diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8ecd4ae661e6..d2bf2ed7119c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## [v4.1.9](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.9) (2022-02-25)
+
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.8...v4.1.9)
+
+**SECURITY**
+
+* *Remote CLI Command Execution Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7) for more information.
+* *Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554) for more information.
+
 ## [v4.1.8](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.8) (2022-01-24)
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.7...v4.1.8)
diff --git a/composer.json b/composer.json
index 6799259fdf62..376e2cdff38f 100644
--- a/composer.json
+++ b/composer.json
@@ -15,13 +15,13 @@
 "psr/log": "^1.1"
 },
 "require-dev": {
- "codeigniter/coding-standard": "^1.1",
+ "codeigniter/coding-standard": "1.2.*",
 "fakerphp/faker": "^1.9",
- "friendsofphp/php-cs-fixer": "^3.1",
+ "friendsofphp/php-cs-fixer": "3.2.*",
 "mikey179/vfsstream": "^1.6",
 "nexusphp/cs-config": "^3.3",
 "nexusphp/tachycardia": "^1.0",
- "phpstan/phpstan": "^1.0",
+ "phpstan/phpstan": "1.4.3",
 "phpunit/phpunit": "^9.1",
 "predis/predis": "^1.1",
 "rector/rector": "0.12.10"
diff --git a/phpstan-baseline.neon.dist b/phpstan-baseline.neon.dist
index 0a91bd7fc64f..d25e5e23a409 100644
--- a/phpstan-baseline.neon.dist
+++ b/phpstan-baseline.neon.dist
@@ -115,11 +115,6 @@ parameters:
 count: 1
 path: system/CodeIgniter.php
 
- -
- message: "#^Dead catch \\- CodeIgniter\\\\Exceptions\\\\PageNotFoundException is never thrown in the try block\\.$#"
- count: 1
- path: system/CodeIgniter.php
-
 -
 message: "#^Property Config\\\\App\\:\\:\\$appTimezone \\(string\\) on left side of \\?\\? is not nullable\\.$#"
 count: 1
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
index 24ad148269cf..5704e57be92e 100644
--- a/system/CodeIgniter.php
+++ b/system/CodeIgniter.php
@@ -45,7 +45,7 @@ class CodeIgniter
 /**
 * The current version of CodeIgniter Framework
 */
- public const CI_VERSION = '4.1.8';
+ public const CI_VERSION = '4.1.9';
 
 private const MIN_PHP_VERSION = '7.3';
 
@@ -299,6 +299,12 @@ public function run(?RouteCollectionInterface $routes = null, bool $returnRespon
 
 $this->spoofRequestMethod();
 
+ if ($this->request instanceof IncomingRequest && $this->request->getMethod() === 'cli') {
+ $this->response->setStatusCode(405)->setBody('Method Not Allowed');
+
+ return $this->sendResponse();
+ }
+
 Events::trigger('pre_system');
 
 // Check for a cached page. Execution will stop
@@ -352,6 +358,7 @@ public function useSafeOutput(bool $safe = true)
 /**
 * Handles the main request logic and fires the controller.
 *
+ * @throws PageNotFoundException
 * @throws RedirectException
 *
 * @return mixed|RequestInterface|ResponseInterface
@@ -976,7 +983,10 @@ public function spoofRequestMethod()
 return;
 }
 
- $this->request = $this->request->setMethod($method);
+ // Only allows PUT, PATCH, DELETE
+ if (in_array(strtoupper($method), ['PUT', 'PATCH', 'DELETE'], true)) {
+ $this->request = $this->request->setMethod($method);
+ }
 }
 
 /**
diff --git a/tests/system/CodeIgniterTest.php b/tests/system/CodeIgniterTest.php
index f7838105af4d..10facadf875a 100644
--- a/tests/system/CodeIgniterTest.php
+++ b/tests/system/CodeIgniterTest.php
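Review bot: The new guard in run() says nothing about why an IncomingRequest would ever report the method `cli`, and that reason is the whole CLI-route exposure this release closes (the new test drives it with `REQUEST_METHOD=CLI` over HTTP against a route registered via `$routes->cli()`); without it a later cleanup can plausibly drop the check as dead code. Put above the `if`: `// An HTTP request can claim REQUEST_METHOD=CLI; refuse it here, before routing, so routes registered with $routes->cli() stay reachable only from a real console run, whose request object is not an IncomingRequest.` The 405 is sent before `Events::trigger('pre_system')`, so no event listener or filter ever sees these requests — presumably intended, but the comment should say so — and RFC 7231 expects a 405 to carry an `Allow` header, which the response built here does not set. The body of run() starts and continues outside the hunk.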
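Review bot: `// Only allows PUT, PATCH, DELETE` in spoofRequestMethod() restates the allowlist without its reason, and the reason is the CSRF bypass this release fixes (the changelog entry and the new testSpoofRequestMethodCannotUseGET point to it), so it belongs where the next maintainer will look before relaxing the list: `// Only allow overriding a POST to PUT, PATCH or DELETE. Letting _method turn the request into GET (or HEAD/OPTIONS) would let a POST body slip past CSRF protection, which is not applied to safe methods; overriding to POST itself is pointless.` The allowlist is compared against `strtoupper($method)`, but `setMethod()` still receives `$method` in the caller-supplied case; that is harmless if `getMethod()` normalizes (the new tests assert lowercase `'put'`), but passing the uppercased value would stop relying on it. spoofRequestMethod() starts outside the hunk, so the source of `$method` and the POST-only early return are not visible here.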
@@ -425,4 +425,59 @@ public function testRunDefaultRoute()
 
 $this->assertStringContainsString('Welcome to CodeIgniter', $output);
 }
+
+ public function testRunCLIRoute()
+ {
+ $_SERVER['argv'] = ['index.php', 'cli'];
+ $_SERVER['argc'] = 2;
+
+ $_SERVER['REQUEST_URI'] = '/cli';
+ $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+ $_SERVER['REQUEST_METHOD'] = 'CLI';
+
+ $routes = Services::routes();
+ $routes->cli('cli', '\Tests\Support\Controllers\Popcorn::index');
+
+ ob_start();
+ $this->codeigniter->useSafeOutput(true)->run();
+ $output = ob_get_clean();
+
+ $this->assertStringContainsString('Method Not Allowed', $output);
+ }
+
+ public function testSpoofRequestMethodCanUsePUT()
+ {
+ $_SERVER['argv'] = ['index.php'];
+ $_SERVER['argc'] = 1;
+
+ $_SERVER['REQUEST_URI'] = '/';
+ $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+ $_SERVER['REQUEST_METHOD'] = 'POST';
+
+ $_POST['_method'] = 'PUT';
+
+ ob_start();
+ $this->codeigniter->useSafeOutput(true)->run();
+ ob_get_clean();
+
+ $this->assertSame('put', Services::request()->getMethod());
+ }
+
+ public function testSpoofRequestMethodCannotUseGET()
+ {
+ $_SERVER['argv'] = ['index.php'];
+ $_SERVER['argc'] = 1;
+
+ $_SERVER['REQUEST_URI'] = '/';
+ $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+ $_SERVER['REQUEST_METHOD'] = 'POST';
+
+ $_POST['_method'] = 'GET';
+
+ ob_start();
+ $this->codeigniter->useSafeOutput(true)->run();
+ ob_get_clean();
+
+ $this->assertSame('post', Services::request()->getMethod());
+ }
 }
diff --git a/tests/system/Commands/CommandTest.php b/tests/system/Commands/CommandTest.php
index 3333d215ba78..e44524f7e577 100644
--- a/tests/system/Commands/CommandTest.php
+++ b/tests/system/Commands/CommandTest.php
@@ -27,6 +27,8 @@ final class CommandTest extends CIUnitTestCase
 
 protected function setUp(): void
 {
+ $this->resetServices();
+
 parent::setUp();
 
 CITestStreamFilter::$buffer = '';
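Review bot: testSpoofRequestMethodCanUsePUT and testSpoofRequestMethodCannotUseGET set `$_POST['_method']` and never clear it, so unless the base class resets superglobals in tearDown every later test in the process runs with a spoofed `_method` still in `$_POST`; the `$this->resetServices()` added to CommandTest::setUp() in the following hunk looks like a symptom of exactly that kind of cross-test leakage. Add `unset($_POST['_method']);` at the end of each of the two tests, or reset `$_POST` in tearDown. The negative case covers only `GET`; a data provider over `GET`, `HEAD`, `OPTIONS` and `CLI` would pin the allowlist in spoofRequestMethod() rather than a single value, and testRunCLIRoute checks only the body string, not the 405 status code. The setUp/tearDown of CodeIgniterTest are outside the hunk.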
diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst index 4a48ea878d98..9814dde5c4da 100644 --- a/user_guide_src/source/changelogs/index.rst +++ b/user_guide_src/source/changelogs/index.rst @@ -12,6 +12,7 @@ See all the changes. .. toctree:: :titlesonly: + v4.1.9 v4.1.8 v4.1.7 v4.1.6 diff --git a/user_guide_src/source/changelogs/v4.1.9.rst b/user_guide_src/source/changelogs/v4.1.9.rst new file mode 100644 index 000000000000..e409da06e271 --- /dev/null +++ b/user_guide_src/source/changelogs/v4.1.9.rst @@ -0,0 +1,16 @@ +Version 4.1.9 +############# + +Release Date: February 25, 2022 + +**4.1.9 release of CodeIgniter4** + +.. contents:: + :local: + :depth: 2 + +SECURITY +******** + +- *Remote CLI Command Execution Vulnerability* was fixed. See the `Security advisory GHSA-xjp4-6w75-qrj7 `_ for more information. +- *Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability* was fixed. See the `Security advisory GHSA-4v37-24gm-h554 `_ for more information. diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py index 0f7585e66df4..188b3146f9ad 100644 --- a/user_guide_src/source/conf.py +++ b/user_guide_src/source/conf.py @@ -24,7 +24,7 @@ version = '4.1' # The full version, including alpha/beta/rc tags. -release = '4.1.8' +release = '4.1.9' # -- General configuration --------------------------------------------------- diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst index d142117ba7b9..911f5b836528 100644 --- a/user_guide_src/source/installation/upgrading.rst +++ b/user_guide_src/source/installation/upgrading.rst @@ -8,6 +8,7 @@ upgrading from. .. toctree:: :titlesonly: + Upgrading from 4.1.7 to 4.1.8 Upgrading from 4.1.6 to 4.1.7 Upgrading from 4.1.5 to 4.1.6 Upgrading from 4.1.4 to 4.1.5