Commit graph

18867 commits

Author SHA1 Message Date
mark_story
13b914917d Update version number to 2.8.3 2016-03-28 22:17:27 -04:00
mark_story
1926d40d40 Fix possibility for spoofed files to pass validation.
Use `is_uploaded_file` to prevent crafty requests that contain bogus
files from getting through. A testing stub class was necessary to avoid
making significant changes to the test suite.
2016-03-28 22:10:36 -04:00
Mark Story
96c9521802 Merge pull request #8518 from garethellis36/customize-logged-error-message
[2.x] Extracts error trace in ErrorHandler to a helper function to allow customization
2016-03-23 21:20:30 -04:00
mark_story
a0ea7a0f2a Fix PHP5.4+ syntax.
2.x must be compatible with PHP 5.3
2016-03-23 21:19:19 -04:00
Gareth Ellis
a6702b70d4 Extracts error trace in ErrorHandler to a helper function to allow customization 2016-03-23 19:05:23 +00:00
José Lorenzo Rodríguez
24df4ddf02 Merge pull request #8500 from cakephp/issue-8480-requests
Instead of wiping the Router, just clear requests.
2016-03-20 18:34:27 +01:00
mark_story
c6db76d044 Instead of wiping the Router, just clear requests.
Clearing the router also removes routes which can cause assertions to
fail. By just removing the stored requests we avoid the error reported
in #8480 and not break as many tests.
2016-03-20 11:10:34 -04:00
José Lorenzo Rodríguez
099369b94c Merge pull request #8497 from cakephp/issue-8480
Clear the router state after testAction().
2016-03-19 17:45:22 +01:00
mark_story
7ceb0993bf Clear the router state after testAction().
When using array urls, internal state in the Router would cause requests
to be incorrectly handled causing multiple testAction calls in a single
test to fail. By reloading the router we start off with a clean slate
each time.

Refs #8480
2016-03-19 12:16:21 -04:00
Mark Story
01d3c2f599 Merge pull request #8475 from cakephp/issue-8468
Fix boolean values in select widgets.
2016-03-18 22:20:31 -04:00
José Lorenzo Rodríguez
4d59cdbc84 Merge pull request #8478 from tharlinsmith/hasmany-perf-improvement
Replaced nested loop in merging hasMany children with one pass each t…
2016-03-17 21:21:29 +01:00
mark_story
f57f038c09 Fix for PHP 5.3 2016-03-16 21:17:42 -04:00
Thomas Smith
3e86de5bcd Replaced nested loop in merging hasMany children with one pass each through children and parents 2016-03-16 09:37:15 -07:00
mark_story
745f3a33e6 Fix boolean values in select widgets.
Boolean `false` should be treated like `0` when comparing option values.

Refs #8468
2016-03-15 22:59:03 -04:00
Mark Story
61b09024b0 Merge pull request #8470 from ravage84/patch-4
Add note about log levels on Wndows
2016-03-15 21:17:55 -04:00
Mark Story
896c6e3010 Merge pull request #8469 from ravage84/patch-3
Remove outdated statement about log auto config
2016-03-15 21:09:07 -04:00
Marc Würth
ca5e9c305f Add note about log levels on Wndows
This is a problem if a developer on Windows tries to separate those three levels into separate streams without customizing the CakePHP default levels.
2016-03-15 19:37:14 +01:00
Marc Würth
adc450d18b Remove outdated statement about log auto config 2016-03-15 19:33:14 +01:00
mark_story
c0a5d2b341 Merge branch '2.x' into 2.next 2016-03-13 23:02:24 -04:00
mark_story
22a2e93c4b Update version number to 2.8.2 2016-03-13 23:01:17 -04:00
mark_story
af046fc7d6 Merge branch 'request-ip' into 2.x 2016-03-13 23:00:47 -04:00
Mark Story
562d954eea Merge pull request #8453 from cakephp/issue-8450
Fix incorrectly inheriting permissions.
2016-03-12 21:11:12 -05:00
mark_story
fef3090717 Fix incorrectly inheriting permissions.
When child inherits from a deny parent the '*' permission should reflect
permissions on all nodes not just the leaf node. Previously once a node
with all permissions set to inherit was found, the check would pass.
Instead it should cascade to the parent nodes and look for explicit
allow/deny.

