Merge pull request codeigniter4#6354 from codeigniter4/develop

4.2.3 Ready code
kenjis · Aug 7, 2022 · 9c0c695 · 9c0c695
2 parents 26b247d + d77883e
commit 9c0c695
Show file tree

Hide file tree

Showing 14 changed files with 88 additions and 18 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## [v4.2.3](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.3) (2022-08-06)
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.2...v4.2.3)
+
+* SECURITY: Improve CSRF protection (for Shield CSRF security fix)
+
 ## [v4.2.2](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.2) (2022-08-05)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.1...v4.2.2)
 

diff --git a/admin/RELEASE.md b/admin/RELEASE.md
@@ -2,7 +2,7 @@
 
 > Documentation guide based on the releases of `4.0.5` and `4.1.0` on January 31, 2021.
 >
-> Updated for `4.1.6` on December 24, 2021.
+> Updated for `4.2.3` on August 6, 2022.
 >
 > -MGatner
 
@@ -29,8 +29,9 @@ git clone [email protected]:codeigniter4/CodeIgniter4.git
 git clone [email protected]:codeigniter4/userguide.git
 ```
 * Vet the **admin/** folders for any removed hidden files (Action deploy scripts *do not remove these*)
+* Merge any Security Advisory PRs in private forks
 
-## CodeIgniter4
+## Process
 
 > Note: Most changes that need noting in the User Guide and docs should have been included
 > with their PR, so this process assumes you will not be generating much new content.
@@ -75,6 +76,7 @@ composer create-project codeigniter4/appstarter release-test
 cd release-test
 composer test && composer info codeigniter4/framework
 ```
+* publish any Security Advisories that were resolved from private forks
 
 ## User Guide
 

diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -47,7 +47,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.2.2';
+    public const CI_VERSION = '4.2.3';
 
     /**
      * App startup time.

diff --git a/system/Security/Security.php b/system/Security/Security.php
@@ -528,9 +528,9 @@ private function restoreHash(): void
     }
 
     /**
-     * Generates (Regenerate) the CSRF Hash.
+     * Generates (Regenerates) the CSRF Hash.
      */
-    protected function generateHash(): string
+    public function generateHash(): string
     {
         $this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));
 

diff --git a/tests/system/Security/SecurityTest.php b/tests/system/Security/SecurityTest.php
@@ -243,6 +243,32 @@ public function testRegenerateWithFalseSecurityRegenerateProperty()
         $this->assertSame($oldHash, $newHash);
     }
 
+    public function testRegenerateWithFalseSecurityRegeneratePropertyManually()
+    {
+        $_SERVER['REQUEST_METHOD']   = 'POST';
+        $_POST['csrf_test_name']     = '8b9218a55906f9dcc1dc263dce7f005a';
+        $_COOKIE['csrf_cookie_name'] = '8b9218a55906f9dcc1dc263dce7f005a';
+
+        $config             = new SecurityConfig();
+        $config->regenerate = false;
+        Factories::injectMock('config', 'Security', $config);
+
+        $security = new MockSecurity(new MockAppConfig());
+        $request  = new IncomingRequest(
+            new MockAppConfig(),
+            new URI('http://badurl.com'),
+            null,
+            new UserAgent()
+        );
+
+        $oldHash = $security->getHash();
+        $security->verify($request);
+        $security->generateHash();
+        $newHash = $security->getHash();
+
+        $this->assertNotSame($oldHash, $newHash);
+    }
+
     public function testRegenerateWithTrueSecurityRegenerateProperty()
     {
         $_SERVER['REQUEST_METHOD']   = 'POST';

diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
@@ -12,6 +12,7 @@ See all the changes.
 .. toctree::
     :titlesonly:
 
+    v4.2.4
     v4.2.3
     v4.2.2
     v4.2.1

diff --git a/user_guide_src/source/changelogs/v4.2.2.rst b/user_guide_src/source/changelogs/v4.2.2.rst
@@ -18,11 +18,6 @@ BREAKING
 - A bug that caused pages to be cached before after filters were executed when using page caching has been fixed. Adding response headers or changing the response body in after filters now caches them correctly.
 - Due to a bug fix, now :php:func:`random_string` with the first parameter ``'crypto'`` throws ``InvalidArgumentException`` if the second parameter ``$len`` is an odd number.
 
