Merge branch 'codeigniter4:develop' into develop

Author: thenerdyshark

CHANGELOG.md

@@ -1,5 +1,45 @@
 # Changelog
 
+## [v4.2.11](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.11) (2022-12-21)
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.10...v4.2.11)
+
+### SECURITY
+* *Attackers may spoof IP address when using proxy* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-ghw3-5qvm-3mqc) for more information.
+* *Potential Session Handlers Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-6cq5-8cj7-g558) for more information.
+
+### Fixed Bugs
+* fix:  Request::getIPAddress() by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6820
+* fix: Model cannot insert when $useAutoIncrement is false by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6827
+* fix: View Parser regexp does not support UTF-8 by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6835
+* Handle key generation when key is not present in .env by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6839
+* Fix: Controller Test withBody() by @MGatner in https://github.com/codeigniter4/CodeIgniter4/pull/6843
+* fix: body assigned via options array in CURLRequest class by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/6854
+* Fix CreateDatabase leaving altered database config in connection by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6856
+* fix: cast to string all values except arrays in Header class by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/6862
+* add missing @method Query grouping in Model by @paul45 in https://github.com/codeigniter4/CodeIgniter4/pull/6874
+* fix: `composer update` might cause error "Failed to open directory" by @LeMyst in https://github.com/codeigniter4/CodeIgniter4/pull/6833
+* fix: required PHP extentions by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6897
+* fix: Use Services for the FeatureTestTrait request. by @lonnieezell in https://github.com/codeigniter4/CodeIgniter4/pull/6966
+* fix: FileLocator::locateFile() bug with a similar namespace name by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/6964
+* fix: socket connection in RedisHandler class by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/6972
+* fix: `spark namespaces` cannot show a namespace with mutilple paths by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6977
+* fix: Undefined constant "CodeIgniter\Debug\VENDORPATH" by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6985
+* fix: large HTTP input crashes framework by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6984
+* fix: empty paths for `rewrite.php` by @datamweb in https://github.com/codeigniter4/CodeIgniter4/pull/6991
+* fix: `PHPStan` $cols not defined in `CLI` by @ddevsr in https://github.com/codeigniter4/CodeIgniter4/pull/6994
+* Fix MigrationRunnerTest for Windows by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6855
+* fix: turn off `Xdebug` note when running phpstan by @ddevsr in https://github.com/codeigniter4/CodeIgniter4/pull/6851
+* Fix ShowTableInfoTest to pass on Windows by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6853
+* Fix MigrateStatusTest for Windows by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6866
+* Fix ShowTableInfoTest when migration records are numerous by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6868
+* Fix CreateDatabaseTest to not leave database by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6867
+* Fix coverage merge warning by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/6885
+* fix: replace tabs to spaces  by @zl59503020 in https://github.com/codeigniter4/CodeIgniter4/pull/6898
+* fix: slack links by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6907
+* Fix typo in database/queries.rst by @philFernandez in https://github.com/codeigniter4/CodeIgniter4/pull/6920
+* Fix testInsertWithSetAndEscape to make not time dependent by @sclubricants in https://github.com/codeigniter4/CodeIgniter4/pull/6974
+* fix: remove unnecessary global variables in rewrite.php by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6973
+
 ## [v4.2.10](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.10) (2022-11-05)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.9...v4.2.10)
 
@@ -41,6 +81,9 @@
 ## [v4.2.7](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.7) (2022-10-06)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.6...v4.2.7)
 
+### SECURITY
+* *Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp) for more information.
+
 ### Breaking Changes
 * fix: make Time::__toString() database-compatible on any locale by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6461
 * fix: set_cookie() does not use Config\Cookie values by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6544

admin/framework/composer.json

@@ -16,7 +16,7 @@
     "require-dev": {
         "codeigniter/coding-standard": "^1.5",
         "fakerphp/faker": "^1.9",
-        "friendsofphp/php-cs-fixer": "~3.13.0",
+        "friendsofphp/php-cs-fixer": "3.13.0",
         "mikey179/vfsstream": "^1.6",
         "nexusphp/cs-config": "^3.6",
         "phpunit/phpunit": "^9.1",

app/Config/App.php

@@ -332,18 +332,21 @@ class App extends BaseConfig
      *
      * If your server is behind a reverse proxy, you must whitelist the proxy
      * IP addresses from which CodeIgniter should trust headers such as
-     * HTTP_X_FORWARDED_FOR and HTTP_CLIENT_IP in order to properly identify
+     * X-Forwarded-For or Client-IP in order to properly identify
      * the visitor's IP address.
      *
-     * You can use both an array or a comma-separated list of proxy addresses,
-     * as well as specifying whole subnets. Here are a few examples:
+     * You need to set a proxy IP address or IP address with subnets and
+     * the HTTP header for the client IP address.
      *
-     * Comma-separated: '10.0.1.200,192.168.5.0/24'
-     * Array: ['10.0.1.200', '192.168.5.0/24']
+     * Here are some examples:
+     *     [
+     *         '10.0.1.200'     => 'X-Forwarded-For',
+     *         '192.168.5.0/24' => 'X-Real-IP',
+     *     ]
      *
-     * @var string|string[]
+     * @var array<string, string>
      */
-    public $proxyIPs = '';
+    public $proxyIPs = [];
 
