CakePHP 4.5.9
The CakePHP core team is happy to announce the immediate availability of CakePHP 4.5.9. This is a maintenance release for the 4.4 branch that fixes a few community reported issues and a security fix.
Bugfixes
You can expect the following changes in 4.5.9. See the changelog for every commit.
- Requests now read the uri from REQUEST_URI instead of PATH_INFO. PATH_INFO has urlescaping applied which enables requests with %2f to be routed when they should not. This could create a security risk for applications that use CDN or loadbalancer rules with paths to be bypassed.
- Fix ORM queries not being able to set read role.
Contributors to 4.5.9
Thank you to all the contributors that helped make this release happen:
- Jeppe Bonde Weikop for reporting the PATH_INFO issue.
- Kevin Pfeifer
- Mark Story
As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.
Download a packaged release on github.