Merge remote-tracking branch 'upstream/develop' into 4.8

Author: michalsn

system/Autoloader/FileLocator.php

@@ -330,19 +330,7 @@ public function listFiles(string $path): array
         helper('filesystem');
 
         foreach ($this->getNamespaces() as $namespace) {
-            $fullPath     = $namespace['path'] . $path;
-            $resolvedPath = realpath($fullPath);
-            $fullPath     = $resolvedPath !== false ? $resolvedPath : $fullPath;
-
-            if (! is_dir($fullPath)) {
-                continue;
-            }
-
-            $tempFiles = get_filenames($fullPath, true, false, false);
-
-            if ($tempFiles !== []) {
-                $files = array_merge($files, $tempFiles);
-            }
+            $files = array_merge($files, get_filenames($namespace['path'] . $path, true, false, false));
         }
 
         return $files;

system/CodeIgniter.php

@@ -194,6 +194,29 @@ public function resetForWorkerMode(): void
         // Reset timing
         $this->startTime = null;
         $this->totalTime = 0;
+
+        $this->resetKintForWorkerMode();
+    }
+
+    /**
+     * Resets Kint request-specific state for worker mode.
+     */
+    private function resetKintForWorkerMode(): void
+    {
+        if (! CI_DEBUG || ! class_exists(Kint::class, false)) {
+            return;
+        }
+
+        $csp = service('csp');
+        if ($csp->enabled()) {
+            RichRenderer::$js_nonce  = $csp->getScriptNonce();
+            RichRenderer::$css_nonce = $csp->getStyleNonce();
+        } else {
+            RichRenderer::$js_nonce  = null;
+            RichRenderer::$css_nonce = null;
+        }
+
+        RichRenderer::$needs_pre_render = true;
     }
 
     /**

tests/system/CodeIgniterTest.php

@@ -30,6 +30,7 @@
 use Config\Filters as FiltersConfig;
 use Config\Modules;
 use Config\Routing;
+use Kint\Renderer\RichRenderer;
 use PHPUnit\Framework\Attributes\BackupGlobals;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Group;
@@ -1270,6 +1271,15 @@ public function testRouteAttributesDisabledInConfig(): void
 
     public function testResetForWorkerMode(): void
     {
+        $this->resetServices();
+
+        $appConfig             = config(App::class);
+        $appConfig->CSPEnabled = true;
+
+        RichRenderer::$js_nonce         = 'stale-script-nonce';
+        RichRenderer::$css_nonce        = 'stale-style-nonce';
+        RichRenderer::$needs_pre_render = false;
+
         $config      = new App();
         $codeigniter = new MockCodeIgniter($config);
 
@@ -1289,5 +1299,11 @@ public function testResetForWorkerMode(): void
         $this->assertNull($this->getPrivateProperty($codeigniter, 'controller'));
         $this->assertNull($this->getPrivateProperty($codeigniter, 'method'));
         $this->assertNull($this->getPrivateProperty($codeigniter, 'output'));
+
+        $csp = service('csp');
+
+        $this->assertSame($csp->getScriptNonce(), RichRenderer::$js_nonce);
+        $this->assertSame($csp->getStyleNonce(), RichRenderer::$css_nonce);
+        $this->assertTrue(RichRenderer::$needs_pre_render);
     }
 }

