review
    or configuration management of what they scribble in crayon
    before it is shipped to millions of customers.  They're forever
    giving out "Props" to the third parties who scrutinised their
    shoddy product and found these flaws they couldn't be bothered
    to discover themselves.  Me, I'd like to throw those responsible
    into the "prop" of a P-51 Mustang revving for takeoff.
    
    A total of 44 files were modified and 4 added.  In integrating
    our local code, the following files contained both WordPress
    changes and our local code:
        wp-includes/class-walker-comment.php
        wp-includes/comment-template.php
    The following files containing local code but no WordPress
    changes have evil twin .min. files which I deleted from the
    update kit to avoid the peril of re-minimising them.
        wp-includes/css/media-views.css
        wp-includes/js/jquery/jquery-migrate.js
        wp-includes/js/plupload/moxie.js
    
    After integrating local code, I ran ../t/chk on all modified files
    and found no syntax errors.  A run of ../t/ratdiff reported all
    local code integrated and in the correct locations.  I made a
    ../t/mk_unkit.pl just in case we need to back out the changes.
    
    I applied the update kit.  It, of course, wrecked the setting of
    unused theme permissions to 700, so I immediately reset them to
    avoid the vulnerability that creates.  There were no immediate
    errors or things amiss, and the "Site Health" page reported only
    the usual bullshit due to our having secured the site against
    external twiddling by WordPress.
    
    Verified that the Themes page shows only our in-production
    theme and that the Plug-ins page shows none of the garbage
    bundled plug-ins that we disable.
    
    After three hours no problems have been manifest so I committed
    the WordPress 5.4.2 update (Build 476) and published the changes
    to GitHub.
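
The permission reset described in the post (unused theme directories back to mode 700 after an update kit is applied) can be scripted as a post-update check. This is an added example, not the author's tooling; it assumes WordPress's standard `wp-content/themes` layout, and the helper names `is_loose` and `lock_unused_themes` and the theme names in the demo are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Usage: lock_unused_themes /path/to/wp-content/themes ACTIVE_THEME_DIR_NAME

# True when DIR's mode is anything other than exactly 700.
# -prune stops find descending, so only DIR itself is tested.
is_loose() {
    [ -n "$(find "$1" -prune ! -perm 700 -print)" ]
}

# Reset every theme directory except the active one to mode 700.
# Prints the number of directories changed on stdout, details on stderr.
lock_unused_themes() {
    themes_dir=$1 active=$2 changed=0
    for d in "$themes_dir"/*/; do
        [ -d "$d" ] || continue                  # glob matched nothing
        d=${d%/}
        [ -L "$d" ] && continue                  # never chmod through a symlink
        [ "${d##*/}" = "$active" ] && continue   # leave the production theme alone
        if is_loose "$d"; then
            chmod 700 "$d" || return 1
            echo "reset to 700: $d" >&2
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Constructed demo tree: an update has left one unused theme at 755.
demo=$(mktemp -d)
mkdir -m 755 "$demo/production-theme" "$demo/bundled-theme-a"
mkdir -m 700 "$demo/bundled-theme-b"
echo "directories reset: $(lock_unused_themes "$demo" production-theme)"
rm -rf "$demo"
```

Running it again immediately after should report zero directories reset, which makes it usable as a verification step as well as a fix.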