Releases: dereuromark/cakephp-geo
3.6.0
Improvements
- Fixed Remote Code Execution (RCE) vulnerability in ObjectType deserialization
  - Implemented whitelist-based deserialization to prevent object injection attacks
  - Now only allows safe classes (DateTime, DateTimeImmutable, and CakePHP I18n classes)
  - Impact: Prevents arbitrary code execution through malicious serialized data
- Fixed Path Traversal vulnerability in GoogleMapHelper::icon()
  - Added path validation to prevent directory traversal attacks
  - Image paths are now restricted to the WWW_ROOT/img/ directory
  - Impact: Prevents unauthorized file system access
- Fixed SQL Injection vulnerability in GeocoderBehavior::distanceConditions()
  - Added input validation for table and field name parameters
  - Validates identifiers against an alphanumeric pattern
  - Impact: Prevents SQL injection through field/table name manipulation
Full Changelog: 3.5.2...3.6.0
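The three hardening patterns the 3.6.0 notes describe, written out as an added example in PHP. This is not the plugin's own code: the function names, the WWW_ROOT stub and the set of CakePHP I18n class names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own implementation. Function names, the
// WWW_ROOT stub and the CakePHP I18n class list are assumptions.

if (!defined('WWW_ROOT')) {
    // CakePHP's bootstrap defines this; stubbed (with an img/ directory) so the file runs on its own.
    define('WWW_ROOT', sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'geo-example' . DIRECTORY_SEPARATOR);
    @mkdir(WWW_ROOT . 'img', 0700, true);
}

/**
 * 1. Deserialization restricted to an allow-list.
 *
 * A plain unserialize() instantiates whatever class the payload names, which is
 * the root of object injection. With allowed_classes every other class comes
 * back as __PHP_Incomplete_Class, which is then refused instead of kept around.
 */
function safeUnserialize(string $payload): mixed
{
    $allowed = [
        DateTime::class,
        DateTimeImmutable::class,
        // Assumed CakePHP I18n classes, given as strings so the example runs without the framework.
        'Cake\I18n\DateTime',
        'Cake\I18n\Date',
        'Cake\I18n\Time',
        'Cake\I18n\FrozenTime',
        'Cake\I18n\FrozenDate',
    ];
    $value = @unserialize($payload, ['allowed_classes' => $allowed]);
    if ($value === false && $payload !== 'b:0;') { // 'b:0;' is serialize(false)
        throw new RuntimeException('Malformed serialized data');
    }
    if (containsIncompleteClass($value)) {
        throw new RuntimeException('Serialized data names a class outside the allow-list');
    }

    return $value;
}

function containsIncompleteClass(mixed $value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }

    return false;
}

/**
 * 2. Icon paths confined to WWW_ROOT/img/.
 *
 * realpath() collapses "../" segments and resolves symlinks, so the containment
 * check runs on the resolved path, not the raw string. realpath() only resolves
 * existing files, so a missing icon is rejected as well.
 */
function validatedIconPath(string $image): string
{
    $base = realpath(WWW_ROOT . 'img');
    if ($base === false) {
        throw new RuntimeException('Image directory WWW_ROOT/img does not exist');
    }
    // Reject empty input, NUL bytes (realpath() refuses them) and absolute paths.
    if ($image === '' || str_contains($image, "\0") || preg_match('#^([a-zA-Z]:)?[/\\\\]#', $image)) {
        throw new InvalidArgumentException('Image path must be relative and free of NUL bytes');
    }
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $image);
    if ($resolved === false || !str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('Image path escapes WWW_ROOT/img/');
    }

    return $resolved;
}

/**
 * 3. Table and field names validated before interpolation.
 *
 * Identifiers cannot be bound as query parameters, so a distance expression has
 * to interpolate them; the alphanumeric/underscore pattern keeps quotes, spaces
 * and comment sequences out. Coordinates are formatted as floats, not strings.
 */
function assertIdentifier(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('Invalid SQL identifier: ' . $name);
    }

    return $name;
}

function distanceExpression(string $table, string $latField, string $lngField, float $lat, float $lng): string
{
    $latCol = assertIdentifier($table) . '.' . assertIdentifier($latField);
    $lngCol = assertIdentifier($table) . '.' . assertIdentifier($lngField);

    // Great-circle distance in kilometres (spherical law of cosines).
    return sprintf(
        '6371 * ACOS(COS(RADIANS(%1$F)) * COS(RADIANS(%2$s)) * COS(RADIANS(%3$s) - RADIANS(%4$F)) + SIN(RADIANS(%1$F)) * SIN(RADIANS(%2$s)))',
        $lat, $latCol, $lngCol, $lng
    );
}

// Constructed inputs showing each check in action.
var_dump(safeUnserialize(serialize(new DateTimeImmutable('2024-01-01'))) instanceof DateTimeImmutable);
try { safeUnserialize('O:8:"stdClass":0:{}'); } catch (RuntimeException $e) { echo $e->getMessage(), PHP_EOL; }
try { validatedIconPath('../../config/app.php'); } catch (Throwable $e) { echo $e->getMessage(), PHP_EOL; }
try { distanceExpression('addresses', 'lat', 'lng"; DROP TABLE addresses; --', 52.5, 13.4); } catch (InvalidArgumentException $e) { echo $e->getMessage(), PHP_EOL; }
echo distanceExpression('addresses', 'lat', 'lng', 52.5, 13.4), PHP_EOL;
```

Two caveats worth keeping in mind when applying these patterns to your own code: `allowed_classes` on its own only turns disallowed classes into `__PHP_Incomplete_Class` instances, so the result still has to be inspected (or, where possible, replaced by JSON) before use; and `realpath()` based containment checks require the target file to exist, which is fine for an icon that will be served but needs a different approach for paths that are only written later.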
3.5.2
3.5.1
Fixes
- Fixed up BaseMigration file
3.5.0
Improvements
- Clearer exception message for Geocoder failures related to the API key.
3.4.2
3.4.1
3.4.0
Improvements
Added closure support for address elements in Geocoder lookup.
Sometimes you need more logic for a specific address field. In this case you can use a closure to perform a dynamic lookup where needed; the closure receives the entity being geocoded and returns the value for that address element (or null to skip it):

```php
use Cake\Datasource\EntityInterface;

$this->addBehavior('Geo.Geocoder', [
    'address' => ['street', 'postal_code', 'city', function (EntityInterface $entity) {
        // Prefer the loaded country association when it matches the foreign key.
        if ($entity->country && $entity->country->id && $entity->country_id === $entity->country->id) {
            return $entity->country->name;
        }
        // Fall back to a plain country_name field if the entity carries one.
        if ($entity->get('country_name')) {
            return $entity->get('country_name');
        }
        // Otherwise resolve the name from the Countries table.
        if ($entity->country_id) {
            $country = $this->Countries->get($entity->country_id);

            return $country->name;
        }

        return null;
    }],
]);
```
3.3.0
Improvements
Added GeoCoordinate value object.
2.3.0
Improvements
Removed deprecated php-http/cakephp-adapter dependency and directly use CakePHP Client class.
Make sure to remove this dependency on your project level if you have it included. This is required for the update to work.
Note: Due to this change the plugin now requires PHP 8.1+ for CakePHP 4 as well. Make sure you have the required minimum PHP version before updating.
3.2.0
Improvements
Removed deprecated php-http/cakephp-adapter dependency and directly use CakePHP Client class.
Make sure to remove this dependency on your project level if you have it included. This is required for the update to work.