user_guide_src/source/_static/js/version_switcher.js

@@ -0,0 +1,119 @@
+/*
+ * Version switcher for the user guide sidebar.
+ *
+ * Injects the sphinx_rtd_theme's native ".switch-menus > .version-switch"
+ * scaffolding above the search box in the left sidebar, containing a <select>
+ * so readers can jump between:
+ *   - stable:               https://codeigniter.com/user_guide/
+ *   - latest (in-progress): https://codeigniter4.github.io/userguide/
+ *   - local build:          file:// or localhost, etc. (only shown when not on a deployed host)
+ */
+(() => {
+	const VERSIONS = [
+		{
+			slug: 'stable',
+			label: 'Stable',
+			host: 'codeigniter.com',
+			pathPrefix: '/user_guide/',
+		},
+		{
+			slug: 'latest (in-progress)',
+			label: 'Latest (in-progress)',
+			host: 'codeigniter4.github.io',
+			pathPrefix: '/userguide/',
+		},
+	];
+
+	const LOCAL = Object.freeze({
+		slug: 'local build',
+		label: 'Local build',
+		host: null,
+		pathPrefix: null,
+	});
+
+	const detect_current = () =>
+		VERSIONS.find((version) => version.host === window.location.hostname) ?? LOCAL;
+
+	/*
+	 * Derive the absolute URL of the documentation root by inspecting the
+	 * <script> tag Sphinx always injects for documentation_options.js. Its
+	 * resolved .src is absolute, so we can back out the directory that
+	 * contains _static/, which is the doc root. This works identically for
+	 * http(s), file://, and localhost.
+	 */
+	const doc_root_url = () => {
+		const opts = document.querySelector('script[src*="documentation_options.js"]');
+
+		if (!opts) {
+			return null;
+		}
+
+		const idx = opts.src.lastIndexOf('/_static/');
+
+		return idx < 0 ? null : opts.src.slice(0, idx + 1);
+	};
+
+	const current_page_path = () => {
+		const root = doc_root_url();
+
+		if (!root) {
+			return '';
+		}
+
+        const here = window.location.href.split('#')[0].split('?')[0];
+
+        return here.startsWith(root) ? here.slice(root.length) : '';
+	};
+
+	const url_for = ({ host, pathPrefix }) =>
+		`https://${host}${pathPrefix}${current_page_path()}${window.location.hash}`;
+
+	const build = () => {
+		const searchArea = document.querySelector('.wy-side-nav-search');
+		const searchForm = searchArea?.querySelector('[role="search"]');
+
+		if (!searchArea || !searchForm) {
+			return;
+		}
+
+        if (searchArea.querySelector('.switch-menus')) {
+			return;
+		}
+
+		const current = detect_current();
+		const entries = current === LOCAL ? [LOCAL, ...VERSIONS] : VERSIONS;
+
+		const select = document.createElement('select');
+		select.setAttribute('aria-label', 'Select documentation version');
+
+		for (const entry of entries) {
+			const option = document.createElement('option');
+			option.value = entry.host ? url_for(entry) : '';
+			option.textContent = entry.label;
+			option.selected = entry.slug === current.slug;
+			select.append(option);
+		}
+
+		select.addEventListener('change', () => {
+			if (select.value) {
+				window.location.href = select.value;
+			}
+		});
+
+		const versionSwitch = document.createElement('div');
+		versionSwitch.className = 'version-switch';
+		versionSwitch.append(select);
+
+		const switchMenus = document.createElement('div');
+		switchMenus.className = 'switch-menus';
+		switchMenus.append(versionSwitch);
+
+		searchArea.insertBefore(switchMenus, searchForm);
+	};
+
+	if (document.readyState === 'loading') {
+		document.addEventListener('DOMContentLoaded', build, { once: true });
+	} else {
+		build();
+	}
+})();

user_guide_src/source/changelogs/v4.7.2.rst

@@ -15,8 +15,8 @@ Bugs Fixed
 **********
 
 - **Security:** Fixed a bug where the CSRF filter could corrupt JSON request bodies after successful
-    verification when the CSRF token was provided via the ``X-CSRF-TOKEN`` header.
-    This caused ``IncomingRequest::getJSON()`` to fail on valid ``application/json`` requests.
+  verification when the CSRF token was provided via the ``X-CSRF-TOKEN`` header.
+  This caused ``IncomingRequest::getJSON()`` to fail on valid ``application/json`` requests.
 
 See the repo's
 `CHANGELOG.md <https://github.com/codeigniter4/CodeIgniter4/blob/develop/CHANGELOG.md>`_

user_guide_src/source/changelogs/v4.7.3.rst

@@ -25,8 +25,8 @@ Changes
 *******
 
 - **Commands:** The ``-h`` option for the ``routes`` command is renamed to ``--sort-by-handler`` to avoid conflict with the common use of ``-h`` as a shortcut for ``--help``.
-    The old ``-h`` option will continue to work until v4.8.0, at which point it will be removed and repurposed as a shortcut for ``--help``.
-    A warning message is displayed when using the old ``-h`` option to encourage users to switch to the new ``--sort-by-handler`` option.
+  The old ``-h`` option will continue to work until v4.8.0, at which point it will be removed and repurposed as a shortcut for ``--help``.
+  A warning message is displayed when using the old ``-h`` option to encourage users to switch to the new ``--sort-by-handler`` option.
 
 ************
 Deprecations
@@ -40,6 +40,7 @@ Bugs Fixed
 - **CLI:** Fixed a bug where ``CLI::generateDimensions()`` leaked ``stty`` error output (e.g., ``stty: 'standard input': Inappropriate ioctl for device``) to stderr when stdin was not a TTY.
 - **Commands:** Fixed a bug in the ``env`` command where passing options only would cause the command to throw a ``TypeError`` instead of showing the current environment.
 - **Common:** Fixed a bug where the ``command()`` helper function did not properly clean up output buffers, which could lead to risky tests when exceptions were thrown.
+- **Kint:** Fixed a bug where stale Content Security Policy nonces were reused in worker mode, causing browser CSP violations for Debug Toolbar assets.
 - **Validation:** Fixed a bug where ``Validation::getValidated()`` dropped fields whose validated value was explicitly ``null``.
 
