Commit graph

3659 commits

Author SHA1 Message Date
Mark Sch
32cb25465f Make CS tests pass. 2016-05-02 10:42:42 +02:00
mark_story
ade9d8a811 Restore backwards compatibility with old 2.x in FormHelper.
Restore the behavior of the string 'action' option to its former glory.
While we've deprecated this it needs to continue working as it did
before.

Refs #8628
2016-05-01 22:21:23 -04:00
Philippe Saint-Just
c2f028ab49 Fix spacing 2016-04-30 13:13:14 -04:00
Philippe Saint-Just
cd07850337 Merge branch 'backport-8741-8690' into 2.x 2016-04-30 13:11:34 -04:00
mark_story
af953700b8 Fix short array usage.
Refs FIVESMX-8723
2016-04-29 09:28:05 -04:00
mark_story
cf55767fa0 Backport range parsing resiliancy fixes from 3.x
Refs #8723
2016-04-28 22:27:37 -04:00
mark_story
9536a10d6d Make schema import plugin friendly.
The changes in #8694 pointed out that schema importing doesn't play nice
with plugins. This corrects that.
2016-04-23 16:18:15 -04:00
mark_story
3a75e8aa72 Use import options when going through execute()
The `records` and `schema` options should work when using execute().
Previously they were not working. Furthermore, the records option did
a non-sensical thing where it both set import=>records and generated
static records from the live table. The `records` option now enables
the generation of static data from a live table, as I think this is
a more common scenario.

Refs #8693
2016-04-23 16:15:54 -04:00
mark_story
8b5023282e Randomly generate a salt when the salt is '' or null.
To prevent an issue where any value is accepted as a password when '' is
provided as the hashed password.

Refs #8650
2016-04-15 21:49:17 -04:00
mark_story
f451efa511 Attempt to fix tests in 2.x
Relying on tv.eurosport.com having a bad peer name is pretty fragile.
However, we can more easily rely on their cert coming from a CA we no
longer trust.
2016-04-14 15:28:34 -04:00
mark_story
79db545b69 Fix PHP 5.4 syntax. 2016-04-02 21:45:02 -04:00
mark_story
1333cc4b3e Merge branch 'postlink-token' into 2.x
Fix inline postLink() calls corrupting the containing form's tampering
token.

Refs #8387
2016-04-01 23:08:41 -04:00
mark_story
c551faad46 Add tests for changes in #8387
Add tests covering the new behavior.
2016-04-01 23:08:31 -04:00
mark_story
84fc9498b5 Allow N11 exchange numbers as valid.
The previous code and commit (fa3d4a0bb5)
were incorrect about invalid exchange numbers as 1-800-211-4511 is
a real phone number.

I've also removed a duplicate alternation pattern.

Refs #8567
2016-03-31 22:38:16 -04:00
mark_story
1926d40d40 Fix possibility for spoofed files to pass validation.
Use `is_uploaded_file` to prevent crafty requests that contain bogus
files from getting through. A testing stub class was necessary to avoid
making significant changes to the test suite.
2016-03-28 22:10:36 -04:00
mark_story
f57f038c09 Fix for PHP 5.3 2016-03-16 21:17:42 -04:00
mark_story
745f3a33e6 Fix boolean values in select widgets.
Boolean `false` should be treated like `0` when comparing option values.

Refs #8468
2016-03-15 22:59:03 -04:00
mark_story
af046fc7d6 Merge branch 'request-ip' into 2.x 2016-03-13 23:00:47 -04:00
mark_story
fef3090717 Fix incorrectly inheriting permissions.
When child inherits from a deny parent the '*' permission should reflect
permissions on all nodes not just the leaf node. Previously once a node
with all permissions set to inherit was found, the check would pass.
Instead it should cascade to the parent nodes and look for explicit
allow/deny.

Refs #8450
2016-03-11 23:18:50 -05:00
mark_story
48af49ddde Don't trust CLIENT_IP
The client_ip header can easily be forged. In 'safe' modes we should
only trust the remote_addr which comes from the sapi. Remove support for
http_clientaddress as I can't seem to find where this ever came from in
PHP on the http specs.
2016-03-10 22:04:13 -05:00
Mark Story
18b0334890 Merge pull request #8384 from garas/mailtransport-log-subject
Email log missing Subject and To headers when using MailTransport
2016-03-02 21:29:13 -05:00
mark_story
3ad68db5eb Tweak fix from #8359
This fixes a regression introduced in that change that we didn't
previously have tests for. The issue fixed in #8359 was related to
PHP7.0, whereas PHP5 didn't have an issue. Now both versions will work
the same.
2016-03-02 12:30:48 -05:00
Edgaras Janušauskas
2386a86adc Include Subject and To in email log when using MailTransport 2016-03-01 22:21:14 +02:00
mark_story
3ed321dff4 Handle negative numbers in Redis correctly.
Update number sniff to handle negative numbers. We need to do number
sniffing so we can maintain compatbility between write() and
increment()/decrement().

