Commit graph

952 commits

Author SHA1 Message Date
Marc Würth
17314baa15 Use HTTPS for the cakephp.org URL 2017-06-10 23:40:28 +02:00
Ikuo Degawa
655a5fe0ae Fix broken cookie issue #10724
This change makes Security::cipher() encoding and decoding same as 2.7 and below.
2017-06-10 15:20:25 +09:00
mark_story
cf679a3233 Merge branch '2.x' into 2.next 2017-05-27 21:47:22 -04:00
Joe
70ead28a1d Redo commits on 2.next branch 2017-05-12 02:02:36 -04:00
mark_story
9007a7fe58 Fix notBlank() to pass on -0.0
Copy the implementation from 3.x as it works with -0.0 already.

Refs #10521
2017-04-16 09:57:36 -04:00
mark_story
e698891d09 Hash::filter() should not exclude 0.0
Refs #10385
2017-03-09 21:29:44 -05:00
mark_story
84a15dc9df Fix short-array usage. 2017-02-14 14:12:38 -05:00
mark_story
3f10a0227a Allow false/true to be read as keys in Hash::get().
While these are not values within the documented types, there exist use
cases in CakeSession that necessitate these to be supported types.

Refs #10196
2017-02-13 21:50:51 -05:00
Mischa ter Smitten
043858d9e6 Fixed typo 2017-01-30 03:22:49 +09:00
Mischa ter Smitten
6818268a27 New Validation::(min|max)ByteLength() addition 2017-01-30 03:22:48 +09:00
mark_story
273a8a2d7d Add support for the parseHuge option.
Sometimes people need to load huge XML files. Add an option to enable
people to enable this flag.

Refs #10031
2017-01-13 21:26:54 -05:00
mark_story
99af4bba83 Merge branch 'domingues-2x' into 2.x
Refs #9870
2016-12-13 22:48:12 -05:00
domingues
4d77cb059d Fix a bug in Xml::fromArray()
When creating from an array with elements like this: `[ "a" => [ 0 ] ]` or `[ "a" => [ '0' ] ]` it fails and produces XML like this `<a/>` instead of `<a>0</a>`.

The problem is that in PHP `empty('0')` is true, so an exception to this case is needed.
2016-12-13 16:16:12 +00:00
mark_story
edfda47cf4 Fix missing HTML encoding in Debugger
Fix missing HTML encoding when error messages contain HTML. This can
happen when user data is used as an offset in an array in an unchecked
way.

Thanks to Teppei Fukuda for reporting this issue via the responsible
security disclosure process.
2016-12-10 08:47:13 -05:00
Marc Würth
5c184190c5 Improve doc block 2016-11-17 14:55:01 +01:00
mark_story
816801902e Allow '' to be a valid key for Hash, and Session
By removing a bunch of empty() guards we can make '' behave like all the
other key names. This does change the existing behavior/tests around ''
key, but I think that is ok given the need to manipulate ''.

Refs #9632
2016-10-21 10:54:39 -04:00
mark_story
e8d63725d8 Merge branch '2.x' into 2.next 2016-09-04 23:54:22 -04:00
Mark Story
51963ab8fc Merge pull request #9349 from cakephp/2.x-sort-locale
2.x sort locale backport
2016-08-26 11:13:21 -04:00
mscherer
dab4b85596 Backport Hash::sort() support for type locale. 2016-08-26 14:32:21 +02:00
ndm2
87d86aaed9 Fix/tighten Folder::inPath() checks.
The current checks are way too relaxed, and are more like testing
for a substring, which makes it easy for invalid paths to slip
through, for example `/foo/var/www` is falsely tested to reside in
`/var/www`.

Passing an empty path never worked properly, it was triggering a
warning, didn't work on Windows, and the behavior that the current
top level directory would be assumed for empty paths wasn't
documented.

Similar is true for relative paths. While they did match at one point,
this was incorrect behavior, and matching actual path fragments seems
out of scope for this method.

