CakePHP 2.x - Community Maintained Fork

This is a community-maintained fork of CakePHP 2.x that provides compatibility with PHP 8.0 and newer versions. The original CakePHP 2.x branch reached End of Life in June 2021.

Important

This fork is based on CakePHP 2.10.24. Earlier versions are not supported.

Warning

Do not use CakePHP 2.x for new projects! This fork is only for maintaining existing legacy applications. For new projects, please use CakePHP 5.x which has modern PHP support, better performance, and active development.

CakePHP 2.x Documentation | CHANGELOG

Requirements & Compatibility

PHP Versions

• PHP 8.0, 8.1, 8.2, 8.3, 8.4, 8.5

Database Support

• MySQL 5.6, 5.7, 8.0+ (with pdo_mysql extension)
• PostgreSQL 9.4+ (with pdo_pgsql extension)
• SQLite 3 (with pdo_sqlite extension)
• Microsoft SQL Server 2022+ (with pdo_sqlsrv extension)

Required PHP Extensions

• mbstring - Multi-byte string support (strongly recommended, uses Symfony polyfill as fallback)
  • Important: The mb_encode_mimeheader() function is not available in the Symfony polyfill
  • If mbstring extension is not loaded, CakePHP will automatically use Multibyte::mimeEncode() as a fallback for email header encoding
  • However, we strongly recommend installing the mbstring extension for better compatibility and performance
  • To install on Debian/Ubuntu: sudo apt-get install php-mbstring
  • To install on macOS (Homebrew): Already included in PHP installations
  • To install on Windows: Uncomment ;extension=mbstring in php.ini
• intl - Internationalization support (optional, uses Symfony polyfill as fallback)
• openssl - OpenSSL support (optional, required for SSL/TLS connections and encryption)
• mcrypt - Mcrypt support (optional, deprecated in PHP 7.1+, only for legacy AES encryption)

Testing

• All tests pass with PHPUnit 9.6 across all supported PHP versions and databases

Installation

Important

This fork requires Composer for installation. Manual installation is not supported.

Install via Composer:

{
    "require": {
        "pieceofcake2/cakephp": "^2.10"
    }
}

Then run:

composer update

After installation, copy dispatcher files from the package to your application:

# Copy web dispatcher files
cp plugins/Bake/Console/Templates/skel/webroot/index.php app/webroot/index.php
cp plugins/Bake/Console/Templates/skel/webroot/test.php app/webroot/test.php

# Copy console dispatcher
cp plugins/Bake/Console/Templates/skel/Console/cake app/Console/cake
chmod +x app/Console/cake

Note

• This package uses Composer's replace directive to replace cakephp/cakephp.
• This ensures that all plugins and packages that depend on cakephp/cakephp:^2.x will continue to work correctly with this fork.
• Dispatcher files provide better error messages and simplified autoload handling.

Application Skeleton

The application skeleton has been extracted to a separate package: pieceofcake2/app

Planning to migrate to CakePHP 5.x?

If you're planning to upgrade to CakePHP 5.x in the future, you can prepare now by adopting the modern directory structure while still on CakePHP 2.x:

Traditional migration approach (harder):

CakePHP 2.x → CakePHP 5.x
(change everything at once: code + folder structure + APIs)

New gradual migration approach (easier):

Step 1: CakePHP 2.x with traditional structure
        ↓ (modernize folder structure only)
Step 2: CakePHP 2.x with CakePHP 5.x-style structure ← You can stop here
        ↓ (upgrade code only)
Step 3: CakePHP 5.x with CakePHP 5.x-style structure

Benefits:

• ✅ Smaller, manageable changes: Separate folder restructuring from code changes
• ✅ Test incrementally: Verify each step works before moving to the next
• ✅ Reduced risk: You can stay on Step 2 indefinitely if needed
• ✅ Team-friendly: Easier for teams to understand and review smaller changes

See pieceofcake2/app for the modern directory structure compatible with both CakePHP 2.x and 5.x.

