Merge remote-tracking branch 'upstream/develop' into 4.3

Conflicts:
	phpstan-baseline.neon.dist
	system/Session/Handlers/DatabaseHandler.php
	system/Test/Mock/MockAppConfig.php
	system/Test/Mock/MockCLIConfig.php
	user_guide_src/source/installation/upgrading.rst
	user_guide_src/source/libraries/sessions.rst
	user_guide_src/source/libraries/sessions/039.php
	user_guide_src/source/libraries/sessions/040.php
	user_guide_src/source/libraries/sessions/041.php
	user_guide_src/source/libraries/sessions/042.php

Author: kenjis

CHANGELOG.md

@@ -1,5 +1,41 @@
 # Changelog
 
+## [v4.2.11](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.10) (2022-12-21)
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.10...v4.2.11)
+
+### Fixed Bugs
+* fix:  Request::getIPAddress() by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6820
+* fix: Model cannot insert when $useAutoIncrement is false by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6827
+* fix: View Parser regexp does not support UTF-8 by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6835
+* Handle key generation when key is not present in .env by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6839
+* Fix: Controller Test withBody() by @MGatner in https://github.com/codeigniter4/CodeIgniter4/pull/6843
+* fix: body assigned via options array in CURLRequest class by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/6854
+* Fix CreateDatabase leaving altered database config in connection by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6856
+* fix: cast to string all values except arrays in Header class by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/6862
+* add missing @method Query grouping in Model by @paul45 in https://github.com/codeigniter4/CodeIgniter4/pull/6874
+* fix: `composer update` might cause error "Failed to open directory" by @LeMyst in https://github.com/codeigniter4/CodeIgniter4/pull/6833
+* fix: required PHP extentions by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6897
+* fix: Use Services for the FeatureTestTrait request. by @lonnieezell in https://github.com/codeigniter4/CodeIgniter4/pull/6966
+* fix: FileLocator::locateFile() bug with a similar namespace name by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/6964
+* fix: socket connection in RedisHandler class by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/6972
+* fix: `spark namespaces` cannot show a namespace with mutilple paths by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6977
+* fix: Undefined constant "CodeIgniter\Debug\VENDORPATH" by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6985
+* fix: large HTTP input crashes framework by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6984
+* fix: empty paths for `rewrite.php` by @datamweb in https://github.com/codeigniter4/CodeIgniter4/pull/6991
+* fix: `PHPStan` $cols not defined in `CLI` by @ddevsr in https://github.com/codeigniter4/CodeIgniter4/pull/6994
+* Fix MigrationRunnerTest for Windows by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6855
+* fix: turn off `Xdebug` note when running phpstan by @ddevsr in https://github.com/codeigniter4/CodeIgniter4/pull/6851
+* Fix ShowTableInfoTest to pass on Windows by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6853
+* Fix MigrateStatusTest for Windows by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6866
+* Fix ShowTableInfoTest when migration records are numerous by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6868
+* Fix CreateDatabaseTest to not leave database by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6867
+* Fix coverage merge warning by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6885
+* fix: replace tabs to spaces  by @zl59503020 in https://github.com/codeigniter4/CodeIgniter4/pull/6898
+* fix: slack links by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6907
+* Fix typo in database/queries.rst by @philFernandez in https://github.com/codeigniter4/CodeIgniter4/pull/6920
+* Fix testInsertWithSetAndEscape to make not time dependent by @sclubricants in https://github.com/codeigniter4/CodeIgniter4/pull/6974
+* fix: remove unnecessary global variables in rewrite.php by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6973
+
 ## [v4.2.10](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.10) (2022-11-05)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.9...v4.2.10)
 

admin/framework/composer.json

@@ -16,7 +16,7 @@
         "kint-php/kint": "^5.0.1",
         "codeigniter/coding-standard": "^1.5",
         "fakerphp/faker": "^1.9",
-        "friendsofphp/php-cs-fixer": "~3.13.0",
+        "friendsofphp/php-cs-fixer": "3.13.0",
         "mikey179/vfsstream": "^1.6",
         "nexusphp/cs-config": "^3.6",
         "phpunit/phpunit": "^9.1",