This change makes the `$path` argument required, requires it to be an
absolute path, and throws an exception in case a non-absolute path is
being passed.
2016-08-26 13:45:45 +02:00
Kenya Yamaguchi
777e39531e fix php document of File::write() 2016-08-19 02:52:44 +09:00
mark_story
432eb9c432 Merge branch '2.x' into 2.next 2016-06-27 21:47:47 -04:00
Steampilot
723ed96fd6 Added sorting by modified time in Folder util 2016-05-12 16:28:04 +02:00
mark_story
efc2526600 Appease PHPCS. 2016-05-03 17:46:29 -04:00
mark_story
b6d631b987 Use strlen(). Comparing a string against a length will not do the right thing. 2016-05-03 17:27:16 -04:00
mark_story
12c6fd4e22 Merge branch '2.x' into 2.next 2016-05-02 21:58:41 -04:00
Philippe Saint-Just
cd07850337 Merge branch 'backport-8741-8690' into 2.x 2016-04-30 13:11:34 -04:00
mark_story
8b5023282e Randomly generate a salt when the salt is '' or null.
To prevent an issue where any value is accepted as a password when '' is
provided as the hashed password.

Refs #8650
2016-04-15 21:49:17 -04:00
mscherer
e84ff5e0d5 Fix doc block param types. 2016-04-08 15:12:48 +02:00
mscherer
dda9e83ab6 Refactor Object to CakeObject for future PHP7 comp. 2016-04-08 14:33:26 +02:00
mark_story
84fc9498b5 Allow N11 exchange numbers as valid.
The previous code and commit (fa3d4a0bb5)
were incorrect about invalid exchange numbers as 1-800-211-4511 is
a real phone number.

I've also removed a duplicate alternation pattern.

Refs #8567
2016-03-31 22:38:16 -04:00
mark_story
1926d40d40 Fix possibility for spoofed files to pass validation.
Use `is_uploaded_file` to prevent crafty requests that contain bogus
files from getting through. A testing stub class was necessary to avoid
making significant changes to the test suite.
2016-03-28 22:10:36 -04:00
Mark Story
31b3f39b67 Merge pull request #8310 from cakephp/secure-random
2.x - Secure random
2016-02-25 22:05:08 -05:00
Marc Würth
1258739411 Replace Set by Hash
References to the deprecated Set class don't make much sense.
2016-02-23 13:09:03 +01:00
mark_story
7e5f56362f Deprecate bad methods.
These methods are bad and should feel bad.
2016-02-22 00:16:15 -05:00
mark_story
7df99fff1f Backport Security::randomBytes() to 2.x
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.

I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be suppressed in production if they
really are in a jam and don't care.

Refs #8282
2016-02-22 00:14:44 -05:00
mark_story
e4b939bba0 Backport fix for Validation::uploadedFile to 2.x
Don't fail validation when the keys are not the expected order.

Refs #8201
2016-02-08 22:37:25 -05:00
Larry E. Masters
0aa8847762 Merge pull request #7840 from cakephp/2.8-PHP7
2.8 PHP7 compatibility
2015-12-29 00:27:33 -05:00
mark_story
b5e64bbad5 Merge branch '2.7' into 2.8 2015-12-24 16:20:27 -05:00
mark_story
7d052bdbc1 Backport 5714cf14a9ca4b439b872aaf3ad6e5bfddda46ad to 2.x
Fix file:// paths being mishandled on windows.

While I don't think it's feasible to fix all the cases reported in #7275
as certain paths have different meaning in windows, we can fix file://
not working.

Refs #7275
2015-12-24 16:19:57 -05:00
mark_story
37fe25909f Merge branch '2.7' into 2.8 2015-12-20 21:59:43 -05:00
Larry E. Masters
6a68032e0b Fixing srand() expects parameter 1 to be integer, string given
Type casting to integer
2015-12-13 14:18:59 -06:00
Yasushi Ichikawa
bed76acea1 fixed coding standards error 2015-11-29 23:37:07 +09:00
Yasushi Ichikawa
5b098af240 remove extract function in the Validation::comparison 2015-11-29 22:42:55 +09:00
mark_story
48450e71fa Merge branch '2.7' into 2.8 2015-11-11 22:53:45 -05:00
mark_story
1a6f733286 Merge branch '27-pages-fix' into 2.7 2015-11-05 22:30:25 -05:00
Jose Lorenzo Rodriguez
18544c5aaa Fix validation allowing arrays.
Accepting arrays can cause a number of adverse effects. While this may
be a breaking change the alternatives are worse.
2015-11-04 21:35:05 -05:00
ADmad
90c9ead8cd Fix CS error 2015-10-30 09:28:03 +05:30
Mark Scherer
820fc2286f Correct doc block. 2015-10-27 21:17:10 +01:00
mark_story
c26b7bbffe Fix PHPCS errors and failing test.
Refs #7577
2015-10-20 21:08:57 -04:00
vanquang9387
13132cd113 Fix using php 5.4 array [ ] 2015-10-19 15:52:10 +07:00
vanquang9387
8b3bba3341 Reformat Validation class 2015-10-19 15:47:33 +07:00
vanquang9387
af8c992655 2.x uploadedFile validation (backported from #4524) 2015-10-19 15:15:28 +07:00
Ashley Pinner
83b904bc7b Remove censoring of schema and prefix from debug()
As per discussion in #cakephp the other day, `debug()` will automatically censor out a list of keys, including `prefix` and `schema`. These are useful to see in output for debugging prefix routing, and should not automatically be considered sensitive information.
2015-10-15 12:55:32 +01:00
mark_story
a6a699b4b9 Merge branch '2.7' into 2.8 2015-09-28 21:17:45 -04:00
mark_story
13f147940f Correct inflection of virus.
Instead of viri, it should be viruses.

