Skip to content

Commit cf49152

Browse files
authored
Prep for 4.7.4 release (#10379)
1 parent 6ea1227 commit cf49152

6 files changed

Lines changed: 82 additions & 30 deletions

File tree

CHANGELOG.md

Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,81 @@
11
# Changelog
22

3+
## [v4.7.4](https://github.com/codeigniter4/CodeIgniter4/tree/v4.7.4) (2026-07-07)
4+
[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.7.3...v4.7.4)
5+
6+
### Security
7+
8+
* **IncomingRequest:** *HTTPS detection via client-supplied headers* was fixed.
9+
``IncomingRequest::isSecure()`` now trusts the ``X-Forwarded-Proto`` and
10+
``Front-End-Https`` headers only when the request comes from a trusted proxy
11+
configured in ``Config\App::$proxyIPs``.
12+
See the `Security advisory GHSA-7wmf-pw8j-mc78 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7wmf-pw8j-mc78>`_
13+
for more information.
14+
15+
* **Query Builder:** Fixed a SQL injection vulnerability in ``deleteBatch()``.
16+
When ``deleteBatch()`` was used together with ``where()`` conditions, the
17+
bound values from the WHERE clause were substituted into the generated SQL
18+
with their escape flag ignored, so they were never escaped or quoted. The
19+
WHERE binds are now escaped in the same way as a regular ``delete()``.
20+
21+
See the `Security advisory GHSA-c9w5-rwh3-7pm9 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-c9w5-rwh3-7pm9>`_
22+
for more information.
23+
24+
* **UploadedFile:** ``UploadedFile::move()`` now sanitizes the client-provided
25+
filename when called without a second argument. Previously, the unsanitized
26+
client filename was used as the default, allowing path traversal sequences
27+
(e.g. ``../../public/shell.php``) to write the uploaded file outside the
28+
intended directory. A name explicitly passed as the second argument is not
29+
sanitized and remains the caller's responsibility.
30+
See the `Security advisory GHSA-hhmc-q9hp-r662 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hhmc-q9hp-r662>`_
31+
for more information.
32+
33+
* **Validation:** The ``is_image`` and ``mime_in`` file upload validation rules
34+
now also verify non-empty client filename extensions. Previously, these rules
35+
classified an upload solely by its content-derived MIME type, so a file with a
36+
dangerous client extension (for example, a ``.php`` file prepended with image
37+
magic bytes) could pass validation while keeping its original extension on
38+
disk.
39+
See the `Security advisory GHSA-mmj4-63m4-r6h5 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-mmj4-63m4-r6h5>`_
40+
for more information.
41+
42+
The ``is_image`` rule now rejects uploads when a non-empty client filename
43+
extension is not an image extension. The ``mime_in`` rule now rejects uploads
44+
when a non-empty client filename extension does not match the detected file
45+
content, matching the same extension/content agreement used by ``ext_in``.
46+
Files uploaded without any extension (such as JavaScript ``Blob`` uploads)
47+
are still accepted, since the rules validate the file content.
48+
49+
### Fixed Bugs
50+
51+
* fix: prevent updateBatch with existing where conditions by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10236
52+
* fix: detect Safari version from Version token by @memleakd in https://github.com/codeigniter4/CodeIgniter4/pull/10251
53+
* fix: nested transformer request scope leakage by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10281
54+
* fix(model): pass $recursive parameter to parent in objectToRawArray by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10258
55+
* fix: preserve enclosing stream filter when using `MockInputOutput` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10307
56+
* fix: skip already-translated keys in `spark lang:find` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10308
57+
* fix(Filters): check both keys and values in `InvalidChars` arrays by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10303
58+
* fix: use dynamic lockMaxRetries limit in RedisHandler by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10295
59+
* fix: preserve sub-namespace when generating Entity from Model (i.e., `--return entity`) by @xgrind in https://github.com/codeigniter4/CodeIgniter4/pull/10232
60+
* fix: `env()` TypeError for non-string `$_SERVER` values + `esc()` fixes by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10305
61+
* fix: unify casing in BaseService::injectMock by @ThomasMeschke in https://github.com/codeigniter4/CodeIgniter4/pull/10316
62+
* fix: normalize SodiumHandler params and padding failures by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10321
63+
* fix(Validation): correct required_without logic and prevent array key warnings by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10328
64+
* fix: handle null ini values in phpini check by @Will-thom in https://github.com/codeigniter4/CodeIgniter4/pull/10233
65+
* fix: preserve zero values in XML export by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10367
66+
* fix: support array indexes in `getPostGet()` and `getGetPost()` by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10362
67+
68+
### Refactoring
69+
70+
* refactor: narrow `Image` original dimension types to `int` by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10326
71+
* refactor(HTTP): optimize file path parsing in `download()` method by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10330
72+
* refactor(database): optimize groupGetType by caching it inside BaseBuilder loops by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10340
73+
* refactor: bump to phpstan-codeigniter v2.1 by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10312
74+
* refactor: replace type `mixed` with more specific types by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10345
75+
* refactor: optimize `prepQuotedPrintable()` with hash lookup and int-length tracking by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10344
76+
* refactor: add precise `array` phpdocs for `CLI` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10354
77+
* refactor(database): optimize `_processForeignKeys()` string allocations and loop invariants by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10351
78+
379
## [v4.7.3](https://github.com/codeigniter4/CodeIgniter4/tree/v4.7.3) (2026-05-22)
480
[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.7.2...v4.7.3)
581

