Commit graph

920 commits

Author SHA1 Message Date
chinpei215
a6b0271560 Remove Security::engine()
We discussed and decided to avoid auto selecting which extension to use.
Instead, call Configure::write('Security.useOpenSsl', true) manually.
2018-02-24 12:17:51 +09:00
chinpei215
fc397bd481 Pass MCRYPT_DEV_URANDOM to mcrypt_create_iv() explicitly 2018-01-20 00:25:35 +09:00
chinpei215
5289aae64e Change Security::randomBytes() to fallback to mcrypt_create_iv() 2018-01-19 23:54:58 +09:00
chinpei215
d7ed0339b1 Make mcrypt optional
Now Security::encrypt() and Security::decrypt() work with openssl
if the mcrypt extension is unavailable.
Note that Security::rijndael() doesn't work with openssl.
2018-01-19 23:54:53 +09:00
Milan van As
7de5ae4438 Force email domain lookups to work in fallback case. 2017-10-25 08:45:57 +02:00
Mark Story
fb44035177 Merge pull request #11299 from tenkoma/2.x-fix-cc-number-jcb-pattern
[2.x]Fix Credit card number pattern(JCB) is wrong
2017-10-08 10:09:19 -04:00
Koji Tanaka
7d2d902b57 [2.x]Fix Credit card number pattern(JCB) is wrong 2017-10-08 16:15:10 +09:00
chinpei215
deac8f9109 Backport #7080, #8233 and #11060 2017-10-06 22:02:37 +09:00
chinpei215
ccf634e5f3 Docblock update 2017-10-06 21:59:48 +09:00
LustyRain
e1e5a292f2 Fix: revert return 2017-10-05 00:09:51 +09:00
LustyRain
1f09318724 Fix delete space, restored return 2017-10-04 20:40:57 +09:00
LustyRain
8bb07c0fd7 Fix called twice 2017-10-04 11:39:31 +09:00
LustyRain
31b13edf8a Fix: phpdoc miss
## did
- void unReturn
- miss return void
- add return type
- type miss typing
- add param type and return type
  - string → string|array
- change ClassName
2017-10-04 00:22:42 +09:00
mark_story
aaa37fa809 Merge branch '2.next' of github.com:cakephp/cakephp into 2.next 2017-06-26 21:51:55 -04:00
mark_story
2032fef772 Merge branch '2.x' into 2.next 2017-06-26 21:51:41 -04:00
Marc Würth
da8414e13b Use HTTPS for the opensource.org MIT license URL 2017-06-11 00:23:22 +02:00
Marc Würth
04efc7ba50 Use HTTPS for the book.cakephp.org URL 2017-06-11 00:15:36 +02:00
Marc Würth
10b89b51a9 Use HTTPS for the cakefoundation.org URL 2017-06-11 00:10:59 +02:00
Marc Würth
17314baa15 Use HTTPS for the cakephp.org URL 2017-06-10 23:40:28 +02:00
Ikuo Degawa
655a5fe0ae Fix broken cookie issue #10724
This change makes Security::cipher() encoding and decoding same as 2.7 and below.
2017-06-10 15:20:25 +09:00
mark_story
cf679a3233 Merge branch '2.x' into 2.next 2017-05-27 21:47:22 -04:00
Joe
70ead28a1d Redo commits on 2.next branch 2017-05-12 02:02:36 -04:00
mark_story
9007a7fe58 Fix notBlank() to pass on -0.0
Copy the implementation from 3.x as it works with -0.0 already.

Refs #10521
2017-04-16 09:57:36 -04:00
mark_story
e698891d09 Hash::filter() should not exclude 0.0
Refs #10385
2017-03-09 21:29:44 -05:00
mark_story
84a15dc9df Fix short-array usage. 2017-02-14 14:12:38 -05:00
mark_story
3f10a0227a Allow false/true to be read as keys in Hash::get().
While these are not values within the documented types, there exist use
cases in CakeSession that necessitate these to be supported types.

Refs #10196
2017-02-13 21:50:51 -05:00
Mischa ter Smitten
043858d9e6 Fixed typo 2017-01-30 03:22:49 +09:00
Mischa ter Smitten
6818268a27 New Validation::(min|max)ByteLength() addition 2017-01-30 03:22:48 +09:00
mark_story
273a8a2d7d Add support for the parseHuge option.
Sometimes people need to load huge XML files. Add an option to enable
people to enable this flag.

Refs #10031
2017-01-13 21:26:54 -05:00
mark_story
99af4bba83 Merge branch 'domingues-2x' into 2.x
Refs #9870
2016-12-13 22:48:12 -05:00
domingues
4d77cb059d Fix a bug in Xml::fromArray()
When creating from an array with elements like this: `[ "a" => [ 0 ] ]` or `[ "a" => [ '0' ] ]` it fails and produces XML like this `<a/>` instead of `<a>0</a>`.

The problem is that in PHP `empty('0')` is true, so an exception to this case is needed.
2016-12-13 16:16:12 +00:00
mark_story
edfda47cf4 Fix missing HTML encoding in Debugger
Fix missing HTML encoding when error messages contain HTML. This can
happen when user data is used as an offset in an array in an unchecked
way.

Thanks to Teppei Fukuda for reporting this issue via the responsible
security disclosure process.
2016-12-10 08:47:13 -05:00
Marc Würth
5c184190c5 Improve doc block 2016-11-17 14:55:01 +01:00
mark_story
816801902e Allow '' to be a valid key for Hash, and Session
By removing a bunch of empty() guards we can make '' behave like all the
other key names. This does change the existing behavior/tests around ''
key, but I think that is ok given the need to manipulate ''.

Refs #9632
2016-10-21 10:54:39 -04:00
mark_story
e8d63725d8 Merge branch '2.x' into 2.next 2016-09-04 23:54:22 -04:00
Mark Story
51963ab8fc Merge pull request #9349 from cakephp/2.x-sort-locale
2.x sort locale backport
2016-08-26 11:13:21 -04:00
mscherer
dab4b85596 Backport Hash::sort() support for type locale. 2016-08-26 14:32:21 +02:00
ndm2
87d86aaed9 Fix/tighten Folder::inPath() checks.
The current checks are way too relaxed, and are more like testing
for a substring, which makes it easy for invalid paths to slip
through, for example `/foo/var/www` is falsely tested to reside in
`/var/www`.

Passing an empty path never worked properly, it was triggering a
warning, didn't work on Windows, and the behavior that the current
top level directory would be assumed for empty paths wasn't
documented.

Similar is true for relative paths. While they did match at one point,
this was incorrect behavior, and matching actual path fragments seems
out of scope for this method.

This change makes the `$path` argument required, requires it to be an
absolute path, and throws an exception in case a non-absolute path is
being passed.
2016-08-26 13:45:45 +02:00
Kenya Yamaguchi
777e39531e fix php document of File::write() 2016-08-19 02:52:44 +09:00
mark_story
432eb9c432 Merge branch '2.x' into 2.next 2016-06-27 21:47:47 -04:00
Steampilot
723ed96fd6 Added sorting by modified time in Folder util 2016-05-12 16:28:04 +02:00
mark_story
efc2526600 Appease PHPCS. 2016-05-03 17:46:29 -04:00
mark_story
b6d631b987 Use strlen(). Comparing a string against a length will not do the right thing. 2016-05-03 17:27:16 -04:00
mark_story
12c6fd4e22 Merge branch '2.x' into 2.next 2016-05-02 21:58:41 -04:00
Philippe Saint-Just
cd07850337 Merge branch 'backport-8741-8690' into 2.x 2016-04-30 13:11:34 -04:00
mark_story
8b5023282e Randomly generate a salt when the salt is '' or null.
To prevent an issue where any value is accepted as a password when '' is
provided as the hashed password.

Refs #8650
2016-04-15 21:49:17 -04:00
mscherer
e84ff5e0d5 Fix doc block param types. 2016-04-08 15:12:48 +02:00
mscherer
dda9e83ab6 Refactor Object to CakeObject for future PHP7 comp. 2016-04-08 14:33:26 +02:00
mark_story
84fc9498b5 Allow N11 exchange numbers as valid.
The previous code and commit (fa3d4a0bb5)
were incorrect about invalid exchange numbers as 1-800-211-4511 is
a real phone number.

I've also removed a duplicate alternation pattern.

Refs #8567
2016-03-31 22:38:16 -04:00
mark_story
1926d40d40 Fix possibility for spoofed files to pass validation.
Use `is_uploaded_file` to prevent crafty requests that contain bogus
files from getting through. A testing stub class was necessary to avoid
making significant changes to the test suite.
2016-03-28 22:10:36 -04:00