Merge branch 'develop' into 4.7

Author: paulbalandan

.php-cs-fixer.tests.php

@@ -31,7 +31,8 @@
     ->notName('#Foobar.php$#');
 
 $overrides = [
-    'void_return' => true,
+    'phpdoc_to_return_type' => true,
+    'void_return'           => true,
 ];
 
 return $config

admin/framework/composer.json

@@ -13,7 +13,7 @@
         "php": "^8.1",
         "ext-intl": "*",
         "ext-mbstring": "*",
-        "laminas/laminas-escaper": "^2.14",
+        "laminas/laminas-escaper": "^2.17",
         "psr/log": "^3.0"
     },
     "require-dev": {

composer.json

@@ -13,7 +13,7 @@
         "php": "^8.1",
         "ext-intl": "*",
         "ext-mbstring": "*",
-        "laminas/laminas-escaper": "^2.14",
+        "laminas/laminas-escaper": "^2.17",
         "psr/log": "^3.0"
     },
     "require-dev": {
@@ -28,7 +28,7 @@
         "phpunit/phpcov": "^9.0.2 || ^10.0",
         "phpunit/phpunit": "^10.5.16 || ^11.2",
         "predis/predis": "^3.0",
-        "rector/rector": "2.0.15",
+        "rector/rector": "2.0.16",
         "shipmonk/phpstan-baseline-per-identifier": "^2.0"
     },
     "replace": {

phpstan-bootstrap.php

@@ -1,6 +1,6 @@
 <?php
 
-require __DIR__ . '/system/Test/bootstrap.php';
+require __DIR__ . '/system/util_bootstrap.php';
 
 if (! defined('OCI_COMMIT_ON_SUCCESS')) {
     define('OCI_COMMIT_ON_SUCCESS', 32);

psalm_autoload.php

@@ -2,7 +2,7 @@
 
 declare(strict_types=1);
 
-require __DIR__ . '/system/Test/bootstrap.php';
+require __DIR__ . '/system/util_bootstrap.php';
 
 $helperDirs = [
     'system/Helpers',

rector.php

@@ -71,7 +71,7 @@
     ])
     // do you need to include constants, class aliases or custom autoloader? files listed will be executed
     ->withBootstrapFiles([
-        __DIR__ . '/system/Test/bootstrap.php',
+        __DIR__ . '/system/util_bootstrap.php',
     ])
     ->withPHPStanConfigs([
         __DIR__ . '/phpstan.neon.dist',

system/Boot.php

@@ -16,6 +16,7 @@
 use CodeIgniter\Cache\FactoriesCache;
 use CodeIgniter\CLI\Console;
 use CodeIgniter\Config\DotEnv;
+use Config\App;
 use Config\Autoload;
 use Config\Modules;
 use Config\Optimize;
@@ -75,6 +76,34 @@ public static function bootWeb(Paths $paths): int
         return EXIT_SUCCESS;
     }
 
+    /**
+     * Used by command line scripts other than
+     * * `spark`
+     * * `php-cli`
+     * * `phpunit`
+     *
+     * @used-by `system/util_bootstrap.php`
+     */
+    public static function bootConsole(Paths $paths): void
+    {
+        static::definePathConstants($paths);
+        static::loadConstants();
+        static::checkMissingExtensions();
+
+        static::loadDotEnv($paths);
+        static::loadEnvironmentBootstrap($paths);
+
+        static::loadCommonFunctions();
+        static::loadAutoloader();
+        static::setExceptionHandler();
+        static::initializeKint();
+        static::autoloadHelpers();
+
+        // We need to force the request to be a CLIRequest since we're in console
+        Services::createRequest(new App(), true);
+        service('routes')->loadRoutes();
+    }
+
     /**
      * Used by `spark`
      *

system/Config/AutoloadConfig.php

@@ -14,6 +14,7 @@
 namespace CodeIgniter\Config;
 
