Release v4.1.2

app/Config/App.php

@@ -241,6 +241,8 @@ class App extends BaseConfig
 	 * Set a cookie name prefix if you need to avoid collisions.
 	 *
 	 * @var string
+	 *
+	 * @deprecated use Config\Cookie::$prefix property instead.
 	 */
 	public $cookiePrefix = '';
 
@@ -252,6 +254,8 @@ class App extends BaseConfig
 	 * Set to `.your-domain.com` for site-wide cookies.
 	 *
 	 * @var string
+	 *
+	 * @deprecated use Config\Cookie::$domain property instead.
 	 */
 	public $cookieDomain = '';
 
@@ -263,6 +267,8 @@ class App extends BaseConfig
 	 * Typically will be a forward slash.
 	 *
 	 * @var string
+	 *
+	 * @deprecated use Config\Cookie::$path property instead.
 	 */
 	public $cookiePath = '/';
 
@@ -274,19 +280,23 @@ class App extends BaseConfig
 	 * Cookie will only be set if a secure HTTPS connection exists.
 	 *
 	 * @var boolean
+	 *
+	 * @deprecated use Config\Cookie::$secure property instead.
 	 */
 	public $cookieSecure = false;
 
 	/**
 	 * --------------------------------------------------------------------------
-	 * Cookie HTTP Only
+	 * Cookie HttpOnly
 	 * --------------------------------------------------------------------------
 	 *
 	 * Cookie will only be accessible via HTTP(S) (no JavaScript).
 	 *
 	 * @var boolean
+	 *
+	 * @deprecated use Config\Cookie::$httponly property instead.
 	 */
-	public $cookieHTTPOnly = false;
+	public $cookieHTTPOnly = true;
 
 	/**
 	 * --------------------------------------------------------------------------
@@ -299,11 +309,18 @@ class App extends BaseConfig
 	 * - Strict
 	 * - ''
 	 *
+	 * Alternatively, you can use the constant names:
+	 * - `Cookie::SAMESITE_NONE`
+	 * - `Cookie::SAMESITE_LAX`
+	 * - `Cookie::SAMESITE_STRICT`
+	 *
 	 * Defaults to `Lax` for compatibility with modern browsers. Setting `''`
-	 * (empty string) means no SameSite attribute will be set on cookies. If
-	 * set to `None`, `$cookieSecure` must also be set.
+	 * (empty string) means default SameSite attribute set by browsers (`Lax`)
+	 * will be set on cookies. If set to `None`, `$cookieSecure` must also be set.
+	 *
+	 * @var string
 	 *
-       * @var string 'Lax'|'None'|'Strict'
+	 * @deprecated use Config\Cookie::$samesite property instead.
 	 */
 	public $cookieSameSite = 'Lax';
 

app/Config/Autoload.php

@@ -6,7 +6,7 @@
 
 /**
  * -------------------------------------------------------------------
- * AUTO-LOADER
+ * AUTOLOADER CONFIGURATION
  * -------------------------------------------------------------------
  *
  * This file defines the namespaces and class maps so the Autoloader
@@ -31,12 +31,12 @@ class Autoload extends AutoloadConfig
 	 * else you will need to modify all of those classes for this to work.
 	 *
 	 * Prototype:
-	 *
+	 *```
 	 *   $psr4 = [
 	 *       'CodeIgniter' => SYSTEMPATH,
 	 *       'App'	       => APPPATH
 	 *   ];
-	 *
+	 *```
 	 * @var array<string, string>
 	 */
 	public $psr4 = [
@@ -55,12 +55,30 @@ class Autoload extends AutoloadConfig
 	 * were being autoloaded through a namespace.
 	 *
 	 * Prototype:
-	 *
+	 *```
 	 *   $classmap = [
 	 *       'MyClass'   => '/path/to/class/file.php'
 	 *   ];
-	 *
+	 *```
 	 * @var array<string, string>
 	 */
 	public $classmap = [];
+
+	/**
+	 * -------------------------------------------------------------------
+	 * Files
+	 * -------------------------------------------------------------------
+	 * The files array provides a list of paths to __non-class__ files
+	 * that will be autoloaded. This can be useful for bootstrap operations
+	 * or for loading functions.
+	 *
+	 * Prototype:
+	 * ```
+	 *	  $files = [
+	 *	 	   '/path/to/my/file.php',
+	 *    ];
+	 * ```
+	 * @var array<int, string>
+	 */
+	public $files = [];
 }

app/Config/ContentSecurityPolicy.php

@@ -124,6 +124,14 @@ class ContentSecurityPolicy extends BaseConfig
 	 */
 	public $frameAncestors = null;
 
