Deprecate serving files by relative paths.

Relative paths assume that cwd is 'safe'. Instead we should require people to be more explicit in their paths. Refs #11921 Refs #11926
cakephp · Apr 14, 2018 · e781e26 · e781e26
1 parent 6cde530
commit e781e26
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/src/Http/Response.php b/src/Http/Response.php
@@ -16,6 +16,7 @@
 
 use Cake\Core\Configure;
 use Cake\Filesystem\File;
+use Cake\Filesystem\Folder;
 use Cake\Http\Cookie\Cookie;
 use Cake\Http\Cookie\CookieCollection;
 use Cake\Http\Cookie\CookieInterface;
@@ -2587,9 +2588,18 @@ protected function validateFile($path)
             throw new NotFoundException(__d('cake', 'The requested file contains `..` and will not be read.'));
         }
         if (!is_file($path)) {
-            deprecationWarning('Using non-absolute paths with Response::file() and withFile() is deprecated.');
+            deprecationWarning(
+                'Automatic prefixing of paths with `APP` by `Response::file()` and `withFile()` is deprecated. ' .
+                'Use absolute paths instead.'
+            );
             $path = APP . $path;
         }
+        if (!Folder::isAbsolute($path)) {
+            deprecationWarning(
+                'Serving files via `file()` or `withFile()` using relative paths is deprecated.' .
+                'Use an absolute path instead.'
+            );
+        }
 
         $file = new File($path);
         if (!$file->exists() || !$file->readable()) {