The CakePHP core team is happy to announce the immediate availability of CakePHP 5.1.4. This is a maintenance release with a security fix for the 5.1 branch that fixes several community reported issues and regressions. If you are having problems with the framework breaking your application when you upgrade from 5.0.11 to 5.1, please open an issue.
Bugfixes
You can expect the following changes in 5.1.4. See the changelog for every commit.
- Relaxed typehints to allow
callablewhere previously typehints wereClosure. aria-invalidis now be applied toselectelements.- Relaxed type hints that were
listto bearray. - Improved API documentation.
- Converted 5xx response codes to 4xx for externally invoked bad URLs.
Client\Requestno longer mangles theContent-Typeheader for JSON and XML requests with array data.Paginatorwill now trigger warnings when settings have not been applied.- Request URIs are now read from
REQUEST_URIinstead ofPATH_INFO. This resolves a potential security issue where paths with%2fwould be incorrectly handled as/by CakePHP. - Improved CSP compliance in
FormHelperby replacing inline style attributes with classnames, and inline JavaScript with script blocks whenCspMiddlewareis enabled. - Fixed off-by-one error on stackframe offests in
ErrorTrap::handleError().
Contributors to 5.1.4
Thank you to all the contributors that submitted a pull request:
- ADmad
- Kevin Pfeifer
- Marc Würth
- Mark Scherer
- Mark Story
As always, we would like to also thank all the contributors that opened issues, or updated the documentation.