+	/**
+	 * The frame-src directive restricts the URLs which may
+	 * be loaded into nested browsing contexts.
+	 *
+	 * @var array|string|null
+	 */
+	public $frameSrc = null;
+
 	/**
 	 * Restricts the origins allowed to deliver video and audio.
 	 *

app/Config/Cookie.php

@@ -0,0 +1,119 @@
+<?php
+
+namespace Config;
+
+use CodeIgniter\Config\BaseConfig;
+use DateTimeInterface;
+
+class Cookie extends BaseConfig
+{
+	/**
+	 * --------------------------------------------------------------------------
+	 * Cookie Prefix
+	 * --------------------------------------------------------------------------
+	 *
+	 * Set a cookie name prefix if you need to avoid collisions.
+	 *
+	 * @var string
+	 */
+	public $prefix = '';
+
+	/**
+	 * --------------------------------------------------------------------------
+	 * Cookie Expires Timestamp
+	 * --------------------------------------------------------------------------
+	 *
+	 * Default expires timestamp for cookies. Setting this to `0` will mean the
+	 * cookie will not have the `Expires` attribute and will behave as a session
+	 * cookie.
+	 *
+	 * @var DateTimeInterface|integer|string
+	 */
+	public $expires = 0;
+
+	/**
+	 * --------------------------------------------------------------------------
+	 * Cookie Path
+	 * --------------------------------------------------------------------------
+	 *
+	 * Typically will be a forward slash.
+	 *
+	 * @var string
+	 */
+	public $path = '/';
+
+	/**
+	 * --------------------------------------------------------------------------
+	 * Cookie Domain
+	 * --------------------------------------------------------------------------
+	 *
+	 * Set to `.your-domain.com` for site-wide cookies.
+	 *
+	 * @var string
+	 */
+	public $domain = '';
+
+	/**
+	 * --------------------------------------------------------------------------
+	 * Cookie Secure
+	 * --------------------------------------------------------------------------
+	 *
+	 * Cookie will only be set if a secure HTTPS connection exists.
+	 *
+	 * @var boolean
+	 */
+	public $secure = false;
+
+	/**
+	 * --------------------------------------------------------------------------
+	 * Cookie HTTPOnly
+	 * --------------------------------------------------------------------------
+	 *
+	 * Cookie will only be accessible via HTTP(S) (no JavaScript).
+	 *
+	 * @var boolean
+	 */
+	public $httponly = true;
+
+	/**
+	 * --------------------------------------------------------------------------
+	 * Cookie SameSite
+	 * --------------------------------------------------------------------------
+	 *
+	 * Configure cookie SameSite setting. Allowed values are:
+	 * - None
+	 * - Lax
+	 * - Strict
+	 * - ''
+	 *
+	 * Alternatively, you can use the constant names:
+	 * - `Cookie::SAMESITE_NONE`
+	 * - `Cookie::SAMESITE_LAX`
+	 * - `Cookie::SAMESITE_STRICT`
+	 *
+	 * Defaults to `Lax` for compatibility with modern browsers. Setting `''`
+	 * (empty string) means default SameSite attribute set by browsers (`Lax`)
+	 * will be set on cookies. If set to `None`, `$secure` must also be set.
+	 *
+	 * @var string
+	 */
+	public $samesite = 'Lax';
+
+	/**
+	 * --------------------------------------------------------------------------
+	 * Cookie Raw
+	 * --------------------------------------------------------------------------
+	 *
+	 * This flag allows setting a "raw" cookie, i.e., its name and value are
+	 * not URL encoded using `rawurlencode()`.
+	 *
+	 * If this is set to `true`, cookie names should be compliant of RFC 2616's
+	 * list of allowed characters.
+	 *
+	 * @var boolean
+	 *
+	 * @see https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#attributes
+	 * @see https://tools.ietf.org/html/rfc2616#section-2.2
+	 */
+	public $raw = false;
+}

app/Config/Events.php

@@ -46,7 +46,7 @@
 	 * --------------------------------------------------------------------
 	 * If you delete, they will no longer be collected.
 	 */
-	if (CI_DEBUG)
+	if (CI_DEBUG && ! is_cli())
 	{
 		Events::on('DBQuery', 'CodeIgniter\Debug\Toolbar\Collectors\Database::collect');
 		Services::toolbar()->respond();

