Merge pull request #34 from monkenWu/update_to_4.1.5

Update to 4.1.5

Author: monkenWu

security.rst

@@ -0,0 +1,148 @@
+##############
+安全性類別
+##############
+
+安全性類別包含許多方法，有助於保護你的網站免於遭到跨站請求偽造（Cross-Site Request Forgery）攻擊。
+
+.. contents::
+    :local:
+    :depth: 2
+
+*******************
+載入程式庫
+*******************
+
+如果你載入這個程式庫是為了處理 CSRF 保護，那麼你將永遠不需要載入它，因為它已作為一個過濾器運作，不需要手動操作。
+
+如真的有需要直接呼叫這個類別的情況發生，你可以透過 Services 檔案載入它：
+
+::
+
+    $security = \Config\Services::security();
+
+*********************************
+跨站請求偽造（CSRF）
+*********************************
+
+.. warning:: The CSRF Protection is only available for **POST/PUT/PATCH/DELETE** requests.
+    Requests for other methods are not protected.
+
+CSRF Protection Methods
+=======================
+
+By default, the Cookie based CSRF Protection is used. It is
+`Double Submit Cookie <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#double-submit-cookie>`_
+on OWASP Cross-Site Request Forgery Prevention Cheat Sheet.
+
+You can also use Session based CSRF Protection. It is
+`Synchronizer Token Pattern <https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern>`_.
+
+You can set to use the Session based CSRF protection by editing the following config parameter value in
+**app/Config/Security.php**::
+
+    public $csrfProtection = 'session';
+
+Enable CSRF Protection
+======================
+
+你可以透過修改 **app/Config/Filters.php** 開啟 CSRF 的保護功能。並在全域啟用 `CSRF` 過濾器：
+
+::
+
+    public $globals = [
+        'before' => [
+            //'honeypot'
+            'csrf'
+        ]
+    ];
+
+你所選擇的 URI 將會進入 CSRF 保護的白名單（例如：API 端點期待外部 POST 的內容）。你可以在過濾器中添加這些 URI 作為例外狀況::
+
+    public $globals = [
+        'before' => [
+            'csrf' => ['except' => ['api/record/save']]
+        ]
+    ];
+
+也支援輸入正規表示式（與大小寫無關）：
+
+::
+
+    public $globals = [
+        'before' => [
+            'csrf' => ['except' => ['api/record/[0-9]+']]
+        ]
+    ];
+
+HTML 表單
+==========
+
+如果你使用 :doc:`表單輔助函數 <../helpers/form_helper>`，那麼
+:func:`form_open()` 會自動在你的表單中插入一個隱藏的 csrf 欄位。
+
+.. note:: To use auto-generation of CSRF field, you need to turn CSRF filter on to the form page.
+    In most cases it is requested using the ``GET`` method.
+
+如果沒有，你可以使用 ``csrf_token()`` 和 ``csrf_hash()`` 函數。
+
+::
+
+    <input type="hidden" name="<?= csrf_token() ?>" value="<?= csrf_hash() ?>" />
+
+此外，你可以使用 ``csrf_field()`` 方法來產生隱藏的輸入欄位::
+
+    // Generates: <input type="hidden" name="{csrf_token}" value="{csrf_hash}" />
+    <?= csrf_field() ?>
+
+當發送一個 JSON 請求時， CSRF 權杖也可以作為被傳遞的參數之一。
+下一個傳遞 CSRF 權杖的方法是一個特殊的 Http 標頭，它的名稱可以透過函數 ``csrf_header()`` 來實現。
+
+此外，你可以使用 ``csrf_meta()`` 方法便捷地產生 meta 標籤::
+
+    // Generates: <meta name="{csrf_header}" content="{csrf_hash}" />
+    <?= csrf_meta() ?>
+
+The Order of Token Sent by Users
+================================
+
+檢查 CSRF 權杖可用性的順序如下:
+
+1. ``$_POST`` 陣列
+2. Http 標頭
+3. ``php://input`` （JSON 請求） - 請記得，這種方法是最慢的，因為我們必須先對 JSON 進行解碼，然後再進行編碼
+
+Token Regeneration
+===================
+
+權杖可以在每次提交時重新產生（預設），也可以在 CSRF cookie 整個生命週期中保持不變。預設將重新產生權杖，這將提供了更好的安全性，但也可能導致可用性問題，例如：其他權杖會變得無效（導覽歷程記錄上一頁或下一頁、多個分頁視窗、非同步操作等）。你可以透過編輯以下設定參數來改變此特性。
+
+::
+
+    public $regenerate  = true;
+
+Redirection on Failure
+======================
+
+當請求沒有通過 CSRF 驗證檢查時，預設情況下將會重新導向上一頁，你可以設定一個 ``error`` 的即時訊息，向終端使用者顯示該訊息，這提供了比瀏覽器崩潰更好的使用者體驗。這個功能可以透過編輯 **app/Config/App.php** 中的 ``$CSRFRedirect`` 值來關閉：
+
+::
+
+    public $redirect = false;
+
+即使重新導向值為  **true**，AJAX 呼叫也不會重新導向，但是會引發錯誤。
+
+*********************
+其他實用方法
+*********************
+
+你不需要直接使用安全性類別中大部分的方法。以下是一些與 CSRF 無關的方法。
+
+**sanitizeFilename()**
+
+嘗試將檔案名稱消毒，以防止「企圖遍歷目錄」和其他安全性問題，這對於經由使用者輸入所提供的檔案特別有用。第一個參數是路徑消毒。
+
+如果允許使用者輸入相對路徑，例如： file/in/some/approved/folder.txt ，可以將第二個可選參數 $relative_path 傳入 true。
+
+::
+
+    $path = $security->sanitizeFilename($request->getVar('filepath'));

