Merge pull request #5747 from kenjis/merge-419-master-into-develop

Merge v4.1.9 master into develop

Author: kenjis

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## [v4.1.9](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.9) (2022-02-25)
+
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.8...v4.1.9)
+
+**SECURITY**
+
+* *Remote CLI Command Execution Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7) for more information.
+* *Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554) for more information.
+
 ## [v4.1.8](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.8) (2022-01-24)
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.7...v4.1.8)

phpstan-baseline.neon.dist

@@ -110,11 +110,6 @@ parameters:
 			count: 1
 			path: system/CodeIgniter.php
 
-		-
-			message: "#^Dead catch \\- CodeIgniter\\\\Exceptions\\\\PageNotFoundException is never thrown in the try block\\.$#"
-			count: 1
-			path: system/CodeIgniter.php
-
 		-
 			message: "#^Property Config\\\\App\\:\\:\\$appTimezone \\(string\\) on left side of \\?\\? is not nullable\\.$#"
 			count: 1

system/CodeIgniter.php

@@ -45,7 +45,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.1.8';
+    public const CI_VERSION = '4.1.9';
 
     private const MIN_PHP_VERSION = '7.4';
 
@@ -318,6 +318,12 @@ public function run(?RouteCollectionInterface $routes = null, bool $returnRespon
 
         $this->spoofRequestMethod();
 
+        if ($this->request instanceof IncomingRequest && $this->request->getMethod() === 'cli') {
+            $this->response->setStatusCode(405)->setBody('Method Not Allowed');
+
+            return $this->sendResponse();
+        }
+
         Events::trigger('pre_system');
 
         // Check for a cached page. Execution will stop
@@ -400,6 +406,7 @@ private function isWeb(): bool
     /**
      * Handles the main request logic and fires the controller.
      *
+     * @throws PageNotFoundException
      * @throws RedirectException
      *
      * @return mixed|RequestInterface|ResponseInterface
@@ -1046,7 +1053,10 @@ public function spoofRequestMethod()
             return;
         }
 
-        $this->request = $this->request->setMethod($method);
+        // Only allows PUT, PATCH, DELETE
+        if (in_array(strtoupper($method), ['PUT', 'PATCH', 'DELETE'], true)) {
+            $this->request = $this->request->setMethod($method);
+        }
     }
 
     /**

tests/system/CodeIgniterTest.php

@@ -441,4 +441,59 @@ public function testRunDefaultRoute()
 
         $this->assertStringContainsString('Welcome to CodeIgniter', $output);
     }
+
+    public function testRunCLIRoute()
+    {
+        $_SERVER['argv'] = ['index.php', 'cli'];
+        $_SERVER['argc'] = 2;
+
+        $_SERVER['REQUEST_URI']     = '/cli';
+        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['REQUEST_METHOD']  = 'CLI';
+
+        $routes = Services::routes();
+        $routes->cli('cli', '\Tests\Support\Controllers\Popcorn::index');
+
+        ob_start();
+        $this->codeigniter->useSafeOutput(true)->run();
+        $output = ob_get_clean();
+
+        $this->assertStringContainsString('Method Not Allowed', $output);
+    }
+
+    public function testSpoofRequestMethodCanUsePUT()
+    {
+        $_SERVER['argv'] = ['index.php'];
+        $_SERVER['argc'] = 1;
+
+        $_SERVER['REQUEST_URI']     = '/';
+        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['REQUEST_METHOD']  = 'POST';
+
+        $_POST['_method'] = 'PUT';
+
+        ob_start();
+        $this->codeigniter->useSafeOutput(true)->run();
+        ob_get_clean();
+
+        $this->assertSame('put', Services::request()->getMethod());
+    }
+
+    public function testSpoofRequestMethodCannotUseGET()
+    {
+        $_SERVER['argv'] = ['index.php'];
+        $_SERVER['argc'] = 1;
+
+        $_SERVER['REQUEST_URI']     = '/';
+        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['REQUEST_METHOD']  = 'POST';
+
+        $_POST['_method'] = 'GET';
+
+        ob_start();
+        $this->codeigniter->useSafeOutput(true)->run();
+        ob_get_clean();
+
+        $this->assertSame('post', Services::request()->getMethod());
+    }
 }

tests/system/Commands/CommandTest.php

@@ -27,6 +27,8 @@ final class CommandTest extends CIUnitTestCase
 
     protected function setUp(): void
     {
+        $this->resetServices();
+
         parent::setUp();
 
         CITestStreamFilter::$buffer = '';

tests/system/Commands/RoutesTest.php

@@ -26,6 +26,8 @@ final class RoutesTest extends CIUnitTestCase
 
     protected function setUp(): void
     {
+        $this->resetServices();
+
         parent::setUp();
 
