
Merge remote-tracking branch 'origin/2.6' into 3.0

Conflicts:
	composer.json
	src/Network/Email/Email.php
	tests/TestCase/Utility/DebuggerTest.php
mark_story 12 years ago
parent
commit
cb0ae945ca

+ 36 - 37
composer.json

@@ -1,39 +1,38 @@
 {
-    "name": "cakephp/cakephp",
-    "description": "The CakePHP framework",
-    "type": "library",
-    "keywords": ["framework"],
-    "homepage": "http://cakephp.org",
-    "license": "MIT",
-    "authors": [
-        {
-            "name": "CakePHP Community",
-            "homepage": "https://github.com/cakephp/cakephp/graphs/contributors"
-        }
-    ],
-    "support": {
-        "issues": "https://github.com/cakephp/cakephp/issues",
-        "forum": "http://stackoverflow.com/tags/cakephp",
-        "irc": "irc://irc.freenode.org/cakephp",
-        "source": "https://github.com/cakephp/cakephp"
-    },
-    "require": {
-        "php": ">=5.4.19",
-        "ext-intl": "*",
-        "ext-mcrypt": "*",
-        "ext-mbstring": "*",
-        "nesbot/Carbon": "1.8.*"
-    },
-    "require-dev": {
-        "phpunit/phpunit": "3.7.33"
-    },
-    "autoload": {
-        "psr-4": {
-            "Cake\\": "src",
-            "Cake\\Test\\": "tests"
-        }
-    },
-    "bin": [
-        "src/Console/cake"
-    ]
+	"name": "cakephp/cakephp",
+	"description": "The CakePHP framework",
+	"type": "library",
+	"keywords": ["framework"],
+	"homepage": "http://cakephp.org",
+	"license": "MIT",
+	"authors": [
+		{
+			"name": "CakePHP Community",
+			"homepage": "https://github.com/cakephp/cakephp/graphs/contributors"
+		}
+	],
+	"support": {
+		"issues": "https://github.com/cakephp/cakephp/issues",
+		"forum": "http://stackoverflow.com/tags/cakephp",
+		"irc": "irc://irc.freenode.org/cakephp",
+		"source": "https://github.com/cakephp/cakephp"
+	},
+	"require": {
+		"php": ">=5.4.19",
+		"ext-mcrypt": "*",
+		"ext-mbstring": "*",
+		"nesbot/Carbon": "1.8.*"
+	},
+	"require-dev": {
+		"phpunit/phpunit": "3.7.33"
+	},
+	"autoload": {
+		"psr-4": {
+			"Cake\\": "src",
+			"Cake\\Test\\": "tests"
+		}
+	},
+	"bin": [
+		"src/Console/cake"
+	]
 }
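Review bot: The re-indented `require` block no longer lists `"ext-intl": "*"`, and because every line in this hunk changes from spaces to tabs the removal is easy to miss. If any code on the 3.0 branch still calls intl functions (not visible here), Composer stops checking for the extension at install time and the failure moves to runtime. Either restore `"ext-intl": "*",` in `require` or state in the merge message that the drop is intentional. Keeping the 3.0 side's indentation in this conflict resolution would also reduce the diff to the one real change.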

+ 5 - 7
src/Network/Email/Email.php

@@ -1293,14 +1293,12 @@ class Email {
 			$this->setHeaders($config['headers']);
 			unset($config['headers']);
 		}
+
 		if (array_key_exists('template', $config)) {
-			$layout = false;
-			if (array_key_exists('layout', $config)) {
-				$layout = $config['layout'];
-				unset($config['layout']);
-			}
-			$this->template($config['template'], $layout);
-			unset($config['template']);
+			$this->_template = $config['template'];
+		}
+		if (array_key_exists('layout', $config)) {
+			$this->_layout = $config['layout'];
 		}
 	}
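Review bot: Both config keys are now written straight into `$this->_template` and `$this->_layout`, so whatever `template()` did with its arguments is skipped and a value of any type in the config array is stored as-is. These names presumably select view files later (inferred from the property names; the rendering code is outside this hunk), so a config array assembled from request data would reach that lookup unchecked. The old branch also passed `false` as the layout when only `template` was given, whereas now the previous `_layout` value is kept; a comment such as `// Assign directly so 'layout' applies even without 'template'; an absent key leaves the current value.` would record that. The enclosing method starts outside the hunk.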
 

+ 9 - 1
src/Network/Response.php

@@ -1322,7 +1322,8 @@ class Response {
  * - name: Alternate download name
  * - download: If `true` sets download header and forces file to be downloaded rather than displayed in browser
  *
- * @param string $path Path to file
+ * @param string $path Path to file. If the path is not an absolute path that resolves
+ *   to a file, `APP` will be prepended to the path.
  * @param array $options Options See above.
  * @return void
  * @throws \Cake\Error\NotFoundException
@@ -1333,6 +1334,13 @@ class Response {
 			'download' => null
 		);
 
+		if (strpos($path, '..') !== false) {
+			throw new Error\NotFoundException(__d(
+				'cake_dev',
+				'The requested file contains `..` and will not be read.'
+			));
+		}
+
 		if (!is_file($path)) {
 			$path = APP . $path;
 		}
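Review bot: The new `strpos($path, '..') !== false` guard matches two dots anywhere in the string, so it rejects ordinary names such as `report..2014.pdf` while still passing any absolute path through to `is_file($path)` unchanged. Rejecting `..` therefore does not confine `file()` to a directory; callers that build `$path` from request data still need to map it to a known base or an allow-list. Matching whole segments would cut the false positives, e.g. `if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $path)) {`. The docblock hunk above should also say that a path containing `..` raises `NotFoundException` and that absolute paths are served as given. The body of `file()` continues past this hunk.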

+ 15 - 3
src/View/View.php

@@ -273,6 +273,13 @@ class View {
 	protected $_paths = array();
 
 /**
+ * Holds an array of plugin paths.
+ *
+ * @var array
+ */
+	protected $_pathsForPlugin = array();
+
+/**
  * The names of views and their parents used with View::extend();
  *
  * @var array
@@ -1085,8 +1092,13 @@ class View {
  * @return array paths
  */
 	protected function _paths($plugin = null, $cached = true) {
-		if ($plugin === null && $cached === true && !empty($this->_paths)) {
-			return $this->_paths;
+		if ($cached === true) {
+			if ($plugin === null && !empty($this->_paths)) {
+				return $this->_paths;
+			}
+			if ($plugin !== null && isset($this->_pathsForPlugin[$plugin])) {
+				return $this->_pathsForPlugin[$plugin];
+			}
 		}
 		$paths = array();
 		$viewPaths = App::path('Template');
@@ -1118,7 +1130,7 @@ class View {
 		}
 		$paths = array_merge($paths, $corePaths);
 		if ($plugin !== null) {
-			return $paths;
+			return $this->_pathsForPlugin[$plugin] = $paths;
 		}
 		return $this->_paths = $paths;
 	}
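Review bot: The write at `return $this->_pathsForPlugin[$plugin] = $paths;` is not tied to `$cached`, so a call with `$cached = false` also replaces the stored entry for that plugin; this mirrors the existing `$this->_paths` line but is worth stating in the method docblock. The new property's docblock in the first hunk, "Holds an array of plugin paths.", does not say what the keys are; I would write `Holds view paths keyed by plugin name, filled by _paths().`. The middle of `_paths()` lies between the two hunks and is not shown, so if it reads other instance state when building the list, the cache key would need to cover that too.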

+ 21 - 3
tests/TestCase/Network/Email/EmailTest.php

@@ -1,7 +1,5 @@
 <?php
 /**
- * CakeEmailTest file
- *
  * CakePHP(tm) Tests <http://book.cakephp.org/2.0/en/development/testing.html>
  * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
  *
@@ -27,7 +25,7 @@ use Cake\Utility\File;
 use Cake\View\Error\MissingViewException;
 
 /**
- * Help to test CakeEmail
+ * Help to test Email
  *
  */
 class TestEmail extends Email {
@@ -1869,6 +1867,26 @@ class EmailTest extends TestCase {
 	}
 
 /**
+ * testConfigArrayWithLayoutWithoutTemplate method
+ *
+ * @return void
+ */
+	public function testConfigArrayWithLayoutWithoutTemplate() {
+		$configs = array(
+			'from' => array('some@example.com' => 'My website'),
+			'to' => 'test@example.com',
+			'subject' => 'Test mail subject',
+			'transport' => 'debug',
+			'layout' => 'custom'
+		);
+		$this->CakeEmail = new Email($configs);
+
+		$result = $this->CakeEmail->template();
+		$this->assertEquals('', $result['template']);
+		$this->assertEquals($configs['layout'], $result['layout']);
+	}
+
+/**
  * testConstructWithConfigString method
  *
  * @return void
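Review bot: `assertEquals('', $result['template'])` compares loosely, so it also passes when the template comes back as `null` or `false`; `$this->assertSame('', $result['template']);` pins the value if the empty string is the intended default (the default is not visible in this hunk). The test covers `layout` without `template`, but the changed `Email` code also alters the opposite case, `template` without `layout`, where the layout was previously forced to `false`. A second test for that case would document which behaviour is now expected.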

+ 11 - 0
tests/TestCase/Network/ResponseTest.php

@@ -1167,6 +1167,17 @@ class ResponseTest extends TestCase {
 	}
 
 /**
+ * test file with ..
+ *
+ * @expectedException Cake\Error\NotFoundException
+ * @return void
+ */
+	public function testFileWithPathTraversal() {
+		$response = new Response();
+		$response->file('my/../cat.gif');
+	}
+
+/**
  * testFile method
  *
  * @return void
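Review bot: The new test exercises only `my/../cat.gif`, a `..` in the middle of a relative path. Since the guard in `Response::file()` is a plain substring match, the cases worth pinning as well are a leading `../`, a backslash-separated path, and a valid file whose name merely contains two dots, so that a later tightening of the check does not change behaviour unnoticed. A data provider feeding `testFileWithPathTraversal` would keep the rejected cases in one method.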

+ 1 - 0
tests/TestCase/Utility/DebuggerTest.php

@@ -365,6 +365,7 @@ object(Cake\View\View) {
 	]
 	[protected] _scripts => []
 	[protected] _paths => []
+	[protected] _pathsForPlugin => []
 	[protected] _parents => []
 	[protected] _current => null
 	[protected] _currentType => ''