CVE-2023-46240: Merge pull request from GHSA-hwxf-qxj7-7rfj · codeigniter4/CodeIgniter4@423569f

CodeIgniter is a PHP full-stack web framework. Prior to CodeIgniter4 version 4.4.3, if an error or exception occurs, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked. Version 4.4.3 contains a patch. As a workaround, replace ini_set('display_errors', '0') with ini_set('display_errors', 'Off') in app/Config/Boot/production.php.


2 changes: 2 additions & 0 deletions app/Config/Boot/development.php


@@ -7,6 +7,8 @@

| In development, we want to show as many errors as possible to help

| make sure they don’t make it to production. And save us hours of

| painful debugging.

|

| If you set ‘display_errors’ to '1’, CI4’s detailed error report will show.

*/

error_reporting(-1);

ini_set('display_errors’, ‘1’);


2 changes: 2 additions & 0 deletions app/Config/Boot/production.php


@@ -6,6 +6,8 @@

|--------------------------------------------------------------------------

| Don’t show ANY in production environments. Instead, let the system catch

| it and display a generic error message.

|

| If you set ‘display_errors’ to '1’, CI4’s detailed error report will show.

*/

ini_set('display_errors’, ‘0’);

error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT & ~E_USER_NOTICE & ~E_USER_DEPRECATED);


6 changes: 6 additions & 0 deletions app/Config/Boot/testing.php

@@ -1,5 +1,11 @@

<?php

/*

* The environment testing is reserved for PHPUnit testing. It has special

* conditions built into the framework at various places to assist with that.

* You can’t use it for your development.

*/

/*

|--------------------------------------------------------------------------

| ERROR DISPLAY


2 changes: 1 addition & 1 deletion app/Views/errors/html/error_404.php


@@ -77,7 +77,7 @@

<?= nl2br(esc($message)) ?>

<?php else : ?>

<?= lang(‘Errors.sorryCannotFind’) ?>

<?php endif ?>

<?php endif; ?>

</p>

</div>

</body>


7 changes: 5 additions & 2 deletions app/Views/errors/html/error_exception.php


@@ -44,6 +44,7 @@

<?php endif; ?>

</div>

<?php if (defined(‘SHOW_DEBUG_BACKTRACE’) && SHOW_DEBUG_BACKTRACE) : ?>

<div class="container">

<ul class="tabs" id="tabs">
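Review bot: the new `defined('SHOW_DEBUG_BACKTRACE') && SHOW_DEBUG_BACKTRACE` guard opens here but its matching `<?php endif; ?>` only appears in the later hunk after `</div> <!-- /container -->`. Because the two ends of the conditional live in different hunks, please render the template once with the constant undefined, once set to `false` and once set to `true` to confirm the `<div class="container">` / `</div>` pairing stays balanced in all three cases.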


@@ -66,7 +67,7 @@

<li>

<p>

<!-- Trace info -->

<?php if (isset($row[‘file’]) && is_file($row[‘file’])) :?>

<?php if (isset($row[‘file’]) && is_file($row[‘file’])) : ?>

<?php

if (isset($row[‘function’]) && in_array($row[‘function’], ['include’, 'include_once’, 'require’, ‘require_once’], true)) {

echo esc($row[‘function’] . ' ' . clean_path($row[‘file’]));


@@ -375,14 +376,16 @@

</div> <!-- /tab-content -->

</div> <!-- /container -->

<?php endif; ?>

<div class="footer">

<div class="container">

<p>

Displayed at <?= esc(date(‘H:i:sa’)) ?> —

PHP: <?= esc(PHP_VERSION) ?> —

CodeIgniter: <?= esc(CodeIgniter::CI_VERSION) ?>

CodeIgniter: <?= esc(CodeIgniter::CI_VERSION) ?> –

Environment: <?= ENVIRONMENT ?>

</p>

</div>
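Review bot: `Environment: <?= ENVIRONMENT ?>` is the only interpolated value in this footer that is not wrapped in `esc()`; the neighbouring lines escape `PHP_VERSION` and `CodeIgniter::CI_VERSION`. `ENVIRONMENT` comes from configuration rather than request input, but `esc(ENVIRONMENT)` keeps the template uniformly escaped and costs nothing. Also, the separator appended to the new `CodeIgniter:` line is an en dash (`–`) while the two lines above use an em dash (`—`); pick one.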


8 changes: 7 additions & 1 deletion system/Debug/ExceptionHandler.php


@@ -129,7 +129,13 @@ protected function determineView(Throwable $exception, string $templatePath): st

// Production environments should have a custom exception file.

$view = 'production.php’;

if (str_ireplace(['off’, 'none’, 'no’, 'false’, ‘null’], '’, ini_get(‘display_errors’)) !== ‘’) {

if (

in_array(

strtolower(ini_get(‘display_errors’)),

['1’, 'true’, 'on’, ‘yes’],

true

)

) {

$view = 'error_exception.php’;

}
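Review bot: the allow-list `['1', 'true', 'on', 'yes']` is the actual fix. The removed deny-list test `str_ireplace([...], '', ini_get('display_errors')) !== ''` treated `'0'` as enabled, because `'0'` contains none of the stripped words and is therefore still non-empty, and `'0'` is exactly what `app/Config/Boot/production.php` sets. Two small points on the new form: `ini_get()` is typed `string|false`, so a `(string)` cast before `strtolower()` keeps the call safe under `strict_types` even though `display_errors` is always defined in practice; and values PHP itself honours for `display_errors`, such as `stderr` and `stdout`, now fall through to `production.php`. That is the fail-safe direction, but a one-line comment saying it is deliberate would stop someone widening the list later.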


8 changes: 7 additions & 1 deletion system/Debug/Exceptions.php


@@ -253,7 +253,13 @@ protected function determineView(Throwable $exception, string $templatePath): st

$view = 'production.php’;

$templatePath = rtrim($templatePath, '\\/ ') . DIRECTORY_SEPARATOR;

if (str_ireplace(['off’, 'none’, 'no’, 'false’, ‘null’], '’, ini_get(‘display_errors’)) !== ‘’) {

if (

in_array(

strtolower(ini_get(‘display_errors’)),

['1’, 'true’, 'on’, ‘yes’],

true

)

) {

$view = 'error_exception.php’;

}
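Review bot: this block duplicates the one added to `system/Debug/ExceptionHandler.php` verbatim; pulling the `in_array(strtolower(ini_get('display_errors')), [...], true)` test into a single shared helper would mean the next change to the accepted values has to be made in one place only. If the copy is intentional because `Exceptions.php` is the older handler, a comment pointing at the other copy would at least keep the two from drifting apart silently.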


15 changes: 15 additions & 0 deletions tests/system/Debug/ExceptionHandlerTest.php


@@ -70,6 +70,21 @@ public function testDetermineViewsRuntimeExceptionCode404(): void

$this->assertSame('error_404.php’, $viewFile);

}

public function testDetermineViewsDisplayErrorsOffRuntimeException(): void

{

ini_set('display_errors’, ‘0’);

$determineView = $this->getPrivateMethodInvoker($this->handler, ‘determineView’);

$exception = new RuntimeException(‘Exception’);

$templatePath = APPPATH . 'Views/errors/html’;

$viewFile = $determineView($exception, $templatePath);

$this->assertSame('production.php’, $viewFile);

ini_set('display_errors’, ‘1’);

}

public function testCollectVars(): void

{

$collectVars = $this->getPrivateMethodInvoker($this->handler, ‘collectVars’);
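Review bot: `testDetermineViewsDisplayErrorsOffRuntimeException` restores `display_errors` to `'1'` only on the success path; if `assertSame('production.php', $viewFile)` fails, the changed ini value leaks into every later test in the run. Save the original with `$orig = ini_get('display_errors');` and restore it in a `finally` block (or in `tearDown()`) rather than hard-coding `'1'`. It would also be worth turning this into a data-provider test covering `'Off'`, `'off'`, `'false'`, `'no'` and `''` alongside `'0'`, so the allow-list in `determineView()` is exercised on more than the single value that triggered the advisory.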


7 changes: 7 additions & 0 deletions user_guide_src/source/changelogs/v4.4.3.rst


@@ -9,6 +9,13 @@ Release Date: Unreleased

:local:

:depth: 3

SECURITY

********

- *Detailed Error Report is Displayed in Production Environment* was fixed.

See the `Security advisory GHSA-hwxf-qxj7-7rfj https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj\`_

for more information.

BREAKING

********
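Review bot: as rendered here the advisory reference reads `` `Security advisory GHSA-hwxf-qxj7-7rfj https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj\`_ `` with no `<...>` around the URL and an escaped backtick; the Sphinx external-link form is `` `link text <url>`_ ``. Please check that the source line builds as a hyperlink rather than as literal text in the rendered changelog.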


2 changes: 2 additions & 0 deletions user_guide_src/source/general/environments.rst


@@ -30,6 +30,8 @@ By default, CodeIgniter has three environments defined.

If you want another environment, e.g., for staging, you can add custom environments.

See `Adding Environments`_.

… _setting-environment:

*******************

Setting Environment

*******************


8 changes: 6 additions & 2 deletions user_guide_src/source/general/errors.rst


@@ -49,8 +49,12 @@ Error Reporting

---------------

By default, CodeIgniter will display a detailed error report with all errors in the ``development`` and ``testing`` environments, and will not

display any errors in the ``production`` environment. You can change this by setting the ``CI_ENVIRONMENT`` variable

in the :ref:`.env <dotenv-file>` file.

display any errors in the ``production`` environment.

… image:: …/images/error.png

You can change your environment by setting the ``CI_ENVIRONMENT`` variable.

See :ref:`setting-environment`.

… important:: Disabling error reporting DOES NOT stop logs from being written if there are errors.
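Review bot: the rewritten paragraph still says which environments show errors but not which `display_errors` values switch the detailed report on. Since the handler hunks in this commit accept only `1`, `true`, `on` and `yes`, a sentence here listing those values, and stating that both `0` and `Off` disable the report, would head off the exact confusion this advisory is about.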


14 changes: 14 additions & 0 deletions user_guide_src/source/installation/upgrade_443.rst


@@ -15,6 +15,14 @@ Please refer to the upgrade instructions corresponding to your installation meth

Mandatory File Changes

**********************

error_exception.php

===================

The following file received significant changes and

**you must merge the updated versions** with your application:

- app/Views/errors/html/error_exception.php

Breaking Changes

****************


@@ -48,3 +56,9 @@ This is a list of all files in the **project space** that received changes;

many will be simple comments or formatting that have no effect on the runtime:

- @TODO

- app/Config/Boot/development.php

- app/Config/Boot/production.php

- app/Config/Boot/testing.php

- app/Config/Filters.php

- app/Views/errors/html/error_404.php

- app/Views/errors/html/error_exception.php
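Review bot: the `- @TODO` entry at the head of the changed-files list is still a placeholder; either fill it in or drop it before the 4.4.3 upgrade notes are published.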

Related news

GHSA-hwxf-qxj7-7rfj: CodeIgniter4 vulnerable to information disclosure when detailed error report is displayed in production environment

### Impact

If an error or exception occurs in CodeIgniter4 v4.4.2 and earlier, a detailed error report is displayed even if in the production environment. As a result, confidential information may be leaked.

### Patches

Upgrade to v4.4.3 or later. See [upgrading guide](https://codeigniter4.github.io/userguide/installation/upgrade_443.html).

### Workarounds

Replace `ini_set('display_errors', '0')` with `ini_set('display_errors', 'Off')` in `app/Config/Boot/production.php`.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [codeigniter4/CodeIgniter4](https://github.com/codeigniter4/CodeIgniter4/issues)
* Email us at [SECURITY.md](https://github.com/codeigniter4/CodeIgniter4/blob/develop/SECURITY.md)
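To make the advisory's `'0'` versus `'Off'` distinction concrete, here is an added example (my own code, not CodeIgniter's) that runs the pre-4.4.3 predicate from the `determineView()` hunks above side by side with the 4.4.3 allow-list over a set of constructed `display_errors` values; the function names and sample values are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not CodeIgniter's own code. Both predicates are copied from the
// determineView() hunks in this commit; the "before" form is kept as it was,
// defect included, so the leak can be seen.

/** Pre-4.4.3 test: anything not literally off/none/no/false/null counts as enabled. */
function detailedViewBefore(string $displayErrors): bool
{
    // '0' contains none of the stripped words, so it survives as '0' and is !== ''.
    return str_ireplace(['off', 'none', 'no', 'false', 'null'], '', $displayErrors) !== '';
}

/** 4.4.3 test: explicit allow-list, compared strictly after lower-casing. */
function detailedViewAfter(string $displayErrors): bool
{
    return in_array(strtolower($displayErrors), ['1', 'true', 'on', 'yes'], true);
}

/** Classify one value under both rules; callers would pass (string) ini_get('display_errors'). */
function classify(string $displayErrors): array
{
    return [
        'before' => detailedViewBefore($displayErrors) ? 'DETAILED' : 'generic',
        'after'  => detailedViewAfter($displayErrors) ? 'DETAILED' : 'generic',
    ];
}

// Constructed sample values: the production.php default '0', the advisory's 'Off'
// workaround, the development default '1', and PHP's own stderr target.
$samples = ['0', '1', 'Off', 'off', 'On', 'stderr', '', 'no'];

printf("%-10s %-10s %-10s\n", 'value', 'before', 'after');
foreach ($samples as $value) {
    $r = classify($value);
    // Expected: '0' -> DETAILED / generic (the bug); 'Off' -> generic / generic;
    // 'stderr' -> DETAILED / generic (fail-safe under the allow-list).
    printf("%-10s %-10s %-10s\n", var_export($value, true), $r['before'], $r['after']);
}
```

The `'0'` row is the whole advisory in one line: PHP treats `'0'` as display off, but the old deny-list never mentioned it, so CodeIgniter picked the detailed template in production.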
