diff --git a/CHANGELOG.md b/CHANGELOG.md index 17a336c0b59f..950e98a70f0b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## [v4.2.3](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.3) (2022-08-06) +[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.2...v4.2.3) + +* SECURITY: Improve CSRF protection (for Shield CSRF security fix) + ## [v4.2.2](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.2) (2022-08-05) [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.1...v4.2.2) diff --git a/admin/RELEASE.md b/admin/RELEASE.md index 47e553e6d2e0..3448c3e72926 100644 --- a/admin/RELEASE.md +++ b/admin/RELEASE.md @@ -2,7 +2,7 @@ > Documentation guide based on the releases of `4.0.5` and `4.1.0` on January 31, 2021. > -> Updated for `4.1.6` on December 24, 2021. +> Updated for `4.2.3` on August 6, 2022. > > -MGatner @@ -29,8 +29,9 @@ git clone git@github.com:codeigniter4/CodeIgniter4.git git clone git@github.com:codeigniter4/userguide.git ``` * Vet the **admin/** folders for any removed hidden files (Action deploy scripts *do not remove these*) +* Merge any Security Advisory PRs in private forks -## CodeIgniter4 +## Process > Note: Most changes that need noting in the User Guide and docs should have been included > with their PR, so this process assumes you will not be generating much new content. @@ -75,6 +76,7 @@ composer create-project codeigniter4/appstarter release-test cd release-test composer test && composer info codeigniter4/framework ``` +* publish any Security Advisories that were resolved from private forks ## User Guide diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php index 7dbfbc8e5705..285576f4352a 100644 --- a/system/CodeIgniter.php +++ b/system/CodeIgniter.php @@ -47,7 +47,7 @@ class CodeIgniter /** * The current version of CodeIgniter Framework */ - public const CI_VERSION = '4.2.2'; + public const CI_VERSION = '4.2.3'; /** * App startup time. 
diff --git a/system/Security/Security.php b/system/Security/Security.php
index 529e10b0a8f7..36f4a730da5f 100644
--- a/system/Security/Security.php
+++ b/system/Security/Security.php
@@ -528,9 +528,9 @@ private function restoreHash(): void
 }
 
 /**
- * Generates (Regenerate) the CSRF Hash.
+ * Generates (Regenerates) the CSRF Hash.
 */
- protected function generateHash(): string
+ public function generateHash(): string
 {
 $this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));
 
diff --git a/tests/system/Security/SecurityTest.php b/tests/system/Security/SecurityTest.php
index 62d0afc92be6..aaea7072d5f2 100644
--- a/tests/system/Security/SecurityTest.php
+++ b/tests/system/Security/SecurityTest.php
@@ -243,6 +243,32 @@ public function testRegenerateWithFalseSecurityRegenerateProperty()
 $this->assertSame($oldHash, $newHash);
 }
 
+ public function testRegenerateWithFalseSecurityRegeneratePropertyManually()
+ {
+ $_SERVER['REQUEST_METHOD'] = 'POST';
+ $_POST['csrf_test_name'] = '8b9218a55906f9dcc1dc263dce7f005a';
+ $_COOKIE['csrf_cookie_name'] = '8b9218a55906f9dcc1dc263dce7f005a';
+
+ $config = new SecurityConfig();
+ $config->regenerate = false;
+ Factories::injectMock('config', 'Security', $config);
+
+ $security = new MockSecurity(new MockAppConfig());
+ $request = new IncomingRequest(
+ new MockAppConfig(),
+ new URI('http://badurl.com'),
+ null,
+ new UserAgent()
+ );
+
+ $oldHash = $security->getHash();
+ $security->verify($request);
+ $security->generateHash();
+ $newHash = $security->getHash();
+
+ $this->assertNotSame($oldHash, $newHash);
+ }
+
 public function testRegenerateWithTrueSecurityRegenerateProperty()
 {
 $_SERVER['REQUEST_METHOD'] = 'POST';
diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
index cae666d86e56..bcb0792d2ed4 100644
--- a/user_guide_src/source/changelogs/index.rst
+++ b/user_guide_src/source/changelogs/index.rst
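Review bot: Promoting `generateHash()` to `public` turns it into part of the framework's security API, but the docblock on the `+` line still says only "Generates (Regenerates) the CSRF Hash." and carries no `@return` or guidance on when user code should call it. The only body line inside the hunk is the `$this->hash = bin2hex(random_bytes(...))` assignment; the rest of the method, including whatever writes the new value to the CSRF cookie or session, ends outside this hunk, so a caller cannot tell from the signature whether a token rotated this way will reach the client or whether the form rendered with the new hash would fail on the next request. I would extend the docblock with `* Rotates the token on demand (e.g. after login/logout) even when Config\Security::$regenerate is false.`, `* The new hash must also be persisted to the cookie/session before the response is sent.` and `* @return string The new CSRF hash`, and confirm the persistence step really is in the unshown remainder of the method before Shield relies on it.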
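Review bot: The new test only proves the in-memory hash changed after `generateHash()` (`assertNotSame($oldHash, $newHash)`); it never checks that `verify($request)` left the hash untouched with `regenerate = false`, which is the precondition that makes the manual call meaningful and is exactly what the preceding test asserts. Adding `$this->assertSame($oldHash, $security->getHash());` right after the `$security->verify($request);` line pins that the rotation came from the explicit call and not from `verify()`. It also does not assert that the regenerated hash was persisted; since the test seeds `$_COOKIE['csrf_cookie_name']`, presumably cookie mode, a regression where `generateHash()` stops updating the cookie would still pass, so an assertion against whatever persisted value `MockSecurity` exposes would close that gap.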
@@ -12,6 +12,7 @@ See all the changes. .. toctree:: :titlesonly: + v4.2.4 v4.2.3 v4.2.2 v4.2.1 diff --git a/user_guide_src/source/changelogs/v4.2.2.rst b/user_guide_src/source/changelogs/v4.2.2.rst index 8fd83e68e883..f752227aaece 100644 --- a/user_guide_src/source/changelogs/v4.2.2.rst +++ b/user_guide_src/source/changelogs/v4.2.2.rst @@ -18,11 +18,6 @@ BREAKING - A bug that caused pages to be cached before after filters were executed when using page caching has been fixed. Adding response headers or changing the response body in after filters now caches them correctly. - Due to a bug fix, now :php:func:`random_string` with the first parameter ``'crypto'`` throws ``InvalidArgumentException`` if the second parameter ``$len`` is an odd number. -Enhancements -************ - -none. - Changes ******* diff --git a/user_guide_src/source/changelogs/v4.2.3.rst b/user_guide_src/source/changelogs/v4.2.3.rst index 2cff00bf816d..cfa036fd69b8 100644 --- a/user_guide_src/source/changelogs/v4.2.3.rst +++ b/user_guide_src/source/changelogs/v4.2.3.rst @@ -1,7 +1,7 @@ Version 4.2.3 ############# -Release Date: Unreleased +Release Date: August 6, 2022 **4.2.3 release of CodeIgniter4** @@ -17,7 +17,7 @@ none. Enhancements ************ -none. +- Now ``Security::generateHash()`` is public, and can be used to regenerate CSRF token manually when ``Config\Security::$regenerate`` is false. Changes ******* diff --git a/user_guide_src/source/changelogs/v4.2.4.rst b/user_guide_src/source/changelogs/v4.2.4.rst new file mode 100644 index 000000000000..c6ffb56dba7c --- /dev/null +++ b/user_guide_src/source/changelogs/v4.2.4.rst 
@@ -0,0 +1,35 @@ +Version 4.2.4 +############# + +Release Date: Unreleased + +**4.2.4 release of CodeIgniter4** + +.. contents:: + :local: + :depth: 2 + +BREAKING +******** + +none. + +Enhancements +************ + +none. + +Changes +******* + +none. + +Deprecations +************ + +none. + +Bugs Fixed +********** + +See the repo's `CHANGELOG.md `_ for a complete list of bugs fixed. diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py index 35d868a4ff49..6282570cfdb8 100644 --- a/user_guide_src/source/conf.py +++ b/user_guide_src/source/conf.py @@ -24,7 +24,7 @@ version = '4.2' # The full version, including alpha/beta/rc tags. -release = '4.2.2' +release = '4.2.3' # -- General configuration --------------------------------------------------- diff --git a/user_guide_src/source/installation/upgrade_422.rst b/user_guide_src/source/installation/upgrade_422.rst index f42eea08d17e..61b4764c46b6 100644 --- a/user_guide_src/source/installation/upgrade_422.rst +++ b/user_guide_src/source/installation/upgrade_422.rst @@ -12,10 +12,6 @@ Please refer to the upgrade instructions corresponding to your installation meth :local: :depth: 2 -Mandatory File Changes -********************** - - Breaking Changes **************** @@ -55,6 +51,8 @@ Content Changes * app/Views/errors/html/error_404.php * app/Views/welcome_message.php +* public/index.php +* spark All Changes =========== diff --git a/user_guide_src/source/installation/upgrade_423.rst b/user_guide_src/source/installation/upgrade_423.rst new file mode 100644 index 000000000000..68cb3be6f51e --- /dev/null +++ b/user_guide_src/source/installation/upgrade_423.rst @@ -0,0 +1,5 @@ +############################# +Upgrading from 4.2.2 to 4.2.3 +############################# + +Version ``4.2.3`` is an internal change for security measures and requires no intervention in projects. 
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst index c99ce646d464..cbec85970755 100644 --- a/user_guide_src/source/libraries/security.rst +++ b/user_guide_src/source/libraries/security.rst @@ -106,6 +106,9 @@ may alter this behavior by editing the following config parameter value in .. literalinclude:: security/004.php +.. note:: Since v4.2.3, you can regenerate CSRF token manually with the + ``Security::generateHash()`` method. + Redirection on Failure ---------------------- diff --git a/user_guide_src/source/libraries/sessions.rst b/user_guide_src/source/libraries/sessions.rst index 26ffaf8badd0..353da7f1ced8 100644 --- a/user_guide_src/source/libraries/sessions.rst +++ b/user_guide_src/source/libraries/sessions.rst @@ -369,7 +369,7 @@ necessary with our new implementation. However, it may happen that your application relied on these values, so here are alternative methods of accessing them: - - session_id: ``session_id()`` + - session_id: ``$session->session_id`` or ``session_id()`` (PHP’s built-in function) - ip_address: ``$_SERVER['REMOTE_ADDR']`` - user_agent: ``$_SERVER['HTTP_USER_AGENT']`` (unused by sessions) - last_activity: Depends on the storage, no straightforward way. Sorry!