CakePHP v4.0.10 Release Notes

Release Date: 2020-12-08
🚀 The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.10. This release contains security fixes and is a recommended upgrade for all applications still using 4.0.x.

🔒 The security fixes address a vulnerability in the CsrfProtectionMiddleware that allowed method override parameters to bypass CSRF checks for requests with no additional POST data. The fixes validate that the HTTP method override is a valid HTTP method name. We'd like to thank Xhelal Likaj for reporting this issue to us via our security mailing list.

🚀 The versions impacted by this issue are >4.0.0, <=4.0.9 and >4.1.0, <=4.1.3. Releases after 4.1.3 are not vulnerable, as they already validated the HTTP method names.
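As an added example, not code from CakePHP itself, the following standalone PHP sketch shows the shape of the check the fix describes: a `_method` override is honoured only when it names a known HTTP method, and the CSRF decision is taken on the resolved method rather than on whatever string the parameter carried. The class, method and constant names, and the accepted method list, are assumptions made for this example.

```php
<?php
// Added illustration, not CakePHP's own middleware code. Names and the
// accepted method list are assumptions made for this example.
declare(strict_types=1);

final class MethodOverrideResolver
{
    /** Only these names are accepted from the _method override parameter. */
    private const VALID_METHODS = ['GET', 'HEAD', 'OPTIONS', 'POST', 'PUT', 'PATCH', 'DELETE'];

    /** Methods that can change state and so must carry a CSRF token. */
    private const UNSAFE_METHODS = ['POST', 'PUT', 'PATCH', 'DELETE'];

    /**
     * Effective request method: the override when it names a real HTTP
     * method, the transport method when no override is present, and a
     * rejection for anything else so an unknown name never reaches the
     * CSRF decision, even when _method is the only field in the body.
     */
    public static function resolve(string $transportMethod, array $postData): string
    {
        if (!array_key_exists('_method', $postData)) {
            return strtoupper($transportMethod);
        }
        $override = $postData['_method'];
        if (!is_string($override) || !in_array(strtoupper($override), self::VALID_METHODS, true)) {
            throw new InvalidArgumentException('Rejected _method override: ' . var_export($override, true));
        }
        return strtoupper($override);
    }

    public static function requiresCsrfToken(string $method): bool
    {
        return in_array($method, self::UNSAFE_METHODS, true);
    }
}

// Constructed sample requests: transport method plus decoded POST body.
$samples = [
    ['POST', ['_method' => 'PUT', 'title' => 'hello']],
    ['POST', ['_method' => 'PUT']],         // override is the only POST field
    ['POST', ['_method' => 'not-a-verb']],  // rejected before any CSRF decision
    ['GET', []],
];
foreach ($samples as [$transport, $post]) {
    try {
        $method = MethodOverrideResolver::resolve($transport, $post);
        printf("%s %s => %s, CSRF token required: %s\n", $transport, json_encode($post), $method,
            MethodOverrideResolver::requiresCsrfToken($method) ? 'yes' : 'no');
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```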

🛠 Bugfixes

👀 You can expect the following changes in 4.0.10. See the changelog for every commit.

• 🛠 Fixed validation of HTTP methods defined in _method parameters.

Contributors to 4.0.10

🚀 Thank you to all the contributors that helped make this release happen:

• Mark Story
• Xhelal Likaj

📚 As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.