     /**
      * --------------------------------------------------------------------------

composer.json

@@ -16,7 +16,7 @@
     "require-dev": {
         "codeigniter/coding-standard": "^1.5",
         "fakerphp/faker": "^1.9",
-        "friendsofphp/php-cs-fixer": "~3.13.0",
+        "friendsofphp/php-cs-fixer": "3.13.0",
         "mikey179/vfsstream": "^1.6",
         "nexusphp/cs-config": "^3.6",
         "nexusphp/tachycardia": "^1.0",

phpstan-baseline.neon.dist

@@ -500,11 +500,6 @@ parameters:
 			count: 1
 			path: system/HTTP/RedirectResponse.php
 
-		-
-			message: "#^Property CodeIgniter\\\\HTTP\\\\Request\\:\\:\\$proxyIPs \\(array\\|string\\) on left side of \\?\\? is not nullable\\.$#"
-			count: 1
-			path: system/HTTP/Request.php
-
 		-
 			message: "#^Property CodeIgniter\\\\HTTP\\\\Request\\:\\:\\$uri \\(CodeIgniter\\\\HTTP\\\\URI\\) in empty\\(\\) is not falsy\\.$#"
 			count: 1

system/CodeIgniter.php

@@ -47,7 +47,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.2.10';
+    public const CI_VERSION = '4.2.11';
 
     /**
      * App startup time.

system/Commands/Server/rewrite.php

@@ -24,7 +24,9 @@
     return;
 }
 
-$uri = urldecode(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
+$uri = urldecode(
+    parse_url('https://codeigniter.com' . $_SERVER['REQUEST_URI'], PHP_URL_PATH) ?? ''
+);
 
 // All request handle by index.php file.
 $_SERVER['SCRIPT_NAME'] = '/index.php';

system/HTTP/Request.php

@@ -23,7 +23,7 @@ class Request extends Message implements MessageInterface, RequestInterface
     /**
      * Proxy IPs
      *
-     * @var array|string
+     * @var array<string, string>
      *
      * @deprecated Check the App config directly
      */

system/HTTP/RequestTrait.php

@@ -11,6 +11,7 @@
 
 namespace CodeIgniter\HTTP;
 
+use CodeIgniter\Exceptions\ConfigException;
 use CodeIgniter\Validation\FormatRules;
 
 /**
@@ -43,7 +44,9 @@ trait RequestTrait
     /**
      * Gets the user's IP address.
      *
-     * @return string IP address
+     * @return string IP address if it can be detected, or empty string.
+     *                If the IP address is not a valid IP address,
+     *                then will return '0.0.0.0'.
      */
     public function getIPAddress(): string
     {
@@ -59,93 +62,84 @@ public function getIPAddress(): string
         /**
          * @deprecated $this->proxyIPs property will be removed in the future
          */
+        // @phpstan-ignore-next-line
         $proxyIPs = $this->proxyIPs ?? config('App')->proxyIPs;
-        if (! empty($proxyIPs) && ! is_array($proxyIPs)) {
-            $proxyIPs = explode(',', str_replace(' ', '', $proxyIPs));
+        // @phpstan-ignore-next-line
+        if (! empty($proxyIPs) && (! is_array($proxyIPs) || is_int(array_key_first($proxyIPs)))) {
+            throw new ConfigException(
+                'You must set an array with Proxy IP address key and HTTP header name value in Config\App::$proxyIPs.'
+            );
         }
 
         $this->ipAddress = $this->getServer('REMOTE_ADDR');
 
         if ($proxyIPs) {
-            foreach (['x-forwarded-for', 'client-ip', 'x-client-ip', 'x-cluster-client-ip'] as $header) {
-                $spoof     = null;
-                $headerObj = $this->header($header);
-
-                if ($headerObj !== null) {
-                    $spoof = $headerObj->getValue();
-
-                    // Some proxies typically list the whole chain of IP
-                    // addresses through which the client has reached us.
-                    // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
-                    sscanf($spoof, '%[^,]', $spoof);
-
-                    if (! $ipValidator($spoof)) {
-                        $spoof = null;
-                    } else {
-                        break;
-                    }
-                }
-            }
-
-            if ($spoof) {
-                foreach ($proxyIPs as $proxyIP) {
-                    // Check if we have an IP address or a subnet
-                    if (strpos($proxyIP, '/') === false) {
-                        // An IP address (and not a subnet) is specified.
-                        // We can compare right away.
-                        if ($proxyIP === $this->ipAddress) {
+            // @TODO Extract all this IP address logic to another class.
+            foreach ($proxyIPs as $proxyIP => $header) {
+                // Check if we have an IP address or a subnet
+                if (strpos($proxyIP, '/') === false) {
+                    // An IP address (and not a subnet) is specified.
+                    // We can compare right away.
+                    if ($proxyIP === $this->ipAddress) {
+                        $spoof = $this->getClientIP($header);
+
+                        if ($spoof !== null) {
                             $this->ipAddress = $spoof;
                             break;
                         }
-
-                        continue;
                     }
 
