Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,81 @@
# Changelog

## [v4.7.4](https://github.com/codeigniter4/CodeIgniter4/tree/v4.7.4) (2026-07-07)
[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.7.3...v4.7.4)

### Security

* **IncomingRequest:** *HTTPS detection via client-supplied headers* was fixed.
``IncomingRequest::isSecure()`` now trusts the ``X-Forwarded-Proto`` and
``Front-End-Https`` headers only when the request comes from a trusted proxy
configured in ``Config\App::$proxyIPs``.
See the `Security advisory GHSA-7wmf-pw8j-mc78 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-7wmf-pw8j-mc78>`_
for more information.

* **Query Builder:** Fixed a SQL injection vulnerability in ``deleteBatch()``.
When ``deleteBatch()`` was used together with ``where()`` conditions, the
bound values from the WHERE clause were substituted into the generated SQL
with their escape flag ignored, so they were never escaped or quoted. The
WHERE binds are now escaped in the same way as a regular ``delete()``.

See the `Security advisory GHSA-c9w5-rwh3-7pm9 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-c9w5-rwh3-7pm9>`_
for more information.

* **UploadedFile:** ``UploadedFile::move()`` now sanitizes the client-provided
filename when called without a second argument. Previously, the unsanitized
client filename was used as the default, allowing path traversal sequences
(e.g. ``../../public/shell.php``) to write the uploaded file outside the
intended directory. A name explicitly passed as the second argument is not
sanitized and remains the caller's responsibility.
See the `Security advisory GHSA-hhmc-q9hp-r662 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hhmc-q9hp-r662>`_
for more information.

* **Validation:** The ``is_image`` and ``mime_in`` file upload validation rules
now also verify non-empty client filename extensions. Previously, these rules
classified an upload solely by its content-derived MIME type, so a file with a
dangerous client extension (for example, a ``.php`` file prepended with image
magic bytes) could pass validation while keeping its original extension on
disk.
See the `Security advisory GHSA-mmj4-63m4-r6h5 <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-mmj4-63m4-r6h5>`_
for more information.

The ``is_image`` rule now rejects uploads when a non-empty client filename
extension is not an image extension. The ``mime_in`` rule now rejects uploads
when a non-empty client filename extension does not match the detected file
content, matching the same extension/content agreement used by ``ext_in``.
Files uploaded without any extension (such as JavaScript ``Blob`` uploads)
are still accepted, since the rules validate the file content.

### Fixed Bugs

* fix: prevent updateBatch with existing where conditions by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10236
* fix: detect Safari version from Version token by @memleakd in https://github.com/codeigniter4/CodeIgniter4/pull/10251
* fix: nested transformer request scope leakage by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10281
* fix(model): pass $recursive parameter to parent in objectToRawArray by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10258
* fix: preserve enclosing stream filter when using `MockInputOutput` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10307
* fix: skip already-translated keys in `spark lang:find` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10308
* fix(Filters): check both keys and values in `InvalidChars` arrays by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10303
* fix: use dynamic lockMaxRetries limit in RedisHandler by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10295
* fix: preserve sub-namespace when generating Entity from Model (i.e., `--return entity`) by @xgrind in https://github.com/codeigniter4/CodeIgniter4/pull/10232
* fix: `env()` TypeError for non-string `$_SERVER` values + `esc()` fixes by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10305
* fix: unify casing in BaseService::injectMock by @ThomasMeschke in https://github.com/codeigniter4/CodeIgniter4/pull/10316
* fix: normalize SodiumHandler params and padding failures by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10321
* fix(Validation): correct required_without logic and prevent array key warnings by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10328
* fix: handle null ini values in phpini check by @Will-thom in https://github.com/codeigniter4/CodeIgniter4/pull/10233
* fix: preserve zero values in XML export by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10367
* fix: support array indexes in `getPostGet()` and `getGetPost()` by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10362

### Refactoring

* refactor: narrow `Image` original dimension types to `int` by @michalsn in https://github.com/codeigniter4/CodeIgniter4/pull/10326
* refactor(HTTP): optimize file path parsing in `download()` method by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10330
* refactor(database): optimize groupGetType by caching it inside BaseBuilder loops by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10340
* refactor: bump to phpstan-codeigniter v2.1 by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10312
* refactor: replace type `mixed` with more specific types by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10345
* refactor: optimize `prepQuotedPrintable()` with hash lookup and int-length tracking by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10344
* refactor: add precise `array` phpdocs for `CLI` by @paulbalandan in https://github.com/codeigniter4/CodeIgniter4/pull/10354
* refactor(database): optimize `_processForeignKeys()` string allocations and loop invariants by @gr8man in https://github.com/codeigniter4/CodeIgniter4/pull/10351

## [v4.7.3](https://github.com/codeigniter4/CodeIgniter4/tree/v4.7.3) (2026-05-22)
[Full Changelog](https://github.com/codeigniter4/CodeIgniter4/compare/v4.7.2...v4.7.3)

Expand Down
2 changes: 1 addition & 1 deletion phpdoc.dist.xml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
<output>api/build/</output>
<cache>api/cache/</cache>
</paths>
<version number="4.7.3">
<version number="4.7.4">
<api format="php">
<source dsn=".">
<path>system</path>
Expand Down
2 changes: 1 addition & 1 deletion system/CodeIgniter.php
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ class CodeIgniter
/**
* The current version of CodeIgniter Framework
*/
public const CI_VERSION = '4.7.4-dev';
public const CI_VERSION = '4.7.4';

/**
* App startup time.
Expand Down
18 changes: 1 addition & 17 deletions user_guide_src/source/changelogs/v4.7.4.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
Version 4.7.4
#############

Release Date: Unreleased
Release Date: July 7, 2026

**4.7.4 release of CodeIgniter4**

Expand Down Expand Up @@ -55,22 +55,6 @@ SECURITY
Files uploaded without any extension (such as JavaScript ``Blob`` uploads)
are still accepted, since the rules validate the file content.

********
BREAKING
********

***************
Message Changes
***************

*******
Changes
*******

************
Deprecations
************

**********
Bugs Fixed
**********
Expand Down
2 changes: 1 addition & 1 deletion user_guide_src/source/conf.py
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
version = '4.7'

# The full version, including alpha/beta/rc tags.
release = '4.7.3'
release = '4.7.4'

# -- General configuration ---------------------------------------------------

Expand Down
12 changes: 2 additions & 10 deletions user_guide_src/source/installation/upgrade_474.rst
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,6 @@ Please refer to the upgrade instructions corresponding to your installation meth
:local:
:depth: 2

**********************
Mandatory File Changes
**********************

****************
Breaking Changes
****************
Expand Down Expand Up @@ -47,10 +43,6 @@ non-HTTPS, which may result in redirect loops.
IPv4-mapped form to ``Config\App::$proxyIPs``, e.g.,
``::ffff:192.168.5.21`` or ``::ffff:192.168.5.0/120``.

*********************
Breaking Enhancements
*********************

*************
Project Files
*************
Expand All @@ -71,12 +63,12 @@ and it is recommended that you merge the updated versions with your application:
Config
------

- @TODO
- No config files were changed in this release.

All Changes
===========

This is a list of all files in the **project space** that received changes;
many will be simple comments or formatting that have no effect on the runtime:

- @TODO
- No project files were changed in this release.
Loading