app/Config/App.php

@@ -331,18 +331,21 @@ class App extends BaseConfig
      *
      * If your server is behind a reverse proxy, you must whitelist the proxy
      * IP addresses from which CodeIgniter should trust headers such as
-     * HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP in order to properly identify
+     * X-Forwarded-For or Client-IP in order to properly identify
      * the visitor's IP address.
      *
-     * You can use both an array or a comma-separated list of proxy addresses,
-     * as well as specifying whole subnets. Here are a few examples:
+     * You need to set a proxy IP address or IP address with subnets and
+     * the HTTP header for the client IP address.
      *
-     * Comma-separated: '10.0.1.200,192.168.5.0/24'
-     * Array: ['10.0.1.200', '192.168.5.0/24']
+     * Here are some examples:
+     *     [
+     *         '10.0.1.200'     => 'X-Forwarded-For',
+     *         '192.168.5.0/24' => 'X-Real-IP',
+     *     ]
      *
-     * @var string|string[]
+     * @var array<string, string>
      */
-    public $proxyIPs = '';
+    public $proxyIPs = [];
 
     /**
      * --------------------------------------------------------------------------

composer.json

@@ -16,7 +16,7 @@
         "kint-php/kint": "^5.0.1",
         "codeigniter/coding-standard": "^1.5",
         "fakerphp/faker": "^1.9",
-        "friendsofphp/php-cs-fixer": "~3.13.0",
+        "friendsofphp/php-cs-fixer": "3.13.0",
         "mikey179/vfsstream": "^1.6",
         "nexusphp/cs-config": "^3.6",
         "nexusphp/tachycardia": "^1.0",

phpstan-baseline.neon.dist

@@ -175,11 +175,6 @@ parameters:
 			count: 1
 			path: system/HTTP/RedirectResponse.php
 
-		-
-			message: "#^Property CodeIgniter\\\\HTTP\\\\Request\\:\\:\\$proxyIPs \\(array\\|string\\) on left side of \\?\\? is not nullable\\.$#"
-			count: 1
-			path: system/HTTP/Request.php
-
 		-
 			message: "#^Property CodeIgniter\\\\HTTP\\\\URI\\:\\:\\$fragment \\(string\\) on left side of \\?\\? is not nullable\\.$#"
 			count: 1

system/CodeIgniter.php

@@ -47,7 +47,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.2.10';
+    public const CI_VERSION = '4.2.11';
 
     /**
      * App startup time.

system/HTTP/Request.php

@@ -24,7 +24,7 @@ class Request extends OutgoingRequest implements RequestInterface
     /**
      * Proxy IPs
      *
-     * @var array|string
+     * @var array<string, string>
      *
      * @deprecated Check the App config directly
      */

system/HTTP/RequestTrait.php

@@ -11,6 +11,7 @@
 
 namespace CodeIgniter\HTTP;
 
+use CodeIgniter\Exceptions\ConfigException;
 use CodeIgniter\Validation\FormatRules;
 
 /**
@@ -43,7 +44,9 @@ trait RequestTrait
     /**
      * Gets the user's IP address.
      *
-     * @return string IP address
+     * @return string IP address if it can be detected, or empty string.
+     *                If the IP address is not a valid IP address,
+     *                then will return '0.0.0.0'.
      */
     public function getIPAddress(): string
     {
@@ -59,93 +62,86 @@ public function getIPAddress(): string
         /**
          * @deprecated $this->proxyIPs property will be removed in the future
          */
+        // @phpstan-ignore-next-line
         $proxyIPs = $this->proxyIPs ?? config('App')->proxyIPs;
-        if (! empty($proxyIPs) && ! is_array($proxyIPs)) {
-            $proxyIPs = explode(',', str_replace(' ', '', $proxyIPs));
+        if (! empty($proxyIPs)) {
+            // @phpstan-ignore-next-line
+            if (! is_array($proxyIPs) || is_int(array_key_first($proxyIPs))) {
+                throw new ConfigException(
+                    'You must set an array with Proxy IP address key and HTTP header name value in Config\App::$proxyIPs.'
+                );
+            }
         }
 
