Merge remote-tracking branch 'upstream/develop' into 4.6

contributing/workflow.md

@@ -354,6 +354,13 @@ You might get conflicts when you rebase. It is your
 responsibility to resolve those locally, so that you can continue
 collaborating with the shared repository.
 
+Occasionally, the Composer packages for development may be updated. Run the
+following command to use the latest packages:
+
+```console
+composer update
+```
+
 And finally push your local branch to your GitHub repository:
 
 ```console

phpstan-baseline.php

@@ -103,12 +103,6 @@
 	'count' => 1,
 	'path' => __DIR__ . '/system/BaseModel.php',
 ];
-$ignoreErrors[] = [
-	// identifier: missingType.iterableValue
-	'message' => '#^Method CodeIgniter\\\\BaseModel\\:\\:doErrors\\(\\) return type has no value type specified in iterable type array\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/system/BaseModel.php',
-];
 $ignoreErrors[] = [
 	// identifier: missingType.iterableValue
 	'message' => '#^Method CodeIgniter\\\\BaseModel\\:\\:doFind\\(\\) has parameter \\$id with no value type specified in iterable type array\\.$#',
@@ -5869,12 +5863,6 @@
 	'count' => 1,
 	'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
 ];
-$ignoreErrors[] = [
-	// identifier: missingType.iterableValue
-	'message' => '#^Property CodeIgniter\\\\HTTP\\\\ContentSecurityPolicy\\:\\:\\$validSources type has no value type specified in iterable type array\\.$#',
-	'count' => 1,
-	'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
-];
 $ignoreErrors[] = [
 	// identifier: codeigniter.superglobalAccess
 	'message' => '#^Accessing offset \'HTTP_USER_AGENT\' directly on \\$_SERVER is discouraged\\.$#',

system/BaseModel.php

@@ -541,7 +541,7 @@ abstract protected function doReplace(?array $row = null, bool $returnSQL = fals
      * Grabs the last error(s) that occurred from the Database connection.
      * This method works only with dbCalls.
      *
-     * @return array|null
+     * @return array<string, string>
      */
     abstract protected function doErrors();
 
@@ -1242,7 +1242,7 @@ public function replace(?array $row = null, bool $returnSQL = false)
      *
      * @param bool $forceDB Always grab the db error, not validation
      *
-     * @return array<string,string>
+     * @return array<string, string>
      */
     public function errors(bool $forceDB = false)
     {

system/HTTP/ContentSecurityPolicy.php

@@ -31,7 +31,7 @@ class ContentSecurityPolicy
     /**
      * CSP directives
      *
-     * @var array<string, string>
+     * @var array<string, string> [name => property]
      */
     protected array $directives = [
         'base-uri'        => 'baseURI',
@@ -166,7 +166,8 @@ class ContentSecurityPolicy
     protected $sandbox = [];
 
     /**
-     * Used for security enforcement
+     * A set of endpoints to which csp violation reports will be sent when
+     * particular behaviors are prevented.
      *
      * @var string|null
      */
@@ -189,7 +190,7 @@ class ContentSecurityPolicy
     /**
      * Used for security enforcement
      *
-     * @var array
+     * @var list<string>
      */
     protected $validSources = [
         'self',
@@ -242,7 +243,7 @@ class ContentSecurityPolicy
 
     /**
      * An array of header info since we have
-     * to build ourself before passing to Response.
+     * to build ourselves before passing to Response.
      *
      * @var array
      */
@@ -594,6 +595,9 @@ public function addPluginType($mime, ?bool $explicitReporting = null)
      *
      * @see http://www.w3.org/TR/CSP/#directive-report-uri
      *
+     * @param string $uri URL to send reports. Set `''` if you want to remove
+     *                    this directive at runtime.
+     *
      * @return $this
      */
     public function setReportURI(string $uri)

tests/system/HTTP/ContentSecurityPolicyTest.php

@@ -379,6 +379,19 @@ public function testReportURI(): void
         $this->assertStringContainsString('report-uri http://example.com/csptracker;', $result);
     }
 
+    #[PreserveGlobalState(false)]
+    #[RunInSeparateProcess]
+    public function testRemoveReportURI(): void
+    {
+        $this->prepare();
+        $this->csp->reportOnly(false);
+        $this->csp->setReportURI('');
+        $this->work();
+
+        $result = $this->getHeaderEmitted('Content-Security-Policy');
+        $this->assertStringNotContainsString('report-uri ', $result);
+    }
+
     #[PreserveGlobalState(false)]
     #[RunInSeparateProcess]
     public function testSandboxFlags(): void

user_guide_src/source/libraries/curlrequest.rst

@@ -260,7 +260,7 @@ if it's not already set:
 
 .. literalinclude:: curlrequest/024.php
 
-.. note:: ``form_params`` cannot be used with the ``multipart`` option. You will need to use one or the other.
+.. note:: ``form_params`` cannot be used with the `multipart`_ option. You will need to use one or the other.
         Use ``form_params`` for ``application/x-www-form-urlencoded`` request, and ``multipart`` for ``multipart/form-data``
