The HTTP specs seem to indicate that the Location header should contain
an 'absoluteURI' which includes encoded data. In order to avoid
a regression with the issue fixed in b9ee4fc9f1
we'll continue to replace `%2F` and no longer decode the entire URI.
Fixes #5076

E.g.:

Actual Posted URL:
    /admin/settings/settings/prefix/Access%20Control

$_GET value:
    /admin/settings/settings/prefix/Access_Control

Since $unsetUrl differs, the $_GET value will get copied into
CakeRequest::$query, causing CakeRequest::here() to return:
    /admin/settings/settings/prefix/Access%20Control?%2Fadmin%2Fsettings%2Fsettings%2Fprefix%2FAccess_Control=

This confuses SecurityComponent in the following line:
f23d811ff5/lib/Cake/Controller/Component/SecurityComponent.php (L514)

While filter_var() allows a number of email addresses that
Validation::email() does not, it misses out on email addresses that
contain IDN host names, and Unicode mailboxes. Both of these are
generally deliverable, and should be permitted. filter_var() also fails
on local mailboxes like `root@localhost` which is useful in the context
of cron jobs.
Fixes #3742

When sending multi-part emails with no attachments we shouldn't include
the outer multipart/mixed header as it confuses Outlook and causes it to
show the email as having attachments even though there are none.
A bunch of tests need to be adjusted as the empty multipart/mixed
container has been removed.
Fixes #3474

Paths containing `..` are generally up to no good. Throw an exception,
as developers can use realpath() if they really need to get relative
paths.
Fixes #3370

HTTP_X_FORWARDED_HOST is supposed to be used by proxies to indicate the
original HTTP_HOST value. It has nothing to do with referer values.
Since the HTTP_X_FORWARDED_HOST is intended to replace the HOST header
in proxied setups, add a trustProxy parameter to host() and default it
to false. This maintains existing behavior and allows people to access
the proxied value.
Fixes #2537
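
The opt-in behaviour described in the last commit message above, as an added example that is not CakePHP's own code. `resolveHost()` is a hypothetical stand-alone function, and the `$_SERVER`-style arrays are constructed samples.

```php
<?php
// Added illustration. resolveHost() is a hypothetical stand-alone function,
// not CakePHP's CakeRequest::host(); the $server arrays are constructed samples.

/**
 * Pick the host name for a request from a $_SERVER-style array.
 * The forwarded header is consulted only when the caller opts in.
 */
function resolveHost(array $server, bool $trustProxy = false): string
{
    if ($trustProxy && !empty($server['HTTP_X_FORWARDED_HOST'])) {
        return $server['HTTP_X_FORWARDED_HOST'];
    }
    // Default path: ignore the forwarded header entirely.
    return $server['HTTP_HOST'] ?? '';
}

// Constructed request: the client reaches the app directly and sets the
// forwarded header itself. No proxy is involved.
$direct = [
    'HTTP_HOST' => 'app.example.com',
    'HTTP_X_FORWARDED_HOST' => 'spoofed.example',
];

// Constructed request: a reverse proxy rewrote Host to the backend address
// and recorded the original host in the forwarded header.
$proxied = [
    'HTTP_HOST' => 'backend.internal:8080',
    'HTTP_X_FORWARDED_HOST' => 'app.example.com',
];

$cases = [
    ['direct, default (false)', $direct, false],
    ['direct, trustProxy = true', $direct, true],
    ['proxied, default (false)', $proxied, false],
    ['proxied, trustProxy = true', $proxied, true],
];

foreach ($cases as [$label, $server, $trust]) {
    printf("%-28s => %s\n", $label, resolveHost($server, $trust));
}
// The second case returns the client-supplied value, which is why the flag
// defaults to false and belongs only in deployments behind a known proxy.
```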