Merge pull request #6354 from codeigniter4/develop

MGatner · web-flow · commit 9c0c6951579f · 2022-08-06T20:04:02.000-04:00
4.2.3 Ready code
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Changelog
 
+## [v4.2.3](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.3) (2022-08-06)
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.2...v4.2.3)
+
+* SECURITY: Improve CSRF protection (for Shield CSRF security fix)
+
 ## [v4.2.2](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.2) (2022-08-05)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.1...v4.2.2)
 
diff --git a/admin/RELEASE.md b/admin/RELEASE.md
@@ -2,7 +2,7 @@
 
 > Documentation guide based on the releases of `4.0.5` and `4.1.0` on January 31, 2021.
 >
-> Updated for `4.1.6` on December 24, 2021.
+> Updated for `4.2.3` on August 6, 2022.
 >
 > -MGatner
 
@@ -29,8 +29,9 @@ git clone git@github.com:codeigniter4/CodeIgniter4.git
 git clone git@github.com:codeigniter4/userguide.git
 ```
 * Vet the **admin/** folders for any removed hidden files (Action deploy scripts *do not remove these*)
+* Merge any Security Advisory PRs in private forks
 
-## CodeIgniter4
+## Process
 
 > Note: Most changes that need noting in the User Guide and docs should have been included
 > with their PR, so this process assumes you will not be generating much new content.
@@ -75,6 +76,7 @@ composer create-project codeigniter4/appstarter release-test
 cd release-test
 composer test && composer info codeigniter4/framework
 ```
+* publish any Security Advisories that were resolved from private forks
 
 ## User Guide
 
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -47,7 +47,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.2.2';
+    public const CI_VERSION = '4.2.3';
 
     /**
      * App startup time.
diff --git a/system/Security/Security.php b/system/Security/Security.php
@@ -528,9 +528,9 @@ private function restoreHash(): void
     }
 
     /**
-     * Generates (Regenerate) the CSRF Hash.
+     * Generates (Regenerates) the CSRF Hash.
      */
-    protected function generateHash(): string
+    public function generateHash(): string
     {
         $this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));
 
diff --git a/tests/system/Security/SecurityTest.php b/tests/system/Security/SecurityTest.php
@@ -243,6 +243,32 @@ public function testRegenerateWithFalseSecurityRegenerateProperty()
         $this->assertSame($oldHash, $newHash);
     }
 
+    public function testRegenerateWithFalseSecurityRegeneratePropertyManually()
+    {
+        $_SERVER['REQUEST_METHOD']   = 'POST';
+        $_POST['csrf_test_name']     = '8b9218a55906f9dcc1dc263dce7f005a';
+        $_COOKIE['csrf_cookie_name'] = '8b9218a55906f9dcc1dc263dce7f005a';
+
+        $config             = new SecurityConfig();
+        $config->regenerate = false;
+        Factories::injectMock('config', 'Security', $config);
+
+        $security = new MockSecurity(new MockAppConfig());
+        $request  = new IncomingRequest(
+            new MockAppConfig(),
+            new URI('http://badurl.com'),
+            null,
+            new UserAgent()
+        );
+
+        $oldHash = $security->getHash();
+        $security->verify($request);
+        $security->generateHash();
+        $newHash = $security->getHash();
+
+        $this->assertNotSame($oldHash, $newHash);
+    }
+
     public function testRegenerateWithTrueSecurityRegenerateProperty()
     {
         $_SERVER['REQUEST_METHOD']   = 'POST';
diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
@@ -12,6 +12,7 @@ See all the changes.
 .. toctree::
     :titlesonly:
 
+    v4.2.4
     v4.2.3
     v4.2.2
     v4.2.1
diff --git a/user_guide_src/source/changelogs/v4.2.2.rst b/user_guide_src/source/changelogs/v4.2.2.rst
@@ -18,11 +18,6 @@ BREAKING
 - A bug that caused pages to be cached before after filters were executed when using page caching has been fixed. Adding response headers or changing the response body in after filters now caches them correctly.
 - Due to a bug fix, now :php:func:`random_string` with the first parameter ``'crypto'`` throws ``InvalidArgumentException`` if the second parameter ``$len`` is an odd number.
 
