Merge remote-tracking branch 'upstream/develop' into 4.7

paulbalandan · paulbalandan · commit d1ee6966bb7c · 2025-07-26T23:47:17.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,60 @@
 # Changelog
 
-## [v4.6.1](https://github.com/codeigniter4/CodeIgniter4/tree/v4.6.0) (2025-05-02)
+## [v4.6.2](https://github.com/codeigniter4/CodeIgniter4/tree/v4.6.2) (2025-07-26)
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.6.1...v4.6.2)
+
+### Security
+
+* **ImageMagickHandler**: *Command Injection Vulnerability in ImageMagick Handler*
+    Fixes a vulnerability relating to uses of `ImageMagickHandler`'s `resize()` or `text()` methods
+    where an attacker can upload malicious filenames containing shell metacharacters that get executed when
+    the image is processed or when text is added to the image.
+
+    See the [security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c)
+    for details. Credits to @vicevirus for reporting the issue.
+
+### Fixed Bugs
+
+* chore: add missing EscaperInterface to the AutoloadConfig by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9561
+* fix: remove service dependency from sanitize_filename() helper function by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9560
+* fix: use native PHP truthiness for condition evaluation in when()/whenNot() by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9576
+* fix: add error handling for corrupted cache files in `FileHandler` by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9586
+* fix: correct `getHostname()` fallback logic in `Email` class by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9587
+* fix: encapsulation violation in `BasePreparedQuery` class by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9603
+* fix: URI authority generation for schemes without default ports by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9605
+* fix: correct path parsing in `SiteURIFactory::parseRequestURI()` by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9613
+* fix: support for multibyte folder names when the app is served from a subfolder by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9615
+* fix: use correct 24-hour time format in development error page. by @ping-yee in https://github.com/codeigniter4/CodeIgniter4/pull/9628
+* fix: improve CURLRequest intermediate HTTP response handling by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9627
+* fix: ensure `make:test` works on Windows by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9635
+* fix: ensure `make:test` generates test files ending in `Test` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9636
+* fix: `make:test` requires 3 inputs after entering an empty class name by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9637
+* fix: add filename parameters to inline Content-Disposition headers by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9638
+
+### Refactoring
+
+* refactor: add `system/util_bootstrap.php` to curb overreliance to `system/Test/bootstrap.php` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9562
+* refactor: update places to use `system/util_bootstrap.php` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9568
+* refactor: more accurate array PHPDocs of Cookie by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9569
+* refactor: use native phpdocs wherever possible by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9571
+* refactor: fix `notIdentical.alwaysTrue` error by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9579
+* refactor: fix phpstan errors in `Events` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9580
+* refactor: fix non-booleans in if conditions by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9578
+* refactor: fix and micro-optimize code in `Format` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9583
+* refactor: fix various phpstan errors in Log component by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9581
+* refactor: partial fix errors on Email by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9582
+* refactor: fix phpstan errors in `ResponseTrait` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9591
+* refactor: precise PHPDocs for Autoloader by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9593
+* refactor: fix phpstan errors in mock classes by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9594
+* refactor: fix various phpstan errors in Cache by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9610
+* fix: apply rector rule TernaryImplodeToImplodeRector by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9614
+* refactor: `Console::showHeader()` call `date()` only once by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/9616
+
+## [v4.6.1](https://github.com/codeigniter4/CodeIgniter4/tree/v4.6.1) (2025-05-02)
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.6.0...v4.6.1)
 
 ### Fixed Bugs
+
 * fix(CURLRequest): multiple header sections after redirects by @ducng99 in https://github.com/codeigniter4/CodeIgniter4/pull/9426
 * fix: set headers for CORS by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9437
 * fix: upsert with composite unique index by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/9454
@@ -13,6 +64,7 @@
 * fix: added "application/octet-stream" to the "stl" mime type in the M… by @Franky5831 in https://github.com/codeigniter4/CodeIgniter4/pull/9543
 
 ### Refactoring
+
 * refactor: get upper first protocol only one call in Email by @ddevsr in https://github.com/codeigniter4/CodeIgniter4/pull/9449
 * refactor: PHPDocs in `env()` by @ddevsr in https://github.com/codeigniter4/CodeIgniter4/pull/9468
 * refactor: remove lowercase event name for logging by @ddevsr in https://github.com/codeigniter4/CodeIgniter4/pull/9483
diff --git a/phpdoc.dist.xml b/phpdoc.dist.xml
@@ -10,7 +10,7 @@
         <output>api/build/</output>
         <cache>api/cache/</cache>
     </paths>
-    <version number="4.6.1">
+    <version number="4.6.2">
         <api format="php">
             <source dsn=".">
                 <path>system</path>
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -55,7 +55,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.6.1';
+    public const CI_VERSION = '4.6.2';
 
