codeigniter4 · ping-yee · Aug 5, 2022 · Aug 5, 2022 · Aug 5, 2022 · Jul 28, 2022
diff --git a/.github/workflows/test-userguide.yml b/.github/workflows/test-userguide.yml
@@ -25,3 +25,4 @@ jobs:
       - uses: ammaraskar/[email protected]
         with:
           docs-folder: user_guide_src
+          build-command: 'make html SPHINXOPTS="-W --keep-going -w /tmp/sphinx-log"'
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## [v4.2.3](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.3) (2022-08-06)
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.2...v4.2.3)
+
+* SECURITY: Improve CSRF protection (for Shield CSRF security fix)
+
 ## [v4.2.2](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.2) (2022-08-05)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.1...v4.2.2)
 

diff --git a/admin/RELEASE.md b/admin/RELEASE.md
@@ -2,7 +2,7 @@
 
 > Documentation guide based on the releases of `4.0.5` and `4.1.0` on January 31, 2021.
 >
-> Updated for `4.1.6` on December 24, 2021.
+> Updated for `4.2.3` on August 6, 2022.
 >
 > -MGatner
 
@@ -29,8 +29,9 @@ git clone [email protected]:codeigniter4/CodeIgniter4.git
 git clone [email protected]:codeigniter4/userguide.git
 ```
 * Vet the **admin/** folders for any removed hidden files (Action deploy scripts *do not remove these*)
+* Merge any Security Advisory PRs in private forks
 
-## CodeIgniter4
+## Process
 
 > Note: Most changes that need noting in the User Guide and docs should have been included
 > with their PR, so this process assumes you will not be generating much new content.
@@ -75,6 +76,7 @@ composer create-project codeigniter4/appstarter release-test
 cd release-test
 composer test && composer info codeigniter4/framework
 ```
+* publish any Security Advisories that were resolved from private forks
 
 ## User Guide
 

diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -47,7 +47,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.2.2';
+    public const CI_VERSION = '4.2.3';
 
     /**
      * App startup time.

diff --git a/system/Email/Email.php b/system/Email/Email.php
@@ -288,6 +288,13 @@ class Email
      */
     protected $debugMessage = [];
 
+    /**
+     * Raw debug messages
+     *
+     * @var string[]
+     */
+    private array $debugMessageRaw = [];
+
     /**
      * Recipients
      *
@@ -434,16 +441,17 @@ public function initialize($config)
      */
     public function clear($clearAttachments = false)
     {
-        $this->subject      = '';
-        $this->body         = '';
-        $this->finalBody    = '';
-        $this->headerStr    = '';
-        $this->replyToFlag  = false;
-        $this->recipients   = [];
-        $this->CCArray      = [];
-        $this->BCCArray     = [];
-        $this->headers      = [];
-        $this->debugMessage = [];
+        $this->subject         = '';
+        $this->body            = '';
+        $this->finalBody       = '';
+        $this->headerStr       = '';
+        $this->replyToFlag     = false;
+        $this->recipients      = [];
+        $this->CCArray         = [];
+        $this->BCCArray        = [];
+        $this->headers         = [];
+        $this->debugMessage    = [];
+        $this->debugMessageRaw = [];
 
         $this->setHeader('Date', $this->setDate());
 
@@ -1658,7 +1666,12 @@ protected function spoolEmail()
         }
 
         if (! $success) {
-            $this->setErrorMessage(lang('Email.sendFailure' . ($protocol === 'mail' ? 'PHPMail' : ucfirst($protocol))));
+            $message = lang('Email.sendFailure' . ($protocol === 'mail' ? 'PHPMail' : ucfirst($protocol)));
+
+            log_message('error', 'Email: ' . $message);
+            log_message('error', $this->printDebuggerRaw());
+
+            $this->setErrorMessage($message);
 
             return false;
         }
@@ -1937,7 +1950,8 @@ protected function sendCommand($cmd, $data = '')
 
         $reply = $this->getSMTPData();
 
-        $this->debugMessage[] = '<pre>' . $cmd . ': ' . $reply . '</pre>';
+        $this->debugMessage[]    = '<pre>' . $cmd . ': ' . $reply . '</pre>';
+        $this->debugMessageRaw[] = $cmd . ': ' . $reply;
 
         if ($resp === null || ((int) static::substr($reply, 0, 3) !== $resp)) {
             $this->setErrorMessage(lang('Email.SMTPError', [$reply]));
@@ -2090,8 +2104,8 @@ protected function getHostname()
     }
 
