Thursday, May 28, 2015

Re: CakePHP 2.6.6 and 3.0.6 Released (security fixes)

Earlier today, we announced the release of 2.6.6. This version contained
a syntax error in PHP < 5.4. This error has been corrected in 2.6.7. If
you are running PHP < 5.4.0 you should upgrade to 2.6.7 instead of 2.6.6.

In doing the security release, I did not follow our normal process of ensuring
that there is a passing build on all supported PHP versions before doing the
release. This was a mistake and will not happen again.


On Thursday, 28 May 2015 11:57:53 UTC-4, mark_story wrote:
The CakePHP core team is ready to announce the immediate availability of CakePHP
2.6.6 and 3.0.6. These are maintenance releases that contain important security
fixes.

## Security Fixes

Earlier this week we were notified that RequestHandlerComponent had
a vulnerability that would allow well crafted requests to create a denial of
service attack. RequestHandlerComponent leverages `Xml::build()` which allows
reading local files. We recommend that all applications using
RequestHandlerComponent upgrade, or disable parsing XML payloads. To disable XML
payload parsing you can do the following

```php
// In a controller's beforeFilter
$this->RequestHandler->addInputType('xml', function() { return []; });
```

The above code will replace the built-in XML parsing with a no-op function. We'd
like to thank Takeshi Terada for notifying us of this security issue using our
[Security Issue Process]
(http://book.cakephp.org/3.0/en/contributing/tickets.html#reporting-security-issues>).

## Other Fixes in 2.6.6

* `FormHelper::radio()` now correctly generates ID attributes for radio
  buttons with multibyte values.
* `Inflector::humanize()` and `Inflector::underscore()` work correctly with
  UTF8 characters now.

## Other Fixes in 3.0.6

* `FormHelper::radio()` now correctly generates ID attributes for radio
  buttons with multibyte values.
* `Inflector::humanize()` and `Inflector::underscore()` work correctly with
  UTF8 characters now.
* URLs in `FormHelper::postLink()` are no longer double encoded.
* `PaginatorHelper::numbers()` now supports the `url` option.
* Error.trace is now respected when logging exceptions.
* The Entity accessors cache introduced in 3.0.3 has been removed. It caused
  a number of issues and didn't greatly improve performance.
* `EntityTrait::getOriginal()`  and `EntityTrait::extractOriginal()` now
  return values that were initially null.
* Empty query expressions used in association query builders no longer cause
  invalid SQL to be generated.

As always, a huge thanks to all the community members that helped make this
release happen by reporting issues and sending pull requests.

--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP

---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscribe@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.

No comments: