Version 4.7.3
Release Date: May 22, 2026
4.7.3 release of CodeIgniter4
SECURITY
Validation: The ext_in file upload validation rule now validates the client filename extension and verifies that it matches the detected MIME type. Previously, ext_in only checked the MIME-derived guessed extension, so a file with a mismatched client extension could pass validation. See the Security advisory GHSA-2gr4-ppc7-7mhx for more information.
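The difference between a content-only check and a check that also ties the client extension to the detected MIME type, as an added PHP sketch that is not CodeIgniter's own code. The function names, the MIME table and the sample PNG bytes are constructed for illustration, and PHP's fileinfo extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Constructed MIME-to-extension table (an assumption for this sketch, not the framework's own).
const MIME_EXTENSIONS = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
];

// Hypothetical helper: extensions consistent with the detected content type.
function extensionsForContent(string $path): array
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return $mime === false ? [] : (MIME_EXTENSIONS[$mime] ?? []);
}

// Content-only check: passes whenever the MIME-derived extension is allowed,
// regardless of the filename the client supplied.
function contentOnlyCheck(string $path, array $allowed): bool
{
    return array_intersect(extensionsForContent($path), $allowed) !== [];
}

// Stricter check: the client extension must be allowed and must also be one
// of the extensions consistent with the detected MIME type.
function clientAndContentCheck(string $path, string $clientName, array $allowed): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return $ext !== ''
        && in_array($ext, $allowed, true)
        && in_array($ext, extensionsForContent($path), true);
}

// Constructed sample upload: PNG signature plus a 1x1 IHDR chunk (CRC zeroed).
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
    . pack('NNC5', 1, 1, 8, 6, 0, 0, 0) . "\0\0\0\0");

// Same PNG content under three client filenames: matching, allowed but
// inconsistent with the content, and not in the allow-list at all.
$allowed = ['png', 'jpg', 'jpeg'];
foreach (['avatar.png', 'avatar.jpg', 'avatar.php'] as $name) {
    printf("%-11s content-only=%s client+content=%s\n", $name,
        var_export(contentOnlyCheck($tmp, $allowed), true),
        var_export(clientAndContentCheck($tmp, $name, $allowed), true));
}
unlink($tmp);
```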
Message Changes
The Cache.invalidHandler message string was added.
Changes
Commands: The -h option for the routes command is renamed to --sort-by-handler to avoid conflict with the common use of -h as a shortcut for --help. The old -h option will continue to work until v4.8.0, at which point it will be removed and repurposed as a shortcut for --help. A warning message is displayed when using the old -h option to encourage users to switch to the new --sort-by-handler option.
Bugs Fixed
Autoloader: Fixed a bug where Autoloader::unregister() (used during tests) silently failed to remove handlers from the SPL autoload stack, causing closures to accumulate permanently.
CLI: Fixed a bug where CLI::generateDimensions() leaked stty error output (e.g., stty: 'standard input': Inappropriate ioctl for device) to stderr when stdin was not a TTY.
CLI: Fixed a bug where CLI::generateDimensions() leaked tput error output (tput: No value for $TERM and no -T specified) to stderr when the stty fallback was reached and the TERM environment variable was not set.
Commands: Fixed a bug in the env command where passing options only would cause the command to throw a TypeError instead of showing the current environment.
Commands: Fixed a bug in key:generate command where the regex used to locate the encryption.key line was fooled by a comment containing the substring (silently writing nothing), and did not handle DotEnv’s export encryption.key = ... syntax.
Commands: Fixed a bug in the serve command where the --host option was concatenated into the passthru() call without escapeshellarg(), letting shell metacharacters in the locally-supplied argument be interpreted by /bin/sh.
Common: Fixed a bug where the command() helper function did not properly clean up output buffers, which could lead to risky tests when exceptions were thrown.
Database: Fixed a bug where BaseConnection::listTables() could return a sparse array when using cached table names after a table was dropped.
Database: Fixed a bug where the PostgreSQL driver’s increment() and decrement() methods were not working for numeric columns.
Database: Fixed a bug where the SQLSRV driver’s decrement method was adding instead of subtracting the decrement value when $castTextToInt was false.
Config: Fixed a bug where the app starter’s zlib.output_compression guard rejected the valid disabled value Off.
Entity: Fixed a bug where Entity::normalizeValue() did not handle UnitEnum before checking for toArray(), causing enums implementing toArray() to be incorrectly normalized as generic objects instead of enums.
Kint: Fixed a bug where stale Content Security Policy nonces were reused in worker mode, causing browser CSP violations for Debug Toolbar assets.
Language: Fixed a bug where Language::getLine() returned the literal dot-notation key instead of the nested array value when the requested key resolved to an intermediate array three or more levels deep.
Toolbar: Fixed a bug where the Logs collector raised an undefined property error when using a third-party PSR-3 logger.
Time: Fixed a bug where Time::createFromTimestamp() could fail for microsecond timestamps when LC_NUMERIC used a comma decimal separator.
Validation: Fixed a bug where Validation::getValidated() dropped fields whose validated value was explicitly null.
Worker Mode: Fixed a bug where the frankenphp-worker.php template caused a Cannot redeclare class Config\Paths fatal error when FrankenPHP’s watcher re-executed the worker script after a watched file changed.
See the repo’s CHANGELOG.md for a complete list of bugs fixed.