Remove deprecated items in Security

paulbalandan · paulbalandan · commit 0f80171fcaf0 · 2026-02-21T18:23:54.000+08:00
diff --git a/system/Security/Security.php b/system/Security/Security.php
@@ -29,8 +29,6 @@
 use SensitiveParameter;
 
 /**
- * Class Security
- *
  * Provides methods that help protect your site against
  * Cross-Site Request Forgery attacks.
  *
@@ -42,26 +40,6 @@ class Security implements SecurityInterface
     public const CSRF_PROTECTION_SESSION = 'session';
     protected const CSRF_HASH_BYTES      = 16;
 
-    /**
-     * CSRF Protection Method
-     *
-     * Protection Method for Cross Site Request Forgery protection.
-     *
-     * @var string 'cookie' or 'session'
-     *
-     * @deprecated 4.4.0 Use $this->config->csrfProtection.
-     */
-    protected $csrfProtection = self::CSRF_PROTECTION_COOKIE;
-
-    /**
-     * CSRF Token Randomization
-     *
-     * @var bool
-     *
-     * @deprecated 4.4.0 Use $this->config->tokenRandomize.
-     */
-    protected $tokenRandomize = false;
-
     /**
      * CSRF Hash (without randomization)
      *
@@ -71,28 +49,6 @@ class Security implements SecurityInterface
      */
     protected $hash;
 
-    /**
-     * CSRF Token Name
-     *
-     * Token name for Cross Site Request Forgery protection.
-     *
-     * @var string
-     *
-     * @deprecated 4.4.0 Use $this->config->tokenName.
-     */
-    protected $tokenName = 'csrf_token_name';
-
-    /**
-     * CSRF Header Name
-     *
-     * Header name for Cross Site Request Forgery protection.
-     *
-     * @var string
-     *
-     * @deprecated 4.4.0 Use $this->config->headerName.
-     */
-    protected $headerName = 'X-CSRF-TOKEN';
-
     /**
      * The CSRF Cookie instance.
      *
@@ -109,58 +65,6 @@ class Security implements SecurityInterface
      */
     protected $cookieName = 'csrf_cookie_name';
 
-    /**
-     * CSRF Expires
-     *
-     * Expiration time for Cross Site Request Forgery protection cookie.
-     *
-     * Defaults to two hours (in seconds).
-     *
-     * @var int
-     *
-     * @deprecated 4.4.0 Use $this->config->expires.
-     */
-    protected $expires = 7200;
-
-    /**
-     * CSRF Regenerate
-     *
-     * Regenerate CSRF Token on every request.
-     *
-     * @var bool
-     *
-     * @deprecated 4.4.0 Use $this->config->regenerate.
-     */
-    protected $regenerate = true;
-
-    /**
-     * CSRF Redirect
-     *
-     * Redirect to previous page with error on failure.
-     *
-     * @var bool
-     *
-     * @deprecated 4.4.0 Use $this->config->redirect.
-     */
-    protected $redirect = false;
-
-    /**
-     * CSRF SameSite
-     *
-     * Setting for CSRF SameSite cookie token.
-     *
-     * Allowed values are: None - Lax - Strict - ''.
-     *
-     * Defaults to `Lax` as recommended in this link:
-     *
-     * @see https://portswigger.net/web-security/csrf/samesite-cookies
-     *
-     * @var string
-     *
-     * @deprecated `Config\Cookie` $samesite property is used.
-     */
-    protected $samesite = Cookie::SAMESITE_LAX;
-
     private readonly IncomingRequest $request;
 
     /**
@@ -454,29 +358,6 @@ public function shouldRedirect(): bool
         return $this->config->redirect;
     }
 
