|
1 | 1 | # Changelog |
2 | 2 |
|
| 3 | +## [v4.7.4](https://github.com/codeigniter4/CodeIgniter4/tree/v4.7.4) (2026-07-07) |
| 4 | +[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.7.3...v4.7.4) |
| 5 | + |
| 6 | +### Security |
| 7 | + |
| 8 | +* **IncomingRequest:** *HTTPS detection via client-supplied headers* was fixed. |
| 9 | + ``IncomingRequest::isSecure()`` now trusts the ``X-Forwarded-Proto`` and |
| 10 | + ``Front-End-Https`` headers only when the request comes from a trusted proxy |
| 11 | + configured in ``Config\App::$proxyIPs``. |
| 12 | + See the `Security advisory GHSA-7wmf-pw8j-mc78 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7wmf-pw8j-mc78>`_ |
| 13 | + for more information. |
| 14 | + |
| 15 | +* **Query Builder:** Fixed a SQL injection vulnerability in ``deleteBatch()``. |
| 16 | + When ``deleteBatch()`` was used together with ``where()`` conditions, the |
| 17 | + bound values from the WHERE clause were substituted into the generated SQL |
| 18 | + with their escape flag ignored, so they were never escaped or quoted. The |
| 19 | + WHERE binds are now escaped in the same way as a regular ``delete()``. |
| 20 | + |
| 21 | + See the `Security advisory GHSA-c9w5-rwh3-7pm9 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-c9w5-rwh3-7pm9>`_ |
| 22 | + for more information. |
| 23 | + |
| 24 | +* **UploadedFile:** ``UploadedFile::move()`` now sanitizes the client-provided |
| 25 | + filename when called without a second argument. Previously, the unsanitized |
| 26 | + client filename was used as the default, allowing path traversal sequences |
| 27 | + (e.g. ``../../public/shell.php``) to write the uploaded file outside the |
| 28 | + intended directory. A name explicitly passed as the second argument is not |
| 29 | + sanitized and remains the caller's responsibility. |
| 30 | + See the `Security advisory GHSA-hhmc-q9hp-r662 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hhmc-q9hp-r662>`_ |
| 31 | + for more information. |
| 32 | + |
| 33 | +* **Validation:** The ``is_image`` and ``mime_in`` file upload validation rules |
| 34 | + now also verify non-empty client filename extensions. Previously, these rules |
| 35 | + classified an upload solely by its content-derived MIME type, so a file with a |
| 36 | + dangerous client extension (for example, a ``.php`` file prepended with image |
| 37 | + magic bytes) could pass validation while keeping its original extension on |
| 38 | + disk. |
| 39 | + See the `Security advisory GHSA-mmj4-63m4-r6h5 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-mmj4-63m4-r6h5>`_ |
| 40 | + for more information. |
| 41 | + |
| 42 | + The ``is_image`` rule now rejects uploads when a non-empty client filename |
| 43 | + extension is not an image extension. The ``mime_in`` rule now rejects uploads |
| 44 | + when a non-empty client filename extension does not match the detected file |
| 45 | + content, matching the same extension/content agreement used by ``ext_in``. |
| 46 | + Files uploaded without any extension (such as JavaScript ``Blob`` uploads) |
| 47 | + are still accepted, since the rules validate the file content. |
| 48 | + |
| 49 | +### Fixed Bugs |
| 50 | + |
| 51 | +* fix: prevent updateBatch with existing where conditions by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10236 |
| 52 | +* fix: detect Safari version from Version token by @memleakd in https://github.com/codeigniter4/CodeIgniter4/pull/10251 |
| 53 | +* fix: nested transformer request scope leakage by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10281 |
| 54 | +* fix(model): pass $recursive parameter to parent in objectToRawArray by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10258 |
| 55 | +* fix: preserve enclosing stream filter when using `MockInputOutput` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10307 |
| 56 | +* fix: skip already-translated keys in `spark lang:find` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10308 |
| 57 | +* fix(Filters): check both keys and values in `InvalidChars` arrays by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10303 |
| 58 | +* fix: use dynamic lockMaxRetries limit in RedisHandler by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10295 |
| 59 | +* fix: preserve sub-namespace when generating Entity from Model (i.e., `--return entity`) by @xgrind in https://github.com/codeigniter4/CodeIgniter4/pull/10232 |
| 60 | +* fix: `env()` TypeError for non-string `$_SERVER` values + `esc()` fixes by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10305 |
| 61 | +* fix: unify casing in BaseService::injectMock by @ThomasMeschke in https://github.com/codeigniter4/CodeIgniter4/pull/10316 |
| 62 | +* fix: normalize SodiumHandler params and padding failures by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10321 |
| 63 | +* fix(Validation): correct required_without logic and prevent array key warnings by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10328 |
| 64 | +* fix: handle null ini values in phpini check by @Will-thom in https://github.com/codeigniter4/CodeIgniter4/pull/10233 |
| 65 | +* fix: preserve zero values in XML export by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10367 |
| 66 | +* fix: support array indexes in `getPostGet()` and `getGetPost()` by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10362 |
| 67 | + |
| 68 | +### Refactoring |
| 69 | + |
| 70 | +* refactor: narrow `Image` original dimension types to `int` by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10326 |
| 71 | +* refactor(HTTP): optimize file path parsing in `download()` method by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10330 |
| 72 | +* refactor(database): optimize groupGetType by caching it inside BaseBuilder loops by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10340 |
| 73 | +* refactor: bump to phpstan-codeigniter v2.1 by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10312 |
| 74 | +* refactor: replace type `mixed` with more specific types by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10345 |
| 75 | +* refactor: optimize `prepQuotedPrintable()` with hash lookup and int-length tracking by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10344 |
| 76 | +* refactor: add precise `array` phpdocs for `CLI` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10354 |
| 77 | +* refactor(database): optimize `_processForeignKeys()` string allocations and loop invariants by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10351 |
| 78 | + |
3 | 79 | ## [v4.7.3](https://github.com/codeigniter4/CodeIgniter4/tree/v4.7.3) (2026-05-22) |
4 | 80 | [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.7.2...v4.7.3) |
5 | 81 |
|
|
0 commit comments