     /**
      * App startup time.
diff --git a/tests/system/Images/ImageMagickHandlerTest.php b/tests/system/Images/ImageMagickHandlerTest.php
@@ -444,6 +444,67 @@ public function testImageReorientPortrait(): void
         }
     }
 
+    public function testCommandInjectionPrevention(): void
+    {
+        $injectionFile     = 'ci4_security_test.txt';
+        $maliciousFilename = 'image.png`echo 123456 | tee ' . $injectionFile . '`';
+        $tempPath          = $this->root . $maliciousFilename;
+
+        $source = $this->origin . 'rocket.png';
+
+        if (file_exists($injectionFile)) {
+            unlink($injectionFile);
+        }
+
+        file_put_contents($tempPath, file_get_contents($source));
+
+        try {
+            $this->handler->withFile($tempPath);
+            $this->handler->resize(50, 50);
+        } catch (ImageException) {
+            $this->fail('Command injection succeeded. Fix is incomplete.');
+        } finally {
+            // Check that the command injection file was NOT created
+            $this->assertFileDoesNotExist($injectionFile);
+
+            // Verify the image processing still works normally
+            $this->assertSame(50, $this->handler->getWidth());
+            $this->assertSame(50, $this->handler->getHeight());
+
+            if (file_exists($tempPath)) {
+                unlink($tempPath);
+            }
+        }
+    }
+
+    public function testCommandInjectionPreventionWithText(): void
+    {
+        $injectionFile = 'ci4_security_test.txt';
+        $tempFilename  = 'image.png';
+        $tempPath      = $this->root . $tempFilename;
+
+        $source = $this->origin . 'rocket.png';
+
+        if (file_exists($injectionFile)) {
+            unlink($injectionFile);
+        }
+
+        file_put_contents($tempPath, file_get_contents($source));
+
+        try {
+            $this->handler->withFile($tempPath);
+            $text = "Hello'; echo 123456 > {$injectionFile}; echo 'World";
+            $this->handler->text($text);
+        } finally {
+            // Check that the command injection file was NOT created
+            $this->assertFileDoesNotExist($injectionFile);
+
+            if (file_exists($tempPath)) {
+                unlink($tempPath);
+            }
+        }
+    }
+
     public function testClearMetadataEnsuresResource(): void
     {
         $this->expectException(ImageException::class);
diff --git a/user_guide_src/source/changelogs/v4.6.2.rst b/user_guide_src/source/changelogs/v4.6.2.rst
@@ -2,7 +2,7 @@
 Version 4.6.2
 #############
 
-Release Date: Unreleased
+Release Date: July 26, 2025
 
 **4.6.2 release of CodeIgniter4**
 
@@ -11,12 +11,12 @@ Release Date: Unreleased
     :depth: 3
 
 ********
-BREAKING
+SECURITY
 ********
 
-***************
-Message Changes
-***************
+- **ImageMagick Handler:** *Command Injection Vulnerability in ImageMagick Handler* was fixed.
+  See the `Security advisory GHSA-9952-gv64-x94c <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c>`_
+  for more information.
 
 *******
 Changes
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
@@ -26,7 +26,7 @@
 version = '4.6'
 
 # The full version, including alpha/beta/rc tags.
-release = '4.6.1'
+release = '4.6.2'
 
 # -- General configuration ---------------------------------------------------
 
diff --git a/user_guide_src/source/installation/upgrade_462.rst b/user_guide_src/source/installation/upgrade_462.rst
@@ -12,18 +12,6 @@ Please refer to the upgrade instructions corresponding to your installation meth
     :local:
     :depth: 2
 
-**********************
-Mandatory File Changes
-**********************
-
-****************
-Breaking Changes
-****************
-
-*********************
-Breaking Enhancements
-*********************
-
 *************
 Project Files
 *************
@@ -44,12 +32,33 @@ and it is recommended that you merge the updated versions with your application:
 Config
 ------
 
-- @TODO
+- app/Config/Autoload.php
+- app/Config/Cache.php
+- app/Config/Cookie.php
+- app/Config/DocTypes.php
+- app/Config/Logger.php
+- app/Config/Mimes.php
+- app/Config/Modules.php
+- app/Config/Optimize.php
+- app/Config/Paths.php
 
 All Changes
 ===========
 
 This is a list of all files in the **project space** that received changes;
 many will be simple comments or formatting that have no effect on the runtime:
 
-- @TODO
+- app/Config/Autoload.php
+- app/Config/Cache.php
+- app/Config/Cookie.php
+- app/Config/DocTypes.php
+- app/Config/Logger.php
+- app/Config/Mimes.php
+- app/Config/Modules.php
+- app/Config/Optimize.php
+- app/Config/Paths.php
+- app/Views/errors/html/debug.css
+- app/Views/errors/html/error_exception.php
+- preload.php
+- public/index.php
+- spark
