1.1.15 release.

Author: qiangxue

CHANGELOG

@@ -1,6 +1,10 @@
                    Yii Framework Change Log
                    ========================
 
+Version 1.1.15 June 29, 2014
+----------------------------
+- Bug (CVE-2014-4672): CDetailView may be exploited to allow executing arbitrary PHP script on the server (cebe, qiangxue)
+
 Version 1.1.14 August 11, 2013
 ------------------------------
 - Bug: There was unnecessary echo in CRUD views generated by Gii (samdark)

UPGRADE

@@ -1,4 +1,4 @@
-         Upgrading Instructions for Yii Framework v1.1.14
+         Upgrading Instructions for Yii Framework v1.1.15
          ================================================
 
 !!!IMPORTANT!!!
@@ -17,6 +17,11 @@ General upgrade instructions
 - Check if everything is OK, if not — revert from backup and post
   issues to Yii issue tracker.
 
+
+Upgrading from v1.1.14
+----------------------
+
+
 Upgrading from v1.1.13
 ----------------------
 

framework/YiiBase.php

@@ -80,7 +80,7 @@ class YiiBase
 	 */
 	public static function getVersion()
 	{
-		return '1.1.14';
+		return '1.1.15';
 	}
 
 	/**

framework/yiilite.php

@@ -40,7 +40,7 @@ class YiiBase
 	private static $_logger;
 	public static function getVersion()
 	{
-		return '1.1.14';
+		return '1.1.15';
 	}
 	public static function createWebApplication($config=null)
 	{

framework/zii/widgets/CDetailView.php

@@ -209,7 +209,7 @@ public function run()
 			if(!isset($attribute['type']))
 				$attribute['type']='text';
 			if(isset($attribute['value']))
-				$value=is_callable($attribute['value']) ? call_user_func($attribute['value'],$this->data) : $attribute['value'];
+				$value=is_object($attribute['value']) && get_class($attribute['value']) === 'Closure' ? call_user_func($attribute['value'],$this->data) : $attribute['value'];
 			elseif(isset($attribute['name']))
 				$value=CHtml::value($this->data,$attribute['name']);
 			else