         requests.
 
@@ -306,13 +306,15 @@ multipart
 =========
 
 When you need to send files and other data via a POST request, you can use the ``multipart`` option, along with
-the `CURLFile Class <https://www.php.net/manual/en/class.curlfile.php>`_. The values should be an associative array
-of POST data to send. For safer usage, the legacy method of uploading files by prefixing their name with an `@`
+the `CURLFile Class <https://www.php.net/manual/en/class.curlfile.php>`_.
+
+The values should be an associative array
+of POST data to send. For safer usage, the legacy method of uploading files by prefixing their name with an ``@``
 has been disabled. Any files that you want to send must be passed as instances of CURLFile:
 
 .. literalinclude:: curlrequest/028.php
 
-.. note:: ``multipart`` cannot be used with the ``form_params`` option. You can only use one or the other. Use
+.. note:: ``multipart`` cannot be used with the `form_params`_ option. You can only use one or the other. Use
         ``form_params`` for ``application/x-www-form-urlencoded`` requests, and ``multipart`` for ``multipart/form-data``
         requests.
 

user_guide_src/source/libraries/curlrequest/028.php

@@ -1,6 +1,8 @@
 <?php
 
-$post_data = [
-    'foo'      => 'bar',
-    'userfile' => new \CURLFile('/path/to/file.txt'),
-];
+$client->request('POST', '/post', [
+    'multipart' => [
+        'foo'      => 'bar',
+        'userfile' => new \CURLFile('/path/to/file.txt'),
+    ],
+]);

user_guide_src/source/libraries/validation.rst

@@ -476,6 +476,8 @@ the validation rules.
 .. literalinclude:: validation/045.php
    :lines: 2-
 
+.. _saving-validation-rules-to-config-file:
+
 Saving Sets of Validation Rules to the Config File
 ==================================================
 
@@ -875,6 +877,8 @@ Or you can use the following parameters:
 .. literalinclude:: validation/047.php
    :lines: 2-
 
+.. _validation-available-rules:
+
 ***************
 Available Rules
 ***************

user_guide_src/source/models/model.rst

@@ -243,13 +243,13 @@ $validationRules
 
 Contains either an array of validation rules as described in :ref:`validation-array`
 or a string containing the name of a validation group, as described in the same section.
-Described in more detail below.
+See also :ref:`model-setting-validation-rules`.
 
 $validationMessages
 ^^^^^^^^^^^^^^^^^^^
 
 Contains an array of custom error messages that should be used during validation, as
-described in :ref:`validation-custom-errors`. Described in more detail below.
+described in :ref:`validation-custom-errors`. See also :ref:`model-setting-validation-rules`.
 
 $skipValidation
 ^^^^^^^^^^^^^^^
@@ -661,11 +661,14 @@ Cleans out the database table by permanently removing all rows that have 'delete
 In-Model Validation
 ===================
 
+.. warning:: In-Model validation is performed just before data is stored in the
+    database. Prior to that point, the data has not yet been validated. Processing
+    user-input data prior to validation may introduce vulnerabilities.
+
 Validating Data
 ---------------
 
-For many people, validating data in the model is the preferred way to ensure the data is kept to a single
-standard, without duplicating code. The Model class provides a way to automatically have all data validated
+The Model class provides a way to automatically have all data validated
 prior to saving to the database with the ``insert()``, ``update()``, or ``save()`` methods.
 
 .. important:: When you update data, by default, the validation in the model class only
@@ -680,16 +683,24 @@ prior to saving to the database with the ``insert()``, ``update()``, or ``save()
     To avoid such glitches, this behavior can be changed by configuration. See
     :ref:`clean-validation-rules` for details.
 
+.. _model-setting-validation-rules:
+
 Setting Validation Rules
 ------------------------
 
-The first step is to fill out the `$validationRules`_ class property with the fields and rules that should
-be applied. If you have custom error message that you want to use, place them in the `$validationMessages`_ array:
+The first step is to fill out the `$validationRules`_ class property with the
+fields and rules that should be applied.
+
+.. note:: You can see the list of built-in Validation rules in :ref:`validation-available-rules`.
+
+If you have custom error message that you want to use, place them in the `$validationMessages`_ array:
 
 .. literalinclude:: model/027.php
 
-If you'd rather organize your rules and error messages within the Validation configuration file, you can do that
-and simply set `$validationRules`_ to the name of the validation rule group you created:
+If you'd rather organize your rules and error messages within the
+:ref:`Validation Config File <saving-validation-rules-to-config-file>`, you can
+do that and simply set `$validationRules`_ to the name of the validation rule
+group you created:
 
 .. literalinclude:: model/034.php