Releases: cakephp/cakephp
CakePHP 2.2.9
The CakePHP core team is happy to announce the immediate availability of 2.2.9. This release contains security fixes and is recommended for all CakePHP developers.
A security issue related to the AssetDispatcher was fixed. This upgrade is important for all applications serving assets out of themes or plugins using the built-in AssetDispatcher. A big thank you to Takeshi Terada of Mitsui Bussan Secure Directions for contacting us about the security issue and providing steps to reproduce it. We'll disclose more details about the vulnerability in the future once people have had the chance to upgrade.
CakePHP 2.4.0-beta
The 2.4.0-beta release contains several new features that improve CakePHP's performance, security and ease of use. When done, this new version is intended to be a replacement for the 2.3.x branch. A migration guide is provided in the book and we encourage you to read it if you are upgrading from an older version.
The current list of the new features & changes you can expect in 2.4.0:
Console
- Logged notice messages will now be colourized in terminals that support colours.
SchemaShell
- cake schema generate now supports the --exclude parameter.
BakeShell
- cake bake model now supports baking $behaviors. For example, if it finds lft, rght and parent_id fields in your table, it will add the Tree behavior. You can also extend the ModelTask so that your own behaviors are recognized.
FixtureTask
- cake bake fixture now supports a --schema parameter to allow baking all fixtures with noninteractive "all" while using schema import.
Object
- Object::log() had the $scope parameter added.
Components
AuthComponent
- AuthComponent now supports proper stateless mode when using Basic or Digest authenticators. Starting the session can be prevented by setting AuthComponent::$sessionKey to false. Also, when using only Basic or Digest you are no longer redirected to the login page. For more info check the AuthComponent page.
- Property AuthComponent::$authError can be set to boolean false to suppress the flash message from being displayed.
PasswordHasher
- Authenticating objects now use new password hasher objects for password hash generation and checking.
Models
- Model::save(), Model::saveField(), Model::saveAll(), Model::saveAssociated(), Model::saveMany() now take a new counterCache option. You can set it to false to avoid updating counter cache values for the particular save operation.
- Model::clear() was added.
Datasource
- Mysql, Postgres, and SQLserver now support a 'settings' array in the connection definition. This key => value pair will be issued as SET commands when the connection is created.
View
JsonView
- JSONP support has been added to JsonView.
HtmlHelper
- The API for HtmlHelper::css() has been changed.
- New option escapeTitle added to HtmlHelper::link() to control escaping of only link title and not attributes.
TextHelper
- TextHelper::autoParagraph() has been added. It automatically converts text into HTML paragraphs.
PaginatorHelper
- PaginatorHelper::param() has been added.
Network
CakeRequest
- CakeRequest::param() has been added.
- CakeRequest::is() has been modified to support an array of types and will return true if the request matches any type.
- CakeRequest::isAll() has been added to check that a request matches all the given types.
CakeEmail
- Logged email messages now have the scope of 'email' by default. If you are not seeing email contents in your logs, be sure to add the 'email' scope to your logging configuration.
HttpSocket
- HttpSocket::patch() has been added.
L10n
- 'ell' is now the default locale for Greek as specified by ISO 639-3 and 'gre' its alias. The locale folders have to be adjusted accordingly (from /Locale/gre/ to /Locale/ell/).
- 'fas' is now the default locale for Farsi as specified by ISO 639-3 and 'per' its alias. The locale folders have to be adjusted accordingly (from /Locale/per/ to /Locale/fas/).
- 'sme' is now the default locale for Sami as specified by ISO 639-3 and 'smi' its alias. The locale folders have to be adjusted accordingly (from /Locale/smi/ to /Locale/sme/).
- 'mkd' replaces 'mk' as default locale for Macedonian as specified by ISO 639-3. The corresponding locale folders have to be adjusted, as well.
- Catalog code 'in' has been dropped in favor of 'id' (Indonesian), 'e' has been dropped in favor of 'el' (Greek), 'n' has been dropped in favor of 'nl' (Dutch), 'p' has been dropped in favor of 'pl' (Polish), 'sz' has been dropped in favor of 'se' (Sami).
- Kazakh has been added with 'kaz' as locale and 'kk' as catalog code.
- Kalaallisut has been added with 'kal' as locale and 'kl' as catalog code.
Logging
- Log engines do not need the suffix 'Log' anymore in their setup configuration. So for the FileLog engine it suffices to define 'engine' => 'File' now. This unifies the way engines are named in configuration (see Cache engines for example). Note: If you have a Log engine like DatabaseLogger that does not follow the convention of using the 'Log' suffix, you will have to adjust your class name to DatabaseLog. You should also avoid class names like SomeLogLog which include the suffix twice at the end.
FileLog
- Two new config options, size and rotate, have been added for the FileLog engine.
SyslogLog
- The new logging engine SyslogLog was added to stream messages to syslog.
Utility
- pr no longer outputs HTML when running in cli mode.
Validation
- Validation::date() now supports the 'y' and 'ym' formats.
- The country code of Validation::phone() for Canada has been changed from 'can' to 'ca' to unify the country codes for validation methods according to ISO 3166 (two letter codes).
CakeNumber
- The currencies AUD, CAD and JPY have been added.
- The symbols for GBP and EUR are now UTF-8. If you upgrade a non-UTF-8 application, make sure that you update the static $_currencies attribute with the appropriate HTML entity symbols (£ and €) before you use those currencies.
CakeTime
- CakeTime::isPast() and CakeTime::isFuture() were added.
Xml
- New option pretty has been added to Xml::fromArray() to return nicely formatted Xml.
Error
ErrorHandler
- New configuration option skipLog has been added, to allow certain Exception types to be skipped when logging. Configure::write('Exception.skipLog', array('NotFoundException', 'ForbiddenException')); will skip logging these exceptions and the ones extending them when the 'Exception.log' config is true.
Routing
Router
- Router::baseUrl() was added. This method replaces FULL_BASE_URL, which is now deprecated.
The API docs and cookbook have been updated to reflect the changes and updates for 2.4.0.
A huge thanks to all involved in terms of both contributions through commits, tickets, documentation edits, and those who have otherwise contributed to the framework. Without you there would be no CakePHP.
CakePHP 2.3.7
2.3.7 is a bugfix release for the 2.3 branch, while 2.4.0-beta is the first release of the 2.4 branch. A short list of the changes you can expect in 2.3.7:
- Cached views now contain their Content-Type header. It is recommended that you flush your view caches when upgrading.
- Return-Path is now excluded on emails delivered via SMTP.
- The automatic created & modified times when saving records are now consistent. There used to be an edge case where they could differ by one second.
- Undocumented, untested features around the IIS_SERVER constant have been removed.
- FormHelper::dateTime() now selects the correct year when creating an input which has a maxYear earlier than the current year.
- Email views now calculate the boundary later in the rendering process, fixing issues where View callbacks could append inline images or attachments, resulting in incorrect boundary markers.
- AuthComponent now correctly generates redirect URLs when the application base path matches the controller name.
- Errors generated from requests containing 'index.php' now render correctly.
- Classnames containing '..' are now rejected.
There was a security fix in this release that fixes an issue where controllers outside of the application could be loaded under certain conditions. This is an important upgrade for applications that accept uploaded PHP files where user data is used to determine the final file name. In these situations it would be possible for an attacker to upload a PHP file and remotely execute code. A big thanks to Adrian Ulrich for contacting us about the issue, and providing steps to reproduce it.
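The kind of check this fix describes, as an added example (not CakePHP's own code; resolveControllerFile and the directory layout are hypothetical): a request-supplied class name containing '..' is rejected before it becomes a file path, and the resolved file must still sit inside the controller directory.

```php
<?php
// Added illustration with hypothetical names; not CakePHP's implementation.

/**
 * Map a request-supplied controller name to a file inside $baseDir.
 * Returns null when the name could point outside that directory.
 */
function resolveControllerFile($name, $baseDir)
{
    // The rule from the 2.3.7 changelog: class names containing '..' are rejected.
    if (!is_string($name) || strpos($name, '..') !== false) {
        return null;
    }
    // Stricter allow-list (assumption): a single CamelCase identifier, no separators.
    if (!preg_match('/^[A-Z][A-Za-z0-9]*\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() resolves symlinks, so also confirm the file is still under $base.
    $file = realpath($base . DIRECTORY_SEPARATOR . $name . 'Controller.php');
    if ($file === false || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed layout: a controller directory next to a user-writable upload directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cake_demo_' . uniqid();
mkdir($root . '/Controller', 0700, true);
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/Controller/PostsController.php', "<?php\n");
file_put_contents($root . '/uploads/AvatarController.php', "<?php\n");

// Constructed inputs: one legitimate name, two that climb out, one unknown.
$samples = array('Posts', '../uploads/Avatar', 'Posts/../../uploads/Avatar', 'Missing');
foreach ($samples as $name) {
    $file = resolveControllerFile($name, $root . '/Controller');
    printf("%-28s => %s\n", $name, $file === null ? 'rejected' : basename($file));
}
```

Only the name that maps to a file under the controller directory resolves; the upload directory is never reachable through the class name, regardless of what file names users were able to choose there.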
A huge thanks to all involved in terms of both contributions through commits, tickets, documentation edits, and those who have otherwise contributed to the framework. Without you there would be no CakePHP.
Important upgrade for 1.3
This is an important update for all users of 1.3. It is recommended that all users of 1.3 should upgrade as soon as possible.
In the previous release for 1.3.16 a mistake was made when creating the 1.3.16 tag. An important fix was missed from the packaged release. We recommend that all applications using 1.3 upgrade to 1.3.17 immediately to safeguard against the SQL injection issue that 1.3.16 was intended to fix.
How did this happen?
When creating the package for 1.3.16, a git clone was not correctly updated before generating the new tag. To prevent this issue in the future, we'll be updating the automated build script used to package CakePHP to always update the local clone. This should prevent similar errors in the future.
links
- Download a packaged release http://github.com/cakephp/cakephp/tags
- View the changelogs http://cakephp.org/changelogs