Deprecate serving files by relative paths.

Relative paths assume that cwd is 'safe'. Instead we should require
people to be more explicit in their paths.

Refs #11921
Refs #11926
markstory committed Apr 14, 2018
1 parent 6cde530 commit e781e2615045b10fc19cd2e68f69bebc6311a962
Showing with 11 additions and 1 deletion.
  1. +11 −1 src/Http/Response.php
@@ -16,6 +16,7 @@
use Cake\Core\Configure;
use Cake\Filesystem\File;
use Cake\Filesystem\Folder;
use Cake\Http\Cookie\Cookie;
use Cake\Http\Cookie\CookieCollection;
use Cake\Http\Cookie\CookieInterface;
@@ -2587,9 +2588,18 @@ protected function validateFile($path)
throw new NotFoundException(__d('cake', 'The requested file contains `..` and will not be read.'));
if (!is_file($path)) {
deprecationWarning('Using non-absolute paths with Response::file() and withFile() is deprecated.');
'Automatic prefixing of paths with `APP` by `Response::file()` and `withFile()` is deprecated. ' .
'Use absolute paths instead.'
$path = APP . $path;
if (!Folder::isAbsolute($path)) {
'Serving files via `file()` or `withFile()` using relative paths is deprecated.' .
'Use an absolute path instead.'
$file = new File($path);
if (!$file->exists() || !$file->readable()) {
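
Review bot: In the new `Folder::isAbsolute()` branch the two message fragments are joined without a separating space (`'... is deprecated.' . 'Use an absolute path instead.'`), so the warning will render as "deprecated.Use an absolute path instead."; add a trailing space to the first fragment, as the `APP`-prefixing message just above it does. Note also that this branch only warns: a cwd-relative path that passes `is_file()` is still handed to `new File($path)` and served, so the exposure described in the commit message remains until the deprecated behaviour is removed. Since the commit touches only `src/Http/Response.php`, a test asserting that a relative path triggers the deprecation would help keep the check in place through later refactors.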
