Merge branch '4.3' into feature-timer-record-callable

Author: rumpfc

app/Views/errors/html/error_404.php

@@ -2,7 +2,7 @@
 <html lang="en">
 <head>
     <meta charset="utf-8">
-    <title>404 Page Not Found</title>
+    <title><?= lang('Errors.pageNotFound') ?></title>
 
     <style>
         div.logo {
@@ -70,13 +70,13 @@
 </head>
 <body>
     <div class="wrap">
-        <h1>404 - File Not Found</h1>
+        <h1>404</h1>
 
         <p>
             <?php if (! empty($message) && $message !== '(null)') : ?>
                 <?= nl2br(esc($message)) ?>
             <?php else : ?>
-                Sorry! Cannot seem to find the page you were looking for.
+                <?= lang('Errors.sorryCannotFind') ?>
             <?php endif ?>
         </p>
     </div>

system/Database/OCI8/Result.php

@@ -13,7 +13,7 @@
 
 use CodeIgniter\Database\BaseResult;
 use CodeIgniter\Database\ResultInterface;
-use CodeIgniter\Entity;
+use CodeIgniter\Entity\Entity;
 
 /**
  * Result for OCI8

system/Language/en/Errors.php

@@ -11,6 +11,8 @@
 
 // Errors language settings
 return [
-    'whoops'     => 'Whoops!',
-    'weHitASnag' => 'We seem to have hit a snag. Please try again later...',
+    'pageNotFound'    => '404 - Page Not Found',
+    'sorryCannotFind' => 'Sorry! Cannot seem to find the page you were looking for.',
+    'whoops'          => 'Whoops!',
+    'weHitASnag'      => 'We seem to have hit a snag. Please try again later...',
 ];

system/Security/Security.php

@@ -54,7 +54,7 @@ class Security implements SecurityInterface
     protected $tokenRandomize = false;
 
     /**
-     * CSRF Hash
+     * CSRF Hash (without randomization)
      *
      * Random hash for Cross Site Request Forgery protection.
      *
@@ -88,7 +88,7 @@ class Security implements SecurityInterface
     protected $cookie;
 
     /**
-     * CSRF Cookie Name
+     * CSRF Cookie Name (with Prefix)
      *
      * Cookie name for Cross Site Request Forgery protection.
      *
@@ -154,6 +154,14 @@ class Security implements SecurityInterface
      */
     private ?Session $session = null;
 
+    /**
+     * CSRF Hash in Request Cookie
+     *
+     * The cookie value is always CSRF hash (without randomization) even if
+     * $tokenRandomize is true.
+     */
+    private ?string $hashInCookie = null;
+
     /**
      * Constructor.
      *
@@ -192,9 +200,13 @@ public function __construct(App $config)
             $this->configureSession();
         }
 
-        $this->request = Services::request();
+        $this->request      = Services::request();
+        $this->hashInCookie = $this->request->getCookie($this->cookieName);
 
-        $this->generateHash();
+        $this->restoreHash();
+        if ($this->hash === null) {
+            $this->generateHash();
+        }
     }
 
     private function isCSRFCookie(): bool
@@ -240,7 +252,7 @@ public function CSRFVerify(RequestInterface $request)
     }
 
     /**
-     * Returns the CSRF Hash.
+     * Returns the CSRF Token.
      *
      * @deprecated Use `CodeIgniter\Security\Security::getHash()` instead of using this method.
      *
@@ -293,6 +305,22 @@ public function verify(RequestInterface $request)
             throw SecurityException::forDisallowedAction();
         }
 
