Eg:
Actual Posted URL:
/admin/settings/settings/prefix/Access%20Control
$_GET value:
/admin/settings/settings/prefix/Access_Control
Since $unsetUrl differs, the $_GET value will get copied in to
CakeRequest::$query, causing CakeRequest::here() to return:
/admin/settings/settings/prefix/Access%20Control?%2Fadmin%2Fsettings%2Fsettings%2Fprefix%2FAccess_Control=
This confuses SecurityComponent in the following line:
f23d811ff5/lib/Cake/Controller/Component/SecurityComponent.php (L514)
Instead of turning on/off strict mode based on the user supplied input,
cast everything to strings and always use a strict check. This avoids
the potential issue of a bad user using hexadecimal when they should not
be allowed to do so. Thanks to 'Kurita Takashi' for pointing this out.
'Kurita Takashi' has let us know that the previous patterns could be
abused by an evil doer. One could potentially send a very large deeply
nested POST data structure. Matching that structure could overflow the
PCRE limits causing a segmentation fault. Adding an upper bound will
solve the problem and I doubt anyone is doing POST data structures with
more than 10 levels of nesting.
If a model class does not define a schemaName we should use the
datasource's schemaName. We can assume that people using schemaName want
to lock the model onto a specific schema given the changes in #3210Fixes#3720
Revert "No truncate when drop table."
Not truncating tables when they are created causes a number of
issues in ControllerTestCases as indicated by the comments in #3646 post merge.
While filter_var() allows a number of email addresses that
Validation::email() does not, it misses out of email address that
contain IDN host names, and unicode mailboxes. Both of these are
generally deliverable, and should be permitted. filter_var() also fails
on local mailboxes like `root@localhost` which is useful in the context
of cron jobs.
Fixes#3742
From php.net/exception.getcode
> Returns the exception code as integer in Exception but possibly as other type in Exception descendants (for example as string in PDOException).
