The CakePHP core team is ready to announce the immediate availability of CakePHP 2.6.6 and 3.0.6. These are maintenance releases that contain important security fixes.
## Security Fixes Earlier this week we were notified that RequestHandlerComponent had a vulnerability that would allow well crafted requests to create a denial of service attack. RequestHandlerComponent leverages `Xml::build()` which allows reading local files. We recommend that all applications using RequestHandlerComponent upgrade, or disable parsing XML payloads. To disable XML payload parsing you can do the following ```php // In a controller's beforeFilter $this->RequestHandler->addInputType('xml', function() { return []; }); ``` The above code will replace the built-in XML parsing with a no-op function. We'd like to thank Takeshi Terada for notifying us of this security issue using our [Security Issue Process] (http://book.cakephp.org/3.0/en/contributing/tickets.html#reporting-security-issues>). ## Other Fixes in 2.6.6 * `FormHelper::radio()` now correctly generates ID attributes for radio buttons with multibyte values. * `Inflector::humanize()` and `Inflector::underscore()` work correctly with UTF8 characters now. ## Other Fixes in 3.0.6 * `FormHelper::radio()` now correctly generates ID attributes for radio buttons with multibyte values. * `Inflector::humanize()` and `Inflector::underscore()` work correctly with UTF8 characters now. * URLs in `FormHelper::postLink()` are no longer double encoded. * `PaginatorHelper::numbers()` now supports the `url` option. * Error.trace is now respected when logging exceptions. * The Entity accessors cache introduced in 3.0.3 has been removed. It caused a number of issues and didn't greatly improve performance. * `EntityTrait::getOriginal()` and `EntityTrait::extractOriginal()` now return values that were initially null. * Empty query expressions used in association query builders no longer cause invalid SQL to be generated. As always, a huge thanks to all the community members that helped make this release happen by reporting issues and sending pull requests. -- Like Us on FaceBook https://www.facebook.com/CakePHP Find us on Twitter http://twitter.com/CakePHP --- You received this message because you are subscribed to the Google Groups "CakePHP" group. To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscr...@googlegroups.com. To post to this group, send email to cake-php@googlegroups.com. Visit this group at http://groups.google.com/group/cake-php. For more options, visit https://groups.google.com/d/optout.