Merge branch 'master' into 2.5

lib/Cake/Network/CakeResponse.php

@@ -1320,7 +1320,8 @@ class CakeResponse {
  * - name: Alternate download name
  * - download: If `true` sets download header and forces file to be downloaded rather than displayed in browser
  *
- * @param string $path Path to file
+ * @param string $path Path to file. If the path is not an absolute path that resolves
+ *   to a file, `APP` will be prepended to the path.
  * @param array $options Options See above.
  * @return void
  * @throws NotFoundException
@@ -1331,6 +1332,13 @@ class CakeResponse {
 			'download' => null
 		);
 
+		if (strpos($path, '..') !== false) {
+			throw new NotFoundException(__d(
+				'cake_dev',
+				'The requested file contains `..` and will not be read.'
+			));
+		}
+
 		if (!is_file($path)) {
 			$path = APP . $path;
 		}

lib/Cake/Test/Case/Network/CakeResponseTest.php

@@ -1166,6 +1166,17 @@ class CakeResponseTest extends CakeTestCase {
 		$response->file('/some/missing/folder/file.jpg');
 	}
 
+/**
+ * test file with ..
+ *
+ * @expectedException NotFoundException
+ * @return void
+ */
+	public function testFileWithPathTraversal() {
+		$response = new CakeResponse();
+		$response->file('my/../cat.gif');
+	}
+
 /**
  * testFile method
  *