The previous code and commit (fa3d4a0bb5)
were incorrect about invalid exchange numbers as 1-800-211-4511 is
a real phone number.
I've also removed a duplicate alternation pattern.
Refs #8567
Use `is_uploaded_file` to prevent crafty requests that contain bogus
files from getting through. A testing stub class was necessary to avoid
making significant changes to the test suite.
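An added illustration (not CakePHP's own code) of the pattern the commit describes: the `is_uploaded_file()` check is wrapped in a class so that a test stub can replace it, since the builtin only returns true for files PHP itself received in the current request. Class and method names here are assumptions.

```php
<?php
// Added example, not CakePHP code. is_uploaded_file() returns true only for a
// temp file PHP created for this request, so a forged $_FILES entry whose
// tmp_name points at an arbitrary server path is rejected before any move.
class UploadGuard
{
    // Hypothetical seam for tests; production code calls the real builtin.
    protected function isUploadedFile(string $path): bool
    {
        return is_uploaded_file($path);
    }

    // Returns the temp path of a genuine upload, or null for a bogus entry.
    public function accept(array $file): ?string
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            return null; // PHP itself reported a problem with this upload
        }
        $tmp = $file['tmp_name'] ?? '';
        if ($tmp === '' || !$this->isUploadedFile($tmp)) {
            error_log('Rejected upload with non-uploaded tmp_name: ' . $tmp);
            return null;
        }
        // move_uploaded_file() repeats the same check internally; the caller
        // should still pick its own destination name, never the client's.
        return $tmp;
    }
}

// Test stub: unit tests cannot produce a real upload, so treat any existing
// file as if PHP had received it. Used only in the test suite.
class UploadGuardStub extends UploadGuard
{
    protected function isUploadedFile(string $path): bool
    {
        return file_exists($path);
    }
}
```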
When a child inherits from a deny parent the '*' permission should reflect
permissions on all nodes not just the leaf node. Previously once a node
with all permissions set to inherit was found, the check would pass.
Instead it should cascade to the parent nodes and look for explicit
allow/deny.
Refs #8450
The client_ip header can easily be forged. In 'safe' modes we should
only trust the remote_addr which comes from the sapi. Remove support for
http_clientaddress as I can't seem to find where this ever came from in
PHP or the HTTP specs.
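An added example (not CakePHP's implementation) of the trust model the commit describes: only `REMOTE_ADDR`, which the SAPI fills from the TCP connection, is used in safe mode; the forgeable `Client-IP` / `X-Forwarded-For` request headers are consulted only when the application explicitly opts out, for instance behind a proxy it controls. The function name and `$safe` flag are assumptions.

```php
<?php
// Added example, not CakePHP code. $env is a copy of $_SERVER (or a
// constructed array in tests).
function clientIp(array $env, bool $safe = true): string
{
    // REMOTE_ADDR is set by the SAPI from the socket peer; clients cannot
    // supply it as a header, unlike every HTTP_* key below.
    $remote = $env['REMOTE_ADDR'] ?? '';
    if ($safe) {
        return $remote;
    }
    // Unsafe mode: proxy-supplied headers, in the order a trusted proxy
    // chain would populate them. Any client can forge these values.
    foreach (['HTTP_X_FORWARDED_FOR', 'HTTP_CLIENT_IP'] as $key) {
        $value = $env[$key] ?? '';
        if ($value === '') {
            continue;
        }
        // X-Forwarded-For is a comma list; the first hop is the claimed origin.
        $candidate = trim(explode(',', $value)[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return $remote;
}

// Constructed request: a forged Client-IP header is ignored in safe mode.
$env = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_CLIENT_IP' => '127.0.0.1'];
echo clientIp($env), "\n";        // safe: REMOTE_ADDR wins
echo clientIp($env, false), "\n"; // unsafe: the forged header is honoured
```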
This fixes a regression introduced in that change that we didn't
previously have tests for. The issue fixed in #8359 was related to
PHP7.0, whereas PHP5 didn't have an issue. Now both versions will work
the same.
Update number sniff to handle negative numbers. We need to do number
sniffing so we can maintain compatibility between write() and
increment()/decrement().
Refs #8364
Replace the complex and somewhat unfixable regexp based parser for
a parser that handles each line individually. Normalize multi-line
headers to replace multiple spaces with a single one. Section 4.2 of the
HTTP/1.1 standard states
> Any LWS that occurs between field-content MAY be replaced with
> a single SP before interpreting the field value or forwarding the
> message downstream.
This makes me somewhat confident that we can safely normalize
multi-line HTTP header values.
Refs #8330
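An added example (not the HttpSocket parser itself) of the line-by-line approach the commit describes: a line beginning with SP or HT continues the previous header, and runs of LWS inside a value are collapsed to a single space, as the quoted section permits. Function name and the constructed sample headers are assumptions.

```php
<?php
// Added example, not CakePHP code: parse raw headers one line at a time.
// Continuation lines (leading SP/HT) are folded onto the previous header;
// repeated headers (e.g. Set-Cookie) are collected into an array.
function parseHeaders(string $raw): array
{
    $headers = [];
    $last = null;
    foreach (preg_split("/\r?\n/", $raw) as $line) {
        if ($line === '') {
            continue;
        }
        if (($line[0] === ' ' || $line[0] === "\t") && $last !== null) {
            // Folded continuation of the most recently parsed header.
            $fragment = ' ' . trim($line);
            if (is_array($headers[$last])) {
                $idx = count($headers[$last]) - 1;
                $headers[$last][$idx] .= $fragment;
            } else {
                $headers[$last] .= $fragment;
            }
            continue;
        }
        if (strpos($line, ':') === false) {
            continue; // malformed line: ignore rather than guess
        }
        [$name, $value] = explode(':', $line, 2);
        $name = trim($name);
        $value = trim($value);
        if (isset($headers[$name])) {
            $headers[$name] = (array)$headers[$name];
            $headers[$name][] = $value;
        } else {
            $headers[$name] = $value;
        }
        $last = $name;
    }
    // RFC 2616 4.2: any LWS between field-content MAY become a single SP.
    foreach ($headers as $name => $value) {
        $headers[$name] = is_array($value)
            ? array_map(fn($v) => preg_replace('/[ \t]+/', ' ', $v), $value)
            : preg_replace('/[ \t]+/', ' ', $value);
    }
    return $headers;
}
// Constructed sample: a folded header and a repeated one.
$raw = "Content-Type: text/html\r\nSet-Cookie: a=1\r\nSet-Cookie: b=2\r\n"
     . "X-Long: first part\r\n    second \t  part\r\n";
print_r(parseHeaders($raw));
```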
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.
I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be suppressed in production if they
really are in a jam and don't care.
Refs #8282
When checking inherited permissions for '*' also copy inherited
permissions onto the inherited list. By copying the inherited values, we
get the union of explicit allow and inherited permissions, which if all
things go well will match the permission key list.
Refs #8114
Not all webservers set CONTENT_TYPE. The built-in PHP webserver for
example sets HTTP_CONTENT_TYPE instead. Add a public method to the
request object to smooth over this difference.
Refs #6051, #8267
If the request manages to have data set outside of post/put we should
still validate the request body. This expands SecurityComponent to cover
PATCH and DELETE methods, as well as request methods that should be
safe, but somehow end up not safe.
This test creates a numeric key of 0 in $_SESSION which is not a valid session key. This causes the error `session_write_close(): Skipping numeric key 0`.
Since PHP 7 expects write to return true or false this needed to change; the previous implementation would return the values sent to write on success and false on failure. A similar change was made to the read method test: CakeSession::read() now returns results or ''.
Backport the intent of #7845 into 2.x. The implementation differs a bit
from 3.x but paginator helper internals are pretty different in both
branches.
Refs #7092
Fix file:// paths being mishandled on Windows.
While I don't think it's feasible to fix all the cases reported in #7275
as certain paths have different meaning in windows, we can fix file://
not working.
Refs #7275
Remove the ability to specify completely arbitrary view files. This is
possibly a breaking change. However, I feel the risks outweigh the
benefits in this situation. Now absolute paths must be located *within*
a configured view path.
Adds ssl_ context options to SmtpTransport via CakeSocket. Both
CakeSocket and SmtpTransport can now use all the SSL context options
with the same syntax as HttpSocket.
Having all the options consolidated in one place enables all the SSL
context options to be used in the SmtpTransport instead of just allowing
self_signed as proposed in #7496.
Numeric types in postgres are treated like decimals, except they can
have no length, precision or scale components defined.
IE does not accept 1.00000 as a valid step attribute so we'll default to
any when we encounter decimal types with no length.
Refs #7497
When a fieldList is used, and updated is not in the fieldList, the
column should continue to be updated even if the column has a value from
the user. Because the field is not in the fieldList, we must assume that
the intent is for the field to update automatically, as it would have if
the updated column was not present in the save data.
Refs #7076
If a visible input is created *after* a hidden input was created, the
form would always blackhole unless the visible input had the same value
as the hidden input.
Refs #7274
Useful for countries that do not have many of their cities, even major ones,
listed. For example, Indonesia only has 4 cities listed.
For backward compatibility, abbreviations will not be shown.
Note: You might need to update timezonedb for PHP 5.3
Closes #7271
On Windows-based systems both backward and forward slashes are supported
as path separators, so checking for `DS` only would allow `../`
fragments to slip in.
refs #5905, cad57dcc28
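An added example (not CakePHP's own check) covering both the last commit and the earlier one restricting view files to a configured view path: both separators are normalized before looking for `..` segments, and the resolved file must still sit under the base directory. Function names are assumptions.

```php
<?php
// Added example, not CakePHP code. Checking for DIRECTORY_SEPARATOR alone
// misses "..\" on Windows, so backslashes are treated as separators too.
function isSafePathFragment(string $fragment): bool
{
    $normalized = str_replace('\\', '/', $fragment);
    if ($normalized === '') {
        return false;
    }
    // Absolute paths (Unix root, UNC "//host", drive "C:/") are not fragments.
    if ($normalized[0] === '/' || preg_match('#^[A-Za-z]:/#', $normalized)) {
        return false;
    }
    foreach (explode('/', $normalized) as $segment) {
        if ($segment === '..') {
            return false;
        }
    }
    return true;
}

// Resolve a fragment under $base; null when it is unsafe, missing, or escapes.
function resolveWithin(string $base, string $fragment): ?string
{
    if (!isSafePathFragment($fragment)) {
        return null;
    }
    $baseReal = realpath($base);
    $candidate = $base . DIRECTORY_SEPARATOR
        . str_replace(['\\', '/'], DIRECTORY_SEPARATOR, $fragment);
    $full = realpath($candidate); // false if the file does not exist
    if ($baseReal === false || $full === false) {
        return null;
    }
    // Belt and braces: the canonical path must still be inside the base dir.
    if (strpos($full, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed inputs: the backslash variant is what a DS-only check misses.
var_dump(isSafePathFragment('Posts/index.ctp'));        // true
var_dump(isSafePathFragment('../../Config/core.php'));  // false
var_dump(isSafePathFragment('..\\..\\Config\\core.php')); // false
```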