Release v4.4.7

Author: actions-user

LICENSE

@@ -1,7 +1,7 @@
 The MIT License (MIT)
 
 Copyright (c) 2014-2019 British Columbia Institute of Technology
-Copyright (c) 2019-2023 CodeIgniter Foundation
+Copyright (c) 2019-2024 CodeIgniter Foundation
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

app/Config/App.php

@@ -59,6 +59,30 @@ class App extends BaseConfig
      */
     public string $uriProtocol = 'REQUEST_URI';
 
+    /*
+    |--------------------------------------------------------------------------
+    | Allowed URL Characters
+    |--------------------------------------------------------------------------
+    |
+    | This lets you specify which characters are permitted within your URLs.
+    | When someone tries to submit a URL with disallowed characters they will
+    | get a warning message.
+    |
+    | As a security measure you are STRONGLY encouraged to restrict URLs to
+    | as few characters as possible.
+    |
+    | By default, only these are allowed: `a-z 0-9~%.:_-`
+    |
+    | Set an empty string to allow all characters -- but only if you are insane.
+    |
+    | The configured value is actually a regular expression character group
+    | and it will be used as: '/\A[<permittedURIChars>]+\z/iu'
+    |
+    | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
+    |
+    */
+    public string $permittedURIChars = 'a-z 0-9~%.:_\-';
+
     /**
      * --------------------------------------------------------------------------
      * Default Locale

app/Config/Cache.php

@@ -61,7 +61,7 @@ class Cache extends BaseConfig
      *    ['q'] = Enabled, but only take into account the specified list
      *            of query parameters.
      *
-     * @var bool|string[]
+     * @var bool|list<string>
      */
     public $cacheQueryString = false;
 

app/Config/ContentSecurityPolicy.php

@@ -45,28 +45,28 @@ class ContentSecurityPolicy extends BaseConfig
     /**
      * Will default to self if not overridden
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $defaultSrc;
 
     /**
      * Lists allowed scripts' URLs.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $scriptSrc = 'self';
 
     /**
      * Lists allowed stylesheets' URLs.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $styleSrc = 'self';
 
     /**
      * Defines the origins from which images can be loaded.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $imageSrc = 'self';
 
@@ -75,36 +75,36 @@ class ContentSecurityPolicy extends BaseConfig
      *
      * Will default to self if not overridden
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $baseURI;
 
     /**
      * Lists the URLs for workers and embedded frame contents
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $childSrc = 'self';
 
     /**
      * Limits the origins that you can connect to (via XHR,
      * WebSockets, and EventSource).
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $connectSrc = 'self';
 
     /**
      * Specifies the origins that can serve web fonts.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $fontSrc;
 
     /**
      * Lists valid endpoints for submission from `<form>` tags.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $formAction = 'self';
 
@@ -114,48 +114,48 @@ class ContentSecurityPolicy extends BaseConfig
      * and `<applet>` tags. This directive can't be used in
      * `<meta>` tags and applies only to non-HTML resources.
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $frameAncestors;
 
     /**
      * The frame-src directive restricts the URLs which may
      * be loaded into nested browsing contexts.
      *
-     * @var array|string|null
+     * @var list<string>|string|null
      */
     public $frameSrc;
 
     /**
      * Restricts the origins allowed to deliver video and audio.
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $mediaSrc;
 
     /**
      * Allows control over Flash and other plugins.
      *
-     * @var string|string[]
+     * @var list<string>|string
      */
     public $objectSrc = 'self';
 
     /**
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $manifestSrc;
 
     /**
      * Limits the kinds of plugins a page may invoke.
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $pluginTypes;
 
     /**
      * List of actions allowed.
      *
-     * @var string|string[]|null
+     * @var list<string>|string|null
      */
     public $sandbox;
 

app/Config/Database.php

@@ -23,6 +23,8 @@ class Database extends Config
 
     /**
      * The default database connection.
+     *
+     * @var array<string, mixed>
      */
     public array $default = [
         'DSN'          => '',
@@ -48,6 +50,8 @@ class Database extends Config
     /**
      * This database connection is used when
      * running PHPUnit database tests.
+     *
+     * @var array<string, mixed>
      */
     public array $tests = [
         'DSN'         => '',

app/Config/Exceptions.php

@@ -30,6 +30,8 @@ class Exceptions extends BaseConfig
      * --------------------------------------------------------------------------
      * Any status codes here will NOT be logged if logging is turned on.
      * By default, only 404 (Page Not Found) exceptions are ignored.
+     *
+     * @var list<int>
      */
     public array $ignoreCodes = [404];
 
@@ -51,6 +53,8 @@ class Exceptions extends BaseConfig
      * Any data that you would like to hide from the debug trace.
      * In order to specify 2 levels, use "/" to separate.
      * ex. ['server', 'setup/password', 'secret_token']
+     *
+     * @var list<string>
      */
     public array $sensitiveDataInTrace = [];
 

app/Config/Filters.php

@@ -55,6 +55,8 @@ class Filters extends BaseConfig
      * If you use this, you should disable auto-routing because auto-routing
      * permits any HTTP method to access a controller. Accessing the controller
      * with a method you don't expect could bypass the filter.
+     *
+     * @var array<string, list<string>>
      */
     public array $methods = [];
 
@@ -64,6 +66,8 @@ class Filters extends BaseConfig
      *
      * Example:
      * 'isLoggedIn' => ['before' => ['account/*', 'profiles/*']]
+     *
+     * @var array<string, array<string, list<string>>>
      */
     public array $filters = [];
 }

app/Config/Format.php

@@ -22,7 +22,7 @@ class Format extends BaseConfig
      * These formats are only checked when the data passed to the respond()
      * method is an array.
      *
-     * @var string[]
+     * @var list<string>
      */
     public array $supportedResponseFormats = [
         'application/json',

app/Config/Logger.php

@@ -36,7 +36,7 @@ class Logger extends BaseConfig
      * For a live site you'll usually enable Critical or higher (3) to be logged otherwise
      * your log files will fill up very fast.
      *
-     * @var array|int
+     * @var int|list<int>
      */
     public $threshold = (ENVIRONMENT === 'production') ? 4 : 9;
 
@@ -72,6 +72,8 @@ class Logger extends BaseConfig
      *
      * Handlers are executed in the order defined in this array, starting with
      * the handler on top and continuing down.
+     *
+     * @var array<class-string, array<string, int|list<string>|string>>
      */
     public array $handlers = [
         /*

app/Config/Mimes.php

@@ -22,6 +22,8 @@ class Mimes
 {
     /**
      * Map of extensions to mime types.
+     *
+     * @var array<string, list<string>|string>
      */
     public static array $mimes = [
         'hqx' => [