Can you tell in which release this problem was introduced? I think it was 1.2RC2, right?
On Sunday, April 28, 2013 4:37:05 PM UTC-4, mark_story wrote:
>
> If you are using CakePHP's PaginatorComponent without whitelisted sort fields you should upgrade as soon as possible to prevent possible SQL injections.
>
> CakePHP 1.2.12, 1.3.16, 2.2.8 and 2.3.4 have just been released to fix a critical issue with how pagination & PaginatorComponent handle sort criteria. When paginating without a sort column whitelist it was possible to execute arbitrary SQL by manipulating the sort conditions. In the following days we will offer a full description of the vulnerability and how it can be exploited, after some reasonable time has passed for our users to upgrade.
>
> In addition to the security fix 2.3.4 contains fixes for the following issues:
>
> * Support for HTTP code 505 was added.
> * Router::currentRoute() returns false when there is no current route.
> * Writing to file cache after clearing a group now works as expected.
> * Asset URLs using fullBase are now generated correctly when not using URL re-writing.
>
> There are no additional fixes outside the security fix in 2.2.8.
>
> In addition to the security fix 1.3.16 contains fixes for the following issues:
>
> * Databases is now singularized correctly.
> * Saving translations with saveAll() now works better.
> * Oracle listSources() no longer reads from the global table namespace.
> * The cake console command now works on MacOS properly.
> * Mixing query[contain] and contain() now interact properly.
>
> In addition to the security fix 1.2.12 contains fixes for the following issues:
>
> * umask is now set when creating cache files.
> * Boundaries for multipart email messages are now generated correctly.
> * Compatibility with PHP 5.4 has been improved.
>
> We recommend all users of 1.2, 1.3, and 2.x release series upgrade as soon as possible to the new releases.
>
> Links
> ------
>
> * Download a packaged release http://github.com/cakephp/cakephp/tags
> * View the changelogs http://cakephp.org/changelogs
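The advisory quoted above names the mitigation without showing it: a sort column coming from the request must only ever be accepted from a fixed list of known-good identifiers, because column names cannot be bound as query parameters the way values can. The following is an added, framework-agnostic PHP example (not CakePHP's own code and not the patched PaginatorComponent) showing that check; the function name `safeOrderBy`, the column list and the sample request values are all constructed for the demonstration.

```php
<?php
// Added example (not CakePHP code): allowlist-based validation of
// user-supplied sort parameters before they reach an ORDER BY clause.
// Column names cannot be bound as prepared-statement parameters, so the
// only safe approach is exact-match comparison against a fixed list.

/**
 * Build an ORDER BY fragment from untrusted $sort and $direction.
 * $allowed is the list of sortable columns (assumed names for the demo).
 * Returns null when $sort is not on the list, so the caller falls back
 * to a default ordering instead of interpolating request-controlled text.
 */
function safeOrderBy(?string $sort, ?string $direction, array $allowed): ?string
{
    // Strict comparison against the allowlist: no pattern matching,
    // no "looks like an identifier" heuristics, no partial matches.
    if ($sort === null || !in_array($sort, $allowed, true)) {
        return null;
    }

    // Direction is likewise restricted to the two literal values expected.
    $dir = strtoupper((string) $direction);
    if ($dir !== 'ASC' && $dir !== 'DESC') {
        $dir = 'ASC';
    }

    // Quote the identifier with the database's own quoting rules
    // (backticks shown for MySQL; adjust for other drivers).
    return sprintf('ORDER BY `%s` %s', $sort, $dir);
}

// Constructed sample inputs standing in for request query parameters:
// one legitimate request and two that must be rejected or normalised.
$allowed = ['id', 'title', 'created'];
$samples = [
    ['sort' => 'title',             'direction' => 'desc'],
    ['sort' => 'title, id -- ',     'direction' => 'asc'],
    ['sort' => 'id',                'direction' => 'sideways'],
];

foreach ($samples as $q) {
    $clause = safeOrderBy($q['sort'], $q['direction'], $allowed);
    printf("%-20s -> %s\n", $q['sort'], $clause ?? '(rejected, default order used)');
}
```

Run with `php example.php`: the first sample yields `ORDER BY \`title\` DESC`, the second is rejected outright because the value is not exactly one of the allowed names, and the third keeps the column but falls back to `ASC` for the unrecognised direction. The same rule applies whatever framework builds the query: the allowlist, not escaping, is what keeps an identifier position safe.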
