Merge pull request from GHSA-xjp4-6w75-qrj7

MGatner · web-flow · commit 202f41ad522b · 2022-02-25T19:49:22.000-05:00
Hotfix 4.1.9
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## [v4.1.9](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.9) (2022-02-25)
+
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.8...v4.1.9)
+
+**SECURITY**
+
+* *Remote CLI Command Execution Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7) for more information.
+* *Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability* was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554) for more information.
+
 ## [v4.1.8](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.8) (2022-01-24)
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.7...v4.1.8)
diff --git a/composer.json b/composer.json
@@ -15,13 +15,13 @@
         "psr/log": "^1.1"
     },
     "require-dev": {
-        "codeigniter/coding-standard": "^1.1",
+        "codeigniter/coding-standard": "1.2.*",
         "fakerphp/faker": "^1.9",
-        "friendsofphp/php-cs-fixer": "^3.1",
+        "friendsofphp/php-cs-fixer": "3.2.*",
         "mikey179/vfsstream": "^1.6",
         "nexusphp/cs-config": "^3.3",
         "nexusphp/tachycardia": "^1.0",
-        "phpstan/phpstan": "^1.0",
+        "phpstan/phpstan": "1.4.3",
         "phpunit/phpunit": "^9.1",
         "predis/predis": "^1.1",
         "rector/rector": "0.12.10"
diff --git a/phpstan-baseline.neon.dist b/phpstan-baseline.neon.dist
@@ -115,11 +115,6 @@ parameters:
 			count: 1
 			path: system/CodeIgniter.php
 
-		-
-			message: "#^Dead catch \\- CodeIgniter\\\\Exceptions\\\\PageNotFoundException is never thrown in the try block\\.$#"
-			count: 1
-			path: system/CodeIgniter.php
-
 		-
 			message: "#^Property Config\\\\App\\:\\:\\$appTimezone \\(string\\) on left side of \\?\\? is not nullable\\.$#"
 			count: 1
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
@@ -45,7 +45,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.1.8';
+    public const CI_VERSION = '4.1.9';
 
     private const MIN_PHP_VERSION = '7.3';
 
@@ -299,6 +299,12 @@ public function run(?RouteCollectionInterface $routes = null, bool $returnRespon
 
         $this->spoofRequestMethod();
 
+        if ($this->request instanceof IncomingRequest && $this->request->getMethod() === 'cli') {
+            $this->response->setStatusCode(405)->setBody('Method Not Allowed');
+
+            return $this->sendResponse();
+        }
+
         Events::trigger('pre_system');
 
         // Check for a cached page. Execution will stop
@@ -352,6 +358,7 @@ public function useSafeOutput(bool $safe = true)
     /**
      * Handles the main request logic and fires the controller.
      *
+     * @throws PageNotFoundException
      * @throws RedirectException
      *
      * @return mixed|RequestInterface|ResponseInterface
@@ -976,7 +983,10 @@ public function spoofRequestMethod()
             return;
         }
 
-        $this->request = $this->request->setMethod($method);
+        // Only allows PUT, PATCH, DELETE
+        if (in_array(strtoupper($method), ['PUT', 'PATCH', 'DELETE'], true)) {
+            $this->request = $this->request->setMethod($method);
+        }
     }
 
     /**
diff --git a/tests/system/CodeIgniterTest.php b/tests/system/CodeIgniterTest.php
@@ -425,4 +425,59 @@ public function testRunDefaultRoute()
 
