CakePHP v4.0.6 Release Notes
Release Date: 2020-04-19 // about 4 years ago-
๐ The CakePHP core team is happy to announce the immediate availability of CakePHP 4.0.6. This is a maintenance release for the 4.0 branch that fixes several community reported issues and a low risk security issue in our CSRF protection middleware.
๐ Bugfixes
๐ You can expect the following changes in 4.0.6. See the changelog for every commit.
- ๐ Nirmal Kirubakaran contacted us via the security mailing list and disclosed a vulnerability in our CSRF token generation. If an attacker were to use an XSS vulnerabiity or physical access to fixate a CSRF token they could then exploit additional CSRF attacks. In this release tokens contain an HMAC signed with
Security.salt. This ensures the tokens were generated by the same application that receives them. - ๐ Improved session access in
IntegrationTestTraitthrough the newgetTestSession()method. - ๐ Fixed generation of pagination links on
/URLs. - ๐
cake plugin unloadandcake plugin loadnow handle vendor namespaced plugins. - โ
Validation::inList()no longer emits a warning on a non-scalar values. - ๐ง Schema reflection stored procedures in SQLServer now work in case sensitive configurations.
- Email message wrapping no longer emits errors when lines are the same length as the wrap length.
- ๐
App::path()now resolves locale files for plugins.
Contributors to 4.0.6
๐ Thank you to all the contributors that helped make this release happen:
- ADmad
- Corey Taylor
- Mark Scherer
- Mark Story
- Nicolas
๐ As always, we would like to thank all the contributors that opened issues, created pull requests or updated the documentation.
- ๐ Nirmal Kirubakaran contacted us via the security mailing list and disclosed a vulnerability in our CSRF token generation. If an attacker were to use an XSS vulnerabiity or physical access to fixate a CSRF token they could then exploit additional CSRF attacks. In this release tokens contain an HMAC signed with