
@markstory markstory released this May 28, 2015 · 15630 commits to master since this release

The CakePHP core team is ready to announce the immediate availability of CakePHP 3.0.6. This is a maintenance release that contains an important security fix.

Security Fixes

Earlier this week we were notified that RequestHandlerComponent had a vulnerability that allowed well-crafted requests to cause a denial of service. RequestHandlerComponent parses XML request bodies with Xml::build(), which also accepts file names and reads local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing of XML payloads. To disable XML payload parsing you can do the following:

// In a controller's beforeFilter. The handler is an array whose first
// element is the callable; any further elements are passed as extra arguments.
$this->RequestHandler->addInputType('xml', [function () { return []; }]);

The above code replaces the built-in XML parser with a no-op handler, so XML request bodies are no longer parsed into request data. We'd like to thank Takeshi Terada for notifying us of this security issue through our Security Issue Process.
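If an application still needs to accept XML bodies and cannot upgrade immediately, the alternative to the no-op handler is a replacement parser that never treats the body as a file name. The following is an added example, not code from the release note or from the CakePHP project. It assumes a CakePHP 3.0.x application with Cake\Utility\Xml autoloaded, and that addInputType() takes a handler array whose first element is the callable. The function parseXmlBodyStrict and the sample inputs are constructed for this illustration. Upgrading remains the primary fix.

```php
<?php
/**
 * Added example (not from the CakePHP release note): an XML input handler for
 * RequestHandlerComponent that only parses the request body as inline markup.
 *
 * Xml::build() treats a string that contains no '<' as a file name or URL and
 * reads it before parsing, so a body such as "/etc/passwd" or "/dev/zero" is
 * fetched from disk. This handler refuses such bodies, refuses any DTD (external
 * entities are the other way to pull a file in), and parses the rest with
 * libxml network access disabled.
 *
 * Assumes a CakePHP 3.0.x application (Cake\Utility\Xml autoloaded). The helper
 * name parseXmlBodyStrict is chosen here and is not part of CakePHP.
 */
use Cake\Utility\Xml;

function parseXmlBodyStrict($body)
{
    $trimmed = ltrim((string)$body);

    // Only inline markup starts with '<'; file paths and URLs never do.
    if ($trimmed === '' || $trimmed[0] !== '<') {
        return [];
    }

    // Refuse any document that carries a DTD; that is where entities are declared.
    if (stripos($trimmed, '<!DOCTYPE') !== false || stripos($trimmed, '<!ENTITY') !== false) {
        return [];
    }

    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network fetches. LIBXML_NOENT is deliberately not set,
    // so entities are never substituted even if the DTD check above were bypassed.
    $loaded = $dom->loadXML($trimmed, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$loaded) {
        return [];
    }

    // Same result shape as the built-in handler: unwrap a <data> child if present.
    $xml = simplexml_import_dom($dom);
    if (isset($xml->data)) {
        return Xml::toArray($xml->data);
    }
    return Xml::toArray($xml);
}

// In a controller's beforeFilter(), register it in place of the built-in parser:
//   $this->RequestHandler->addInputType('xml', ['parseXmlBodyStrict']);

// Constructed sample bodies for a quick check from the command line.
$samples = [
    'inline markup'   => '<data><user>alice</user></data>',
    'local path'      => '/etc/passwd',
    'external entity' => '<!DOCTYPE d [<!ENTITY e SYSTEM "file:///etc/passwd">]><data>&e;</data>',
];
foreach ($samples as $label => $body) {
    printf("%-16s => %s\n", $label, json_encode(parseXmlBodyStrict($body)));
}
```

The first sample is parsed into an array as before; the path-shaped body and the DTD-bearing body both come back as an empty array instead of being read from disk or expanded. The handler returns [] on every rejection, matching what the built-in handler does on a parse error, so controllers see no new failure mode.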

Other Fixes in 3.0.6

  • FormHelper::radio() now correctly generates ID attributes for radio buttons with multibyte values.
  • Inflector::humanize() and Inflector::underscore() now work correctly with UTF-8 characters.
  • URLs in FormHelper::postLink() are no longer double encoded.
  • PaginatorHelper::numbers() now supports the url option.
  • Error.trace is now respected when logging exceptions.
  • The Entity accessors cache introduced in 3.0.3 has been removed. It caused a number of issues and didn't greatly improve performance.
  • EntityTrait::getOriginal() and EntityTrait::extractOriginal() now return values that were initially null.
  • Empty query expressions used in association query builders no longer cause invalid SQL to be generated.

As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests.