 use Laminas\Escaper\Escaper;
+use Laminas\Escaper\EscaperInterface;
 use Laminas\Escaper\Exception\ExceptionInterface;
 use Laminas\Escaper\Exception\InvalidArgumentException as EscaperInvalidArgumentException;
 use Laminas\Escaper\Exception\RuntimeException;
@@ -119,6 +120,7 @@ class AutoloadConfig
         ExceptionInterface::class              => SYSTEMPATH . 'ThirdParty/Escaper/Exception/ExceptionInterface.php',
         EscaperInvalidArgumentException::class => SYSTEMPATH . 'ThirdParty/Escaper/Exception/InvalidArgumentException.php',
         RuntimeException::class                => SYSTEMPATH . 'ThirdParty/Escaper/Exception/RuntimeException.php',
+        EscaperInterface::class                => SYSTEMPATH . 'ThirdParty/Escaper/EscaperInterface.php',
         Escaper::class                         => SYSTEMPATH . 'ThirdParty/Escaper/Escaper.php',
     ];
 

system/Cookie/Cookie.php

@@ -99,7 +99,16 @@ class Cookie implements ArrayAccess, CloneableCookieInterface
      * Default attributes for a Cookie object. The keys here are the
      * lowercase attribute names. Do not camelCase!
      *
-     * @var array<string, bool|int|string>
+     * @var array{
+     *  prefix: string,
+     *  expires: int,
+     *  path: string,
+     *  domain: string,
+     *  secure: bool,
+     *  httponly: bool,
+     *  samesite: string,
+     *  raw: bool,
+     * }
      */
     private static array $defaults = [
         'prefix'   => '',
@@ -127,9 +136,27 @@ class Cookie implements ArrayAccess, CloneableCookieInterface
      *
      * This method is called from Response::__construct().
      *
-     * @param array<string, bool|int|string>|CookieConfig $config
+     * @param array{
+     *  prefix?: string,
+     *  expires?: int,
+     *  path?: string,
+     *  domain?: string,
+     *  secure?: bool,
+     *  httponly?: bool,
+     *  samesite?: string,
+     *  raw?: bool,
+     * }|CookieConfig $config
      *
-     * @return array<string, mixed> The old defaults array. Useful for resetting.
+     * @return array{
+     *  prefix: string,
+     *  expires: int,
+     *  path: string,
+     *  domain: string,
+     *  secure: bool,
+     *  httponly: bool,
+     *  samesite: string,
+     *  raw: bool,
+     * } The old defaults array. Useful for resetting.
      */
     public static function setDefaults($config = [])
     {
@@ -198,9 +225,9 @@ public static function fromHeaderString(string $cookie, bool $raw = false)
     /**
      * Construct a new Cookie instance.
      *
-     * @param string                         $name    The cookie's name
-     * @param string                         $value   The cookie's value
-     * @param array<string, bool|int|string> $options The cookie's options
+     * @param string                                                                                                                                                                                      $name    The cookie's name
+     * @param string                                                                                                                                                                                      $value   The cookie's value
+     * @param array{prefix?: string, max-age?: int|numeric-string, expires?: DateTimeInterface|int|string, path?: string, domain?: string, secure?: bool, httponly?: bool, samesite?: string, raw?: bool} $options The cookie's options
      *
      * @throws CookieException
      */

system/Cookie/CookieInterface.php

@@ -145,7 +145,14 @@ public function isRaw(): bool;
      * Gets the options that are passable to the `setcookie` variant
      * available on PHP 7.3+
      *
-     * @return array<string, bool|int|string>
+     * @return array{
+     *  expires: int,
+     *  path: string,
+     *  domain: string,
+     *  secure: bool,
+     *  httponly: bool,
+     *  samesite: string,
+     * }
      */
     public function getOptions(): array;
 
