By including the URL in generated hash for secured forms we prevent
a class of abuse where a user uses one secured form to post into a
controller action the form was not originally intended for. These cross
action requests could potentially violate developer's mental model of
how SecurityComponent works and produce unexpected/undesirable outcomes.
Thanks to Kurita Takashi for pointing this issue out, and suggesting
a fix.
Paths containing `..` are generally up to no good. Throw an exception,
as developers can use realpath() if they really need to get relative
paths.
Fixes#3370
I get a load of these errors when running tests in the shell, this check stops the errors from happening
Warning: 2 :: fclose() expects parameter 1 to be resource, integer given on line 298 of CORE\Cake\Console\ConsoleOutput.php
Trace:
fclose - [internal], line ??
ConsoleOutput::__destruct() - CORE\Cake\Console\ConsoleOutput.php, line 298
ToolbarComponent::_saveState() - APP\Plugin\DebugKit\Controller\Component\ToolbarComponent.php, line 307
ToolbarComponent::beforeRedirect() - APP\Plugin\DebugKit\Controller\Component\ToolbarComponent.php, line 307
ObjectCollection::trigger() - CORE\Cake\Utility\ObjectCollection.php, line 132
call_user_func - [internal], line ??
CakeEventManager::dispatch() - CORE\Cake\Event\CakeEventManager.php, line 247
Controller::redirect() - CORE\Cake\Controller\Controller.php, line 765
AuthComponent::_unauthenticated() - CORE\Cake\Controller\Component\AuthComponent.php, line 364
AuthComponent::startup() - CORE\Cake\Controller\Component\AuthComponent.php, line 304
ObjectCollection::trigger() - CORE\Cake\Utility\ObjectCollection.php, line 132
call_user_func - [internal], line ??
CakeEventManager::dispatch() - CORE\Cake\Event\CakeEventManager.php, line 247
Controller::startupProcess() - CORE\Cake\Controller\Controller.php, line 675
Dispatcher::_invoke() - CORE\Cake\Routing\Dispatcher.php, line 182
Dispatcher::dispatch() - CORE\Cake\Routing\Dispatcher.php, line 160
While the had the potential to make 404s going through AssetDispatcher
much faster, they broke plugins + extension routing. While explicit
extensions could be fixed, routing all extensions could not. Because we
are trying to keep 2.x as API compatible as possible it makes sense to
revert the previous changes.
Fixes an error in #2750 where routed extensions would always return
404's for plugin requests. When a file extenion could be handled by
router, AssetDispatcher cannot 404 the request.
Refs #3305
When using comparison with a boolean, as the filter is a string, we have to convert the data boolean to "boolean string" to avoid type-casting troubles.
## Example
```php
$users = [
[
'id' => 2,
'username' => 'johndoe',
'active' => true
],
[ 'id' => 5,
'username' => 'kevin',
'active' => true
],
[
'id' => 9,
'username' => 'samantha',
'active' => false
],
];
$unactiveUsers = Hash::extract($users, '{n}[active=false]');
print_r($unactiveUsers);
```
This example returns the two unwanted active users because `"false"` is `true` but not `false` :)
I think this pull request will fix this issue by converting true/false boolean to string (to match with our filter).