Refs #7466
2015-09-28 21:04:23 -04:00
mark_story
8a57d78dba Merge branch '2.7' into 2.8 2015-09-27 11:12:55 -04:00
Mark Story
12f5aee5a2 Merge pull request #7447 from ravage84/2.7-lib-improvements
Various improvements to the CakePHP lib files
2015-09-25 12:14:00 -04:00
Marc Würth
e690662f0e Various improvements to the CakePHP lib files
Mostly CS, doc blocks and explicit returning nulls.
2015-09-25 17:11:20 +02:00
mark_story
77f2c8cb42 Use mb_strtolower in case-insensitive sorting.
We should try to support unicode everywhere people might use it.
2015-08-25 21:49:10 -04:00
mark_story
9b910dff31 Merge branch '2.8-hash-sort-ignore-case' into 2.8
Refs #7217
2015-08-25 21:46:08 -04:00
mark_story
a9ef1f8aea Simplify branching and add default options.
Use fewer conditionals by merging defaults and avoid exceptions
by setting defaults as well.

Refs #7217
2015-08-25 21:39:02 -04:00
Mark Scherer
3cfc46db38 Fix merge to + operator. 2015-08-24 06:33:04 +02:00
Rachman Chavik
e6acacac03 CakeTime::listTimezones(): Add option to Display timezone abbreviations
Useful for countries that do not have many of their cities, even major ones,
listed. For example, Indonesia only has 4 cities listed.

For backward compatibility, abbreviations will not be shown.

Note: You might need to update timezonedb for PHP 5.3

Closes #7271
2015-08-21 10:54:33 +07:00
Adrian Gunawan
12e5719aad Remove whitespace at end of line 2015-08-14 17:05:59 +10:00
Adrian Gunawan
80f6a97d93 Check === 'natural' was inadvertently removed 2015-08-14 15:32:23 +10:00
Adrian Gunawan
b89d8d5efa Use array() instead of the short notation [] 2015-08-14 14:15:00 +10:00
Adrian Gunawan
f23e6589d0 Overload $type parameter instead of adding another parameter for case insensitive sort 2015-08-13 11:16:32 +10:00
Adrian Gunawan
a217556c13 Ability for Hash::sort to sort case-insensitively 2015-08-12 14:35:11 +10:00
mark_story
b7c9ac913d Backport fixes for comparison() and range() to 2.x
These fixes were released as a security update for 3.x, they also belong
in 2.x
2015-08-06 21:36:39 -04:00
José Lorenzo Rodríguez
355eb1859c Merge pull request #7106 from cakephp/issue-7098
Consistently remove plugin names in object collections.
2015-07-28 15:58:41 +02:00
Mark Story
de4b44a37b Merge pull request #7077 from dereuromark/2.7-static
Replacing self with static due to PHP5.3+. Following #7040.
2015-07-23 22:27:37 -04:00
mark_story
418dcfd7f8 Consistently remove plugin names in object collections.
We were sometimes removing plugin prefixes (set, and some subclass
methods). But many other methods were missing the pluginSplit() feature.
This change makes all of the methods in ObjectCollection strip plugin
prefixes, which increases consistency across the framework.

Refs #7098
2015-07-23 21:46:21 -04:00
mark_story
e4b2428735 Fix PHPCS errors. 2015-07-21 16:28:17 -04:00
Mark Scherer
52e79987a2 Replacing self with static due to PHP5.3+. Following #7040. 2015-07-21 10:22:53 +02:00
mark_story
bd23fdeebf Simplify code and reduce test redundancy.
We don't need the additional parameter, and some of the tests weren't
covering unique scenarios.