phpdoc.dist.xml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@
1010
<output>api/build/</output>
1111
<cache>api/cache/</cache>
1212
</paths>
13-
<version number="4.7.3">
13+
<version number="4.7.4">
1414
<api format="php">
1515
<source dsn=".">
1616
<path>system</path>

system/CodeIgniter.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -55,7 +55,7 @@ class CodeIgniter
5555
/**
5656
* The current version of CodeIgniter Framework
5757
*/
58-
public const CI_VERSION = '4.7.4-dev';
58+
public const CI_VERSION = '4.7.4';
5959

6060
/**
6161
* App startup time.

user_guide_src/source/changelogs/v4.7.4.rst

Lines changed: 1 addition & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22
Version 4.7.4
33
#############
44

5-
Release Date: Unreleased
5+
Release Date: July 7, 2026
66

77
**4.7.4 release of CodeIgniter4**
88

@@ -55,22 +55,6 @@ SECURITY
5555
Files uploaded without any extension (such as JavaScript ``Blob`` uploads)
5656
are still accepted, since the rules validate the file content.
5757

58-
********
59-
BREAKING
60-
********
61-
62-
***************
63-
Message Changes
64-
***************
65-
66-
*******
67-
Changes
68-
*******
69-
70-
************
71-
Deprecations
72-
************
73-
7458
**********
7559
Bugs Fixed
7660
**********

user_guide_src/source/conf.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@
2626
version = '4.7'
2727

2828
# The full version, including alpha/beta/rc tags.
29-
release = '4.7.3'
29+
release = '4.7.4'
3030

3131
# -- General configuration ---------------------------------------------------
3232

user_guide_src/source/installation/upgrade_474.rst

Lines changed: 2 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -12,10 +12,6 @@ Please refer to the upgrade instructions corresponding to your installation meth
1212
:local:
1313
:depth: 2
1414

15-
**********************
16-
Mandatory File Changes
17-
**********************
18-
1915
****************
2016
Breaking Changes
2117
****************
@@ -47,10 +43,6 @@ non-HTTPS, which may result in redirect loops.
4743
IPv4-mapped form to ``Config\App::$proxyIPs``, e.g.,
4844
``::ffff:192.168.5.21`` or ``::ffff:192.168.5.0/120``.
4945

50-
*********************
51-
Breaking Enhancements
52-
*********************
53-
5446
*************
5547
Project Files
5648
*************
@@ -71,12 +63,12 @@ and it is recommended that you merge the updated versions with your application:
7163
Config
7264
------
7365

74-
- @TODO
66+
- No config files were changed in this release.
7567

7668
All Changes
7769
===========
7870

7971
This is a list of all files in the **project space** that received changes;
8072
many will be simple comments or formatting that have no effect on the runtime:
8173

82-
- @TODO
74+
- No project files were changed in this release.

0 commit comments

Comments
 (0)