Merge pull request from GHSA-hwxf-qxj7-7rfj

kenjis · web-flow · commit 423569fc31e2 · 2023-10-27T06:24:46.000+09:00
fix: detailed error report is displayed in production environment
diff --git a/app/Config/Boot/development.php b/app/Config/Boot/development.php
@@ -7,6 +7,8 @@
  | In development, we want to show as many errors as possible to help
  | make sure they don't make it to production. And save us hours of
  | painful debugging.
+ |
+ | If you set 'display_errors' to '1', CI4's detailed error report will show.
  */
 error_reporting(-1);
 ini_set('display_errors', '1');
diff --git a/app/Config/Boot/production.php b/app/Config/Boot/production.php
@@ -6,6 +6,8 @@
  |--------------------------------------------------------------------------
  | Don't show ANY in production environments. Instead, let the system catch
  | it and display a generic error message.
+ |
+ | If you set 'display_errors' to '1', CI4's detailed error report will show.
  */
 ini_set('display_errors', '0');
 error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED & ~E_STRICT & ~E_USER_NOTICE & ~E_USER_DEPRECATED);
diff --git a/app/Config/Boot/testing.php b/app/Config/Boot/testing.php
@@ -1,5 +1,11 @@
 <?php
 
+/*
+ * The environment testing is reserved for PHPUnit testing. It has special
+ * conditions built into the framework at various places to assist with that.
+ * You can’t use it for your development.
+ */
+
 /*
  |--------------------------------------------------------------------------
  | ERROR DISPLAY
diff --git a/app/Views/errors/html/error_404.php b/app/Views/errors/html/error_404.php
@@ -77,7 +77,7 @@
                 <?= nl2br(esc($message)) ?>
             <?php else : ?>
                 <?= lang('Errors.sorryCannotFind') ?>
-            <?php endif ?>
+            <?php endif; ?>
         </p>
     </div>
 </body>
diff --git a/app/Views/errors/html/error_exception.php b/app/Views/errors/html/error_exception.php
@@ -44,6 +44,7 @@
         <?php endif; ?>
     </div>
 
+    <?php if (defined('SHOW_DEBUG_BACKTRACE') && SHOW_DEBUG_BACKTRACE) : ?>
     <div class="container">
 
         <ul class="tabs" id="tabs">
@@ -66,7 +67,7 @@
                     <li>
                         <p>
                             <!-- Trace info -->
-                            <?php if (isset($row['file']) && is_file($row['file'])) :?>
+                            <?php if (isset($row['file']) && is_file($row['file'])) : ?>
                                 <?php
                                 if (isset($row['function']) && in_array($row['function'], ['include', 'include_once', 'require', 'require_once'], true)) {
                                     echo esc($row['function'] . ' ' . clean_path($row['file']));
@@ -375,14 +376,16 @@
         </div>  <!-- /tab-content -->
 
     </div> <!-- /container -->
+    <?php endif; ?>
 
     <div class="footer">
         <div class="container">
 
             <p>
                 Displayed at <?= esc(date('H:i:sa')) ?> &mdash;
                 PHP: <?= esc(PHP_VERSION) ?>  &mdash;
-                CodeIgniter: <?= esc(CodeIgniter::CI_VERSION) ?>
+                CodeIgniter: <?= esc(CodeIgniter::CI_VERSION) ?> --
+                Environment: <?= ENVIRONMENT ?>
             </p>
 
         </div>
diff --git a/system/Debug/ExceptionHandler.php b/system/Debug/ExceptionHandler.php
@@ -129,7 +129,13 @@ protected function determineView(Throwable $exception, string $templatePath): st
         // Production environments should have a custom exception file.
         $view = 'production.php';
 
-        if (str_ireplace(['off', 'none', 'no', 'false', 'null'], '', ini_get('display_errors')) !== '') {
+        if (
+            in_array(
+                strtolower(ini_get('display_errors')),
+                ['1', 'true', 'on', 'yes'],
+                true
+            )
+        ) {
             $view = 'error_exception.php';
         }
 
diff --git a/system/Debug/Exceptions.php b/system/Debug/Exceptions.php
@@ -253,7 +253,13 @@ protected function determineView(Throwable $exception, string $templatePath): st
         $view         = 'production.php';
         $templatePath = rtrim($templatePath, '\\/ ') . DIRECTORY_SEPARATOR;
 
