Backport fixes to base path generation that prevent issue when a URL
contains // it can circumvent the base path generation, which results in
unwanted user data in the base/webroot paths. This creates an
opportunity for CSS manipulation in old versions of IE, and newer ones
via iframe inheritance.
Eg:
Actual Posted URL:
/admin/settings/settings/prefix/Access%20Control
$_GET value:
/admin/settings/settings/prefix/Access_Control
Since $unsetUrl differs, the $_GET value will get copied in to
CakeRequest::$query, causing CakeRequest::here() to return:
/admin/settings/settings/prefix/Access%20Control?%2Fadmin%2Fsettings%2Fsettings%2Fprefix%2FAccess_Control=
This confuses SecurityComponent in the following line:
f23d811ff5/lib/Cake/Controller/Component/SecurityComponent.php (L514)
HTTP_X_FORWARDED_HOST is supposed to be used by proxies to indicate the
original HTTP_HOST value. It has nothing to do with referer values.
Since the HTTP_X_FORWARDED_HOST is intended to replace the HOST header
in proxied setups, add a trustProxy parameter to host() and default it
to false. This maintains existing behavior and allows people to access
the proxied value.
Fixes#2537
This statement does not serve a purpose anymore.
In a long forgotten world it indicated the main version number of PHP which the code in the file was compatible to.
http://pear.php.net/manual/en/standards.sample.php
But since PHP 5.1 and later this is only marginally true.
Thus I propose to remove it from CakePHP.
Some browsers have invalid accept headers, we should ignore the invalid
extension data as assuming it will be a qualifier can result in
incorrect results.
Fixes#4105
Fixes https://cakephp.lighthouseapp.com/projects/42648-cakephp/tickets/3318
It seems fixing this in the htaccess file(s) isn't going to work even though a url rewriting based solution was more clean. On the plus side this works for any web server.
If a url is called with "index.php" in it then the CakeRequest swallows this part and fixes the path. Any linked url from the requested page will have a clean url. Thus after following one of these urls this problem is gone anyway.
Some code docblock improvements to CakeRequestTest.php
Added test case for fix
Also now you can call just index.php even if you have url rewriting enabled