app/Config/Exceptions.php

@@ -45,4 +45,16 @@ class Exceptions extends BaseConfig
 	 * @var string
 	 */
 	public $errorViewPath = APPPATH . 'Views/errors';
+
+	/**
+	 * --------------------------------------------------------------------------
+	 * HIDE FROM DEBUG TRACE
+	 * --------------------------------------------------------------------------
+	 * Any data that you would like to hide from the debug trace.
+	 * In order to specify 2 levels, use "/" to separate.
+	 * ex. ['server', 'setup/password', 'secret_token']
+	 *
+	 * @var array
+	 */
+	public $sensitiveDataInTrace = [];
 }

app/Config/Logger.php

@@ -129,12 +129,27 @@ class Logger extends BaseConfig
 		 * The ChromeLoggerHandler requires the use of the Chrome web browser
 		 * and the ChromeLogger extension. Uncomment this block to use it.
 		 */
-		//      'CodeIgniter\Log\Handlers\ChromeLoggerHandler' => [
-		//          /*
-		//           * The log levels that this handler will handle.
-		//           */
-		//          'handles' => ['critical', 'alert', 'emergency', 'debug',
-		//                        'error', 'info', 'notice', 'warning'],
-		//      ]
+		// 'CodeIgniter\Log\Handlers\ChromeLoggerHandler' => [
+		//     /*
+		//      * The log levels that this handler will handle.
+		//      */
+		//     'handles' => ['critical', 'alert', 'emergency', 'debug',
+		//                   'error', 'info', 'notice', 'warning'],
+		// ],
+
+		/**
+		 * The ErrorlogHandler writes the logs to PHP's native `error_log()` function.
+		 * Uncomment this block to use it.
+		 */
+		// 'CodeIgniter\Log\Handlers\ErrorlogHandler' => [
+		// 		/* The log levels this handler can handle. */
+		// 		'handles' => ['critical', 'alert', 'emergency', 'debug', 'error', 'info', 'notice', 'warning'],
+		//
+		// 		/*
+		// 		 * The message type where the error should go. Can be 0 or 4, or use the
+		// 		 * class constants: `ErrorlogHandler::TYPE_OS` (0) or `ErrorlogHandler::TYPE_SAPI` (4)
+		// 		 */
+		// 		'messageType' => 0,
+		// ],
 	];
 }

app/Config/Mimes.php

@@ -335,6 +335,8 @@ class Mimes
 			'application/msword',
 			'application/x-zip',
 		],
+		'xlsb'  => 'application/vnd.ms-excel.sheet.binary.macroEnabled.12',
+		'xlsm'  => 'application/vnd.ms-excel.sheet.macroEnabled.12',
 		'word'  => [
 			'application/msword',
 			'application/octet-stream',

app/Config/Modules.php

@@ -12,7 +12,7 @@ class Modules extends BaseModules
 	 * --------------------------------------------------------------------------
 	 *
 	 * If true, then auto-discovery will happen across all elements listed in
-	 * $activeExplorers below. If false, no auto-discovery will happen at all,
+	 * $aliases below. If false, no auto-discovery will happen at all,
 	 * giving a slight performance boost.
 	 *
 	 * @var boolean

app/Config/Security.php

@@ -84,9 +84,12 @@ class Security extends BaseConfig
 	 * Allowed values are: None - Lax - Strict - ''.
 	 *
 	 * Defaults to `Lax` as recommended in this link:
+	 *
 	 * @see https://portswigger.net/web-security/csrf/samesite-cookies
 	 *
-       * @var string 'Lax'|'None'|'Strict'
+	 * @var string
+	 *
+	 * @deprecated
 	 */
 	public $samesite = 'Lax';
 }

app/Controllers/BaseController.php

@@ -3,6 +3,8 @@
 namespace App\Controllers;
 
 use CodeIgniter\Controller;
+use CodeIgniter\HTTP\CLIRequest;
+use CodeIgniter\HTTP\IncomingRequest;
 use CodeIgniter\HTTP\RequestInterface;
 use CodeIgniter\HTTP\ResponseInterface;
 use Psr\Log\LoggerInterface;
@@ -20,6 +22,13 @@
 
 class BaseController extends Controller
 {
+	/**
+	 * Instance of the main Request object.
+	 *
+	 * @var IncomingRequest|CLIRequest
+	 */
+	protected $request;
+
 	/**
 	 * An array of helpers to be loaded automatically upon
 	 * class instantiation. These helpers will be available