CakePHP 2.8.3, 3.0.18, 3.1.13 and 3.2.6 Released

The CakePHP core team is happy to announce the immediate availability of CakePHP 2.8.3, 3.0.18, 3.1.13, and 3.2.6. These releases contain security fixes. 3.2.6 and 2.8.3 also contain bugfixes.

Security Fixes

These releases fix a weakness in Validation::uploadedFile() where file inputs could be manipulated to accept existing files on the server. This could potentially lead to an attacker being able to access sensitive system files. If you are using Validation::uploadedFile() and are not checking MIME types or ensuring that the file was in fact an uploaded file, you should upgrade. We’d like to thank Kurita Takashi for reporting this issue.
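As an added example (not CakePHP's own code), the two checks the paragraph calls for, applied to one $_FILES entry: the path must be a genuine PHP upload, and the MIME type is read from the file's contents rather than from the client-supplied field. The function name isSafeUpload, the allow-list and the form field name "attachment" are assumptions for illustration.

```php
<?php
// Added example, not CakePHP code: reject any file input that is not a
// real upload, so that a manipulated input naming an existing file on the
// server cannot pass validation.

/**
 * Return true only when $file is a successful upload of an allowed type.
 *
 * @param array $file     One entry of $_FILES, e.g. $_FILES['attachment'].
 * @param array $allowed  Allow-list of MIME types (assumed application list).
 * @param int   $maxBytes Maximum accepted size in bytes.
 */
function isSafeUpload(array $file, array $allowed, int $maxBytes): bool
{
    // Must be a single, successfully uploaded file.
    if (!isset($file['error'], $file['tmp_name'], $file['size'])
        || is_array($file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }

    // Core check: the path must have been written by PHP's upload handler
    // during this request. Any other existing file on the server fails here.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }

    if ($file['size'] <= 0 || $file['size'] > $maxBytes) {
        return false;
    }

    // Detect the MIME type from the content; $file['type'] is client-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);

    return in_array($mime, $allowed, true);
}

// Usage (assumed form field "attachment", 2 MiB limit, constructed allow-list).
$allowed = ['image/png', 'image/jpeg', 'application/pdf'];
if (!isset($_FILES['attachment'])
    || !isSafeUpload($_FILES['attachment'], $allowed, 2 * 1024 * 1024)) {
    http_response_code(400);
    exit('Rejected: not a valid uploaded file of an allowed type.');
}
// Only after these checks should the file be moved out of the temp directory:
// move_uploaded_file($_FILES['attachment']['tmp_name'], $destination);
```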

Bugfixes in 2.8.3

  • Improved API docs. (@ravage84)
  • Boolean false is now treated as 0 when creating selectboxes. This allows select widgets to be used for boolean columns. (@markstory)
  • Optimized nested association loading. (@tharlinsmith)
  • ControllerTestCase::testAction() now clears the request stack after each call. This fixes issues where multiple calls to testAction() could not be done in the same test method when using array URLs. (@markstory)

Bugfixes in 3.2.6

  • Improved API documentation (@Sethathi, @thinkingmedia)
  • Queries generated by the marshaller now correctly alias primary key columns. (@markstory)
  • Complex conditions in BelongsToMany associations now work correctly. (@markstory)
  • Select box widgets for boolean values now generate correctly. false is now treated as equivalent to 0. (@markstory)
  • Http\Client now correctly supports the ssl_verify_peer_name option. (@curtisgibby)
  • CakePHP can now be used from within a phar file. (@lorenzo)
  • Bound parameters in sub-queries now propagate to their parent query. (@markstory)
  • A regression in the Postgres schema reflection code has been corrected. (@markstory)
  • Accessing TitleCase properties from entities now works as expected. (@dakota)
  • Cells in sub-namespaces now work as one would expect. (@markstory)
  • An empty string ('') is now a valid value for time inputs. (@markstory)

New Features in 3.2.6

  • Cake\ORM\Marshaller::one() now supports a forceNew option that can be used to create ‘new’ belongsToMany association records when the primary key is not defined. (@Tzaoh)
  • SecurityComponent now emits helpful error messages when secure field comparisons fail and an application is in debug mode. (@steinkel)
  • Validation::localizedTime() was added. (@ypnos-web)
  • Error logs now contain the request URL and referrer URL. (@mirko-paglial)

As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests.

Download a packaged release on GitHub.