     /**
-     * @param array $include List of raw data chunks to include in the output
-     *                       Valid options are: 'headers', 'subject', 'body'
+     * @param array|string $include List of raw data chunks to include in the output
+     *                              Valid options are: 'headers', 'subject', 'body'
      *
      * @return string
      */
@@ -2119,12 +2133,21 @@ public function printDebugger($include = ['headers', 'subject', 'body'])
         return $msg . ($rawData === '' ? '' : '<pre>' . $rawData . '</pre>');
     }
 
+    /**
+     * Returns raw debug messages
+     */
+    private function printDebuggerRaw(): string
+    {
+        return implode("\n", $this->debugMessageRaw);
+    }
+
     /**
      * @param string $msg
      */
     protected function setErrorMessage($msg)
     {
-        $this->debugMessage[] = $msg . '<br />';
+        $this->debugMessage[]    = $msg . '<br />';
+        $this->debugMessageRaw[] = $msg;
     }
 
     /**

diff --git a/system/Security/Security.php b/system/Security/Security.php
@@ -528,9 +528,9 @@ private function restoreHash(): void
     }
 
     /**
-     * Generates (Regenerate) the CSRF Hash.
+     * Generates (Regenerates) the CSRF Hash.
      */
-    protected function generateHash(): string
+    public function generateHash(): string
     {
         $this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));
 

diff --git a/system/Session/Session.php b/system/Session/Session.php
@@ -25,6 +25,8 @@
  *
  * Session configuration is done through session variables and cookie related
  * variables in app/config/App.php
+ *
+ * @property string $session_id
  */
 class Session implements SessionInterface
 {

diff --git a/system/Validation/Validation.php b/system/Validation/Validation.php
@@ -168,7 +168,7 @@ public function run(?array $data = null, ?string $group = null, ?string $dbGroup
             if (strpos($field, '*') !== false) {
                 // Process multiple fields
                 foreach ($values as $dotField => $value) {
-                    $this->processRules($dotField, $setup['label'] ?? $field, $value, $rules, $data);
+                    $this->processRules($dotField, $setup['label'] ?? $field, $value, $rules, $data, $field);
                 }
             } else {
                 // Process single field
@@ -201,10 +201,17 @@ public function check($value, string $rule, array $errors = []): bool
      *
      * @param array|string $value
      * @param array|null   $rules
-     * @param array        $data
+     * @param array        $data          The array of data to validate, with `DBGroup`.
+     * @param string|null  $originalField The original asterisk field name like "foo.*.bar".
      */
-    protected function processRules(string $field, ?string $label, $value, $rules = null, ?array $data = null): bool
-    {
+    protected function processRules(
+        string $field,
+        ?string $label,
+        $value,
+        $rules = null,
+        ?array $data = null,
+        ?string $originalField = null
+    ): bool {
         if ($data === null) {
             throw new InvalidArgumentException('You must supply the parameter: data.');
         }
@@ -333,7 +340,8 @@ protected function processRules(string $field, ?string $label, $value, $rules =
                     $field,
                     $label,
                     $param,
-                    (string) $value
+                    (string) $value,
+                    $originalField
                 );
 
                 return false;
@@ -706,13 +714,21 @@ public function setError(string $field, string $error): ValidationInterface
      *
      * @param string|null $value The value that caused the validation to fail.
      */
-    protected function getErrorMessage(string $rule, string $field, ?string $label = null, ?string $param = null, ?string $value = null): string
-    {
+    protected function getErrorMessage(
+        string $rule,
+        string $field,
+        ?string $label = null,
+        ?string $param = null,
+        ?string $value = null,
+        ?string $originalField = null
+    ): string {
         $param ??= '';
 
         // Check if custom message has been defined by user
         if (isset($this->customErrors[$field][$rule])) {
             $message = lang($this->customErrors[$field][$rule]);
+        } elseif (null !== $originalField && isset($this->customErrors[$originalField][$rule])) {
+            $message = lang($this->customErrors[$originalField][$rule]);
         } else {
             // Try to grab a localized version of the message...
             // lang() will return the rule name back if not found,

diff --git a/tests/system/Security/SecurityTest.php b/tests/system/Security/SecurityTest.php
@@ -243,6 +243,32 @@ public function testRegenerateWithFalseSecurityRegenerateProperty()
         $this->assertSame($oldHash, $newHash);
     }
 
