Removing magic file handling from responses #11921
Comments
yes, cake uses Lines 2397 to 2414 in 40ec1f4
👍
We should add a deprecation warning for this scenario now.
markstory added a commit that referenced this issue Apr 14, 2018
Files being used with Response::withFile() should be absolute. Prefixing with the application path is often seen as unwanted magic. Refs #11921
Closing as the deprecation has been added.
This is a (multiple allowed):
bug
enhancement
feature-discussion (RFC)
CakePHP Version: 4.0.0
I've seen this over and over again, people try to send files and accidentally pass non-absolute paths (filenames only, relative paths, ...) to Response::file()/withFile(), thus having CakePHP do its "magic", trying to look up the file in APP, which by default is the src folder.

Even if auto-resolving non-absolute paths would be deemed useful, who would actually want to serve files from the src folder? I would like to suggest to remove this behavior in 4.0, completely that is, i.e. make withFile() require an absolute path, and fail hard for anything else.

Even though the current behavior is documented in the API docs, it's IMHO an unnecessary boobytrap, and people seem to step into it all the time.