CakePHP v4.0.6 Release Notes
Release Date: 2020-04-19
The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.6. This is a maintenance release for the 4.0 branch that fixes several community-reported issues and a low-risk security issue in our CSRF protection middleware.
Bugfixes
You can expect the following changes in 4.0.6. See the changelog for every commit.
- Nirmal Kirubakaran contacted us via the security mailing list and disclosed a vulnerability in our CSRF token generation. If an attacker were to use an XSS vulnerability or physical access to fixate a CSRF token they could then exploit additional CSRF attacks. In this release tokens contain an HMAC signed with Security.salt. This ensures the tokens were generated by the same application that receives them.
- Improved session access in IntegrationTestTrait through the new getTestSession() method.
- Fixed generation of pagination links on / URLs.
- cake plugin unload and cake plugin load now handle vendor namespaced plugins.
- Validation::inList() no longer emits a warning on non-scalar values.
- Schema reflection stored procedures in SQLServer now work in case sensitive configurations.
- Email message wrapping no longer emits errors when lines are the same length as the wrap length.
- App::path() now resolves locale files for plugins.
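
The HMAC-signed token described in the first item above, as an added sketch that is not CakePHP's middleware code: a token is a random value followed by its HMAC under the application salt, so a value planted in the cookie without knowledge of the salt fails verification. The function names, the constructed salt, SHA-256, hex encoding and the 16-byte value size are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Constructed placeholder; a real application uses its own configured Security.salt.
const APP_SALT = 'constructed-example-salt-not-a-real-secret';
const VALUE_LENGTH = 16; // random bytes per token (size assumed for this sketch)
const MAC_HEX_LENGTH = 64; // hex length of a SHA-256 HMAC

/** Create a token: random value followed by its HMAC under the application salt. */
function createToken(string $salt): string
{
    $value = random_bytes(VALUE_LENGTH);

    return bin2hex($value) . hash_hmac('sha256', $value, $salt);
}

/** Accept only tokens whose HMAC was produced with this application's salt. */
function verifyToken(string $token, string $salt): bool
{
    $valueHexLength = VALUE_LENGTH * 2;
    // Reject anything that is not exactly value + MAC in hex before doing any work.
    if (strlen($token) !== $valueHexLength + MAC_HEX_LENGTH || !ctype_xdigit($token)) {
        return false;
    }
    $value = hex2bin(substr($token, 0, $valueHexLength));
    $mac = substr($token, $valueHexLength);

    // Constant-time comparison avoids leaking how many MAC characters matched.
    return hash_equals(hash_hmac('sha256', $value, $salt), $mac);
}

// Constructed inputs for the three cases worth checking.
$issued = createToken(APP_SALT);                      // minted by this application
$fixated = str_repeat('a', 96);                       // well-formed, chosen without the salt
$foreign = createToken('another-applications-salt');  // signed under a different salt

foreach (['issued' => $issued, 'fixated' => $fixated, 'foreign' => $foreign] as $label => $token) {
    printf("%s: %s\n", $label, verifyToken($token, APP_SALT) ? 'accepted' : 'rejected');
}
```

The signature only binds a token to the application that issued it; the protection depends on the salt staying secret and being unique per application.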
Contributors to 4.0.6
Thank you to all the contributors that helped make this release happen:
- ADmad
- Corey Taylor
- Mark Scherer
- Mark Story
- Nicolas
As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.