Thursday, May 28, 2015

CakePHP 2.6.6 and 3.0.6 Released (security fixes)

The CakePHP core team is ready to announce the immediate availability of CakePHP
2.6.6 and 3.0.6. These are maintenance releases that contain important security
fixes.

## Security Fixes

Earlier this week we were notified that RequestHandlerComponent had
a vulnerability that would allow well-crafted requests to create a denial of
service attack. RequestHandlerComponent leverages `Xml::build()`, which allows
reading local files. We recommend that all applications using
RequestHandlerComponent upgrade, or disable parsing of XML payloads. To disable XML
payload parsing you can do the following:

```php
// In a controller's beforeFilter.
// addInputType() expects a handler array whose first element is the callable;
// any further elements are passed to the callable as extra arguments.
// The no-op closure ignores the request body and returns an empty data array.
$this->RequestHandler->addInputType('xml', array(function() { return array(); }));
```

The above code will replace the built-in XML parsing with a no-op function. We'd
like to thank Takeshi Terada for notifying us of this security issue using our
[Security Issue Process](http://book.cakephp.org/3.0/en/contributing/tickets.html#reporting-security-issues).
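For applications that still need to accept XML bodies, an alternative to the no-op is a replacement handler that parses the payload but refuses DOCTYPE declarations and external resource loading, which is what the file read depends on. This is an added example, not CakePHP's own code: `parseXmlSafely()` and `registerSafeXmlHandler()` are hypothetical names, the handler is assumed to receive the raw request body as its first argument, and the array conversion via a JSON round-trip is a simplification that drops XML attributes.

```php
<?php
// Added example (not part of CakePHP): hardened replacement for the XML input type.

function parseXmlSafely($body)
{
    if (trim($body) === '') {
        return array();
    }
    // Entity declarations (internal, external or parameter entities) can only
    // live in a DTD, so refusing any DOCTYPE blocks entity-based file reads.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        throw new RuntimeException('XML payloads with a DOCTYPE are not accepted.');
    }
    // Defence in depth: no external entity loading, no network access, and
    // never pass LIBXML_NOENT (which would substitute entities).
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_disable_entity_loader($previousLoader);
    libxml_use_internal_errors($previousErrors);
    if ($doc === false) {
        libxml_clear_errors();
        throw new RuntimeException('Malformed XML payload.');
    }
    // Simplified conversion to a plain array (attributes are dropped).
    return json_decode(json_encode($doc), true);
}

// Register the handler on a RequestHandlerComponent instance, e.g. from a
// controller's beforeFilter: registerSafeXmlHandler($this->RequestHandler);
function registerSafeXmlHandler($requestHandler)
{
    $requestHandler->addInputType('xml', array('parseXmlSafely'));
}

// Constructed sample payloads, to show both branches of the handler.
$benign = '<article><title>Hello</title><views>3</views></article>';
var_dump(parseXmlSafely($benign)); // array('title' => 'Hello', 'views' => '3')

$withDtd = '<!DOCTYPE a [<!ENTITY x SYSTEM "file:///etc/hostname">]><a>&x;</a>';
try {
    parseXmlSafely($withDtd);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // the DOCTYPE payload is rejected before parsing
}
```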

## Other Fixes in 2.6.6

* `FormHelper::radio()` now correctly generates ID attributes for radio
  buttons with multibyte values.
* `Inflector::humanize()` and `Inflector::underscore()` work correctly with
  UTF8 characters now.

## Other Fixes in 3.0.6

* `FormHelper::radio()` now correctly generates ID attributes for radio
  buttons with multibyte values.
* `Inflector::humanize()` and `Inflector::underscore()` work correctly with
  UTF8 characters now.
* URLs in `FormHelper::postLink()` are no longer double encoded.
* `PaginatorHelper::numbers()` now supports the `url` option.
* Error.trace is now respected when logging exceptions.
* The Entity accessors cache introduced in 3.0.3 has been removed. It caused
  a number of issues and didn't greatly improve performance.
* `EntityTrait::getOriginal()` and `EntityTrait::extractOriginal()` now
  return values that were initially null.
* Empty query expressions used in association query builders no longer cause
  invalid SQL to be generated.

As always, a huge thanks to all the community members that helped make this
release happen by reporting issues and sending pull requests.
