Use `is_uploaded_file` to prevent crafty requests that contain bogus
files from getting through. A testing stub class was necessary to avoid
making significant changes to the test suite.
Clearing the router also removes routes which can cause assertions to
fail. By just removing the stored requests we avoid the error reported
in #8480 and not break as many tests.
When using array urls, internal state in the Router would cause requests
to be incorrectly handled causing multiple testAction calls in a single
test to fail. By reloading the router we start off with a clean slate
each time.
Refs #8480
When child inherits from a deny parent the '*' permission should reflect
permissions on all nodes not just the leaf node. Previously once a node
with all permissions set to inherit was found, the check would pass.
Instead it should cascade to the parent nodes and look for explicit
allow/deny.
Refs #8450
The client_ip header can easily be forged. In 'safe' modes we should
only trust the remote_addr which comes from the sapi. Remove support for
http_clientaddress as I can't seem to find where this ever came from in
PHP on the http specs.
This fixes a regression introduced in that change that we didn't
previously have tests for. The issue fixed in #8359 was related to
PHP7.0, whereas PHP5 didn't have an issue. Now both versions will work
the same.
Update number sniff to handle negative numbers. We need to do number
sniffing so we can maintain compatbility between write() and
increment()/decrement().
Refs #8364
exemple
i have to get the referrer url from any page if exists
```
class AppController extends Controller {
......
public function beforeRender() {
parent::beforeRender();
$this->params['referer'] = $this->referer(null, true);
}
..........
}
```
Update sample code to generate unique keys based on association
conditions as well. Because association conditions are not part of the
'query' they need to be handled separately.
Refs #8346
Replace the complex and somewhat unfixable regexp based parser for
a parser that handles each line individually. Normalize multi-line
headers to replace multiple spaces with a single one. Section 4.2 of the
HTTP1.1 standard states
> Any LWS that occurs between field-content MAY be replaced with
> a single SP before interpreting the field value or forwarding the
> message downstream.
This makes me somewhat confident that we can safely normalize
multi-line HTTP header values.
Refs #8330
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.
I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be supressed in production if they
really are in a jam and don't care.
Refs #8282
When checking inherited permissions for '*' also copy inherited
permissions onto the inherited list. By copying the inherited values, we
get the union of explit allow and inherited permissions, which if all
things go well will match the permission key list.
Refs #8114
Not all webservers set CONTENT_TYPE. The built-in PHP webserver for
example sets HTTP_CONTENT_TYPE instead. Add a public method to the
request object to smooth over this difference.
Refs #6051, #8267