source/changelogs/index.rst

@@ -10,25 +10,28 @@ Version |version|
 See all the changes.
 
 .. toctree::
-        :titlesonly:
+    :titlesonly:
 
-        v4.1.2
-        v4.1.1
-        v4.1.0
-        v4.0.5
-        v4.0.4
-        v4.0.3
-        v4.0.0
-        v4.0.0-rc.4
-        v4.0.0-rc.3
-        v4.0.0-rc.2
-        v4.0.0-rc.1
-        v4.0.0-beta.4
-        v4.0.0-beta.3
-        v4.0.0-beta.2
-        v4.0.0-beta.1
-        v4.0.0-alpha.5
-        v4.0.0-alpha.4
-        v4.0.0-alpha.3
-        v4.0.0-alpha.2
-        v4.0.0-alpha.1
+    v4.1.5
+    v4.1.4
+    v4.1.3
+    v4.1.2
+    v4.1.1
+    v4.1.0
+    v4.0.5
+    v4.0.4
+    v4.0.3
+    v4.0.0
+    v4.0.0-rc.4
+    v4.0.0-rc.3
+    v4.0.0-rc.2
+    v4.0.0-rc.1
+    v4.0.0-beta.4
+    v4.0.0-beta.3
+    v4.0.0-beta.2
+    v4.0.0-beta.1
+    v4.0.0-alpha.5
+    v4.0.0-alpha.4
+    v4.0.0-alpha.3
+    v4.0.0-alpha.2
+    v4.0.0-alpha.1

