By including the URL in generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These cross
action requests could potentially violate developer's mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.
Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
Paths containing `..` are generally up to no good. Throw an exception,
as developers can use realpath() if they really need to get relative
paths.
Fixes#3370
I get a load of these errors when running tests in the shell, this check stops the errors from happening
Warning: 2 :: fclose() expects parameter 1 to be resource, integer given on line 298 of CORE\Cake\Console\ConsoleOutput.php
Trace:
fclose - [internal], line ??
ConsoleOutput::__destruct() - CORE\Cake\Console\ConsoleOutput.php, line 298
ToolbarComponent::_saveState() - APP\Plugin\DebugKit\Controller\Component\ToolbarComponent.php, line 307
ToolbarComponent::beforeRedirect() - APP\Plugin\DebugKit\Controller\Component\ToolbarComponent.php, line 307
ObjectCollection::trigger() - CORE\Cake\Utility\ObjectCollection.php, line 132
call_user_func - [internal], line ??
CakeEventManager::dispatch() - CORE\Cake\Event\CakeEventManager.php, line 247
Controller::redirect() - CORE\Cake\Controller\Controller.php, line 765
AuthComponent::_unauthenticated() - CORE\Cake\Controller\Component\AuthComponent.php, line 364
AuthComponent::startup() - CORE\Cake\Controller\Component\AuthComponent.php, line 304
ObjectCollection::trigger() - CORE\Cake\Utility\ObjectCollection.php, line 132
call_user_func - [internal], line ??
CakeEventManager::dispatch() - CORE\Cake\Event\CakeEventManager.php, line 247
Controller::startupProcess() - CORE\Cake\Controller\Controller.php, line 675
Dispatcher::_invoke() - CORE\Cake\Routing\Dispatcher.php, line 182
Dispatcher::dispatch() - CORE\Cake\Routing\Dispatcher.php, line 160
While the had the potential to make 404s going through AssetDispatcher
much faster, they broke plugins + extension routing. While explicit
extensions could be fixed, routing all extensions could not. Because we
are trying to keep 2.x as API compatible as possible it makes sense to
revert the previous changes.
Fixes an error in #2750 where routed extensions would always return
404's for plugin requests. When a file extenion could be handled by
router, AssetDispatcher cannot 404 the request.
Refs #3305
When using comparison with a boolean, as the filter is a string, we have to convert the data boolean to "boolean string" to avoid type-casting troubles.
## Example
```php
$users = [
[
'id' => 2,
'username' => 'johndoe',
'active' => true
],
[ 'id' => 5,
'username' => 'kevin',
'active' => true
],
[
'id' => 9,
'username' => 'samantha',
'active' => false
],
];
$unactiveUsers = Hash::extract($users, '{n}[active=false]');
print_r($unactiveUsers);
```
This example returns the two unwanted active users because `"false"` is `true` but not `false` :)
I think this pull request will fix this issue by converting true/false boolean to string (to match with our filter).
Re-order query joins to make manually added joins be performed after
generated joins. This removes the need to workaround the current join
order, or redefine all association joins when you want to add an
additional join on a leaf table.
Refs #2179
Refs #2346
Generating the various permutations a priori is incredibly expensive
with sets of attributes. Using nested loops that look for matches is
more efficient.
Add replacments for `.*` and `.+` in preg:/ prefixed attribute matchers
so they do not greedily eat all content. This also requires that preg:/
based attribute matchers *must* be quoted.
Fixes#3072
Added test cases for changes to inflector which affected words ending -aves. Author acknowledges the homonym conflict with 'leaves' and 'leaves', but preferences the word whose singular avoids an exception to the inflection rule.
If inputs are placed outside of the form elements the form attribute
needs to be set on the hidden inputs. Without this attribute the empty
state does not submit correctly.
Fixes#3053
PDOStatement::getColumnMeta (in mysql.php) sometimes returns the actual
table name when using a MySQL view with the distinct select query, and not
the alias table name. By returning the actual table name the records
could not be removed.
By the way PDOStatement::getColumnMeta is an experimental function,
perhaps it's better to avoid it.
Facebook servers have now HTTP response without status string. The use
"HTTP/1.1 200 "
while CakePHP needs
"HTTP/1.1 200 Ok"
because preg_match() in code use + instead *
While I think typehints are generally a good idea, this one broke a few
plugins, notably CakeDC/search. I don't think it is wise for 2.X release
to break BC in that way. I think reverting this change is probably the
safest path right now.
Allow sub-directories for Test/Fixture folder (for app. and plugin.)
The directory separator is '/'.
A file ``MyClassFixture.php` in the folder `Fixture/MyFolder` will be included like this :
`'app.MyFolder/my_class'`
For convenience I think it might be valuable to allow addCrumb (and possibly other similar functions) to return $this to permit chained calls such as this:
$this->Html->addCrumb('Admin', '/admin')->addCrumb('Blogs', '/admin/users')->addCrumb('Add');
as opposed to the considerably more verbose version that needs to be used now:
$this->Html->addCrumb('Admin', '/admin');
$this->Html->addCrumb('Blogs', '/admin/users');
$this->Html->addCrumb('Add');
I'm not sure if this violates some API conventions for helpers but it does seem rather more convenient to work with to me.
Sorting the keys property by value sorts keys with the same prefix for
free. This does change the order of the keys, but I don't think that is
actually a large issue as it is just a list.
Refs #2991