Security

SSL/TLS Certificate Validation

This fork uses composer/ca-bundle for SSL/TLS certificate validation (PR #15):

• System CA certificates: Uses OpenSSL's default certificate bundle when available (openssl.cafile or openssl.capath)
• Fallback bundle: Falls back to Mozilla's CA certificate bundle maintained by composer/ca-bundle
• Automatic updates: CA certificates are kept up-to-date through Composer ecosystem
• No manual maintenance: Removed the outdated static lib/Cake/Config/cacert.pem file (last updated in 2016)

This approach ensures that HTTPS connections made by CakeSocket (e.g., for external API calls) properly validate SSL/TLS certificates using current, trusted root certificates.

Known Vulnerabilities in Original CakePHP 2.10.24

The following security vulnerabilities have been reported in the original CakePHP 2.10.24:

CVE	Description	Status in this Fork
CVE-2015-8379	CSRF protection bypass via _method parameter	✅ Fixed in c0fb45e, tests in PR #6
CVE-2020-15400	CSRF token fixation (exploitable with XSS)	✅ Fixed in PR #5

Note

• CVE-2015-8379: The fix has been fully applied with comprehensive test coverage for _method parameter handling and custom HTTP methods.
• CVE-2020-15400: Fixed by implementing HMAC-signed CSRF tokens that are cryptographically bound to the application. Tokens are now signed with the application's Security.salt, preventing token fixation attacks while maintaining backward compatibility with existing tokens.

Migration Guide

Prerequisites

Before migrating to this fork, ensure:

• Your application is running on PHP 7.4
• You're using CakePHP 2.10.24 (earlier versions are not supported)
• Your application uses Composer for dependency management

From Original CakePHP 2.x

1. Update to CakePHP 2.10.24 first: If you're using an earlier version, update to cakephp/cakephp:2.10.24 on PHP 7.4 first
2. Ensure PHP 7.4 Compatibility: Your application must be fully working on PHP 7.4 before migrating to PHP 8.x
3. Update Composer: Replace cakephp/cakephp with pieceofcake2/cakephp in your composer.json
4. Upgrade PHP: Update your PHP version to 8.0 or newer
5. Test Thoroughly: Run your application's test suite to ensure compatibility

Breaking Changes

1. Bake Plugin Extraction (PR #17)

Breaking Change:

• Bake functionality has been extracted to a separate plugin (pieceofcake2/bake)
• BakeShell and all Bake tasks removed from core (BakeTask, ModelTask, ControllerTask, ViewTask, FixtureTask, TestTask, TemplateTask, ProjectTask, PluginTask, DbConfigTask, CommandTask)
• Application skeleton templates moved from lib/Cake/Console/Templates/skel/ to Bake plugin
• Dispatcher files (index.php, test.php, cake) now located in Bake plugin
• Console bake commands no longer available without installing the Bake plugin

Migration:

1. Install the Bake plugin separately: composer require --dev pieceofcake2/bake
2. Load the plugin in your app/Config/bootstrap.php:

   CakePlugin::load('Bake', ['bootstrap' => true]);

3. Copy dispatcher files from Bake plugin if needed (for new projects)

Why this change:

• Allows independent development and versioning of Bake functionality
• Reduces core framework size
• Most production applications don't need Bake in production

2. Composer-Only Installation Required (PR #14)

Breaking Change:

• Non-Composer installation is no longer supported
• Dispatcher files (app/webroot/index.php, app/webroot/test.php, app/Console/cake) require Composer autoload
• Removed manual CAKE_CORE_INCLUDE_PATH detection from dispatcher files
• Removed include_path manipulation logic
• Removed legacy app/Vendor/cakephp/cakephp path detection
• Removed app/Console/cake.bat and app/Console/cake.php (Windows batch file and PHP wrapper no longer needed)

Migration:

1. Ensure you're using Composer for dependency management
2. Install the Bake plugin: composer require --dev pieceofcake2/bake
3. Copy updated dispatcher files from plugins/Bake/Console/Templates/skel/ to your application:

   cp plugins/Bake/Console/Templates/skel/webroot/index.php app/webroot/index.php
   cp plugins/Bake/Console/Templates/skel/webroot/test.php app/webroot/test.php
   cp plugins/Bake/Console/Templates/skel/Console/cake app/Console/cake

4. Remove old dispatcher files if present:

   rm -f app/Console/cake.bat app/Console/cake.php

5. Run composer install to ensure all dependencies are properly loaded

3. Cache Engines Removed (PR #4)

Breaking Change:

• Xcache support has been removed (not compatible with PHP 7.0+)
• Wincache support has been removed (not actively maintained for PHP 8.x)

Migration:

• If using these cache engines, migrate to Redis, Memcached, or APCu

4. Database Driver Methods Added (PR #3)

Breaking Change:

• New methods added to database drivers (may cause issues if you have custom driver implementations)

MySQL Driver (Mysql.php):

• getVersion(): string - Returns MySQL/MariaDB/Aurora MySQL version
• getServerType(): string - Returns 'MySQL', 'MariaDB', or 'Aurora MySQL'
• utf8mb4Supported(): bool - Checks utf8mb4 character set support
• integerDisplayWidthDeprecated(): bool - Checks if integer display width is deprecated (MySQL 8.0.17+)

PostgreSQL Driver (Postgres.php):

• getVersion(): string - Returns PostgreSQL version

Migration:

• If you have custom database drivers extending these classes, implement these methods

5. Database Charset Configuration Changes (PR #11)

Breaking Change:

• Character set configuration moved from SET NAMES to DSN connection options
• MySQL: Charset now in DSN (e.g., mysql:...;charset=utf8)
• PostgreSQL: Client encoding in DSN options (e.g., pgsql:...;options='--client_encoding=UTF8')
• PostgreSQL: sslmode parameter is now optional in DSN

Migration:

• No action required - changes are backward compatible
• setEncoding() methods still work for runtime changes
• More efficient connection setup with charset in DSN

6. SQL Server Driver Updates (PR #9)

Breaking Changes:

6.1 Configuration Format

• Schema-based configuration: Use schema mapping instead of multiple databases

  // Old approach (still works)
  'database' => 'cakephp_test2'
  
  // New recommended approach
  'database' => 'cakephp_test',
  'schema' => [
      'default' => 'dbo',
      'test2' => 'test2',
      'test_database_three' => 'test3',
  ]

• Connection options: SSL/TLS options now in options array

  'options' => [
      'TrustServerCertificate' => 'yes',
      'Encrypt' => 'no',
  ]

• Port configuration: Specify port separately (automatically appended to server)

6.2 Method Signature Changes

• describe($model): array - Now has explicit return type
• insertMulti() - Now returns bool instead of void

Migration:

• Update SQL Server configuration to use schema mapping (optional but recommended)
• Move SSL/TLS options to options array if using inline DSN
• If extending Sqlserver class, update method signatures to match

7. Mail Function Updates (PR #10)

Breaking Change:

• MailTransport::_mail() method signature changed with strict types
• Old: protected function _mail($to, $subject, $message, $headers, $params = null)
• New: protected function _mail(string $to, string $subject, string $message, array|string $headers = [], string $params = ''): void

Migration:

• No action required unless you've extended MailTransport class
• If extending, update method signature to match strict types

8. CSRF Token Security Enhancement (PR #5)

Breaking Change:

• New CSRF tokens use HMAC-SHA1 signatures (prevents CVE-2020-15400)
• Token format changed to base64-encoded (16-byte value + 20-byte HMAC)

Migration:

• No action required - automatic and backward compatible
• Existing tokens continue to work
• New tokens generated with enhanced security

9. strftime() Replacement

Breaking Change:

• strftime() deprecated in PHP 8.1, removed in PHP 8.2
• Now uses IntlDateFormatter via Symfony's ICU Polyfill
• Fallback to PHP81_BC\strftime for compatibility

Migration:

• Most date formatting works identically
• Edge cases may produce slightly different output
• Test date formatting in your application

10. Development Tools Updates

10.1 PHP CodeSniffer (PR #8)

• Updated from 1.0.0 to 5.3
• Applied automatic formatting fixes

Migration:

• Development-time change only
• Update phpcs.xml if you have custom coding standards

10.2 PHPUnit Compatibility

• Framework tests migrated to PHPUnit 9.6
• All deprecated PHPUnit features fixed

Migration:

• Update your tests if using deprecated PHPUnit features

11. PHP 8 Syntax Modernization (PR #7)

Breaking Change:

• Codebase modernized to PHP 8 syntax

Changes:

• array() → []
• get_class() → ::class
• list() → [] for array destructuring
• dirname(__FILE__) → __DIR__
• Added null coalescing operators
• Native str_contains(), str_starts_with(), str_ends_with()

Migration:

• No action required - syntax changes only, no functionality changes

12. CookieComponent 'cipher' Type - Insecure and Should Be Replaced

Breaking Change:

• The default CookieComponent encryption type 'cipher' is horribly insecure

Warning

As stated in the CakePHP source code comments:

"Cipher is horribly insecure and only the default because of backwards compatibility. In new applications you should always change this to 'aes' or 'rijndael'."

Why 'cipher' is insecure:

• Uses Security::cipher() with XOR encryption (cryptographically weak)
• Uses Security.cipherSeed with undefined float-to-int casting behavior
• The seed value: mt_srand((int)(float)Configure::read('Security.cipherSeed')) has no guaranteed consistency
• Not suitable for protecting sensitive data

Migration:

// OLD (insecure - DO NOT USE)
public $components = [
    'Cookie' => [
        'type' => 'cipher'  // Default, horribly insecure
    ]
];

// NEW (recommended)
public $components = [
    'Cookie' => [
        'type' => 'rijndael'  // or 'aes'
    ]
];

Important: Changing encryption type will invalidate existing cookies. Plan your migration strategy accordingly (e.g., support both types during transition period).

Running Tests

Using Docker (Recommended)

# Copy test database configuration
cp lib/Cake/Test/Config/database.php app/Config/database.php

# Start services
docker-compose up -d

# Install dependencies
docker-compose exec web composer install

# Run tests with specific database
DB=mysql docker-compose exec web ./vendor/bin/phpunit
DB=mysql80 docker-compose exec web ./vendor/bin/phpunit
DB=pgsql docker-compose exec web ./vendor/bin/phpunit
DB=sqlite docker-compose exec web ./vendor/bin/phpunit
DB=sqlsrv docker-compose exec web ./vendor/bin/phpunit

Local Installation

# Install dependencies
composer install

# Set up database configuration
cp app/Config/database.php.default app/Config/database.php
# Edit database.php with your database credentials

# Run tests
./vendor/bin/phpunit

Contributing

We welcome contributions! Please:

1. Fork the repository
2. Create a feature branch
3. Ensure all tests pass
4. Submit a pull request

Reporting Issues

If you find any PHP 8.x compatibility issues, please:

• Create an issue with a clear description
• Include PHP version and error messages
• Provide minimal code to reproduce the issue (if possible)

Project Goals

This fork aims to:

• ✅ Maintain PHP 8.x compatibility
• ✅ Fix critical bugs and security issues
• ✅ Keep tests passing on all supported platforms
• ✅ Support gradual migration path to CakePHP 5.x
• ❌ Add new features (focus is on compatibility and migration only)

License

This project maintains the original MIT License from CakePHP. See LICENSE for details.

Acknowledgments

• Original CakePHP 2.x framework by cakephp/cakephp
• Initial PHP 8 compatibility work by kamilwylegala/cakephp2-php8
• All contributors who help maintain this fork