Merge remote-tracking branch 'upstream/develop' into 4.3

kenjis · kenjis · commit feb177213933 · 2022-12-22T15:51:58.000+09:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,8 +1,12 @@
 # Changelog
 
-## [v4.2.11](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.10) (2022-12-21)
+## [v4.2.11](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.11) (2022-12-21)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.10...v4.2.11)
 
+### SECURITY
+* *Attackers may spoof IP address when using proxy* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-ghw3-5qvm-3mqc) for more information.
+* *Potential Session Handlers Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-6cq5-8cj7-g558) for more information.
+
 ### Fixed Bugs
 * fix:  Request::getIPAddress() by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6820
 * fix: Model cannot insert when $useAutoIncrement is false by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6827
@@ -77,6 +81,9 @@
 ## [v4.2.7](https://github.com/codeigniter4/CodeIgniter4/tree/v4.2.7) (2022-10-06)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.2.6...v4.2.7)
 
+### SECURITY
+* *Secure or HttpOnly flag set in Config\Cookie is not reflected in Cookies issued* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-745p-r637-7vvp) for more information.
+
 ### Breaking Changes
 * fix: make Time::__toString() database-compatible on any locale by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6461
 * fix: set_cookie() does not use Config\Cookie values by @kenjis in https://github.com/codeigniter4/CodeIgniter4/pull/6544
diff --git a/system/HTTP/RequestTrait.php b/system/HTTP/RequestTrait.php
@@ -64,13 +64,11 @@ public function getIPAddress(): string
          */
         // @phpstan-ignore-next-line
         $proxyIPs = $this->proxyIPs ?? config('App')->proxyIPs;
-        if (! empty($proxyIPs)) {
-            // @phpstan-ignore-next-line
-            if (! is_array($proxyIPs) || is_int(array_key_first($proxyIPs))) {
-                throw new ConfigException(
-                    'You must set an array with Proxy IP address key and HTTP header name value in Config\App::$proxyIPs.'
-                );
-            }
+        // @phpstan-ignore-next-line
+        if (! empty($proxyIPs) && (! is_array($proxyIPs) || is_int(array_key_first($proxyIPs)))) {
+            throw new ConfigException(
+                'You must set an array with Proxy IP address key and HTTP header name value in Config\App::$proxyIPs.'
+            );
         }
 
         $this->ipAddress = $this->getServer('REMOTE_ADDR');
diff --git a/tests/_support/Database/Seeds/CITestSeeder.php b/tests/_support/Database/Seeds/CITestSeeder.php
@@ -150,7 +150,7 @@ public function run()
 
         if ($this->db->DBDriver === 'MySQLi') {
             $data['ci_sessions'][] = [
-                'id'         => '1f5o06b43phsnnf8if6bo33b635e4p2o',
+                'id'         => 'ci_session:1f5o06b43phsnnf8if6bo33b635e4p2o',
                 'ip_address' => '127.0.0.1',
                 'timestamp'  => '2021-06-25 21:54:14',
                 'data'       => '__ci_last_regenerate|i:1624650854;_ci_previous_url|s:40:\"http://localhost/index.php/home/index\";',
@@ -159,7 +159,7 @@ public function run()
 
         if ($this->db->DBDriver === 'Postgre') {
             $data['ci_sessions'][] = [
-                'id'         => '1f5o06b43phsnnf8if6bo33b635e4p2o',
+                'id'         => 'ci_session:1f5o06b43phsnnf8if6bo33b635e4p2o',
                 'ip_address' => '127.0.0.1',
                 'timestamp'  => '2021-06-25 21:54:14.991403+02',
                 'data'       => '\x' . bin2hex('__ci_last_regenerate|i:1624650854;_ci_previous_url|s:40:\"http://localhost/index.php/home/index\";'),
diff --git a/tests/system/Session/Handlers/Database/AbstractHandlerTestCase.php b/tests/system/Session/Handlers/Database/AbstractHandlerTestCase.php
@@ -81,7 +81,7 @@ public function testWriteInsert()
         $this->setPrivateProperty($handler, 'lock', false);
 
         $row = $this->db->table('ci_sessions')
-            ->getWhere(['id' => '555556b43phsnnf8if6bo33b635e4444'])
+            ->getWhere(['id' => 'ci_session:555556b43phsnnf8if6bo33b635e4444'])
             ->getRow();
 
         $this->assertGreaterThan(time() - 100, strtotime($row->timestamp));
@@ -105,7 +105,7 @@ public function testWriteUpdate()
         $releaseLock();
 
         $row = $this->db->table('ci_sessions')
-            ->getWhere(['id' => '1f5o06b43phsnnf8if6bo33b635e4p2o'])
+            ->getWhere(['id' => 'ci_session:1f5o06b43phsnnf8if6bo33b635e4p2o'])
             ->getRow();
 
         $this->assertGreaterThan(time() - 100, strtotime($row->timestamp));
