CakePHP 2.3.7 & 2.4.0-beta released

The CakePHP core team is proud to announce the immediate availability of CakePHP 2.3.7 & 2.4.0-beta. 2.3.7 is a bugfix release for the 2.3 branch, while 2.4.0-beta is the first release of the 2.4 branch

The CakePHP core team is proud to announce the immediate availability of CakePHP 2.3.7 & 2.4.0-beta[1]. 2.3.7 is a bugfix release for the 2.3 branch, while 2.4.0-beta is the first release of the 2.4 branch. A short list of the changes you can expect in 2.3.7 are:

  • Cached views now contain their Content-Type header. It is recommended that you flush your view caches when upgrading.
  • Return-Path is now excluded on emails delivered via SMTP.
  • The automatic created & modified times when saving records are now consistent. There used to be an edge case where they could differ by one second.
  • Undocumented, untested features around the IIS_SERVER constant have been removed.
  • FormHelper::dateTime() now selects the correct year when creating an input which has a maxYear earlier than the current year.
  • Email views now calculate the boundary later in the rendering process fixing issues where View callbacks could append inline images or attachments, resulting in incorrect boundary markers.
  • AuthComponent now correctly generates redirect URL’s when the application base path matches the controller name.
  • Errors generated from requests containing ‘index.php’ now render correctly.
  • Classnames containing ‘..’ are now rejected.

There was a security fix in this release that fixes an issue where controllers outside of the application could be loaded under certain conditions. This is an important upgrade for applications that accept uploaded PHP files where user data is used to determine the final file name. In these situations it would be possible for an attacker to upload a PHP file and remotely execute code. A big thanks to Adrian Ulrich for contacting us about the issue, and providing steps to reproduce it.


The 2.4.0-beta release contains several new features that improve CakePHP’s performance, security and ease of use. When done, this new version is intended to be a replacement for the 2.3.x branch. A migration guide is provided in the book [2] and we encourage you to read it if you are upgrading from an older version.

The current list of the new features & changes you can expect in 2.4.0:


  • Logged notice messages will now be colourized in terminals that support colours.


  • cake schema generate now supports the –exclude parameter.


  • cake bake model now supports baking $behaviors. Finding lft, rght and parent_id fields in your table it will add the Tree behavior, for example. You can also extend the ModelTask to support your own behaviors to be recognized.


  • cake bake fixture now supports a –schema parameter to allow baking all fixtures with noninteractive “all” while using schema import.


  • Object::log() had the $scope parameter added.



  • AuthComponent now supports proper stateless mode when using Basic or Digest authenticators. Starting of session can be prevented by setting AuthComponent::$sessionKey to false. Also now when using only Basic or Digest you are no longer redirected to login page. For more info check the AuthComponent page.
  • Property AuthComponent::$authError can be set to boolean false to suppress flash message from being displayed.


  • Authenticating objects now use new password hasher objects for password hash generation and checking.


  • Model::save(), Model::saveField(), Model::saveAll(), ` Model::saveAssociated()`, Model::saveMany() now take a new ` counterCache` option. You can set it to false to avoid updating counter cache values for the particular save operation.
  • Model::clear() was added.


  • Mysql, Postgres, and SQLserver now support a ‘settings’ array in the connection definition. This key => value pair will be issued as SET commands when the connection is created.



  • JSONP support has been added to :php:class: JsonView.


  • The API for HtmlHelper::css() has been changed.
  • New option escapeTitle added to HtmlHelper::link() to control escaping of only link title and not attributes.


  • TextHelper::autoParagraph() has been added. It allows to automatically convert text into HTML paragraphs.


  • PaginatorHelper::param() has been added.



  • CakeRequest::param() has been added.
  • CakeRequest::is() has been modified to support an array of types and will return true if the request matches any type.
  • CakeRequest::isAll() has been added to check that a request matches all the given types.


  • Logged email messages now have the scope of email by default. If you are not seeing email contents in your logs, be sure to add the email scope to your logging configuration.


  • HttpSocket::patch() has been added.


  • ell is now the default locale for Greek as specified by ISO 639-3 and gre its alias. The locale folders have to be adjusted accordingly (from /Locale/gre/ to /Locale/ell/).
  • fas is now the default locale for Farsi as specified by ISO 639-3 and per its alias. The locale folders have to be adjusted accordingly (from /Locale/per/ to /Locale/fas/).
  • sme is now the default locale for Sami as specified by ISO 639-3 and smi its alias. The locale folders have to be adjusted accordingly (from /Locale/smi/ to /Locale/sme/).
  • mkd replaces mk as default locale for Macedonian as specified by ISO 639-3. The corresponding locale folders have to be adjusted, as well.
  • Catalog code in has been dropped in favor of id (Indonesian), e has been dropped in favor of el (Greek), n has been dropped in favor of nl (Dutch), p has been dropped in favor of pl (Polish), sz has been dropped in favor of se (Sami).
  • Kazakh has been added with kaz as locale and kk as catalog code.
  • Kalaallisut has been added with kal as locale and kl as catalog code.


  • Log engines do not need the suffix Log anymore in their setup configuration. So for the FileLog engine it suffices to define ‘engine’=>’File’ now. This unifies the way engines are named in configuration (see Cache engines for example). Note: If you have a Log engine like DatabaseLogger that does not follow the convention of using the Log suffix, you will have to adjust your class name to ` DatabaseLog`. You should also avoid class names like SomeLogLog which include the suffix twice at the end.


  • Two new config options size and rotate have been added for FileLog engine.


  • The new logging engine SyslogLog was added to stream messages to syslog.


  • pr no longer outputs HTML when running in cli mode.


  • Validation::date() now supports the y and ym formats.
  • The country code of Validation::phone() for Canada has been changed from can to ca to unify the country codes for validation methods according to ISO 3166 (two letter codes).


  • The currencies AUD, CAD and JPY have been added.
  • The symbols for GBP and EUR are now UTF-8. If you upgrade a non-UTF-8 application, make sure that you update the static $_currencies attribute with the appropriate HTML entity symbols (£ and €) before you use those currencies.


  • CakeTime::isPast() and CakeTime::isFuture() were added.


  • New option pretty has been added to Xml::fromArray() to return nicely formatted Xml.



  • New configuration option skipLog has been added, to allow skipping certain Exception types to be logged. Configure::write(‘Exc eption.skipLog’,array(‘NotFoundException’,’ForbiddenException’)); will skip logging these exceptions and the ones extending them when ` ‘Exception.log’` config is true



  • Router::baseUrl() was added. This method replaces ` FULL_BASE_URL`. Which is now deprecated.

The API docs[3] and cookbook have been updated to reflect the changes and updates for 2.4.0.

A huge thanks to all involved in terms of both contributions through commits, tickets, documentation edits, and those whom have otherwise contributed to the framework. Without you there would be no CakePHP. Download a packaged release [4].