Refs #8364
2016-02-27 00:07:58 -05:00
Mark Story
eae7a8926b Merge pull request #8345 from cakephp/issue-8330
Fix parsing empty header values.
2016-02-26 23:01:59 -05:00
Mark Story
31b3f39b67 Merge pull request #8310 from cakephp/secure-random
2.x - Secure random
2016-02-25 22:05:08 -05:00
mark_story
1a170e1eec Fix parsing empty header values.
Replace the complex and somewhat unfixable regexp based parser for
a parser that handles each line individually. Normalize multi-line
headers to replace multiple spaces with a single one. Section 4.2 of the
HTTP1.1 standard states

> Any LWS that occurs between field-content MAY be replaced with
> a single SP before interpreting the field value or forwarding the
> message downstream.

This makes me somewhat confident that we can safely normalize
multi-line HTTP header values.

Refs #8330
2016-02-24 22:25:58 -05:00
mark_story
9c0da41858 Skip test on PHP7 as the warning is not consistent. 2016-02-23 20:54:16 -05:00
Mark Story
ff6cdd4b73 Merge pull request #8279 from cakephp/issue-8114
Fix inherited permissions when checking the '*' permission.
2016-02-22 14:48:58 -05:00
mark_story
7df99fff1f Backport Security::randomBytes() to 2.x
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.

I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be supressed in production if they
really are in a jam and don't care.

Refs #8282
2016-02-22 00:14:44 -05:00
mark_story
4389c79442 Update tests.
The old tests were relying on the fixed inherit bug. Instead check
a specific permission which will result in a deny.

Refs #8114
2016-02-18 21:24:52 -05:00
mark_story
8f3df8b13e Make tests not fail when extensions are installed
If the extensions are installed but memcached/redis are not running
errors should not be emitted.
2016-02-18 21:14:55 -05:00
mark_story
b2509ea13d Fix inherited permissions when checking the '*' permission.
When checking inherited permissions for '*' also copy inherited
permissions onto the inherited list. By copying the inherited values, we
get the union of explit allow and inherited permissions, which if all
things go well will match the permission key list.

Refs #8114
2016-02-16 22:30:19 -05:00
Mark Story
68082fad02 Merge pull request #8207 from CakeDC/feature/uuid
Add support for Postgres native uuid datatype
2016-02-16 21:53:08 -05:00
Chris Hallgren
bf22e84d65 CS fixes 2016-02-15 20:44:27 -06:00
Chris Hallgren
849abab6a4 Fixing test case 2016-02-15 19:34:05 -06:00
Chris Hallgren
0c183b9b8e Read content type in a more compatible way.
Not all webservers set CONTENT_TYPE. The built-in PHP webserver for
example sets HTTP_CONTENT_TYPE instead. Add a public method to the
request object to smooth over this difference.

Refs #6051, #8267
2016-02-15 19:31:24 -06:00
Marc Würth
b5655d63ff Remove lighthouse references 2016-02-10 12:27:34 +01:00
mark_story
e4b939bba0 Backport fix for Validation::uploadedFile to 2.x
Don't fail validation when the keys are not the expected order.

Refs #8201
2016-02-08 22:37:25 -05:00
mark_story
c0d897b45c Merge branch '2.x' into 2.8 2016-02-06 20:55:08 -05:00
Mark Story
41a12e9aa2 Merge pull request #8067 from cakephp/issue-7906
Make the session cacheLimiter a configuration option.
2016-02-06 20:30:48 -05:00
Edgaras Janušauskas
f389231058 Improve ExtractTask when CakePHP installed via Composer 2016-02-03 14:52:15 +02:00
Jorge M. González Martín
3ca3ffeeee fix phpcs 2016-01-29 08:56:36 +00:00
mark_story
3b5a71df37 Merge branch '2.7' into 2.8 2016-01-28 21:51:59 -05:00
mark_story
fc57dee72f Fix error in PHP 5.3 2016-01-28 21:50:56 -05:00
Mark Story
aa449b194d Merge pull request #8125 from CakeDC/issue/7978
Add support for NOT IN in Model::find() conditions.

Refs #7978 fixing regex to take in account IN operator
2016-01-28 21:48:04 -05:00
Yevgeny Tomenko
70c4e40532 Fix value check and formatting. 2016-01-28 23:36:07 +03:00
Pedro Fernandes Steimbruch
bf8e6ce576 Refs #7978 fixing code standard 2016-01-28 17:55:19 -02:00
Pedro Fernandes Steimbruch
eaeb7cea9e Refs #7978 fixing regex to take in account IN operator 2016-01-28 17:34:08 -02:00
Yevgeny Tomenko
e83a532af0 Fixed array syntax. 2016-01-28 22:12:24 +03:00