Thursday, May 7, 2015

CakePHP 3.0.4 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 3.0.4. This is a maintenance release that contains security fixes and bugfixes.

### Security Fixes

There are two issues that can impact the security of a CakePHP application:

* CsrfComponent fails to invalidate requests that are missing both the CSRF token and CSRF post data.
* When marshalling request data, empty entities could bypass validation methods with carefully created JSON payloads. RulesChecker validations would not be bypassed by these empty entities.

We'd like to thank 'Hayato Araki' for contacting us through our [security issue](http://book.cakephp.org/3.0/en/contributing/tickets.html#reporting-security-issues) process about the CsrfComponent issue. We recommend that all users of CakePHP upgrade to 3.0.4 as soon as possible.
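The CsrfComponent issue is a fail-open check: when neither copy of the token is present, a plain equality test still succeeds. The following is an added illustration, not CakePHP's own code; it assumes a double-submit check that compares a cookie token with a posted field, and the function names and sample values are hypothetical.

```php
<?php
// Added illustration, not CakePHP source. Function names are hypothetical
// and the token values below are constructed samples.

/** Fail-open variant: two absent values compare as equal. */
function csrfCheckLenient(?string $cookieToken, ?string $postToken): bool
{
    return $cookieToken === $postToken;
}

/** Fail-closed variant: both copies must be present, non-empty and equal. */
function csrfCheckStrict(?string $cookieToken, ?string $postToken): bool
{
    if ($cookieToken === null || $cookieToken === ''
        || $postToken === null || $postToken === '') {
        return false;
    }
    // Constant-time comparison of the two submitted copies.
    return hash_equals($cookieToken, $postToken);
}

$token = 'c0ffee00c0ffee00c0ffee00c0ffee00'; // constructed sample token

// Each case is [cookie value, posted field value]; null means "not sent".
$cases = [
    'matching cookie and field' => [$token, $token],
    'field missing'             => [$token, null],
    'mismatched values'         => [$token, str_repeat('0', 32)],
    'cookie and field missing'  => [null, null],
];

foreach ($cases as $label => [$cookie, $post]) {
    printf(
        "%-28s lenient=%-6s strict=%s\n",
        $label,
        csrfCheckLenient($cookie, $post) ? 'accept' : 'reject',
        csrfCheckStrict($cookie, $post) ? 'accept' : 'reject'
    );
}
```

Only the last case separates the two variants, which is why a test suite for CSRF protection should include a request that carries no token at all.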

### Bugfixes

In addition to the security issues, the following defects have been fixed:

* Cascading deletes on associations with custom aliases should no longer fail.
* XmlView now supports `_xmlOptions`. This matches the behavior of JsonView.
* `EntityTrait::extractOriginal()` now behaves consistently with `extract()`. Both methods now include all named properties, instead of just the unchanged properties. A new method `extractOriginalChanged()` can be used to extract only the original values of changed attributes.
* Query string parameters are now correctly supported in `IntegrationTestCase`.
* `Collection::isEmpty()` and `Cake\ORM\Query::isEmpty()` were added.
* Forms can now be created without the action attribute.
* Accessing entity data is now more efficient. Entities will cache the result of custom accessors, and invalidate the cache when properties are changed or removed.

### CakeFest 2015 Tickets

There is still time to get your tickets for [CakeFest 2015](http://cakefest.org/tickets) if you haven't already. May 28th and CakePHP's 10th anniversary are quickly approaching.

As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests.

Download a [packaged release on GitHub](https://github.com/cakephp/cakephp/releases).