-        if (str_ireplace(['off', 'none', 'no', 'false', 'null'], '', ini_get('display_errors')) !== '') {
+        if (
+            in_array(
+                strtolower(ini_get('display_errors')),
+                ['1', 'true', 'on', 'yes'],
+                true
+            )
+        ) {
             $view = 'error_exception.php';
         }
 
diff --git a/tests/system/Debug/ExceptionHandlerTest.php b/tests/system/Debug/ExceptionHandlerTest.php
@@ -70,6 +70,21 @@ public function testDetermineViewsRuntimeExceptionCode404(): void
         $this->assertSame('error_404.php', $viewFile);
     }
 
+    public function testDetermineViewsDisplayErrorsOffRuntimeException(): void
+    {
+        ini_set('display_errors', '0');
+
+        $determineView = $this->getPrivateMethodInvoker($this->handler, 'determineView');
+
+        $exception    = new RuntimeException('Exception');
+        $templatePath = APPPATH . 'Views/errors/html';
+        $viewFile     = $determineView($exception, $templatePath);
+
+        $this->assertSame('production.php', $viewFile);
+
+        ini_set('display_errors', '1');
+    }
+
     public function testCollectVars(): void
     {
         $collectVars = $this->getPrivateMethodInvoker($this->handler, 'collectVars');
diff --git a/user_guide_src/source/changelogs/v4.4.3.rst b/user_guide_src/source/changelogs/v4.4.3.rst
@@ -9,6 +9,13 @@ Release Date: Unreleased
     :local:
     :depth: 3
 
+SECURITY
+********
+
+- *Detailed Error Report is Displayed in Production Environment* was fixed.
+  See the `Security advisory GHSA-hwxf-qxj7-7rfj <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-hwxf-qxj7-7rfj>`_
+  for more information.
+
 BREAKING
 ********
 
diff --git a/user_guide_src/source/general/environments.rst b/user_guide_src/source/general/environments.rst
@@ -30,6 +30,8 @@ By default, CodeIgniter has three environments defined.
 If you want another environment, e.g., for staging, you can add custom environments.
 See `Adding Environments`_.
 
+.. _setting-environment:
+
 *******************
 Setting Environment
 *******************
diff --git a/user_guide_src/source/general/errors.rst b/user_guide_src/source/general/errors.rst
@@ -49,8 +49,12 @@ Error Reporting
 ---------------
 
 By default, CodeIgniter will display a detailed error report with all errors in the ``development`` and ``testing`` environments, and will not
-display any errors in the ``production`` environment. You can change this by setting the ``CI_ENVIRONMENT`` variable
-in the :ref:`.env <dotenv-file>` file.
+display any errors in the ``production`` environment.
+
+.. image:: ../images/error.png
+
+You can change your environment by setting the ``CI_ENVIRONMENT`` variable.
+See :ref:`setting-environment`.
 
 .. important:: Disabling error reporting DOES NOT stop logs from being written if there are errors.
 
diff --git a/user_guide_src/source/installation/upgrade_443.rst b/user_guide_src/source/installation/upgrade_443.rst
@@ -15,6 +15,14 @@ Please refer to the upgrade instructions corresponding to your installation meth
 Mandatory File Changes
 **********************
 
+error_exception.php
+===================
+
+The following file received significant changes and
+**you must merge the updated versions** with your application:
+
+- app/Views/errors/html/error_exception.php
+
 Breaking Changes
 ****************
 
@@ -48,3 +56,9 @@ This is a list of all files in the **project space** that received changes;
 many will be simple comments or formatting that have no effect on the runtime:
 
 - @TODO
+- app/Config/Boot/development.php
+- app/Config/Boot/production.php
+- app/Config/Boot/testing.php
+- app/Config/Filters.php
+- app/Views/errors/html/error_404.php
+- app/Views/errors/html/error_exception.php