         $this->assertStringContainsString('Welcome to CodeIgniter', $output);
     }
+
+    public function testRunCLIRoute()
+    {
+        $_SERVER['argv'] = ['index.php', 'cli'];
+        $_SERVER['argc'] = 2;
+
+        $_SERVER['REQUEST_URI']     = '/cli';
+        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['REQUEST_METHOD']  = 'CLI';
+
+        $routes = Services::routes();
+        $routes->cli('cli', '\Tests\Support\Controllers\Popcorn::index');
+
+        ob_start();
+        $this->codeigniter->useSafeOutput(true)->run();
+        $output = ob_get_clean();
+
+        $this->assertStringContainsString('Method Not Allowed', $output);
+    }
+
+    public function testSpoofRequestMethodCanUsePUT()
+    {
+        $_SERVER['argv'] = ['index.php'];
+        $_SERVER['argc'] = 1;
+
+        $_SERVER['REQUEST_URI']     = '/';
+        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['REQUEST_METHOD']  = 'POST';
+
+        $_POST['_method'] = 'PUT';
+
+        ob_start();
+        $this->codeigniter->useSafeOutput(true)->run();
+        ob_get_clean();
+
+        $this->assertSame('put', Services::request()->getMethod());
+    }
+
+    public function testSpoofRequestMethodCannotUseGET()
+    {
+        $_SERVER['argv'] = ['index.php'];
+        $_SERVER['argc'] = 1;
+
+        $_SERVER['REQUEST_URI']     = '/';
+        $_SERVER['SERVER_PROTOCOL'] = 'HTTP/1.1';
+        $_SERVER['REQUEST_METHOD']  = 'POST';
+
+        $_POST['_method'] = 'GET';
+
+        ob_start();
+        $this->codeigniter->useSafeOutput(true)->run();
+        ob_get_clean();
+
+        $this->assertSame('post', Services::request()->getMethod());
+    }
 }
diff --git a/tests/system/Commands/CommandTest.php b/tests/system/Commands/CommandTest.php
@@ -27,6 +27,8 @@ final class CommandTest extends CIUnitTestCase
 
     protected function setUp(): void
     {
+        $this->resetServices();
+
         parent::setUp();
 
         CITestStreamFilter::$buffer = '';
diff --git a/user_guide_src/source/changelogs/index.rst b/user_guide_src/source/changelogs/index.rst
@@ -12,6 +12,7 @@ See all the changes.
 .. toctree::
     :titlesonly:
 
+    v4.1.9
     v4.1.8
     v4.1.7
     v4.1.6
diff --git a/user_guide_src/source/changelogs/v4.1.9.rst b/user_guide_src/source/changelogs/v4.1.9.rst
@@ -0,0 +1,16 @@
+Version 4.1.9
+#############
+
+Release Date: February 25, 2022
+
+**4.1.9 release of CodeIgniter4**
+
+.. contents::
+    :local:
+    :depth: 2
+
+SECURITY
+********
+
+- *Remote CLI Command Execution Vulnerability* was fixed. See the `Security advisory GHSA-xjp4-6w75-qrj7 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-xjp4-6w75-qrj7>`_ for more information.
+- *Cross-Site Request Forgery (CSRF) Protection Bypass Vulnerability* was fixed. See the `Security advisory GHSA-4v37-24gm-h554 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-4v37-24gm-h554>`_ for more information.
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
@@ -24,7 +24,7 @@
 version = '4.1'
 
 # The full version, including alpha/beta/rc tags.
-release = '4.1.8'
+release = '4.1.9'
 
 # -- General configuration ---------------------------------------------------
 
diff --git a/user_guide_src/source/installation/upgrading.rst b/user_guide_src/source/installation/upgrading.rst
@@ -8,6 +8,7 @@ upgrading from.
 .. toctree::
     :titlesonly:
 
+    Upgrading from 4.1.7 to 4.1.8 <upgrade_418>
     Upgrading from 4.1.6 to 4.1.7 <upgrade_417>
     Upgrading from 4.1.5 to 4.1.6 <upgrade_416>
     Upgrading from 4.1.4 to 4.1.5 <upgrade_415>

Original file line number	Diff line number	Diff line change
`@@ -27,6 +27,8 @@ final class CommandTest extends CIUnitTestCase`
`27`	`27`
`28`	`28`	`protected function setUp(): void`
`29`	`29`	`{`
	`30`	`+ $this->resetServices();`
	`31`	`+`
`30`	`32`	`parent::setUp();`
`31`	`33`
`32`	`34`	`CITestStreamFilter::$buffer = '';`