Upgrading from 4.7.3 to 4.7.4

Please refer to the upgrade instructions corresponding to your installation method.

Mandatory File Changes

Breaking Changes

HTTPS Detection Behind Proxies

For security reasons, IncomingRequest::isSecure() no longer trusts the X-Forwarded-Proto and Front-End-Https headers unless the request comes from a trusted proxy. See the Security advisory GHSA-7wmf-pw8j-mc78 for more information.

If your application runs behind a reverse proxy or load balancer that terminates TLS, you must register the proxy in Config\App::$proxyIPs, e.g.:

public array $proxyIPs = [
    '10.0.1.200'     => 'X-Forwarded-For',
    '192.168.5.0/24' => 'X-Forwarded-For',
];

Otherwise, isSecure(), force_https(), and Config\App::$forceGlobalSecureRequests will treat such requests as non-HTTPS, which may result in redirect loops.

Note

On dual-stack servers, a proxy’s IPv4 address may be reported as an IPv4-mapped IPv6 address (e.g., ::ffff:192.168.5.21), which does not match an IPv4 entry such as 192.168.5.0/24. In that case, add the IPv4-mapped form to Config\App::$proxyIPs, e.g., ::ffff:192.168.5.21 or ::ffff:192.168.5.0/120.

Breaking Enhancements

Project Files

Some files in the project space (root, app, public, writable) received updates. Due to these files being outside of the system scope they will not be changed without your intervention.

Note

There are some third-party CodeIgniter modules available to assist with merging changes to the project space: Explore on Packagist.

Content Changes

The following files received significant changes (including deprecations or visual adjustments) and it is recommended that you merge the updated versions with your application:

Config

  • @TODO

All Changes

This is a list of all files in the project space that received changes; many will be simple comments or formatting that have no effect on the runtime:

  • @TODO