kamilwylegala / cakephp2-php8

CakePHP 2 fork that supports PHP 8

Security Patches #74

Open jeffpamer opened 2 weeks ago

jeffpamer commented 2 weeks ago

After pulling in this fork to our project, we've received dependabot alerts regarding a couple of CakePHP 2 vulnerabilities, notably:

CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter.

I realize the scope of this project is to provide the minimal set of patches to meet compatibility with PHP8. But I wanted to inquire if there was any potential roadmap for patching issues like this, or if perhaps this has already been done? Thanks.

kamilwylegala commented 2 weeks ago

Hey @jeffpamer Thanks for reporting this.

I'm not aware of this issue. Could you share more details? I guess the problem was discovered after the last official security patch from CakePHP for version 2.10.

How can _method be exploited to bypass CSRF? I'd like to understand the problem and plan the fix implementation.

kamilwylegala commented 2 weeks ago

Here is the patch for 3.x: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0

It needs to be back-ported to the fork.
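Added illustration of the defensive principle behind such a fix, not code from this fork, from CakePHP, or from the linked commit: the decision whether a request needs CSRF token validation is taken from the raw `REQUEST_METHOD`, and a `_method` override can only widen that decision, never narrow it. The request arrays and the `_csrfToken` / session field names are constructed for the example and do not match CakePHP's own field layout.

```php
<?php
// Added example (not the fork's or CakePHP's code). Shows a CSRF gate that keys
// on the transport method and treats a _method override as additional evidence
// of a state change, never as a reason to skip validation.

/** Read-only methods per HTTP semantics; these normally skip the token check. */
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

/**
 * Decide whether a request must carry a valid CSRF token.
 * $server is a $_SERVER-like array, $post a $_POST-like array (constructed here).
 */
function csrfValidationRequired(array $server, array $post): bool
{
    $raw = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    // Arrived as POST/PUT/PATCH/DELETE: state-changing regardless of any
    // _method it declares, so the token is always required.
    if (!in_array($raw, SAFE_METHODS, true)) {
        return true;
    }
    // Safe raw method that asks to be treated as an unsafe one: the intent is a
    // state change, so require the token as well.
    $override = strtoupper($post['_method'] ?? $server['HTTP_X_HTTP_METHOD_OVERRIDE'] ?? '');
    return $override !== '' && !in_array($override, SAFE_METHODS, true);
}

/** Constant-time comparison of the submitted token with the session copy. */
function csrfTokenIsValid(array $post, array $session): bool
{
    $sent = (string) ($post['_csrfToken'] ?? '');
    $expected = (string) ($session['csrfToken'] ?? '');
    return $sent !== '' && $expected !== '' && hash_equals($expected, $sent);
}

// Constructed sample requests; field names are assumptions, not CakePHP's.
$session = ['csrfToken' => 'constructed-token'];
$cases = [
    'POST with token'          => [['REQUEST_METHOD' => 'POST'], ['_csrfToken' => 'constructed-token']],
    'POST declaring _method'   => [['REQUEST_METHOD' => 'POST'], ['_method' => 'GET']],
    'GET declaring _method'    => [['REQUEST_METHOD' => 'GET'],  ['_method' => 'DELETE']],
    'plain GET'                => [['REQUEST_METHOD' => 'GET'],  []],
];
foreach ($cases as $label => [$server, $post]) {
    $needs = csrfValidationRequired($server, $post);
    $allowed = !$needs || csrfTokenIsValid($post, $session);
    printf("%-24s validate=%s allowed=%s\n", $label, var_export($needs, true), var_export($allowed, true));
}
```

Only the first and last constructed cases are allowed through; both override cases are rejected because no token accompanies them.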