CakePHP 2.1.5 and 2.2.1 have just been released. If you are using CakePHP's
`Xml` class, you should upgrade as soon as possible.
The security issue was recently reported by Paweł Wyleciał. When accepting
user provided XML it is possible to read arbitrary files using external
entities. This is particularly dangerous for applications accepting XML
data as part of a webservice. A possible exploit example would be:
```sh
curl -X POST -H 'Content-Type: application/xml' http://localhost/posts -d
'<!DOCTYPE cakephp [
<!ENTITY payload SYSTEM "file:///etc/passwd" >]>
```
Once the XML has been processed `$this->request->data['Post']['body']` will
contain the contents of `/etc/passwd`. This issue was
and packaged releases for 2.1 and 2.2 have been created. This issue does
not affect the 1.3 or 1.2 release series. If you are unable to upgrade,
you should apply the
as soon as possible.
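The safest way to handle XML from a request body is to refuse any document that carries a DTD, since a DOCTYPE is the only place an entity can be declared. The loader below is an added example written for this post, not CakePHP's `Xml` class or its patch; it assumes plain PHP with the DOM and libxml extensions and uses constructed sample input.

```php
<?php
// Added example, not CakePHP's own code. A conservative loader for XML that
// arrives in a request body: it refuses any document carrying a DTD, so an
// entity such as <!ENTITY payload SYSTEM "file:///etc/passwd"> can never be
// declared, let alone resolved.

function loadUntrustedXml(string $xml): DOMDocument
{
    // A DOCTYPE is the only place an entity can be declared. Refusing it up
    // front is simpler and safer than tuning parser flags. The check is
    // deliberately case-insensitive and broad (a benign document with this
    // text inside a comment is rejected too), an acceptable trade-off for an API.
    if (stripos($xml, '<!DOCTYPE') !== false || stripos($xml, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DTD/entity declarations are not accepted');
    }

    // Defence in depth: stop libxml from loading external entities at all.
    // PHP 8.0+ disables this by default and deprecates the call, so only use
    // it on older releases.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    $previousErrorMode = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT is
    // intentionally absent: it would ask libxml to substitute entities.
    $loaded = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrorMode);

    if (!$loaded || $doc->doctype !== null) {
        throw new InvalidArgumentException('Malformed XML or unexpected DTD');
    }
    return $doc;
}

// Constructed samples: the DOCTYPE shape from the advisory above, and a benign post.
$hostile = '<!DOCTYPE cakephp [<!ENTITY payload SYSTEM "file:///etc/passwd">]>'
         . '<Post><body/></Post>';
$benign  = '<Post><body>Hello, CakeFest 2012</body></Post>';

try {
    loadUntrustedXml($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}

$doc = loadUntrustedXml($benign);
echo $doc->getElementsByTagName('body')->item(0)->textContent . PHP_EOL;
```

Rejecting the DTD before parsing also closes the door on entity-expansion denial of service, which the flag-only approach does not.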
### Other fixes in 2.2.1
In addition to the security fix, 2.2.1 contains fixes for the following:
* Fixed missing urlencode on nested named parameters.
* Fixed ANSI codes being output on Windows terminals.
* Fixed HtmlHelper::image() including the base directory twice when the
fullBase option is used.
* Console logging now respects the quiet flag for shells.
* TranslateBehavior now saves records with only some translated fields
* afterValidate() was made available on behaviors. This was an omission in
View the complete changelog for 2.2.1 and 2.1.5. Download a packaged
CakeFest 2012 is around the corner and we already expect awesome talks and
workshops during the best PHP conference out there. If you haven't booked
[your tickets](http://cakefest.org/ticket-info) yet, it's about time you do.
As always, thanks to the friendly CakePHP community for the patches,
documentation changes and new tickets. Without you there would be no