Open jeffpamer opened 2 weeks ago
Hey @jeffpamer Thanks for reporting this.
I'm not aware of this issue. Could you share more details? I guess the problem was discovered after the last official security patch from cakephp for version 2.10.
How can `_method` be exploited to bypass CSRF? I'd like to understand the problem and plan the fix implementation.
Here is the patch for 3.x: https://github.com/cakephp/cakephp/commit/0f818a23a876c01429196bf7623e1e94a50230f0
It needs to be back-ported to the fork.
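The thread does not spell out the mechanism behind the `_method` CSRF issue, only that a 3.x fix exists and needs back-porting. As an added illustration, not from this thread and not CakePHP's or the fork's code, the snippet below shows the general hardening rule a reviewer would check a method-override implementation against: honour `_method` only from a real POST body (never from the query string), only for an allow-listed verb, and run the CSRF token check on the resolved method. The function names (`resolveMethod`, `requiresCsrfCheck`, `validateCsrfToken`) and the sample requests are assumptions constructed for this example.

```php
<?php
// Illustrative example, not CakePHP's own code. Shows the defensive rule for
// HTTP method overrides: an override is accepted only from a genuine POST
// body, only for an allow-listed verb, and CSRF protection keys off the
// resolved method. Function names here are assumptions for this example.

const OVERRIDABLE_METHODS = ['PUT', 'PATCH', 'DELETE'];

/**
 * Resolve the effective HTTP method for a request.
 *
 * @param string $realMethod The verb reported by the server (REQUEST_METHOD).
 * @param array  $postData   Parsed POST body (e.g. $_POST). The query string
 *                           is deliberately not consulted for an override.
 */
function resolveMethod(string $realMethod, array $postData): string
{
    $realMethod = strtoupper($realMethod);

    // An override is only meaningful on a real POST; a GET never becomes a
    // state-changing verb, whatever parameters it carries.
    if ($realMethod !== 'POST') {
        return $realMethod;
    }

    $override = $postData['_method'] ?? null;
    if (!is_string($override)) {
        return $realMethod;
    }
    $override = strtoupper($override);

    // Only allow-listed verbs; anything else keeps the real method.
    return in_array($override, OVERRIDABLE_METHODS, true) ? $override : $realMethod;
}

/**
 * CSRF protection must be decided on the resolved method: every non-safe
 * verb needs a valid token, regardless of how the verb was expressed.
 */
function requiresCsrfCheck(string $resolvedMethod): bool
{
    return !in_array($resolvedMethod, ['GET', 'HEAD', 'OPTIONS'], true);
}

/** Constant-time comparison of the session token with the submitted one. */
function validateCsrfToken(?string $sessionToken, ?string $submittedToken): bool
{
    return $sessionToken !== null
        && $submittedToken !== null
        && hash_equals($sessionToken, $submittedToken);
}

// Constructed sample requests (not taken from the thread).
$sessionToken = 'constructed-session-token';
$cases = [
    ['method' => 'GET',  'post' => [],                      'token' => null],
    ['method' => 'POST', 'post' => ['_method' => 'DELETE'], 'token' => $sessionToken],
    ['method' => 'POST', 'post' => ['_method' => 'DELETE'], 'token' => 'wrong-token'],
    ['method' => 'POST', 'post' => ['_method' => 'TRACE'],  'token' => $sessionToken],
];

foreach ($cases as $c) {
    $resolved = resolveMethod($c['method'], $c['post']);
    $needsCheck = requiresCsrfCheck($resolved);
    $allowed = !$needsCheck || validateCsrfToken($sessionToken, $c['token']);
    printf(
        "%-4s %-22s => resolved %-6s csrf check: %-3s request %s\n",
        $c['method'],
        json_encode($c['post']),
        $resolved,
        $needsCheck ? 'yes' : 'no',
        $allowed ? 'allowed' : 'rejected'
    );
}
```

Run with `php example.php`. The point of the example is the ordering: the override is resolved first, under the POST-only and allow-list rules, and the CSRF decision is made on that resolved verb, so no combination of real method and `_method` value can reach a state-changing handler without a valid token.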
After pulling in this fork to our project, we've received dependabot alerts regarding a couple of CakePHP2 vulnerabilities, notably:
I realize the scope of this project is to provide the minimal set of patches to meet compatibility with PHP8. But I wanted to inquire if there was any potential roadmap for patching issues like this, or if perhaps this has already been done? Thanks.