source/changelogs/v4.1.3.rst

@@ -0,0 +1,25 @@
+Version 4.1.3
+=============
+
+Release Date: June 6, 2021
+
+**4.1.3 release of CodeIgniter4**
+
+Enhancements:
+
+- New functions in the File Helper: ``directory_mirror()`` and ``same_file()``
+- Implemented NexusPHP's ``Tachycardia`` for slow test identification
+- Added a new ``$ttl`` option to ``Cache`` config for future use
+
+Changes:
+
+- Added MySQL 8.0 to the test matrix
+- Improved environment detection from ``$_SERVER``
+- Numerous sweeping code improvements via Rector and analysis
+
+Bugs Fixed:
+
+- Fixed a bug where ``CURLRequest`` would try to use a project URI instead of its base
+- Fixed a bug where CLI mode was not detected under ``cgi-fcgi``
+- Fixed a logic bug in Cookie construction
+- Fixed numerous issues in SQLite3's ``Forge`` class related to an incorrect attribute name

source/changelogs/v4.1.4.rst

@@ -0,0 +1,54 @@
+Version 4.1.4
+=============
+
+Release Date: September 6, 2021
+
+**4.1.4 release of CodeIgniter4**
+
+This release focuses on code style. All changes (except those noted below) are cosmetic to bring the code in line with the new
+`CodeIgniter Coding Standard <https://github.com/CodeIgniter/coding-standard>`_ (based on PSR-12).
+
+Breaking Changes:
+
+- The following methods were changed from "public" to "protected" to match their parent class methods and better align with their uses:
+
+    * ``CodeIgniter\Database\MySQLi\Connection::execute()``
+    * ``CodeIgniter\Database\MySQLi\Connection::_fieldData()``
+    * ``CodeIgniter\Database\MySQLi\Connection::_indexData()``
+    * ``CodeIgniter\Database\MySQLi\Connection::_foreignKeyData()``
+    * ``CodeIgniter\Database\Postgre\Builder::_like_statement()``
+    * ``CodeIgniter\Database\Postgre\Connection::execute()``
+    * ``CodeIgniter\Database\Postgre\Connection::_fieldData()``
+    * ``CodeIgniter\Database\Postgre\Connection::_indexData()``
+    * ``CodeIgniter\Database\Postgre\Connection::_foreignKeyData()``
+    * ``CodeIgniter\Database\SQLSRV\Connection::execute()``
+    * ``CodeIgniter\Database\SQLSRV\Connection::_fieldData()``
+    * ``CodeIgniter\Database\SQLSRV\Connection::_indexData()``
+    * ``CodeIgniter\Database\SQLSRV\Connection::_foreignKeyData()``
+    * ``CodeIgniter\Database\SQLite3\Connection::execute()``
+    * ``CodeIgniter\Database\SQLite3\Connection::_fieldData()``
+    * ``CodeIgniter\Database\SQLite3\Connection::_indexData()``
+    * ``CodeIgniter\Database\SQLite3\Connection::_foreignKeyData()``
+    * ``CodeIgniter\Images\Handlers\GDHandler::_flatten()``
+    * ``CodeIgniter\Images\Handlers\GDHandler::_flip()``
+    * ``CodeIgniter\Images\Handlers\ImageMagickHandler::_flatten()``
+    * ``CodeIgniter\Images\Handlers\ImageMagickHandler::_flip()``
+    * ``CodeIgniter\Test\Mock\MockIncomingRequest::detectURI()``
+    * ``CodeIgniter\Test\Mock\MockSecurity.php::sendCookie()``
+
+- To be compatible with the strict inheritance checks of PHP 8.1, the following method signatures were added return types to match their parents' signatures whenever possible:
+
+    * ``CodeIgniter\Cookie\Cookie::offsetExists()``
+    * ``CodeIgniter\Cookie\Cookie::offsetSet()``
+    * ``CodeIgniter\Cookie\Cookie::offsetUnset()``
+    * ``CodeIgniter\Cookie\CookieStore::getIterator()``
+    * ``CodeIgniter\I18n\Time::__wakeup()``
+    * ``CodeIgniter\Test\Filters\CITestStreamFilter::filter()``
+
+- Related to the strict inheritance checks of PHP 8.1, the following session handlers implementing ``SessionHandlerInterface`` have their public methods modified to match the interface:
+
+    * ``CodeIgniter\Session\Handlers\ArrayHandler``
+    * ``CodeIgniter\Session\Handlers\DatabaseHandler``
+    * ``CodeIgniter\Session\Handlers\FileHandler``
+    * ``CodeIgniter\Session\Handlers\MemcachedHandler``
+    * ``CodeIgniter\Session\Handlers\RedisHandler``