Refs #8450
2016-03-11 23:18:50 -05:00
mark_story
48af49ddde Don't trust CLIENT_IP
The client_ip header can easily be forged. In 'safe' modes we should
only trust the remote_addr which comes from the sapi. Remove support for
http_clientaddress as I can't seem to find where this ever came from in
PHP on the http specs.
2016-03-10 22:04:13 -05:00
Mark Story
18b0334890 Merge pull request #8384 from garas/mailtransport-log-subject
Email log missing Subject and To headers when using MailTransport
2016-03-02 21:29:13 -05:00
mark_story
3ad68db5eb Tweak fix from #8359
This fixes a regression introduced in that change that we didn't
previously have tests for. The issue fixed in #8359 was related to
PHP7.0, whereas PHP5 didn't have an issue. Now both versions will work
the same.
2016-03-02 12:30:48 -05:00
Mark Story
63de5ca4ea Merge pull request #8359 from phlyper/patch-1
verify exists index 0 in $ref
2016-03-02 12:27:49 -05:00
Markus Bauer
95558d0bba Data passed through FormHelper::postLink is excluded from CSRF creation of an outer form. Subsequent fix for #8387. 2016-03-02 03:02:43 +01:00
Markus Bauer
7df96b3912 Creating correct CSRF tokens when using FormHelper::postLink within another form. Fixes #8387 2016-03-02 02:51:06 +01:00
Mark Story
bafcba3c71 Merge pull request #8383 from xhs345/patch-1
Updated deprecated doc for flash method
2016-03-01 18:19:39 -05:00
Alex
862397325d fixed typo 2016-03-01 12:41:29 -08:00
Edgaras Janušauskas
2386a86adc Include Subject and To in email log when using MailTransport 2016-03-01 22:21:14 +02:00
Alex
e5e4317217 Updated deprecated doc for flash method 2016-03-01 12:17:39 -08:00
mark_story
78f199f8a0 Update version number to 2.8.1 2016-02-27 22:31:18 -05:00
José Lorenzo Rodríguez
da15674a2c Merge pull request #8365 from cakephp/issue-8364
2.x - Handle negative numbers in Redis correctly.
2016-02-27 16:42:08 +01:00
mark_story
3ed321dff4 Handle negative numbers in Redis correctly.
Update number sniff to handle negative numbers. We need to do number
sniffing so we can maintain compatbility between write() and
increment()/decrement().

Refs #8364
2016-02-27 00:07:58 -05:00
Mark Story
eae7a8926b Merge pull request #8345 from cakephp/issue-8330
Fix parsing empty header values.
2016-02-26 23:01:59 -05:00
phlyper
7b9ff1c11b verify exists index 0 in $ref
exemple

i have to get the referrer url from any page if exists

```
class AppController extends Controller {
......
    public function beforeRender() {
        parent::beforeRender();
        $this->params['referer'] = $this->referer(null, true);
    }
..........
}
```
2016-02-26 22:39:48 +01:00
mark_story
1709f54e38 Update documentation for Model::_readDataSource()
Update sample code to generate unique keys based on association
conditions as well. Because association conditions are not part of the
'query' they need to be handled separately.

Refs #8346
2016-02-26 12:39:29 -05:00
Mark Story
31b3f39b67 Merge pull request #8310 from cakephp/secure-random
2.x - Secure random
2016-02-25 22:05:08 -05:00
mark_story
1a170e1eec Fix parsing empty header values.
Replace the complex and somewhat unfixable regexp based parser for
a parser that handles each line individually. Normalize multi-line
headers to replace multiple spaces with a single one. Section 4.2 of the
HTTP1.1 standard states

> Any LWS that occurs between field-content MAY be replaced with
> a single SP before interpreting the field value or forwarding the
> message downstream.

This makes me somewhat confident that we can safely normalize
multi-line HTTP header values.

Refs #8330
2016-02-24 22:25:58 -05:00
mark_story
9c0da41858 Skip test on PHP7 as the warning is not consistent. 2016-02-23 20:54:16 -05:00
Mark Story
fc714a6451 Merge pull request #8321 from ravage84/patch-2
Replace Set by Hash
2016-02-23 12:42:49 -05:00
Marc Würth
1258739411 Replace Set by Hash
References to the deprecated Set class don't make much sense.
2016-02-23 13:09:03 +01:00
Mark Story
ff6cdd4b73 Merge pull request #8279 from cakephp/issue-8114
Fix inherited permissions when checking the '*' permission.
2016-02-22 14:48:58 -05:00
mark_story
7e5f56362f Deprecate bad methods.
These methods are bad and should feel bad.
2016-02-22 00:16:15 -05:00
mark_story
7df99fff1f Backport Security::randomBytes() to 2.x
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.

I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be supressed in production if they
really are in a jam and don't care.

Refs #8282
2016-02-22 00:14:44 -05:00
mark_story
ee2d222b85 Correct API docs for find().
Fixes #8308
2016-02-21 22:42:24 -05:00
Mark Story
f25af64c81 Merge pull request #8292 from ravage84/2.next-mime-type-backport
Back port mime types from 3.next
2016-02-19 14:41:44 -05:00
Marc Würth
cd62c89994 Back port mime types from 3.next 2016-02-19 14:26:53 +01:00