Merge pull request from GHSA-6gch-wjxj-hc2w

Improve CSRF protection (for Shield CSRF security fix)

Author: MGatner

system/Security/Security.php

@@ -528,9 +528,9 @@ private function restoreHash(): void
     }
 
     /**
-     * Generates (Regenerate) the CSRF Hash.
+     * Generates (Regenerates) the CSRF Hash.
      */
-    protected function generateHash(): string
+    public function generateHash(): string
     {
         $this->hash = bin2hex(random_bytes(static::CSRF_HASH_BYTES));
 

tests/system/Security/SecurityTest.php

@@ -243,6 +243,32 @@ public function testRegenerateWithFalseSecurityRegenerateProperty()
         $this->assertSame($oldHash, $newHash);
     }
 
+    public function testRegenerateWithFalseSecurityRegeneratePropertyManually()
+    {
+        $_SERVER['REQUEST_METHOD']   = 'POST';
+        $_POST['csrf_test_name']     = '8b9218a55906f9dcc1dc263dce7f005a';
+        $_COOKIE['csrf_cookie_name'] = '8b9218a55906f9dcc1dc263dce7f005a';
+
+        $config             = new SecurityConfig();
+        $config->regenerate = false;
+        Factories::injectMock('config', 'Security', $config);
+
+        $security = new MockSecurity(new MockAppConfig());
+        $request  = new IncomingRequest(
+            new MockAppConfig(),
+            new URI('http://badurl.com'),
+            null,
+            new UserAgent()
+        );
+
+        $oldHash = $security->getHash();
+        $security->verify($request);
+        $security->generateHash();
+        $newHash = $security->getHash();
+
+        $this->assertNotSame($oldHash, $newHash);
+    }
+
     public function testRegenerateWithTrueSecurityRegenerateProperty()
     {
         $_SERVER['REQUEST_METHOD']   = 'POST';

user_guide_src/source/changelogs/v4.2.2.rst

@@ -18,11 +18,6 @@ BREAKING
 - A bug that caused pages to be cached before after filters were executed when using page caching has been fixed. Adding response headers or changing the response body in after filters now caches them correctly.
 - Due to a bug fix, now :php:func:`random_string` with the first parameter ``'crypto'`` throws ``InvalidArgumentException`` if the second parameter ``$len`` is an odd number.
 
-Enhancements
-************
-
-none.
-
 Changes
 *******
 

user_guide_src/source/changelogs/v4.2.3.rst

@@ -17,7 +17,7 @@ none.
 Enhancements
 ************
 
-none.
+- Now ``Security::generateHash()`` is public, and can be used to regenerate CSRF token manually when ``Config\Security::$regenerate`` is false.
 
 Changes
 *******

user_guide_src/source/libraries/security.rst

@@ -106,6 +106,9 @@ may alter this behavior by editing the following config parameter value in
 
 .. literalinclude:: security/004.php
 
+.. note:: Since v4.2.3, you can regenerate CSRF token manually with the
+    ``Security::generateHash()`` method.
+
 Redirection on Failure
 ----------------------