+        $this->removeTokenInRequest($request);
+
+        if ($this->regenerate) {
+            $this->generateHash();
+        }
+
+        log_message('info', 'CSRF token verified.');
+
+        return $this;
+    }
+
+    /**
+     * Remove token in POST or JSON request data
+     */
+    private function removeTokenInRequest(RequestInterface $request): void
+    {
         $json = json_decode($request->getBody() ?? '');
 
         if (isset($_POST[$this->tokenName])) {
@@ -304,22 +332,6 @@ public function verify(RequestInterface $request)
             unset($json->{$this->tokenName});
             $request->setBody(json_encode($json));
         }
-
-        if ($this->regenerate) {
-            $this->hash = null;
-            if ($this->isCSRFCookie()) {
-                unset($_COOKIE[$this->cookieName]);
-            } else {
-                // Session based CSRF protection
-                $this->session->remove($this->tokenName);
-            }
-        }
-
-        $this->generateHash();
-
-        log_message('info', 'CSRF token verified.');
-
-        return $this;
     }
 
     private function getPostedToken(RequestInterface $request): ?string
@@ -342,7 +354,7 @@ private function getPostedToken(RequestInterface $request): ?string
     }
 
     /**
-     * Returns the CSRF Hash.
+     * Returns the CSRF Token.
      */
     public function getHash(): ?string
     {
@@ -351,6 +363,10 @@ public function getHash(): ?string
 
     /**
      * Randomize hash to avoid BREACH attacks.
+     *
+     * @params string $hash CSRF hash
+     *
+     * @return string CSRF token
      */
     protected function randomize(string $hash): string
     {
@@ -367,7 +383,11 @@ protected function randomize(string $hash): string
     /**
      * Derandomize the token.
      *
+     * @params string $token CSRF token
+     *
      * @throws InvalidArgumentException "hex2bin(): Hexadecimal input string must have an even length"
+     *
+     * @return string CSRF hash
      */
     protected function derandomize(string $token): string
     {
@@ -493,42 +513,47 @@ public function sanitizeFilename(string $str, bool $relativePath = false): strin
     }
 
     /**
-     * Generates the CSRF Hash.
+     * Restore hash from Session or Cookie
      */
-    protected function generateHash(): string
+    private function restoreHash(): void
     {
-        if ($this->hash === null) {
-            // If the cookie exists we will use its value.
-            // We don't necessarily want to regenerate it with
-            // each page load since a page could contain embedded
-            // sub-pages causing this feature to fail
-            if ($this->isCSRFCookie()) {
-                if ($this->isHashInCookie()) {
-                    return $this->hash = $_COOKIE[$this->cookieName];
-                }
-            } elseif ($this->session->has($this->tokenName)) {
-                // Session based CSRF protection
-                return $this->hash = $this->session->get($this->tokenName);
+        if ($this->isCSRFCookie()) {
+            if ($this->isHashInCookie()) {
+                $this->hash = $this->hashInCookie;
             }
+        } elseif ($this->session->has($this->tokenName)) {
+            // Session based CSRF protection
+            $this->hash = $this->session->get($this->tokenName);
+        }
+    }
 
-            $this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));
+    /**
+     * Generates (Regenerate) the CSRF Hash.
+     */
+    protected function generateHash(): string
+    {
+        $this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));
 
-            if ($this->isCSRFCookie()) {
-                $this->saveHashInCookie();
-            } else {
-                // Session based CSRF protection
-                $this->saveHashInSession();
-            }
+        if ($this->isCSRFCookie()) {
+            $this->saveHashInCookie();
+        } else {
+            // Session based CSRF protection
+            $this->saveHashInSession();
         }
 
         return $this->hash;
     }
 
     private function isHashInCookie(): bool
     {
-        return isset($_COOKIE[$this->cookieName])
-        && is_string($_COOKIE[$this->cookieName])
-        && preg_match('#^[0-9a-f]{32}$#iS', $_COOKIE[$this->cookieName]) === 1;
+        if ($this->hashInCookie === null) {
+            return false;
+        }
+
+        $length  = static::CSRF_HASH_BYTES * 2;
+        $pattern = '#^[0-9a-f]{' . $length . '}$#iS';
+
+        return preg_match($pattern, $this->hashInCookie) === 1;
     }
 
