Fix missing HTML encoding when error messages contain HTML. This can
happen when user data is used as an offset in an array in an unchecked
way.
Thanks to Teppei Fukuda for reporting this issue via the responsible
security disclosure process.
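The problem described in this commit, as an added example that is not CakePHP's own code: an array is indexed with a request parameter without checking the key first, PHP raises a notice whose text contains that parameter verbatim, and an error page that interpolates the message unencoded becomes an HTML injection. The `$config` array, `$userKey` payload and the two render functions are constructed for this illustration.

```php
<?php
// Added example, not CakePHP's own code. $config, $userKey and the render
// functions are constructed to show the unchecked-offset -> error-message -> HTML path.

$config  = ['debug' => 1];
$userKey = '<img src=x onerror=alert(1)>';   // attacker-controlled request parameter

// Capture the notice/warning PHP raises for the missing offset, so we can
// see exactly what text it carries.
$captured = null;
set_error_handler(function (int $errno, string $errstr) use (&$captured): bool {
    $captured = $errstr;
    return true;
});
$value = $config[$userKey];   // unchecked offset: the message now contains $userKey verbatim
restore_error_handler();

function renderErrorUnsafe(string $message): string
{
    // Vulnerable: the raw message is interpolated into markup.
    return '<p class="error">' . $message . '</p>';
}

function renderError(string $message): string
{
    // Encoded: the payload is rendered as inert text.
    return '<p class="error">' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

echo renderErrorUnsafe($captured), "\n";  // ...<img src=x onerror=alert(1)>... executes in the browser
echo renderError($captured), "\n";        // ...&lt;img src=x onerror=alert(1)&gt;... does not

// Root-cause fix in the caller: never index with untrusted data without checking it.
$safe = array_key_exists($userKey, $config) ? $config[$userKey] : null;
```

Both fixes belong together: encoding at the render step protects every message, whatever produced it, and checking the key before indexing stops the notice from being generated in the first place.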
By removing a bunch of empty() guards we can make '' behave like all the
other key names. This does change the existing behavior/tests around ''
key, but I think that is ok given the need to manipulate ''.
Refs #9632
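Why `empty()` is the wrong guard when `''` is a legitimate key, as an added example (not the project's code). The `getWithEmptyGuard` / `getWithStrictGuard` functions and the `$data` array are constructed for this illustration; the point is that `empty('')` and `empty('0')` are both `true`, so an `empty()` guard turns a lookup of those keys into "return everything".

```php
<?php
// Added example, not CakePHP's own code. Shows why a guard of the form
// `if (empty($key))` cannot be used once '' (and '0') are valid key names.

function getWithEmptyGuard(array $data, $key)
{
    if (empty($key)) {          // true for null, '', '0', 0, false, [] ...
        return $data;           // ... so '' silently means "give me the whole array"
    }
    return $data[$key] ?? null;
}

function getWithStrictGuard(array $data, $key)
{
    if ($key === null) {        // only the genuinely absent key means "whole array"
        return $data;
    }
    return $data[$key] ?? null; // '' and '0' are looked up like any other key
}

$data = ['' => 'empty-name', '0' => 'zero', 'a' => 'alpha'];

var_dump(getWithEmptyGuard($data, ''));    // the whole array, not 'empty-name'
var_dump(getWithStrictGuard($data, ''));   // string(10) "empty-name"
var_dump(getWithEmptyGuard($data, '0'));   // the whole array again: '0' is also "empty"
var_dump(getWithStrictGuard($data, '0'));  // string(4) "zero"
var_dump(getWithStrictGuard($data, null)); // the whole array, as intended
```

The same reasoning applies to `!$key` and to `if ($key)` conditions; a strict `=== null` (or `func_num_args()` check for optional parameters) is the only test that distinguishes "no key given" from "the key is the empty string".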
The current checks are way too relaxed, and are more like testing
for a substring, which makes it easy for invalid paths to slip
through, for example `/foo/var/www` is falsely tested to reside in
`/var/www`.
Passing an empty path never worked properly, it was triggering a
warning, didn't work on Windows, and the behavior that the current
top level directory would be assumed for empty paths wasn't
documented.
Similar is true for relative paths. While they did match at one point,
this was incorrect behavior, and matching actual path fragments seems
out of scope for this method.
This change makes the `$path` argument required, requires it to be an
absolute path, and throws an exception in case a non-absolute path is
being passed.
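A containment check with the properties this commit describes, as an added example rather than the project's `Folder::inPath()` code: both arguments must be absolute, a non-absolute path throws, and the comparison is done on whole path segments after lexical normalisation so that `/foo/var/www` is not treated as living inside `/var/www` and `/var/www2` is not confused with `/var/www`. The helper names and the test paths are constructed here.

```php
<?php
// Added example, not CakePHP's own code. inPath() compares normalised,
// separator-terminated paths instead of doing a bare substring test.

function isAbsolutePath(string $path): bool
{
    // Unix root, Windows drive letter (C:\ or C:/) or UNC (\\server\share).
    return (bool)preg_match('#^(?:/|[A-Za-z]:[\\\\/]|\\\\\\\\)#', $path);
}

function normalizePath(string $path): string
{
    // Lexical clean-up only: unify separators, drop '.', resolve '..'.
    // Use realpath() as well when the path exists and symlinks matter.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    // Canonical form: leading '/', single '/' between segments, trailing '/'.
    // 'C:/x' becomes '/C:/x/', which is fine because both sides get the same treatment.
    return '/' . implode('/', $parts) . ($parts ? '/' : '');
}

function inPath(string $path, string $base): bool
{
    foreach ([$path, $base] as $p) {
        if ($p === '' || !isAbsolutePath($p)) {
            throw new InvalidArgumentException("Absolute path required, got '$p'");
        }
    }
    $path = normalizePath($path);
    $base = normalizePath($base);
    // The trailing '/' on $base is what makes this a segment comparison:
    // '/var/www/' is a prefix of '/var/www/app/' but not of '/var/www2/app/'.
    $cmp = DIRECTORY_SEPARATOR === '\\' ? 'strncasecmp' : 'strncmp';
    return $cmp($path, $base, strlen($base)) === 0;
}

assert(inPath('/var/www/app', '/var/www') === true);
assert(inPath('/var/www', '/var/www') === true);
assert(inPath('/var/www/../www/app', '/var/www') === true);
assert(inPath('/foo/var/www', '/var/www') === false);   // a substring test says true here
assert(inPath('/var/www2/app', '/var/www') === false);  // partial-segment match
assert(inPath('/var/www/../../etc/passwd', '/var/www') === false);
assert(inPath('/', '/') === true);

try {
    inPath('relative/path', '/var/www');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";   // Absolute path required, got 'relative/path'
}
```

Note that the normalisation is purely lexical: it cannot see symlinks, so a path that exists should additionally be passed through `realpath()` before the comparison when the check guards file access rather than configuration.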
The previous code and commit (fa3d4a0bb5)
were incorrect about invalid exchange numbers as 1-800-211-4511 is
a real phone number.
I've also removed a duplicate alternation pattern.
Refs #8567
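A validator that applies only the structural North American Numbering Plan rules, as an added example (not CakePHP's own `Validation::phone()` pattern): the area code and the exchange must start with a digit from 2 to 9, and nothing else about the exchange is restricted, which is why `1-800-211-4511` is accepted. The pattern and the sample numbers are constructed here.

```php
<?php
// Added example, not CakePHP's own validation code. Enforces NANP structure
// (N = 2-9 as the first digit of area code and exchange) and nothing more.

function isNanpPhone(string $number): bool
{
    $pattern = '/^(?:\+?1[-. ]?)?'            // optional country code
             . '\(?([2-9][0-9]{2})\)?[-. ]?'   // area code, optionally in parentheses
             . '([2-9][0-9]{2})[-. ]?'         // exchange: first digit 2-9, the rest unrestricted
             . '([0-9]{4})$/';                 // subscriber number
    return preg_match($pattern, $number) === 1;
}

// Constructed test numbers.
$cases = [
    '1-800-211-4511' => true,   // the number from the report: exchange 211 is fine
    '(800) 211-4511' => true,
    '800.211.4511'   => true,
    '1-800-111-4511' => false,  // exchange may not start with 0 or 1
    '1-100-211-4511' => false,  // area code may not start with 0 or 1
    '800-211-451'    => false,  // too short
];

foreach ($cases as $number => $expected) {
    $ok = isNanpPhone($number);
    echo str_pad($number, 16), $ok ? 'valid' : 'invalid',
         ($ok === $expected ? '' : '  <-- unexpected'), "\n";
}
```

If a stricter check is wanted, the place to add it is a separate rule with a clear source (for example a list of assigned area codes), not extra exclusions baked into the exchange alternation, which is how the false rejection arose.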
Use `is_uploaded_file` to prevent crafty requests that contain bogus
files from getting through. A testing stub class was necessary to avoid
making significant changes to the test suite.
I decided to leave the warning in. People who can't upgrade their
applications should at least be aware of the risks they are taking.
I'm flexible if people are strongly opposed to a warning, but I feel
that these kinds of warnings can be suppressed in production if they
really are in a jam and don't care.
Refs #8282
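The check this commit adds, as an added example that is not CakePHP's own upload code: an entry from `$_FILES` is only accepted when `is_uploaded_file()` confirms PHP itself created its `tmp_name`, so a request that merely claims `tmp_name` is `/etc/passwd` is refused. The `UploadGuard` interface, the `StubUploadGuard` class (the kind of testing stub the commit mentions) and the sample entries are constructed for this illustration.

```php
<?php
// Added example, not CakePHP's own code. UploadGuard and both implementations
// are constructed here; PhpUploadGuard is what production would use, the
// stub is what a test suite uses because there is no real multipart request.

interface UploadGuard
{
    public function isUploaded(string $path): bool;
}

final class PhpUploadGuard implements UploadGuard
{
    public function isUploaded(string $path): bool
    {
        return is_uploaded_file($path);   // true only for files PHP itself received
    }
}

final class StubUploadGuard implements UploadGuard
{
    private array $known;

    public function __construct(array $known)
    {
        $this->known = $known;
    }

    public function isUploaded(string $path): bool
    {
        return in_array($path, $this->known, true);
    }
}

// Returns the validated temporary path; the caller then moves it with
// move_uploaded_file(), which performs the same is_uploaded_file() check.
function validateUpload(array $file, UploadGuard $guard): string
{
    foreach (['name', 'tmp_name', 'error', 'size'] as $key) {
        if (!array_key_exists($key, $file)) {
            throw new InvalidArgumentException("Malformed upload entry: missing '$key'");
        }
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . $file['error']);
    }
    // The core check: a forged tmp_name pointing at any readable file is refused here.
    if (!$guard->isUploaded($file['tmp_name'])) {
        throw new RuntimeException('Refusing non-uploaded file: ' . $file['tmp_name']);
    }
    return $file['tmp_name'];
}

// Constructed sample entries in $_FILES layout.
$guard  = new StubUploadGuard(['/tmp/phpAbC123']);   // what PHP "really" received
$honest = ['name' => 'report.pdf', 'tmp_name' => '/tmp/phpAbC123', 'error' => UPLOAD_ERR_OK, 'size' => 1024];
$forged = ['name' => 'report.pdf', 'tmp_name' => '/etc/passwd',    'error' => UPLOAD_ERR_OK, 'size' => 1024];

echo validateUpload($honest, $guard), "\n";   // /tmp/phpAbC123
try {
    validateUpload($forged, $guard);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";              // Refusing non-uploaded file: /etc/passwd
}
```

The client-supplied `name` is deliberately not used as a path component anywhere above; the only value trusted from the entry is `tmp_name`, and only after the guard has vouched for it.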
Fix file:// paths being mishandled on windows.
While I don't think it's feasible to fix all the cases reported in #7275
as certain paths have different meaning in windows, we can fix file://
not working.
Refs #7275
As per discussion in #cakephp the other day, `debug()` will automatically censor out a list of keys, including `prefix` and `schema`. These are useful to see in output for debugging prefix routing, and should not automatically be considered sensitive information.
Useful for countries that do not have many of their cities, even major ones,
listed. For example, Indonesia only has 4 cities listed.
For backward compatibility, abbreviations will not be shown.
Note: You might need to update timezonedb for PHP 5.3
Closes #7271
We were sometimes removing plugin prefixes (set, and some subclass
methods). But many other methods were missing the pluginSplit() feature.
This change makes all of the methods in ObjectCollection strip plugin
prefixes, which increases consistency across the framework.
Refs #7098
The current Hash::maxDimensions function calls Hash::dimensions to try
to get the maximum depth of the passed in array. However, this ends up
only getting the depth of the first element of each 1st dimension
element in the array passed to maxDimensions. The function needs to be
called recursively in order to get the depth of ALL of the elements in
all of the dimensions of the passed in array.
I made the maxDimensions function more closely resemble the deprecated
Set::countDim function in order to restore the correct functionality.
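The difference between following only the first element of each branch and recursing into every element, as an added example (not CakePHP's `Hash::maxDimensions()` or `Set::countDim()` code). `firstPathDepth`, `maxDimensionsShallow`, `maxDimensions` and the `$data` array are constructed for this illustration; the shallow version reproduces the behaviour the commit describes.

```php
<?php
// Added example, not CakePHP's own code. Depth is counted as: a scalar has
// depth 0, an array has depth 1 + the deepest of its values (an empty array is 1).

// Follows only the first element at each level, so it reports the depth of
// one path through the array rather than the deepest one.
function firstPathDepth(array $data): int
{
    $depth = 0;
    $elem = $data;
    while (is_array($elem) && $elem !== []) {
        $depth++;
        $elem = reset($elem);
    }
    return $depth;
}

// The pattern the commit describes as broken: one first-path probe per
// top-level value, never recursing into later siblings.
function maxDimensionsShallow(array $data): int
{
    $depths = [0];
    foreach ($data as $value) {
        $depths[] = firstPathDepth((array)$value) + 1;
    }
    return max($depths);
}

// Recursive version: every element at every level is visited.
function maxDimensions($value): int
{
    if (!is_array($value)) {
        return 0;
    }
    $max = 0;
    foreach ($value as $child) {
        $max = max($max, maxDimensions($child));
    }
    return 1 + $max;
}

// Constructed input: the deepest nesting is NOT the first element of 'a'.
$data = ['a' => [1, [2, [3]]], 'b' => 4];

echo maxDimensionsShallow($data), "\n"; // 2: the probe stops at the scalar 1
echo maxDimensions($data), "\n";        // 4: a -> [1, [...]] -> [2, [...]] -> [3]
```

The recursive form is O(n) in the number of elements, the same order as counting them, so there is no performance reason to keep the shallow probe.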
Use the mbstring shims we already provide to make Inflector more robust
than it currently is. This solves the invalid ID attribute generation in
a way that never varies between environments.
Refs #6635
Underscore separated words were not caught by the irregular regex,
tests however didn't fail as the default rules matched the tested words
too. The added test should ensure that this won't happen again.
Fixes the gap left by the previous #6538 fix.
This matcher will match anything and is useful when you just want to
traverse through data and you're not too picky.
I've also refactored the conditions to use a case as it is slightly more
readable and uses fewer lines of code.
Refs #6447
Sieves incorrectly singularized as sief.
Adds sieve, sieves as an irregular case and test cases to
match for the Inflector class.
Closes Issue #6240 in CakePHP 2.6 Branch
Signed-off-by: Justin Yost <justin.yost@yostivanich.com>
This small change will allow some IDEs like NetBeans to work with the returned object like with an instance of the $class parameter.
I'm sure this will help Cake users a lot!
In case the path passed to the File class doesn't exist, this will
cause File::$path to be set to a partial path, that is the filename
of the passed path with a slash prepended, e.g. with
$file = new File('/non/existent/file');
calling $file->pwd() will return/set /file, possibly causing that
file in the root to be accessed.
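How the partial path arises and how to avoid it, as an added example that is not CakePHP's `File`/`Folder` code: when the directory part of the path cannot be resolved, an empty directory gets slash-terminated into `/`, and the basename is appended to that. The `resolveDir`, `slashTerm`, `pathBuggy` and `pathFixed` functions are constructed here, and the example assumes `/non/existent` does not exist on the machine running it.

```php
<?php
// Added example, not CakePHP's own code. Shows the failure mode for a
// non-existent directory and a constructor-style path computation that
// keeps the caller's directory instead of silently re-rooting the file.

function resolveDir(string $dir): ?string
{
    $real = realpath($dir);             // false when the directory does not exist
    return $real === false ? null : $real;
}

function slashTerm(?string $dir): string
{
    return rtrim((string)$dir, '/') . '/';   // null or '' becomes '/', i.e. the root
}

// Buggy pattern: an unresolved directory degrades to '' and therefore to '/'.
function pathBuggy(string $path): string
{
    return slashTerm(resolveDir(dirname($path))) . basename($path);
}

// Fixed pattern: fall back to the directory the caller actually passed.
function pathFixed(string $path): string
{
    $dir = resolveDir(dirname($path)) ?? dirname($path);
    return slashTerm($dir) . basename($path);
}

// Stricter alternative for code that must not touch an unexpected location at all.
function pathStrict(string $path): string
{
    $dir = resolveDir(dirname($path));
    if ($dir === null) {
        throw new RuntimeException('Directory does not exist: ' . dirname($path));
    }
    return slashTerm($dir) . basename($path);
}

$path = '/non/existent/file';   // constructed; assumed not to exist
echo pathBuggy($path), "\n";    // /file  -> a file in the root would be read or written
echo pathFixed($path), "\n";    // /non/existent/file
try {
    pathStrict($path);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // Directory does not exist: /non/existent
}
```

The security-relevant point is the silent fallback: a path that fails to resolve should either be kept verbatim or rejected, never collapsed to a shorter one that points somewhere else.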