         $this->ipAddress = $this->getServer('REMOTE_ADDR');
 
         if ($proxyIPs) {
-            foreach (['x-forwarded-for', 'client-ip', 'x-client-ip', 'x-cluster-client-ip'] as $header) {
-                $spoof     = null;
-                $headerObj = $this->header($header);
-
-                if ($headerObj !== null) {
-                    $spoof = $headerObj->getValue();
-
-                    // Some proxies typically list the whole chain of IP
-                    // addresses through which the client has reached us.
-                    // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
-                    sscanf($spoof, '%[^,]', $spoof);
-
-                    if (! $ipValidator($spoof)) {
-                        $spoof = null;
-                    } else {
-                        break;
-                    }
-                }
-            }
-
-            if ($spoof) {
-                foreach ($proxyIPs as $proxyIP) {
-                    // Check if we have an IP address or a subnet
-                    if (strpos($proxyIP, '/') === false) {
-                        // An IP address (and not a subnet) is specified.
-                        // We can compare right away.
-                        if ($proxyIP === $this->ipAddress) {
+            // @TODO Extract all this IP address logic to another class.
+            foreach ($proxyIPs as $proxyIP => $header) {
+                // Check if we have an IP address or a subnet
+                if (strpos($proxyIP, '/') === false) {
+                    // An IP address (and not a subnet) is specified.
+                    // We can compare right away.
+                    if ($proxyIP === $this->ipAddress) {
+                        $spoof = $this->getClientIP($header);
+
+                        if ($spoof !== null) {
                             $this->ipAddress = $spoof;
                             break;
                         }
-
-                        continue;
                     }
 
-                    // We have a subnet ... now the heavy lifting begins
-                    if (! isset($separator)) {
-                        $separator = $ipValidator($this->ipAddress, 'ipv6') ? ':' : '.';
-                    }
+                    continue;
+                }
 
-                    // If the proxy entry doesn't match the IP protocol - skip it
-                    if (strpos($proxyIP, $separator) === false) {
-                        continue;
-                    }
+                // We have a subnet ... now the heavy lifting begins
+                if (! isset($separator)) {
+                    $separator = $ipValidator($this->ipAddress, 'ipv6') ? ':' : '.';
+                }
 
-                    // Convert the REMOTE_ADDR IP address to binary, if needed
-                    if (! isset($ip, $sprintf)) {
-                        if ($separator === ':') {
-                            // Make sure we're have the "full" IPv6 format
-                            $ip = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($this->ipAddress, ':')), $this->ipAddress));
+                // If the proxy entry doesn't match the IP protocol - skip it
+                if (strpos($proxyIP, $separator) === false) {
+                    continue;
+                }
 
-                            for ($j = 0; $j < 8; $j++) {
-                                $ip[$j] = intval($ip[$j], 16);
-                            }
+                // Convert the REMOTE_ADDR IP address to binary, if needed
+                if (! isset($ip, $sprintf)) {
+                    if ($separator === ':') {
+                        // Make sure we're having the "full" IPv6 format
+                        $ip = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($this->ipAddress, ':')), $this->ipAddress));
 
-                            $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b';
-                        } else {
-                            $ip      = explode('.', $this->ipAddress);
-                            $sprintf = '%08b%08b%08b%08b';
+                        for ($j = 0; $j < 8; $j++) {
+                            $ip[$j] = intval($ip[$j], 16);
                         }
 
-                        $ip = vsprintf($sprintf, $ip);
+                        $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b';
+                    } else {
+                        $ip      = explode('.', $this->ipAddress);
+                        $sprintf = '%08b%08b%08b%08b';
                     }
 
-                    // Split the netmask length off the network address
-                    sscanf($proxyIP, '%[^/]/%d', $netaddr, $masklen);
+                    $ip = vsprintf($sprintf, $ip);
+                }
 
-                    // Again, an IPv6 address is most likely in a compressed form
-                    if ($separator === ':') {
-                        $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr));
+                // Split the netmask length off the network address
+                sscanf($proxyIP, '%[^/]/%d', $netaddr, $masklen);
 
-                        for ($i = 0; $i < 8; $i++) {
-                            $netaddr[$i] = intval($netaddr[$i], 16);
-                        }
-                    } else {
-                        $netaddr = explode('.', $netaddr);
+                // Again, an IPv6 address is most likely in a compressed form
+                if ($separator === ':') {
+                    $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr));
+
+                    for ($i = 0; $i < 8; $i++) {
+                        $netaddr[$i] = intval($netaddr[$i], 16);
                     }
+                } else {
+                    $netaddr = explode('.', $netaddr);
+                }
+
+                // Convert to binary and finally compare
+                if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) {
+                    $spoof = $this->getClientIP($header);
 