@@ -164,7 +171,18 @@ public function __toString();
     /**
      * Returns the array representation of the Cookie object.
      *
-     * @return array<string, bool|int|string>
+     * @return array{
+     *  name: string,
+     *  value: string,
+     *  prefix: string,
+     *  raw: bool,
+     *  expires: int,
+     *  path: string,
+     *  domain: string,
+     *  secure: bool,
+     *  httponly: bool,
+     *  samesite: string,
+     * }
      */
     public function toArray(): array;
 }

system/Helpers/security_helper.php

@@ -15,11 +15,69 @@
 
 if (! function_exists('sanitize_filename')) {
     /**
-     * Sanitize a filename to use in a URI.
+     * Sanitize Filename
+     *
+     * Tries to sanitize filenames in order to prevent directory traversal attempts
+     * and other security threats, which is particularly useful for files that
+     * were supplied via user input.
+     *
+     * If it is acceptable for the user input to include relative paths,
+     * e.g. file/in/some/approved/folder.txt, you can set the second optional
+     * parameter, $relativePath to TRUE.
+     *
+     * @param string $filename     Input file name
+     * @param bool   $relativePath Whether to preserve paths
      */
-    function sanitize_filename(string $filename): string
+    function sanitize_filename(string $filename, bool $relativePath = false): string
     {
-        return service('security')->sanitizeFilename($filename);
+        // List of sanitized filename strings
+        $bad = [
+            '../',
+            '<!--',
+            '-->',
+            '<',
+            '>',
+            "'",
+            '"',
+            '&',
+            '$',
+            '#',
+            '{',
+            '}',
+            '[',
+            ']',
+            '=',
+            ';',
+            '?',
+            '%20',
+            '%22',
+            '%3c',
+            '%253c',
+            '%3e',
+            '%0e',
+            '%28',
+            '%29',
+            '%2528',
+            '%26',
+            '%24',
+            '%3f',
+            '%3b',
+            '%3d',
+        ];
+
+        if (! $relativePath) {
+            $bad[] = './';
+            $bad[] = '/';
+        }
+
+        $filename = remove_invisible_characters($filename, false);
+
+        do {
+            $old      = $filename;
+            $filename = str_replace($bad, '', $filename);
+        } while ($old !== $filename);
+
+        return stripslashes($filename);
     }
 }
 

system/Security/Security.php

@@ -427,59 +427,16 @@ public function shouldRedirect(): bool
      * e.g. file/in/some/approved/folder.txt, you can set the second optional
      * parameter, $relativePath to TRUE.
      *
+     * @deprecated 4.6.2 Use `sanitize_filename()` instead
+     *
      * @param string $str          Input file name
      * @param bool   $relativePath Whether to preserve paths
      */
     public function sanitizeFilename(string $str, bool $relativePath = false): string
     {
-        // List of sanitize filename strings
-        $bad = [
-            '../',
-            '<!--',
-            '-->',
-            '<',
-            '>',
-            "'",
-            '"',
-            '&',
-            '$',
-            '#',
-            '{',
-            '}',
-            '[',
-            ']',
-            '=',
-            ';',
-            '?',
-            '%20',
-            '%22',
-            '%3c',
-            '%253c',
-            '%3e',
-            '%0e',
-            '%28',
-            '%29',
-            '%2528',
-            '%26',
-            '%24',
-            '%3f',
-            '%3b',
-            '%3d',
-        ];
-
-        if (! $relativePath) {
-            $bad[] = './';
-            $bad[] = '/';
-        }
-
-        $str = remove_invisible_characters($str, false);
-
-        do {
-            $old = $str;
-            $str = str_replace($bad, '', $str);
-        } while ($old !== $str);
+        helper('security');
 
-        return stripslashes($str);
+        return sanitize_filename($str, $relativePath);
     }
 
     /**

system/Security/SecurityInterface.php

@@ -66,6 +66,8 @@ public function shouldRedirect(): bool;
      * e.g. file/in/some/approved/folder.txt, you can set the second optional
      * parameter, $relativePath to TRUE.
      *
+     * @deprecated 4.6.2 Use `sanitize_filename()` instead
+     *
      * @param string $str          Input file name
      * @param bool   $relativePath Whether to preserve paths
      */