         CITestStreamFilter::$buffer = '';
@@ -40,6 +42,8 @@ protected function setUp(): void
     protected function tearDown(): void
     {
         stream_filter_remove($this->streamFilter);
+
+        $this->resetServices();
     }
 
     protected function getBuffer()
@@ -60,6 +64,7 @@ public function testRoutesCommand()
     public function testRoutesCommandRouteFilterAndAutoRoute()
     {
         $routes = Services::routes();
+        $routes->setDefaultNamespace('App\Controllers');
         $routes->resetRoutes();
         $routes->get('/', 'Home::index', ['filter' => 'csrf']);
 

tests/system/Commands/ScaffoldGeneratorTest.php

@@ -13,6 +13,9 @@
 
 use CodeIgniter\Test\CIUnitTestCase;
 use CodeIgniter\Test\Filters\CITestStreamFilter;
+use Config\Autoload;
+use Config\Modules;
+use Config\Services;
 
 /**
  * @internal
@@ -23,6 +26,9 @@ final class ScaffoldGeneratorTest extends CIUnitTestCase
 
     protected function setUp(): void
     {
+        $this->resetServices();
+        Services::autoloader()->initialize(new Autoload(), new Modules());
+
         CITestStreamFilter::$buffer = '';
 
         $this->streamFilter = stream_filter_append(STDOUT, 'CITestStreamFilter');

tests/system/Commands/SessionsCommandsTest.php

@@ -1,76 +0,0 @@
-<?php
-
-/**
- * This file is part of CodeIgniter 4 framework.
- *
- * (c) CodeIgniter Foundation <admin@codeigniter.com>
- *
- * For the full copyright and license information, please view
- * the LICENSE file that was distributed with this source code.
- */
-
-namespace CodeIgniter\Commands;
-
-use CodeIgniter\Test\CIUnitTestCase;
-use CodeIgniter\Test\Filters\CITestStreamFilter;
-
-/**
- * @internal
- */
-final class SessionsCommandsTest extends CIUnitTestCase
-{
-    private $streamFilter;
-
-    protected function setUp(): void
-    {
-        parent::setUp();
-
-        CITestStreamFilter::$buffer = '';
-
-        $this->streamFilter = stream_filter_append(STDOUT, 'CITestStreamFilter');
-        $this->streamFilter = stream_filter_append(STDERR, 'CITestStreamFilter');
-    }
-
-    protected function tearDown(): void
-    {
-        stream_filter_remove($this->streamFilter);
-
-        $result = str_replace(["\033[0;32m", "\033[0m", "\n"], '', CITestStreamFilter::$buffer);
-        $file   = str_replace('APPPATH' . DIRECTORY_SEPARATOR, APPPATH, trim(substr($result, 14)));
-        if (file_exists($file)) {
-            unlink($file);
-        }
-    }
-
-    public function testCreateMigrationCommand()
-    {
-        command('session:migration');
-
-        // make sure we end up with a migration class in the right place
-        // or at least that we claim to have done so
-        // separate assertions avoid console color codes
-        $this->assertStringContainsString('_CreateCiSessionsTable.php', CITestStreamFilter::$buffer);
-    }
-
-    public function testOverriddenCreateMigrationCommand()
-    {
-        command('session:migration -t mygoodies');
-
-        // make sure we end up with a migration class in the right place
-        $this->assertStringContainsString('_CreateMygoodiesTable.php', CITestStreamFilter::$buffer);
-    }
-
-    public function testCannotWriteFileOnCreateMigrationCommand()
-    {
-        if ('\\' === DIRECTORY_SEPARATOR) {
-            $this->markTestSkipped('chmod does not work as expected on Windows');
-        }
-
-        chmod(APPPATH . 'Database/Migrations', 0444);
-
-        command('session:migration');
-        $this->assertStringContainsString('Error while creating file:', CITestStreamFilter::$buffer);
-
-        chmod(APPPATH . 'Database/Migrations', 0755);
-    }
-}

user_guide_src/source/changelogs/index.rst

@@ -13,6 +13,7 @@ See all the changes.
     :titlesonly:
 
     v4.2.0
+    v4.1.9
     v4.1.8
     v4.1.7
     v4.1.6

user_guide_src/source/changelogs/v4.1.9.rst

@@ -0,0 +1,16 @@
+Version 4.1.9
+#############
+
+Release Date: February 25, 2022
+
+**4.1.9 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 2
+
+SECURITY
+********
+
+- *Remote CLI Command Execution Vulnerability* was fixed. See the `Security advisory GHSA-xjp4-6w75-qrj7 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7>`_ for more information.
+- *Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability* was fixed. See the `Security advisory GHSA-4v37-24gm-h554 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554>`_ for more information.