By including the URL in generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These cross
action requests could potentially violate developers' mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.
Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
Paths containing `..` are generally up to no good. Throw an exception,
as developers can use realpath() if they really need to get relative
paths.
Fixes #3370
While they had the potential to make 404s going through AssetDispatcher
much faster, they broke plugins + extension routing. While explicit
extensions could be fixed, routing all extensions could not. Because we
are trying to keep 2.x as API compatible as possible it makes sense to
revert the previous changes.
Fixes an error in #2750 where routed extensions would always return
404's for plugin requests. When a file extension could be handled by
router, AssetDispatcher cannot 404 the request.
Refs #3305
Re-order query joins to make manually added joins be performed after
generated joins. This removes the need to workaround the current join
order, or redefine all association joins when you want to add an
additional join on a leaf table.
Refs #2179
Refs #2346
Generating the various permutations a priori is incredibly expensive
with sets of attributes. Using nested loops that look for matches is
more efficient.
Add replacements for `.*` and `.+` in preg:/ prefixed attribute matchers
so they do not greedily eat all content. This also requires that preg:/
based attribute matchers *must* be quoted.
Fixes #3072
Added test cases for changes to inflector which affected words ending -aves. Author acknowledges the homonym conflict with 'leaves' and 'leaves', but preferences the word whose singular avoids an exception to the inflection rule.