-                    // Convert to binary and finally compare
-                    if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) {
+                    if ($spoof !== null) {
                         $this->ipAddress = $spoof;
                         break;
                     }
@@ -160,6 +156,34 @@ public function getIPAddress(): string
         return empty($this->ipAddress) ? '' : $this->ipAddress;
     }
 
+    /**
+     * Gets the client IP address from the HTTP header.
+     */
+    private function getClientIP(string $header): ?string
+    {
+        $ipValidator = [
+            new FormatRules(),
+            'valid_ip',
+        ];
+        $spoof     = null;
+        $headerObj = $this->header($header);
+
+        if ($headerObj !== null) {
+            $spoof = $headerObj->getValue();
+
+            // Some proxies typically list the whole chain of IP
+            // addresses through which the client has reached us.
+            // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
+            sscanf($spoof, '%[^,]', $spoof);
+
+            if (! $ipValidator($spoof)) {
+                $spoof = null;
+            }
+        }
+
+        return $spoof;
+    }
+
     /**
      * Fetch an item from the $_SERVER array.
      *

system/Session/Handlers/DatabaseHandler.php

@@ -61,6 +61,11 @@ class DatabaseHandler extends BaseHandler
      */
     protected $rowExists = false;
 
+    /**
+     * ID prefix for multiple session cookies
+     */
+    protected string $idPrefix;
+
     /**
      * @throws SessionException
      */
@@ -74,9 +79,13 @@ public function __construct(AppConfig $config, string $ipAddress)
         // Store Session configurations
         if ($session instanceof SessionConfig) {
             $this->DBGroup = $session->DBGroup ?? config(Database::class)->defaultGroup;
+            // Add sessionCookieName for multiple session cookies.
+            $this->idPrefix = $session->cookieName . ':';
         } else {
             // `Config/Session.php` is absence
             $this->DBGroup = $config->sessionDBGroup ?? config(Database::class)->defaultGroup;
+            // Add sessionCookieName for multiple session cookies.
+            $this->idPrefix = $config->sessionCookieName . ':';
         }
 
         $this->table = $this->savePath;
@@ -124,7 +133,7 @@ public function read($id)
             $this->sessionID = $id;
         }
 
-        $builder = $this->db->table($this->table)->where('id', $id);
+        $builder = $this->db->table($this->table)->where('id', $this->idPrefix . $id);
 
         if ($this->matchIP) {
             $builder = $builder->where('ip_address', $this->ipAddress);
@@ -191,7 +200,7 @@ public function write($id, $data): bool
 
         if ($this->rowExists === false) {
             $insertData = [
-                'id'         => $id,
+                'id'         => $this->idPrefix . $id,
                 'ip_address' => $this->ipAddress,
                 'data'       => $this->prepareData($data),
             ];
@@ -206,7 +215,7 @@ public function write($id, $data): bool
             return true;
         }
 
-        $builder = $this->db->table($this->table)->where('id', $id);
+        $builder = $this->db->table($this->table)->where('id', $this->idPrefix . $id);
 
         if ($this->matchIP) {
             $builder = $builder->where('ip_address', $this->ipAddress);
@@ -251,7 +260,7 @@ public function close(): bool
     public function destroy($id): bool
     {
         if ($this->lock) {
-            $builder = $this->db->table($this->table)->where('id', $id);
+            $builder = $this->db->table($this->table)->where('id', $this->idPrefix . $id);
 
             if ($this->matchIP) {
                 $builder = $builder->where('ip_address', $this->ipAddress);
@@ -285,7 +294,11 @@ public function gc($max_lifetime)
         $separator = ' ';
         $interval  = implode($separator, ['', "{$max_lifetime} second", '']);
 
-        return $this->db->table($this->table)->where('timestamp <', "now() - INTERVAL {$interval}", false)->delete() ? 1 : $this->fail();
+        return $this->db->table($this->table)->where(
+            'timestamp <',
+            "now() - INTERVAL {$interval}",
+            false
+        )->delete() ? 1 : $this->fail();
     }
 
     /**