Merge pull request from GHSA-7528-7jg5-6g62

Hotfix 4.1.8

Author: MGatner

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [v4.1.8](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.8) (2022-01-24)
+
+[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.7...v4.1.8)
+
+**SECURITY**
+
+* *XSS Vulnerability* in the `API\ResponseTrait` was fixed. See the [Security advisory](https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7528-7jg5-6g62) for more information.
+
 ## [v4.1.7](https://github.com/codeigniter4/CodeIgniter4/tree/v4.1.7) (2022-01-09)
 
 [Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.1.6...v4.1.7)

admin/framework/composer.json

@@ -10,7 +10,7 @@
         "ext-intl": "*",
         "ext-json": "*",
         "ext-mbstring": "*",
-        "kint-php/kint": "^3.3",
+        "kint-php/kint": "^4.0",
         "laminas/laminas-escaper": "^2.9",
         "psr/log": "^1.1"
     },

system/API/ResponseTrait.php

@@ -85,9 +85,9 @@ trait ResponseTrait
      *
      * @param array|string|null $data
      *
-     * @return mixed
+     * @return Response
      */
-    public function respond($data = null, ?int $status = null, string $message = '')
+    protected function respond($data = null, ?int $status = null, string $message = '')
     {
         if ($data === null && $status === null) {
             $status = 404;
@@ -119,9 +119,9 @@ public function respond($data = null, ?int $status = null, string $message = '')
      * @param int          $status   HTTP status code
      * @param string|null  $code     Custom, API-specific, error code
      *
-     * @return mixed
+     * @return Response
      */
-    public function fail($messages, int $status = 400, ?string $code = null, string $customMessage = '')
+    protected function fail($messages, int $status = 400, ?string $code = null, string $customMessage = '')
     {
         if (! is_array($messages)) {
             $messages = ['error' => $messages];
@@ -145,9 +145,9 @@ public function fail($messages, int $status = 400, ?string $code = null, string
      *
      * @param mixed $data
      *
-     * @return mixed
+     * @return Response
      */
-    public function respondCreated($data = null, string $message = '')
+    protected function respondCreated($data = null, string $message = '')
     {
         return $this->respond($data, $this->codes['created'], $message);
     }
@@ -157,9 +157,9 @@ public function respondCreated($data = null, string $message = '')
      *
      * @param mixed $data
      *
-     * @return mixed
+     * @return Response
      */
-    public function respondDeleted($data = null, string $message = '')
+    protected function respondDeleted($data = null, string $message = '')
     {
         return $this->respond($data, $this->codes['deleted'], $message);
     }
@@ -169,9 +169,9 @@ public function respondDeleted($data = null, string $message = '')
      *
      * @param mixed $data
      *
-     * @return mixed
+     * @return Response
      */
-    public function respondUpdated($data = null, string $message = '')
+    protected function respondUpdated($data = null, string $message = '')
     {
         return $this->respond($data, $this->codes['updated'], $message);
     }
@@ -180,9 +180,9 @@ public function respondUpdated($data = null, string $message = '')
      * Used after a command has been successfully executed but there is no
      * meaningful reply to send back to the client.
      *
-     * @return mixed
+     * @return Response
      */
-    public function respondNoContent(string $message = 'No Content')
+    protected function respondNoContent(string $message = 'No Content')
     {
         return $this->respond(null, $this->codes['no_content'], $message);
     }
@@ -192,9 +192,9 @@ public function respondNoContent(string $message = 'No Content')
      * or had bad authorization credentials. User is encouraged to try again
      * with the proper information.
      *
-     * @return mixed
+     * @return Response
      */
-    public function failUnauthorized(string $description = 'Unauthorized', ?string $code = null, string $message = '')
+    protected function failUnauthorized(string $description = 'Unauthorized', ?string $code = null, string $message = '')
     {
         return $this->fail($description, $this->codes['unauthorized'], $code, $message);
     }
@@ -203,31 +203,31 @@ public function failUnauthorized(string $description = 'Unauthorized', ?string $
      * Used when access is always denied to this resource and no amount
      * of trying again will help.
      *
-     * @return mixed
+     * @return Response
      */
-    public function failForbidden(string $description = 'Forbidden', ?string $code = null, string $message = '')
+    protected function failForbidden(string $description = 'Forbidden', ?string $code = null, string $message = '')
     {
         return $this->fail($description, $this->codes['forbidden'], $code, $message);
     }
 
