Commit graph

7724 commits

Author SHA1 Message Date
chinpei215
fc397bd481 Pass MCRYPT_DEV_URANDOM to mcrypt_create_iv() explicitly 2018-01-20 00:25:35 +09:00
chinpei215
5289aae64e Change Security::randomBytes() to fallback to mcrypt_create_iv() 2018-01-19 23:54:58 +09:00
chinpei215
d7ed0339b1 Make mcrypt optional
Now Security::encrypt() and Security::decrypt() work with openssl
if the mcrypt extension is unavailable.
Note that Security::rijndael() doesn't work with openssl.
2018-01-19 23:54:53 +09:00
Mark Story
ab272b09c7
Merge pull request #11581 from bancer/issue-11131-long-cache-key
Hash group cache keys to prevent key overflows in some cache engines
2018-01-06 22:05:39 -05:00
Mark Story
83928f9d74
Merge pull request #11590 from cakephp/issue-11588
Buffer contents of HtmlReporter.
2017-12-31 21:13:28 -05:00
Koji Tanaka
400d45f56c fix code style 2017-12-31 17:05:26 +09:00
Koji Tanaka
74a8611eef [2.x]Fix can't load aliased component on ControllerTestCase 2017-12-31 15:44:05 +09:00
mark_story
d2c4bf2bb2 Buffer contents of HtmlReporter.
Collect HTML output into a buffer so we can provide compatibility across
PHPUnit 3.x and 4.x

Refs #11588
2017-12-30 23:47:11 -05:00
Val Bancer
0f51c75157
replaced vsprintf to implode 2017-12-28 16:15:14 +01:00
Val Bancer
7ae84e3d5d
Makes the cache key shorter by using md5() 2017-12-28 10:02:35 +01:00
mark_story
51206d7358 Update version number to 2.10.6 2017-12-18 21:15:48 -05:00
Mark Story
3bf93b7f76
Merge pull request #11526 from cakephp/post-conditions
Make postConditions() less permissive.
2017-12-15 14:36:38 -05:00
mark_story
340059be15 Check model names for bad characters as well. 2017-12-13 00:01:09 -05:00
mark_story
a9618f67f7 Use a permitted list instead of a ban list.
This should be safer as we are more confident on what is coming in.
2017-12-13 00:01:05 -05:00
Koji Tanaka
fba7f1c617
Fix Phpdoc for CakeObject::log() 2017-12-12 20:00:21 +09:00
mark_story
f66dec8a96 Make postConditions() less permissive.
We were notified by `ooooooo_q` that postConditions() is vulnerable to
SQL injection if used without SecurityComponent tampering prevention.

This change attempts to make postConditions() safer by exploding in
unsafe scenarios.
2017-12-10 21:44:47 -05:00
chinpei215
6ad30946d8 Fix CS 2017-12-04 23:31:32 +09:00
chinpei215
9f65402d2c Fix CakeRequest::referer(true) returning scheme-relative URLs
Backport of #11503 (and #8795)
2017-12-04 21:18:27 +09:00
dereuromark
eaf7454628 Clarify migration path to 3.x 2017-11-29 19:57:01 +01:00
Mark Story
abec95d3ea
Merge pull request #11469 from db-bogdan/issue11468
fixes #11468 sending user data on basic auth in API environment
2017-11-28 21:52:59 -05:00
chinpei215
4ae9f13dfd Fix 'order' not working with a single expression 2017-11-29 00:17:57 +09:00
db-bogdan
e824346cca extra fix 2017-11-28 11:43:55 +02:00
db-bogdan
94e06dfeb3 add unit test 2017-11-28 11:31:46 +02:00
db-bogdan
5695fef46f fixes #11468 2017-11-27 11:59:34 +02:00
Mischa ter Smitten
d7b9e55e98 Fix indent 2017-11-23 14:12:13 +01:00
Mischa ter Smitten
05954ff405 Consistency changes 2017-11-23 10:09:25 +01:00
Mischa ter Smitten
4faac8e09a Improved readability 2017-11-23 10:06:14 +01:00
Mischa ter Smitten
bc1678cf2a Add option to make _validAgentAndTime 3.x compatible 2017-11-23 10:02:38 +01:00
Val Bancer
a2cc9843e4
added missing ob_end_flush() call 2017-11-21 15:20:14 +01:00
mark_story
10fcd7633d Update version number to 2.10.5 2017-11-20 21:09:55 -05:00
mark_story
f788c90b3c Fix typo 2017-11-05 22:34:47 -05:00
Mark Story
b175270f62
Merge pull request #11404 from ynaderi/2.x
- DigestAuthenticate modification for cakephp 2.X
2017-11-05 22:34:17 -05:00
Yaser Naderi
26a683f36f - DigestAuthenticate modification for cakephp 2.X 2017-11-03 14:53:54 -04:00
Milan van As
7de5ae4438 Force email domain lookups to work in fallback case. 2017-10-25 08:45:57 +02:00
saeideng
b59b64db29 replace tab with space 2017-10-21 22:44:15 +03:30
mark_story
549c181926 Update version number to 2.10.4 2017-10-18 21:54:49 -04:00
chinpei215
19bbb7da17 Simplify CookieComponent::read()
Also, this commit fixes an issue of when the second level key is empty.
Previously, read('foo.0') returned incorrect result.
2017-10-16 21:01:19 +09:00
chinpei215
bbea91090d Fix CookieComponent::delete() not working for deep children 2017-10-16 20:55:00 +09:00
mark_story
e85f489c1f Add test for #11284 2017-10-13 21:55:56 -04:00
Mark Story
d3a4ce1216 Merge pull request #11284 from kolorafa/patch-1
msSQL - also handle offset as string
2017-10-13 21:55:21 -04:00
Mark Story
fb44035177 Merge pull request #11299 from tenkoma/2.x-fix-cc-number-jcb-pattern
[2.x]Fix Credit card number pattern(JCB) is wrong
2017-10-08 10:09:19 -04:00
Koji Tanaka
7d2d902b57 [2.x]Fix Credit card number pattern(JCB) is wrong 2017-10-08 16:15:10 +09:00
Mark Story
e889535e41 Merge pull request #11288 from mensler/session-without-cookies-2.x
Check for session.use_trans_sid and session ID in URL when cookies are disabled (2.x)
2017-10-07 12:17:30 -04:00
Clemens Weiß
61eddc6bde Fixed formatting 2017-10-07 11:11:45 +02:00
Mark Story
a71cad0420 Merge pull request #11283 from chinpei215/2.x-cookie-component-1
[2.x] Fix fatal error thrown when replacing scalar with array
2017-10-06 16:45:38 -04:00
Clemens Weiß
7f64ea37f9 Restored formatting 2017-10-06 17:11:09 +02:00
Clemens Weiß
5d5e791a31 Check for session.use_trans_sid and session ID in URL in case cookies are disabled (backport of cakephp/cakephp#10828 for 2.x) 2017-10-06 17:04:53 +02:00
chinpei215
deac8f9109 Backport #7080, #8233 and #11060 2017-10-06 22:02:37 +09:00
chinpei215
ccf634e5f3 Docblock update 2017-10-06 21:59:48 +09:00
chinpei215
959f45a6c6 Fix fatal error thrown when replacing scalar with array
Refs #11280
2017-10-06 13:43:32 +09:00