+    public function testRegenerateWithFalseSecurityRegeneratePropertyManually()
+    {
+        $_SERVER['REQUEST_METHOD']   = 'POST';
+        $_POST['csrf_test_name']     = '8b9218a55906f9dcc1dc263dce7f005a';
+        $_COOKIE['csrf_cookie_name'] = '8b9218a55906f9dcc1dc263dce7f005a';
+
+        $config             = new SecurityConfig();
+        $config->regenerate = false;
+        Factories::injectMock('config', 'Security', $config);
+
+        $security = new MockSecurity(new MockAppConfig());
+        $request  = new IncomingRequest(
+            new MockAppConfig(),
+            new URI('http://badurl.com'),
+            null,
+            new UserAgent()
+        );
+
+        $oldHash = $security->getHash();
+        $security->verify($request);
+        $security->generateHash();
+        $newHash = $security->getHash();
+
+        $this->assertNotSame($oldHash, $newHash);
+    }
+
     public function testRegenerateWithTrueSecurityRegenerateProperty()
     {
         $_SERVER['REQUEST_METHOD']   = 'POST';

diff --git a/tests/system/Validation/StrictRules/ValidationTest.php b/tests/system/Validation/StrictRules/ValidationTest.php
@@ -359,6 +359,28 @@ public function testRunGroupWithCustomErrorMessage(): void
         ], $this->validation->getErrors());
     }
 
+    /**
+     * @see https://github.com/codeigniter4/CodeIgniter4/issues/6245
+     */
+    public function testRunWithCustomErrorsAndAsteriskField(): void
+    {
+        $data = [
+            'foo' => [
+                ['bar' => null],
+                ['bar' => null],
+            ],
+        ];
+        $this->validation->setRules(
+            ['foo.*.bar' => ['label' => 'foo bar', 'rules' => 'required']],
+            ['foo.*.bar' => ['required' => 'Required']]
+        );
+        $this->validation->run($data);
+        $this->assertSame([
+            'foo.0.bar' => 'Required',
+            'foo.1.bar' => 'Required',
+        ], $this->validation->getErrors());
+    }
+
     /**
      * @dataProvider rulesSetupProvider
      *

diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
@@ -12,6 +12,7 @@ See all the changes.
 .. toctree::
     :titlesonly:
 
+    v4.2.4
     v4.2.3
     v4.2.2
     v4.2.1

diff --git a/user_guide_src/source/changelogs/v4.2.2.rst b/user_guide_src/source/changelogs/v4.2.2.rst
@@ -18,11 +18,6 @@ BREAKING
 - A bug that caused pages to be cached before after filters were executed when using page caching has been fixed. Adding response headers or changing the response body in after filters now caches them correctly.
 - Due to a bug fix, now :php:func:`random_string` with the first parameter ``'crypto'`` throws ``InvalidArgumentException`` if the second parameter ``$len`` is an odd number.
 
-Enhancements
-************
-
-none.
-
 Changes
 *******
 
@@ -37,6 +32,7 @@ Deprecations
 
 - The parameters of ``Services::request()`` are deprecated.
 - The first parameter ``$cacheConfig`` of ``CodeIgniter::gatherOutput()`` is deprecated.
+- The second parameter ``$ifNotExists`` of ``Forge::_createTable()`` is deprecated.
 
 Bugs Fixed
 **********

diff --git a/user_guide_src/source/changelogs/v4.2.3.rst b/user_guide_src/source/changelogs/v4.2.3.rst
@@ -1,7 +1,7 @@
 Version 4.2.3
 #############
 
-Release Date: Unreleased
+Release Date: August 6, 2022
 
 **4.2.3 release of CodeIgniter4**
 
@@ -17,7 +17,7 @@ none.
 Enhancements
 ************
 
-none.
+- Now ``Security::generateHash()`` is public, and can be used to regenerate CSRF token manually when ``Config\Security::$regenerate`` is false.
 
 Changes
 *******

diff --git a/user_guide_src/source/changelogs/v4.2.4.rst b/user_guide_src/source/changelogs/v4.2.4.rst
@@ -0,0 +1,35 @@
+Version 4.2.4
+#############
+
+Release Date: Unreleased
+
+**4.2.4 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 2
+
+BREAKING
+********
+
+- The method signature of ``Validation.php::processRules()`` and ``Validation.php::getErrorMessage()`` have been changed. Both of these methods add new ``$originalField`` parameter.
+
+Enhancements
+************
+
+none.
+
+Changes
+*******
+
+none.
+
+Deprecations
+************
+
+none.
+
+Bugs Fixed
+**********
+
+See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
@@ -24,7 +24,7 @@
 version = '4.2'
 
 # The full version, including alpha/beta/rc tags.
-release = '4.2.2'
+release = '4.2.3'
 
 # -- General configuration ---------------------------------------------------
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,7 @@ See all the changes. @@
     .. toctree::
         :titlesonly:
+        v4.2.4
         v4.2.3
         v4.2.2
         v4.2.1
@@ Expand Down @@