     private function saveHashInCookie(): void

tests/system/Security/SecurityCSRFCookieRandomizeTokenTest.php

@@ -0,0 +1,88 @@
+<?php
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <[email protected]>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\Security;
+
+use CodeIgniter\Config\Factories;
+use CodeIgniter\Cookie\Cookie;
+use CodeIgniter\HTTP\IncomingRequest;
+use CodeIgniter\HTTP\URI;
+use CodeIgniter\HTTP\UserAgent;
+use CodeIgniter\Test\CIUnitTestCase;
+use CodeIgniter\Test\Mock\MockAppConfig;
+use CodeIgniter\Test\Mock\MockSecurity;
+use Config\Security as SecurityConfig;
+
+/**
+ * @internal
+ */
+final class SecurityCSRFCookieRandomizeTokenTest extends CIUnitTestCase
+{
+    /**
+     * @var string CSRF protection hash
+     */
+    private string $hash = '8b9218a55906f9dcc1dc263dce7f005a';
+
+    /**
+     * @var string CSRF randomized token
+     */
+    private string $randomizedToken = '8bc70b67c91494e815c7d2219c1ae0ab005513c290126d34d41bf41c5265e0f1';
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $_COOKIE = [];
+
+        $config                 = new SecurityConfig();
+        $config->csrfProtection = Security::CSRF_PROTECTION_COOKIE;
+        $config->tokenRandomize = true;
+        Factories::injectMock('config', 'Security', $config);
+
+        // Set Cookie value
+        $security                            = new MockSecurity(new MockAppConfig());
+        $_COOKIE[$security->getCookieName()] = $this->hash;
+
+        $this->resetServices();
+    }
+
+    public function testTokenIsReadFromCookie()
+    {
+        $security = new MockSecurity(new MockAppConfig());
+
+        $this->assertSame(
+            $this->randomizedToken,
+            $security->getHash()
+        );
+    }
+
+    public function testCSRFVerifySetNewCookie()
+    {
+        $_SERVER['REQUEST_METHOD'] = 'POST';
+        $_POST['foo']              = 'bar';
+        $_POST['csrf_test_name']   = $this->randomizedToken;
+
+        $request = new IncomingRequest(new MockAppConfig(), new URI('http://badurl.com'), null, new UserAgent());
+
+        $security = new Security(new MockAppConfig());
+
+        $this->assertInstanceOf(Security::class, $security->verify($request));
+        $this->assertLogged('info', 'CSRF token verified.');
+        $this->assertCount(1, $_POST);
+
+        /** @var Cookie $cookie */
+        $cookie  = $this->getPrivateProperty($security, 'cookie');
+        $newHash = $cookie->getValue();
+
+        $this->assertNotSame($this->hash, $newHash);
+        $this->assertSame(32, strlen($newHash));
+    }
+}

tests/system/Security/SecurityTest.php

@@ -36,7 +36,7 @@ protected function setUp(): void
 
         $_COOKIE = [];
 
-        Factories::reset();
+        $this->resetServices();
     }
 
     public function testBasicConfigIsSaved()

user_guide_src/source/changelogs/v4.0.4.rst

@@ -16,7 +16,7 @@ Enhancements:
 - New Testing Feature: :doc:`Fabricator </testing/fabricator>` makes creating mock classes simple and repeatable in your tests.
 - Model class can now have the callbacks overridden at runtime. Useful for testing.
 - A number of improvements to :doc:`Feature Tests </testing/feature>` in general.
-- New :doc:`command() helper function </cli/cli_commands>` to programatically run your CLI commands. Useful for testing and cron jobs.
+- New :doc:`command() helper function </cli/spark_commands>` to programatically run your CLI commands. Useful for testing and cron jobs.
 - New command, ``make:seeder`` to generate a :doc:`Database Seed class </dbmgmt/seeds>` skeleton file.
 - Colors now available on the CLI within Windows, as well as other Windows-related CLI improvements.
 - New helper :doc:`mb_url_title </helpers/url_helper>` that functions like ``url_title`` but automatically escapes and extended URL characters.

user_guide_src/source/installation/index.rst

@@ -2,9 +2,8 @@
 Installation
 ############
 
-CodeIgniter4 can be installed in a number of different ways: manually,
-using `Composer <https://getcomposer.org>`_, or using
-`Git <https://git-scm.com/>`_.
+CodeIgniter has two supported installation methods: manual download,
+or using `Composer <https://getcomposer.org>`_.
 Which is right for you?
 
 - We recommend the Composer installation because it keeps CodeIgniter up to date easily.