source/changelogs/v4.1.5.rst

@@ -0,0 +1,35 @@
+Version 4.1.5
+#############
+
+Release Date: November 8, 2021
+
+**4.1.5 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 1
+
+BREAKING
+========
+
+- Fixed `a bug <https://github.com/codeigniter4/CodeIgniter4/issues/2913>`_ on CSRF protection. Now CSRF protection works on PUT/PATCH/DELETE requests when CSRF filter is applied. If you use such requests, you need to send CSRF token.
+- In the previous version, if you didn't provide your own headers, ``CURLRequest`` would send the request-headers from the browser, due to a bug. As of this version, it does not send them.
+- Fixed ``BaseBuilder::insertBatch()`` return value for ``testMode``. Now it returns SQL string array instead of a number of affected rows. This change was made because of maintaining compatibility between returning types for batch methods. Now the returned data type for ``BaseBuilder::insertBatch()`` is the same as the `updateBatch()` method.
+- Major optimizations have been made to the way data is processed in ``BaseBuilder::insertBatch()`` and ``BaseBuilder::updateBatch()`` methods. This resulted in reduced memory usage and faster query processing. As a trade-off, the result generated by the ``$query->getOriginalQuery()`` method was changed. It no longer returns the query with the binded parameters, but the actual query that was run.
+
+Enhancements
+============
+
+- Added Cache config for reserved characters
+- The ``addForeignKey`` function of the ``Forge`` class can now define composite foreign keys in an array
+- The ``dropKey`` function of the ``Forge`` class can remove key
+
+Changes
+=======
+
+- Always escape identifiers in the ``set``, ``setUpdateBatch``, and ``insertBatch`` functions in ``BaseBuilder``.
+
+Deprecations
+============
+
+- Deprecated ``CodeIgniter\\Cache\\Handlers\\BaseHandler::RESERVED_CHARACTERS`` in favor of the new config property

source/cli/cli.rst

@@ -30,44 +30,46 @@
 
 ::
 
-	<?php namespace App\Controllers;
+    <?php
 
-        use CodeIgniter\Controller;
+    namespace App\Controllers;
 
-	class Tools extends Controller {
+    use CodeIgniter\Controller;
 
-		public function message($to = 'World')
-		{
-			echo "Hello {$to}!".PHP_EOL;
-		}
-	}
+    class Tools extends Controller
+    {
+        public function message($to = 'World')
+        {
+            echo "Hello {$to}!" . PHP_EOL;
+        }
+    }
 
 接著，把這個檔案儲存在你的 **app/Controllers/** 目錄底下。
 
 通常你會使用這樣的 URL 造訪你的網站：
 
 ::
 
-	example.com/index.php/tools/message/to
+    example.com/index.php/tools/message/to
 
 但現在，我們打開 Mac/Linux 的 Terminal ，或者在 Windows 中打開 cmd ，然後定位至 CodeIgniter 的專案根目錄。
 
 .. code-block:: bash
 
-	$ cd /path/to/project/public
-	$ php index.php tools message
+    $ cd /path/to/project/public
+    $ php index.php tools message
 
 如果你做得沒錯，你應該會看到螢幕上出現 *Hello World!* 的訊息。
 
 .. code-block:: bash
 
-	$ php index.php tools message "John Smith"
+    $ php index.php tools message "John Smith"
 
 在這裡，我們使用與 URL 一樣的方式傳遞一個參數， "John Smith" 就會作為參數傳入到控制器方法中，你得輸出就會變為：
 
 ::
 
-	Hello John Smith!
+    Hello John Smith!
 
 基本知識
 ==================