From 2f8139ca5ef506aafe88b01fbcd7c2a44d0f4a43 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Wed, 31 Jul 2024 12:04:02 +0900
Subject: [PATCH 01/12] docs: add links to sections
---
 user_guide_src/source/libraries/curlrequest.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/user_guide_src/source/libraries/curlrequest.rst b/user_guide_src/source/libraries/curlrequest.rst
index b33fad802f4a..d50620d22b49 100644
--- a/user_guide_src/source/libraries/curlrequest.rst
+++ b/user_guide_src/source/libraries/curlrequest.rst
@@ -260,7 +260,7 @@ if it's not already set:
 .. literalinclude:: curlrequest/024.php
-.. note:: ``form_params`` cannot be used with the ``multipart`` option. You will need to use one or the other.
+.. note:: ``form_params`` cannot be used with the `multipart`_ option. You will need to use one or the other.
 Use ``form_params`` for ``application/x-www-form-urlencoded`` request, and ``multipart`` for ``multipart/form-data`` requests.
@@ -312,7 +312,7 @@ has been disabled. Any files that you want to send must be passed as instances o
 .. literalinclude:: curlrequest/028.php
-.. note:: ``multipart`` cannot be used with the ``form_params`` option. You can only use one or the other. Use
+.. note:: ``multipart`` cannot be used with the `form_params`_ option. You can only use one or the other. Use
 ``form_params`` for ``application/x-www-form-urlencoded`` requests, and ``multipart`` for ``multipart/form-data`` requests.
From ceb26a5e95a6b595ab78bc4c53f422ab702ed57d Mon Sep 17 00:00:00 2001
From: kenjis
Date: Wed, 31 Jul 2024 12:04:35 +0900
Subject: [PATCH 02/12] docs: add empty line for readability
---
 user_guide_src/source/libraries/curlrequest.rst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/user_guide_src/source/libraries/curlrequest.rst b/user_guide_src/source/libraries/curlrequest.rst
index d50620d22b49..1e06b69cc484 100644
--- a/user_guide_src/source/libraries/curlrequest.rst
+++ b/user_guide_src/source/libraries/curlrequest.rst
@@ -306,8 +306,10 @@ multipart
 =========
 When you need to send files and other data via a POST request, you can use the ``multipart`` option, along with
-the `CURLFile Class `_. The values should be an associative array
-of POST data to send. For safer usage, the legacy method of uploading files by prefixing their name with an `@`
+the `CURLFile Class `_.
+
+The values should be an associative array
+of POST data to send. For safer usage, the legacy method of uploading files by prefixing their name with an ``@``
 has been disabled. Any files that you want to send must be passed as instances of CURLFile:
 .. literalinclude:: curlrequest/028.php
From a2dffb32db3b8b0a644a2a5c32b211791827897c Mon Sep 17 00:00:00 2001
From: kenjis
Date: Wed, 31 Jul 2024 12:04:58 +0900
Subject: [PATCH 03/12] docs: improve sample code
---
 user_guide_src/source/libraries/curlrequest/028.php | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/user_guide_src/source/libraries/curlrequest/028.php b/user_guide_src/source/libraries/curlrequest/028.php
index fcce227c1d9a..e56b96b127a5 100644
--- a/user_guide_src/source/libraries/curlrequest/028.php
+++ b/user_guide_src/source/libraries/curlrequest/028.php
@@ -1,6 +1,8 @@ 'bar',
- 'userfile' => new \CURLFile('/path/to/file.txt'),
-];
+$client->request('POST', '/post', [
+ 'multipart' => [
+ 'foo' => 'bar',
+ 'userfile' => new \CURLFile('/path/to/file.txt'),
+ ],
+]);
From ac225bb8ee1b74a9dcf48a03ee7eaeefed02df77 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Thu, 1 Aug 2024 10:51:29 +0900
Subject: [PATCH 04/12] docs: add step to update Composer packages
---
 contributing/workflow.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/contributing/workflow.md b/contributing/workflow.md
index 30dfc80492af..a294cc9e485c 100644
--- a/contributing/workflow.md
+++ b/contributing/workflow.md
@@ -354,6 +354,13 @@ You might get conflicts when you rebase. It is your responsibility to resolve those locally, so that you can continue collaborating with the shared repository.
+Occasionally, the Composer packages for development may be updated. Run the
+following command to use the latest packages:
+
+```console
+composer update
+```
+
 And finally push your local branch to your GitHub repository:
 ```console
From 712dcb0aac9f704cb8474e5d73550d5a8a593ca6 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 09:04:34 +0900
Subject: [PATCH 05/12] docs: add warning for In-Model Validation
---
 user_guide_src/source/models/model.rst | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/user_guide_src/source/models/model.rst b/user_guide_src/source/models/model.rst
index c77e68cb81b8..05323bfba49b 100644
--- a/user_guide_src/source/models/model.rst
+++ b/user_guide_src/source/models/model.rst
@@ -649,11 +649,14 @@ Cleans out the database table by permanently removing all rows that have 'delete
 In-Model Validation
 ===================
+.. warning:: In-Model validation is performed just before data is stored in the
+ database. Prior to that point, the data has not yet been validated. Processing
+ user-input data prior to validation may introduce vulnerabilities.
+
 Validating Data
 ---------------
-For many people, validating data in the model is the preferred way to ensure the data is kept to a single
-standard, without duplicating code. The Model class provides a way to automatically have all data validated
+The Model class provides a way to automatically have all data validated
 prior to saving to the database with the ``insert()``, ``update()``, or ``save()`` methods.
 .. important:: When you update data, by default, the validation in the model class only
From 9e90c2e7bef0606347fc517bb11bee0303cb87d7 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 09:12:39 +0900
Subject: [PATCH 06/12] docs: add link to "Saving Sets of Validation Rules to the Config File"
---
 user_guide_src/source/libraries/validation.rst | 2 ++
 user_guide_src/source/models/model.rst | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/user_guide_src/source/libraries/validation.rst b/user_guide_src/source/libraries/validation.rst
index 7b87954653e1..71d82deff694 100644
--- a/user_guide_src/source/libraries/validation.rst
+++ b/user_guide_src/source/libraries/validation.rst
@@ -476,6 +476,8 @@ the validation rules.
 .. literalinclude:: validation/045.php
 :lines: 2-
+.. _saving-validation-rules-to-config-file:
+
 Saving Sets of Validation Rules to the Config File
 ==================================================
diff --git a/user_guide_src/source/models/model.rst b/user_guide_src/source/models/model.rst
index 05323bfba49b..b4b143db8ae1 100644
--- a/user_guide_src/source/models/model.rst
+++ b/user_guide_src/source/models/model.rst
@@ -679,8 +679,10 @@ be applied. If you have custom error message that you want to use, place them in
 .. literalinclude:: model/027.php
-If you'd rather organize your rules and error messages within the Validation configuration file, you can do that
-and simply set `$validationRules`_ to the name of the validation rule group you created:
+If you'd rather organize your rules and error messages within the
+:ref:`Validation Config File `, you can
+do that and simply set `$validationRules`_ to the name of the validation rule
+group you created:
 .. literalinclude:: model/034.php
From 7938cf3347f598372c8afe4f164e9e7ba19d6b84 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 09:17:56 +0900
Subject: [PATCH 07/12] docs: add in-page links
---
 user_guide_src/source/models/model.rst | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/user_guide_src/source/models/model.rst b/user_guide_src/source/models/model.rst
index b4b143db8ae1..1c99b06dc843 100644
--- a/user_guide_src/source/models/model.rst
+++ b/user_guide_src/source/models/model.rst
@@ -243,13 +243,13 @@ $validationRules
 Contains either an array of validation rules as described in :ref:`validation-array` or a string containing the name of a validation group, as described in the same section.
-Described in more detail below.
+See also :ref:`model-setting-validation-rules`.
 $validationMessages
 ^^^^^^^^^^^^^^^^^^^
 Contains an array of custom error messages that should be used during validation, as
-described in :ref:`validation-custom-errors`. Described in more detail below.
+described in :ref:`validation-custom-errors`. See also :ref:`model-setting-validation-rules`.
 $skipValidation
 ^^^^^^^^^^^^^^^
@@ -671,6 +671,8 @@ prior to saving to the database with the ``insert()``, ``update()``, or ``save()
 To avoid such glitches, this behavior can be changed by configuration. See :ref:`clean-validation-rules` for details.
+.. _model-setting-validation-rules:
+
 Setting Validation Rules
 ------------------------
From 0630332b61c8581bbc7edf135e58bcd47918675f Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 09:35:11 +0900
Subject: [PATCH 08/12] docs: add link to list of validation rules
---
 user_guide_src/source/libraries/validation.rst | 2 ++
 user_guide_src/source/models/model.rst | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/user_guide_src/source/libraries/validation.rst b/user_guide_src/source/libraries/validation.rst
index 71d82deff694..048449580422 100644
--- a/user_guide_src/source/libraries/validation.rst
+++ b/user_guide_src/source/libraries/validation.rst
@@ -877,6 +877,8 @@ Or you can use the following parameters:
 .. literalinclude:: validation/047.php
 :lines: 2-
+.. _validation-available-rules:
+
 ***************
 Available Rules
 ***************
diff --git a/user_guide_src/source/models/model.rst b/user_guide_src/source/models/model.rst
index 1c99b06dc843..e8186487f9e6 100644
--- a/user_guide_src/source/models/model.rst
+++ b/user_guide_src/source/models/model.rst
@@ -676,8 +676,12 @@ prior to saving to the database with the ``insert()``, ``update()``, or ``save()
 Setting Validation Rules
 ------------------------
-The first step is to fill out the `$validationRules`_ class property with the fields and rules that should
-be applied. If you have custom error message that you want to use, place them in the `$validationMessages`_ array:
+The first step is to fill out the `$validationRules`_ class property with the
+fields and rules that should be applied.
+
+.. note:: You can see the list of built-in Validation rules in :ref:`validation-available-rules`.
+
+If you have custom error message that you want to use, place them in the `$validationMessages`_ array:
 .. literalinclude:: model/027.php
From ae63cb4fb2f31233297d08de5dfe74c28e2bcfbf Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 09:58:44 +0900
Subject: [PATCH 09/12] docs: fix @return type
---
 phpstan-baseline.php | 6 ------
 system/BaseModel.php | 4 ++--
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/phpstan-baseline.php b/phpstan-baseline.php
index 1b36c4a8f8ee..9333adddfe43 100644
--- a/phpstan-baseline.php
+++ b/phpstan-baseline.php
@@ -103,12 +103,6 @@
 'count' => 1,
 'path' => __DIR__ . '/system/BaseModel.php',
 ];
-$ignoreErrors[] = [
- // identifier: missingType.iterableValue
- 'message' => '#^Method CodeIgniter\\\\BaseModel\\:\\:doErrors\\(\\) return type has no value type specified in iterable type array\\.$#',
- 'count' => 1,
- 'path' => __DIR__ . '/system/BaseModel.php',
-];
 $ignoreErrors[] = [
 // identifier: missingType.iterableValue
 'message' => '#^Method CodeIgniter\\\\BaseModel\\:\\:doFind\\(\\) has parameter \\$id with no value type specified in iterable type array\\.$#',
diff --git a/system/BaseModel.php b/system/BaseModel.php
index 9b8bb70ed482..2b364bdc1917 100644
--- a/system/BaseModel.php
+++ b/system/BaseModel.php
@@ -541,7 +541,7 @@ abstract protected function doReplace(?array $row = null, bool $returnSQL = fals
 * Grabs the last error(s) that occurred from the Database connection.
 * This method works only with dbCalls.
 *
- * @return array|null
+ * @return array
 */
 abstract protected function doErrors();
@@ -1242,7 +1242,7 @@ public function replace(?array $row = null, bool $returnSQL = false)
 *
 * @param bool $forceDB Always grab the db error, not validation
 *
- * @return array
+ * @return array
 */
 public function errors(bool $forceDB = false)
 {
From 26da98d80b824a6dd5f114e08833268c98cb69a3 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 11:34:40 +0900
Subject: [PATCH 10/12] docs: update PHPDocs
---
 phpstan-baseline.php | 6 ------
 system/HTTP/ContentSecurityPolicy.php | 9 +++++----
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/phpstan-baseline.php b/phpstan-baseline.php
index 1b36c4a8f8ee..a1ca30a6c63f 100644
--- a/phpstan-baseline.php
+++ b/phpstan-baseline.php
@@ -5935,12 +5935,6 @@
 'count' => 1,
 'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
 ];
-$ignoreErrors[] = [
- // identifier: missingType.iterableValue
- 'message' => '#^Property CodeIgniter\\\\HTTP\\\\ContentSecurityPolicy\\:\\:\\$validSources type has no value type specified in iterable type array\\.$#',
- 'count' => 1,
- 'path' => __DIR__ . '/system/HTTP/ContentSecurityPolicy.php',
-];
 $ignoreErrors[] = [
 // identifier: codeigniter.superglobalAccess
 'message' => '#^Accessing offset \'HTTP_USER_AGENT\' directly on \\$_SERVER is discouraged\\.$#',
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 945c3e08d3ce..573e076b7360 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
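Review bot: The first hunk narrows the documented return of the abstract `doErrors()` from `array|null` to `array` while the declaration still carries no native return type, so a subclass that keeps returning `null` (the value the old docblock allowed) is not rejected at runtime and is only flagged where the analyser sees the concrete implementation. A sentence in the docblock such as `* Must not return null; return an empty array when no error occurred.` would state the new contract to implementers, assuming an empty array is indeed the no-error value — verify against the concrete database drivers. A native `: array` return type would enforce it, but changing an abstract protected signature affects every subclass, so that likely needs a deprecation step rather than a docs-only commit. The body of `errors()` in the second hunk continues outside the hunk.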
@@ -31,7 +31,7 @@ class ContentSecurityPolicy
 /**
 * CSP directives
 *
- * @var array
+ * @var array [name => property]
 */
 protected array $directives = [
 'base-uri' => 'baseURI',
@@ -166,7 +166,8 @@ class ContentSecurityPolicy
 protected $sandbox = [];
 /**
- * Used for security enforcement
+ * A set of endpoints to which csp violation reports will be sent when
+ * particular behaviors are prevented.
 *
 * @var string|null
 */
@@ -189,7 +190,7 @@ class ContentSecurityPolicy
 /**
 * Used for security enforcement
 *
- * @var array
+ * @var list
 */
 protected $validSources = [
 'self',
@@ -242,7 +243,7 @@ class ContentSecurityPolicy
 /**
 * An array of header info since we have
- * to build ourself before passing to Response.
+ * to build ourselves before passing to Response.
 *
 * @var array
 */
From 80e9d3f391a6eb338b7befa7c332ea7ae7efac63 Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 11:35:40 +0900
Subject: [PATCH 11/12] docs: describe how to remove `report-uri`
---
 system/HTTP/ContentSecurityPolicy.php | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/system/HTTP/ContentSecurityPolicy.php b/system/HTTP/ContentSecurityPolicy.php
index 573e076b7360..7582bc467733 100644
--- a/system/HTTP/ContentSecurityPolicy.php
+++ b/system/HTTP/ContentSecurityPolicy.php
@@ -595,6 +595,9 @@ public function addPluginType($mime, ?bool $explicitReporting = null)
 *
 * @see http://www.w3.org/TR/CSP/#directive-report-uri
 *
+ * @param string $uri URL to send reports. Set `''` if you want to remove
+ * this directive at runtime.
+ *
 * @return $this
 */
 public function setReportURI(string $uri)
From 5ba2b785673af44a81fd7f6c34bc03e5dfdd5cdb Mon Sep 17 00:00:00 2001
From: kenjis
Date: Fri, 2 Aug 2024 11:37:11 +0900
Subject: [PATCH 12/12] test: add test to remove report-uri
---
 tests/system/HTTP/ContentSecurityPolicyTest.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
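Review bot: In the third hunk of the ContentSecurityPolicy.php section, the `$validSources` docblock keeps the line `Used for security enforcement` while only its `@var` changes; that phrase says nothing about what the list holds, and the same phrase was just replaced on `$reportURI` in the second hunk for exactly that reason. A one-line purpose such as `* Keyword source expressions (such as 'self') accepted as directive values.` would tell a reader what the list is for, if that is how the class uses it — the code that consumes `$validSources` is outside the hunk, so confirm before wording it that way. The `@var array` left on the header-info property in the fourth hunk could likewise gain a value type, since completing these PHPDocs is the stated purpose of the commit.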
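Review bot: The new `@param` in the setReportURI hunk documents an empty string as the signal for removing the `report-uri` directive, which turns `''` into a sentinel for a distinct operation; a docs-only change cannot alter the signature, but the docblock should also say what any non-empty value does (replace the current URI, presumably — the method body is outside the hunk) so the two behaviours of one parameter are both stated. It would further help readers to note that `report-uri` is deprecated in CSP Level 3 in favour of `report-to`, with support for `report-to` varying across user agents, and to point the `@see` at the current specification rather than the plain-http link to the older W3C draft.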
diff --git a/tests/system/HTTP/ContentSecurityPolicyTest.php b/tests/system/HTTP/ContentSecurityPolicyTest.php
index 7000a881b9d6..596fbfcf0b24 100644
--- a/tests/system/HTTP/ContentSecurityPolicyTest.php
+++ b/tests/system/HTTP/ContentSecurityPolicyTest.php
@@ -379,6 +379,19 @@ public function testReportURI(): void
 $this->assertStringContainsString('report-uri http://example.com/csptracker;', $result);
 }
+ #[PreserveGlobalState(false)]
+ #[RunInSeparateProcess]
+ public function testRemoveReportURI(): void
+ {
+ $this->prepare();
+ $this->csp->reportOnly(false);
+ $this->csp->setReportURI('');
+ $this->work();
+
+ $result = $this->getHeaderEmitted('Content-Security-Policy');
+ $this->assertStringNotContainsString('report-uri ', $result);
+ }
+
 #[PreserveGlobalState(false)]
 #[RunInSeparateProcess]
 public function testSandboxFlags(): void
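Review bot: `testRemoveReportURI` never establishes that a `report-uri` directive was present before `setReportURI('')` is called, so the `assertStringNotContainsString` on the emitted header passes even if the empty-string path were a no-op, provided `prepare()` does not load a report URI from config (the fixture is outside the hunk, so that is an assumption). Setting a URI and then clearing it makes the test actually prove removal: `$this->csp->setReportURI('http://example.com/csptracker');` followed by `$this->csp->setReportURI('');`, mirroring the value `testReportURI` above asserts on. A sibling case with `reportOnly(true)` asserting on the `Content-Security-Policy-Report-Only` header would cover the second header this class appears to emit, if `reportOnly(true)` switches the header name as its name suggests.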