This is a (multiple allowed):

• bug

• enhancement

• feature-discussion (RFC)

• CakePHP Version: 4.0.0

I've seen this over and over again, people try to send files and accidentally pass non-absolute paths (filenames only, relative paths, ...) to Response::file()/withFile(), thus having CakePHP do it's "magic", trying to look up the file in APP, which by default is the src folder.

Even if auto-resolving non-absolute paths would be deemed useful, who would actually want to serve files from the src folder? I would like to suggest to remove this behavior in 4.0, completely that is, ie. make withFile() require an absolute path, and fail hard for anything else.

Even though the current behavior is documented in the API docs, it's IMHO an unnecessary boobytrap, and people seem to step in to it all the time.