-Enhancements
-************
-
-none.
-
 Changes
 *******
 

diff --git a/user_guide_src/source/changelogs/v4.2.3.rst b/user_guide_src/source/changelogs/v4.2.3.rst
@@ -1,7 +1,7 @@
 Version 4.2.3
 #############
 
-Release Date: Unreleased
+Release Date: August 6, 2022
 
 **4.2.3 release of CodeIgniter4**
 
@@ -17,7 +17,7 @@ none.
 Enhancements
 ************
 
-none.
+- Now ``Security::generateHash()`` is public, and can be used to regenerate CSRF token manually when ``Config\Security::$regenerate`` is false.
 
 Changes
 *******

diff --git a/user_guide_src/source/changelogs/v4.2.4.rst b/user_guide_src/source/changelogs/v4.2.4.rst
@@ -0,0 +1,35 @@
+Version 4.2.4
+#############
+
+Release Date: Unreleased
+
+**4.2.4 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 2
+
+BREAKING
+********
+
+none.
+
+Enhancements
+************
+
+none.
+
+Changes
+*******
+
+none.
+
+Deprecations
+************
+
+none.
+
+Bugs Fixed
+**********
+
+See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
@@ -24,7 +24,7 @@
 version = '4.2'
 
 # The full version, including alpha/beta/rc tags.
-release = '4.2.2'
+release = '4.2.3'
 
 # -- General configuration ---------------------------------------------------
 

diff --git a/user_guide_src/source/installation/upgrade_422.rst b/user_guide_src/source/installation/upgrade_422.rst
@@ -12,10 +12,6 @@ Please refer to the upgrade instructions corresponding to your installation meth
     :local:
     :depth: 2
 
-Mandatory File Changes
-**********************
-
-
 Breaking Changes
 ****************
 
@@ -55,6 +51,8 @@ Content Changes
 
 * app/Views/errors/html/error_404.php
 * app/Views/welcome_message.php
+* public/index.php
+* spark
 
 All Changes
 ===========

diff --git a/user_guide_src/source/installation/upgrade_423.rst b/user_guide_src/source/installation/upgrade_423.rst
@@ -0,0 +1,5 @@
+#############################
+Upgrading from 4.2.2 to 4.2.3
+#############################
+
+Version ``4.2.3`` is an internal change for security measures and requires no intervention in projects.
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
@@ -106,6 +106,9 @@ may alter this behavior by editing the following config parameter value in
 
 .. literalinclude:: security/004.php
 
+.. note:: Since v4.2.3, you can regenerate CSRF token manually with the
+    ``Security::generateHash()`` method.
+
 Redirection on Failure
 ----------------------
 

diff --git a/user_guide_src/source/libraries/sessions.rst b/user_guide_src/source/libraries/sessions.rst
@@ -369,7 +369,7 @@ necessary with our new implementation. However, it may happen that your
 application relied on these values, so here are alternative methods of
 accessing them:
 
-  - session_id: ``session_id()``
+  - session_id: ``$session->session_id`` or ``session_id()`` (PHP’s built-in function)
   - ip_address: ``$_SERVER['REMOTE_ADDR']``
   - user_agent: ``$_SERVER['HTTP_USER_AGENT']`` (unused by sessions)
   - last_activity: Depends on the storage, no straightforward way. Sorry!
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,6 +12,7 @@ See all the changes. @@
     .. toctree::
         :titlesonly:
+        v4.2.4
         v4.2.3
         v4.2.2
         v4.2.1
@@ Expand Down @@