-    /**
-     * Sanitize Filename
-     *
-     * Tries to sanitize filenames in order to prevent directory traversal attempts
-     * and other security threats, which is particularly useful for files that
-     * were supplied via user input.
-     *
-     * If it is acceptable for the user input to include relative paths,
-     * e.g. file/in/some/approved/folder.txt, you can set the second optional
-     * parameter, $relativePath to TRUE.
-     *
-     * @deprecated 4.6.2 Use `sanitize_filename()` instead
-     *
-     * @param string $str          Input file name
-     * @param bool   $relativePath Whether to preserve paths
-     */
-    public function sanitizeFilename(string $str, bool $relativePath = false): string
-    {
-        helper('security');
-
-        return sanitize_filename($str, $relativePath);
-    }
-
     /**
      * Restore hash from Session or Cookie
      */
diff --git a/system/Security/SecurityInterface.php b/system/Security/SecurityInterface.php
@@ -22,9 +22,9 @@
 interface SecurityInterface
 {
     /**
-     * CSRF Verify
+     * Verify CSRF token sent with the request.
      *
-     * @return $this|false
+     * @return $this
      *
      * @throws SecurityException
      */
@@ -54,22 +54,4 @@ public function getCookieName(): string;
      * Check if request should be redirect on failure.
      */
     public function shouldRedirect(): bool;
-
-    /**
-     * Sanitize Filename
-     *
-     * Tries to sanitize filenames in order to prevent directory traversal attempts
-     * and other security threats, which is particularly useful for files that
-     * were supplied via user input.
-     *
-     * If it is acceptable for the user input to include relative paths,
-     * e.g. file/in/some/approved/folder.txt, you can set the second optional
-     * parameter, $relativePath to TRUE.
-     *
-     * @deprecated 4.6.2 Use `sanitize_filename()` instead
-     *
-     * @param string $str          Input file name
-     * @param bool   $relativePath Whether to preserve paths
-     */
-    public function sanitizeFilename(string $str, bool $relativePath = false): string;
 }
diff --git a/tests/system/Security/SecurityTest.php b/tests/system/Security/SecurityTest.php
@@ -240,15 +240,6 @@ public function testCsrfVerifyPutBodyReturnsSelfOnMatch(): void
         $this->assertSame('foo=bar', $request->getBody());
     }
 
-    public function testSanitizeFilename(): void
-    {
-        $security = $this->createMockSecurity();
-
-        $filename = './<!--foo-->';
-
-        $this->assertSame('foo', $security->sanitizeFilename($filename));
-    }
-
     public function testRegenerateWithFalseSecurityRegenerateProperty(): void
     {
         service('superglobals')
diff --git a/user_guide_src/source/changelogs/v4.8.0.rst b/user_guide_src/source/changelogs/v4.8.0.rst
@@ -43,6 +43,17 @@ Removed Deprecated Items
     - ``CodeIgniter\Debug\Exceptions::cleanPath()``
     - ``CodeIgniter\Debug\Exceptions::describeMemory()``
     - ``CodeIgniter\Debug\Exceptions::highlightFile()``
+- **Security:** Removed the following properties and methods deprecated:
+    - ``CodeIgniter\Security\SecurityInterface::sanitizeFilename()`` (deprecated since v4.6.2)
+    - ``CodeIgniter\Security\Security::sanitizeFilename()`` (deprecated since v4.6.2)
+    - ``CodeIgniter\Security\Security::$csrfProtection`` (deprecated since v4.4.0)
+    - ``CodeIgniter\Security\Security::$tokenRandomize`` (deprecated since v4.4.0)
+    - ``CodeIgniter\Security\Security::$tokenName`` (deprecated since v4.4.0)
+    - ``CodeIgniter\Security\Security::$headerName`` (deprecated since v4.4.0)
+    - ``CodeIgniter\Security\Security::$expires`` (deprecated since v4.4.0)
+    - ``CodeIgniter\Security\Security::$regenerate`` (deprecated since v4.4.0)
+    - ``CodeIgniter\Security\Security::$redirect`` (deprecated since v4.4.0)
+    - ``CodeIgniter\Security\Security::$sameSite`` (deprecated since v4.4.0)
 
 ************
 Enhancements