-Enhancements
-************
-
-none.
-
 Changes
 *******
 
diff --git a/user_guide_src/source/changelogs/v4.2.3.rst b/user_guide_src/source/changelogs/v4.2.3.rst
@@ -1,7 +1,7 @@
 Version 4.2.3
 #############
 
-Release Date: Unreleased
+Release Date: August 6, 2022
 
 **4.2.3 release of CodeIgniter4**
 
@@ -17,7 +17,7 @@ none.
 Enhancements
 ************
 
-none.
+- Now ``Security::generateHash()`` is public, and can be used to regenerate CSRF token manually when ``Config\Security::$regenerate`` is false.
 
 Changes
 *******
diff --git a/user_guide_src/source/changelogs/v4.2.4.rst b/user_guide_src/source/changelogs/v4.2.4.rst
@@ -0,0 +1,35 @@
+Version 4.2.4
+#############
+
+Release Date: Unreleased
+
+**4.2.4 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 2
+
+BREAKING
+********
+
+none.
+
+Enhancements
+************
+
+none.
+
+Changes
+*******
+
+none.
+
+Deprecations
+************
+
+none.
+
+Bugs Fixed
+**********
+
+See the repo's `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_ for a complete list of bugs fixed.
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
@@ -24,7 +24,7 @@
 version = '4.2'
 
 # The full version, including alpha/beta/rc tags.
-release = '4.2.2'
+release = '4.2.3'
 
 # -- General configuration ---------------------------------------------------
 
diff --git a/user_guide_src/source/installation/upgrade_422.rst b/user_guide_src/source/installation/upgrade_422.rst
@@ -12,10 +12,6 @@ Please refer to the upgrade instructions corresponding to your installation meth
     :local:
     :depth: 2
 
-Mandatory File Changes
-**********************
-
-
 Breaking Changes
 ****************
 
@@ -55,6 +51,8 @@ Content Changes
 
 * app/Views/errors/html/error_404.php
 * app/Views/welcome_message.php
+* public/index.php
+* spark
 
 All Changes
 ===========
diff --git a/user_guide_src/source/installation/upgrade_423.rst b/user_guide_src/source/installation/upgrade_423.rst
@@ -0,0 +1,5 @@
+#############################
+Upgrading from 4.2.2 to 4.2.3
+#############################
+
+Version ``4.2.3`` is an internal change for security measures and requires no intervention in projects.
diff --git a/user_guide_src/source/libraries/security.rst b/user_guide_src/source/libraries/security.rst
@@ -106,6 +106,9 @@ may alter this behavior by editing the following config parameter value in
 
 .. literalinclude:: security/004.php
 
+.. note:: Since v4.2.3, you can regenerate CSRF token manually with the
+    ``Security::generateHash()`` method.
+
 Redirection on Failure
 ----------------------
 
diff --git a/user_guide_src/source/libraries/sessions.rst b/user_guide_src/source/libraries/sessions.rst
@@ -369,7 +369,7 @@ necessary with our new implementation. However, it may happen that your
 application relied on these values, so here are alternative methods of
 accessing them:
 
-  - session_id: ``session_id()``
+  - session_id: ``$session->session_id`` or ``session_id()`` (PHP’s built-in function)
   - ip_address: ``$_SERVER['REMOTE_ADDR']``
   - user_agent: ``$_SERVER['HTTP_USER_AGENT']`` (unused by sessions)
   - last_activity: Depends on the storage, no straightforward way. Sorry!

Original file line number	Diff line number	Diff line change
`@@ -528,9 +528,9 @@ private function restoreHash(): void`
`528`	`528`	`}`
`529`	`529`
`530`	`530`	`/**`
`531`		`- * Generates (Regenerate) the CSRF Hash.`
	`531`	`+ * Generates (Regenerates) the CSRF Hash.`
`532`	`532`	`*/`
`533`		`- protected function generateHash(): string`
	`533`	`+ public function generateHash(): string`
`534`	`534`	`{`
`535`	`535`	`$this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));`
`536`	`536`