Earlier today, we announced the release of 2.6.6. This version contained
a syntax error in PHP < 5.4. This error has been corrected in 2.6.7. If
you are running PHP < 5.4.0 you should upgrade to 2.6.7 instead of 2.6.6.
In doing the security release, I did not follow our normal process of
ensuring
that there is a passing build on all supported PHP versions before doing the
release. This was a mistake and will not happen again.
On Thursday, 28 May 2015 11:57:53 UTC-4, mark_story wrote:
>
> The CakePHP core team is ready to announce the immediate availability of
> CakePHP
> 2.6.6 and 3.0.6. These are maintenance releases that contain important
> security
> fixes.
>
> ## Security Fixes
>
> Earlier this week we were notified that RequestHandlerComponent had
> a vulnerability that would allow well crafted requests to create a denial
> of
> service attack. RequestHandlerComponent leverages `Xml::build()` which
> allows
> reading local files. We recommend that all applications using
> RequestHandlerComponent upgrade, or disable parsing XML payloads. To
> disable XML
> payload parsing you can do the following
>
> ```php
> // In a controller's beforeFilter
> $this->RequestHandler->addInputType('xml', function() { return []; });
> ```
>
> The above code will replace the built-in XML parsing with a no-op
> function. We'd
> like to thank Takeshi Terada for notifying us of this security issue using
> our
> [Security Issue Process]
> (
> http://book.cakephp.org/3.0/en/contributing/tickets.html#reporting-security-issues
> >).
>
> ## Other Fixes in 2.6.6
>
> * `FormHelper::radio()` now correctly generates ID attributes for radio
> buttons with multibyte values.
> * `Inflector::humanize()` and `Inflector::underscore()` work correctly with
> UTF8 characters now.
>
> ## Other Fixes in 3.0.6
>
> * `FormHelper::radio()` now correctly generates ID attributes for radio
> buttons with multibyte values.
> * `Inflector::humanize()` and `Inflector::underscore()` work correctly with
> UTF8 characters now.
> * URLs in `FormHelper::postLink()` are no longer double encoded.
> * `PaginatorHelper::numbers()` now supports the `url` option.
> * Error.trace is now respected when logging exceptions.
> * The Entity accessors cache introduced in 3.0.3 has been removed. It
> caused
> a number of issues and didn't greatly improve performance.
> * `EntityTrait::getOriginal()` and `EntityTrait::extractOriginal()` now
> return values that were initially null.
> * Empty query expressions used in association query builders no longer
> cause
> invalid SQL to be generated.
>
> As always, a huge thanks to all the community members that helped make this
> release happen by reporting issues and sending pull requests.
>
--
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups
"CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to cake-php+unsubscr...@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.