     /**
      * Used when a specified resource cannot be found.
      *
-     * @return mixed
+     * @return Response
      */
-    public function failNotFound(string $description = 'Not Found', ?string $code = null, string $message = '')
+    protected function failNotFound(string $description = 'Not Found', ?string $code = null, string $message = '')
     {
         return $this->fail($description, $this->codes['resource_not_found'], $code, $message);
     }
 
     /**
      * Used when the data provided by the client cannot be validated.
      *
-     * @return mixed
+     * @return Response
      *
      * @deprecated Use failValidationErrors instead
      */
-    public function failValidationError(string $description = 'Bad Request', ?string $code = null, string $message = '')
+    protected function failValidationError(string $description = 'Bad Request', ?string $code = null, string $message = '')
     {
         return $this->fail($description, $this->codes['invalid_data'], $code, $message);
     }
@@ -237,19 +237,19 @@ public function failValidationError(string $description = 'Bad Request', ?string
      *
      * @param string|string[] $errors
      *
-     * @return mixed
+     * @return Response
      */
-    public function failValidationErrors($errors, ?string $code = null, string $message = '')
+    protected function failValidationErrors($errors, ?string $code = null, string $message = '')
     {
         return $this->fail($errors, $this->codes['invalid_data'], $code, $message);
     }
 
     /**
      * Use when trying to create a new resource and it already exists.
      *
-     * @return mixed
+     * @return Response
      */
-    public function failResourceExists(string $description = 'Conflict', ?string $code = null, string $message = '')
+    protected function failResourceExists(string $description = 'Conflict', ?string $code = null, string $message = '')
     {
         return $this->fail($description, $this->codes['resource_exists'], $code, $message);
     }
@@ -259,19 +259,19 @@ public function failResourceExists(string $description = 'Conflict', ?string $co
      * Not Found, because here we know the data previously existed, but is now gone,
      * where Not Found means we simply cannot find any information about it.
      *
-     * @return mixed
+     * @return Response
      */
-    public function failResourceGone(string $description = 'Gone', ?string $code = null, string $message = '')
+    protected function failResourceGone(string $description = 'Gone', ?string $code = null, string $message = '')
     {
         return $this->fail($description, $this->codes['resource_gone'], $code, $message);
     }
 
     /**
      * Used when the user has made too many requests for the resource recently.
      *
-     * @return mixed
+     * @return Response
      */
-    public function failTooManyRequests(string $description = 'Too Many Requests', ?string $code = null, string $message = '')
+    protected function failTooManyRequests(string $description = 'Too Many Requests', ?string $code = null, string $message = '')
     {
         return $this->fail($description, $this->codes['too_many_requests'], $code, $message);
     }
@@ -285,7 +285,7 @@ public function failTooManyRequests(string $description = 'Too Many Requests', ?
      *
      * @return Response The value of the Response's send() method.
      */
-    public function failServerError(string $description = 'Internal Server Error', ?string $code = null, string $message = ''): Response
+    protected function failServerError(string $description = 'Internal Server Error', ?string $code = null, string $message = ''): Response
     {
         return $this->fail($description, $this->codes['server_error'], $code, $message);
     }
@@ -346,7 +346,7 @@ protected function format($data = null)
      *
      * @return $this
      */
-    public function setResponseFormat(?string $format = null)
+    protected function setResponseFormat(?string $format = null)
     {
         $this->format = strtolower($format);
 

system/CodeIgniter.php

@@ -45,7 +45,7 @@ class CodeIgniter
     /**
      * The current version of CodeIgniter Framework
      */
-    public const CI_VERSION = '4.1.7';
+    public const CI_VERSION = '4.1.8';
 
     private const MIN_PHP_VERSION = '7.3';