 See the repo's

user_guide_src/source/conf.py

@@ -111,7 +111,8 @@
 # A list of JS files.
 html_js_files = [
 	'js/citheme.js',
-	'js/carbon.js'
+	'js/carbon.js',
+	'js/version_switcher.js'
 ]
 
 # -- Options for LaTeX output --------------------------------------------------

user_guide_src/source/general/ajax.rst

@@ -2,11 +2,11 @@
 AJAX Requests
 ##############
 
-The ``IncomingRequest::isAJAX()`` method uses the ``X-Requested-With`` header to define whether the request is XHR or normal. However, the most recent JavaScript implementations (i.e., fetch) no longer send this header along with the request, thus the use of ``IncomingRequest::isAJAX()`` becomes less reliable, because without this header it is not possible to define whether the request is or not XHR.
+The ``IncomingRequest::isAJAX()`` method uses the ``X-Requested-With`` header to define whether the request is XHR or normal. However, modern JavaScript APIs such as ``fetch`` no longer send this header by default, so ``IncomingRequest::isAJAX()`` becomes less reliable without additional configuration.
 
-To get around this problem, the most efficient solution (so far) is to manually define the request header, forcing the information to be sent to the server, which will then be able to identify that the request is XHR.
+To work around this problem, manually define the request header so the server can identify the request as XHR.
 
-Here's how to force the ``X-Requested-With`` header to be sent in the Fetch API and other JavaScript libraries.
+Here are common ways to send the ``X-Requested-With`` header in the Fetch API and other JavaScript libraries.
 
 .. contents::
     :local:
@@ -28,41 +28,54 @@ Fetch API
 Axios
 =====
 
-If you are using Axios, it also does not include the ``X-Requested-With`` header by default.
+Axios does not include the ``X-Requested-With`` header by default.
 You can add it globally as follows:
 
 .. code-block:: javascript
 
     axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
 
 
-jQuery
-======
-
-For libraries like jQuery for example, it is not necessary to make explicit the sending of this header, because according to the `official documentation <https://api.jquery.com/jquery.ajax/>`_ it is a standard header for all requests ``$.ajax()``. But if you still want to force the shipment to not take risks, just do it as follows:
+If you prefer to avoid global defaults, create an Axios instance instead:
 
 .. code-block:: javascript
 
-    $.ajax({
-        url: "your url",
-        headers: {'X-Requested-With': 'XMLHttpRequest'}
+    const api = axios.create({
+        headers: {
+            'X-Requested-With': 'XMLHttpRequest'
+        }
     });
 
-VueJS
-=====
 
-In VueJS you just need to add the following code to the ``created`` function, as long as you are using Axios for this type of request.
+Vue.js
+-------
+
+Vue does not require a specific HTTP client. If your Vue app uses Axios, configure Axios once during application bootstrap or in a shared API module, and reuse that configuration throughout the app.
+
+React
+-----
+
+React also does not provide a built-in HTTP client. If your React app uses Axios, reuse the shared Axios configuration above, or set the header for an individual request when needed:
 
 .. code-block:: javascript
 
-    axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
+    axios.get('your url', {
+        headers: {
+            'X-Requested-With': 'XMLHttpRequest'
+        }
+    })
 
-React
-=====
+jQuery
+======
+
+For libraries like jQuery for example, it is not necessary to make explicit the sending of this header, because according to the `official documentation <https://api.jquery.com/jquery.ajax/>`_ it is a standard header for all requests ``$.ajax()``. But if you still want to force the shipment to not take risks, just do it as follows:
 
 .. code-block:: javascript
 
-    axios.get("your url", {headers: {'Content-Type': 'application/json'}})
+    $.ajax({
+        url: "your url",
+        headers: {'X-Requested-With': 'XMLHttpRequest'}
+    });
 
 htmx
 ====
@@ -74,3 +87,14 @@ You can use `ajax-header <https://github.com/bigskysoftware/htmx-extensions/blob
     <body hx-ext="ajax-header">
     ...
     </body>
+
+
+Or you can set the header manually with ``hx-headers``:
+
+.. code-block:: html
+
+    <button
+        hx-post="/your-url"
+        hx-headers='{"X-Requested-With": "XMLHttpRequest"}'>
+        Send Request
+    </button>