Security Release - CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4

by markstory
If you are using CakePHP's PaginatorComponent without whitelisted sort fields you should upgrade as soon as possible to prevent possible SQL injections.

CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4 have just been released to fix a critical issue with how pagination & PaginatorComponent handle sort criteria. When paginating without a sort column whitelist it was possible to execute arbitrary SQL by manipulating the sort conditions. In the following days we will offer a full description of the vulnerability and how it can be exploited, after some reasonable time has passed for our users to upgrade.

In addition to the security fix 2.3.4 contains fixes for the following issues:

  • Support for HTTP code 505 was added.
  • Router::currentRoute() returns false when there is no current route.
  • Writing to file cache after clearing a group now works as expected.
  • Asset URLS using fullBase are now generated correctly when not using URL re-writing.

There are no additional fixes outside the security fix in 2.2.8.

In addition to the security fix 1.3.16 contains fixes for the following issues:

  • Databases is now singularized correctly.
  • Saving translations with saveAll() now works better.
  • Oracle listSources() no longer reads from the global table namespace.
  • The cake console command now works on MacOS properly.
  • Mixing query[contain] and contain() now interact properly.

In addition to the security fix 1.2.12 contains fixes for the following issues:

  • umask is now set when creating cache files.
  • Boundaries for multipart email messages are now generated correctly.
  • Compatibility with PHP 5.4 has been improved.

We recommend all users of 1.2, 1.3, and 2.x release series upgrade as soon as possible to the new releases.

Links

Report

More on News

Advertising

Comments

  • markstory posted on 06/25/13 01:25:29 AM
    The file archives (.zip & .tar.gz) should be fine now.
  • jcsiegrist posted on 06/18/13 10:43:22 AM
    Thanks for still releasing security fixes for the 1.2 branch! However I wanted to apply the 1.2.12 release, but can't find it on the cakephp github. The entire 1.2 branch seems to be gone.

    • markstory posted on 06/25/13 01:29:22 AM
      Thanks for still releasing security fixes for the 1.2 branch! However I wanted to apply the 1.2.12 release, but can't find it on the cakephp github. The entire 1.2 branch seems to be gone.



      If you want to generate the commit log between the two releases you can use `git log 1.2.11..1.2.12`. You can generate the diff between the two branches using `git diff 1.2.11 1.2.12`.
  • posted on 04/29/13 04:02:11 PM
    Thanks for releasing the fix. The tar.gz link does not work, loads an empty file. Can you have a look into that? Thanks.
login to post a comment.