Refs #7040
2015-07-20 22:16:50 -04:00
Chris Valliere
64f0ca0028 Fix Hash::maxDimensions
The current Hash::maxDimensions function calls Hash::dimensions to try
to get the maximum depth of the passed in array.  However, this ends up
only getting the depth of the first element of each 1st dimension
element in the array passed to maxDimensions.  The function needs to be
called recursively in order to get the depth of ALL of the elements in
all of the dimensions of the passed in array.

I made the maxDimensions function more closely resemble the deprecated
Set::countDim function in order to restore the correct functionality.
2015-07-20 22:07:58 -04:00
Mark Scherer
2eea245491 Backport utf fix for CakeText::tokenize(). 2015-07-13 08:23:05 +02:00
mark_story
47378427e3 Merge branch '2.6' into 2.7 2015-07-11 21:25:26 -04:00
Marc Würth
4a131bdcbf Capitalize Windows, the OS 2015-07-09 15:54:03 +02:00
mark_story
26b3713bd6 Merge branch '2.7' of github.com:cakephp/cakephp into 2.7 2015-06-20 10:03:24 -04:00
mark_story
664ba53c89 Merge branch '2.6' into 2.7 2015-06-20 10:03:14 -04:00
Mark Scherer
4025f2fb22 add cast for clarification and to allow int 0. 2015-06-17 12:38:06 +02:00
Mark Scherer
1b81323462 Use strict check 2015-06-17 12:06:56 +02:00
Mark Scherer
86c358f3f9 Fix Validation::multiple() regarding 0 value. 2015-06-15 16:35:27 +02:00
mark_story
c47196fe08 Merge branch '2.6' into 2.7 2015-06-07 15:45:26 -04:00
mark_story
239c83938f Fix regression in camelize().
The input should not be lowercased before camelizing, as this can cause
inputs that were previously camelized to create incorrect results.

Refs #6735
2015-06-05 10:20:51 -04:00
mark_story
df0f2295c3 Fix issue with overlapping irregular inflections.
When irregular inflections overlap we should choose the longest match,
not the shortest.

Refs #6659
2015-06-02 23:09:29 -04:00
Mark Scherer
2a5cbb8037 Add missing static keyword. 2015-05-31 13:40:22 +02:00
mark_story
d7d8b90986 Merge branch '2.6' into 2.7 2015-05-28 19:34:59 -04:00
mark_story
995d8d22c6 Disable reading XML files and URLs when handling user data.
Allowing users to load arbitrary files/URLs with Xml is not desirable
when handling user input.
2015-05-27 09:45:53 -04:00
mark_story
733ddc7ff4 Use mb* functions in Inflector humanize/underscore.
Use the mbstring shims we already provide to make Inflector more robust
than it currently is. This solves the invalid ID attribute generation in
a way that never varies between environments.

Refs #6635
2015-05-26 22:51:00 -04:00
nojimage
c6e4208bda refs #6635 Inflector::underscore, humanize support multibyte string inputs 2015-05-26 13:29:05 +09:00
nojimage
8ebc9cdd87 refs #6635 FormHelper::radio() return collect id attributes with multibyte 2015-05-25 22:10:50 +09:00
Mark Scherer
866242643f Deprecate notEmpty in favor of notBlank. 2015-05-17 22:13:04 +02:00
ndm2
323e8d8d76 Add underscore support for multi word irregulars.
Underscore separated words were not caught by the irregular regex,
tests however didn't fail as the default rules matched the tested words
too. The added test should ensure that this won't happen again.

Fixes the gap left by the previous #6538 fix.
2015-05-12 14:33:15 +02:00
mark_story
d4740c9c09 Fix incorrect handling of irregular values.
When inflecting irregular values, both plural and singular forms were
generated incorrectly.

Fixes #6538
2015-05-11 21:35:08 -04:00
Mark Scherer
8e618ed9e6 Fix documentation regarding attributes 2015-05-02 14:31:38 +02:00
mark_story
5e9d4893a8 Add the {*} matcher to Hash::extract()
This matcher will match anything and is useful when you just want to
traverse through data and you're not too picky.

I've also refactored the conditions to use a case as it is slightly more
readable and uses fewer lines of code.

Refs #6447
2015-05-01 22:03:40 -04:00
mark_story
096a2ebb72 Merge branch '2.6' into 2.7
Conflicts:
	lib/Cake/Test/Case/TestSuite/ControllerTestCaseTest.php
	lib/Cake/VERSION.txt
2015-04-20 15:42:54 -04:00