-                    // We have a subnet ... now the heavy lifting begins
-                    if (! isset($separator)) {
-                        $separator = $ipValidator($this->ipAddress, 'ipv6') ? ':' : '.';
-                    }
+                    continue;
+                }
 
-                    // If the proxy entry doesn't match the IP protocol - skip it
-                    if (strpos($proxyIP, $separator) === false) {
-                        continue;
-                    }
+                // We have a subnet ... now the heavy lifting begins
+                if (! isset($separator)) {
+                    $separator = $ipValidator($this->ipAddress, 'ipv6') ? ':' : '.';
+                }
 
-                    // Convert the REMOTE_ADDR IP address to binary, if needed
-                    if (! isset($ip, $sprintf)) {
-                        if ($separator === ':') {
-                            // Make sure we're have the "full" IPv6 format
-                            $ip = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($this->ipAddress, ':')), $this->ipAddress));
+                // If the proxy entry doesn't match the IP protocol - skip it
+                if (strpos($proxyIP, $separator) === false) {
+                    continue;
+                }
 
-                            for ($j = 0; $j < 8; $j++) {
-                                $ip[$j] = intval($ip[$j], 16);
-                            }
+                // Convert the REMOTE_ADDR IP address to binary, if needed
+                if (! isset($ip, $sprintf)) {
+                    if ($separator === ':') {
+                        // Make sure we're having the "full" IPv6 format
+                        $ip = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($this->ipAddress, ':')), $this->ipAddress));
 
-                            $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b';
-                        } else {
-                            $ip      = explode('.', $this->ipAddress);
-                            $sprintf = '%08b%08b%08b%08b';
+                        for ($j = 0; $j < 8; $j++) {
+                            $ip[$j] = intval($ip[$j], 16);
                         }
 
-                        $ip = vsprintf($sprintf, $ip);
+                        $sprintf = '%016b%016b%016b%016b%016b%016b%016b%016b';
+                    } else {
+                        $ip      = explode('.', $this->ipAddress);
+                        $sprintf = '%08b%08b%08b%08b';
                     }
 
-                    // Split the netmask length off the network address
-                    sscanf($proxyIP, '%[^/]/%d', $netaddr, $masklen);
+                    $ip = vsprintf($sprintf, $ip);
+                }
 
-                    // Again, an IPv6 address is most likely in a compressed form
-                    if ($separator === ':') {
-                        $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr));
+                // Split the netmask length off the network address
+                sscanf($proxyIP, '%[^/]/%d', $netaddr, $masklen);
 
-                        for ($i = 0; $i < 8; $i++) {
-                            $netaddr[$i] = intval($netaddr[$i], 16);
-                        }
-                    } else {
-                        $netaddr = explode('.', $netaddr);
+                // Again, an IPv6 address is most likely in a compressed form
+                if ($separator === ':') {
+                    $netaddr = explode(':', str_replace('::', str_repeat(':', 9 - substr_count($netaddr, ':')), $netaddr));
+
+                    for ($i = 0; $i < 8; $i++) {
+                        $netaddr[$i] = intval($netaddr[$i], 16);
                     }
+                } else {
+                    $netaddr = explode('.', $netaddr);
+                }
+
+                // Convert to binary and finally compare
+                if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) {
+                    $spoof = $this->getClientIP($header);
 
-                    // Convert to binary and finally compare
-                    if (strncmp($ip, vsprintf($sprintf, $netaddr), $masklen) === 0) {
+                    if ($spoof !== null) {
                         $this->ipAddress = $spoof;
                         break;
                     }
@@ -160,6 +154,34 @@ public function getIPAddress(): string
         return empty($this->ipAddress) ? '' : $this->ipAddress;
     }
 
+    /**
+     * Gets the client IP address from the HTTP header.
+     */
+    private function getClientIP(string $header): ?string
+    {
+        $ipValidator = [
+            new FormatRules(),
+            'valid_ip',
+        ];
+        $spoof     = null;
+        $headerObj = $this->header($header);
+
+        if ($headerObj !== null) {
+            $spoof = $headerObj->getValue();
+
+            // Some proxies typically list the whole chain of IP
+            // addresses through which the client has reached us.
+            // e.g. client_ip, proxy_ip1, proxy_ip2, etc.
+            sscanf($spoof, '%[^,]', $spoof);
+
+            if (! $ipValidator($spoof)) {
+                $spoof = null;
+            }
+        }
+
+        return $spoof;
+    }
+
     /**
      * Fetch an item from the $_SERVER array.
      *