From bf6f06bfa67ecb3ac225c58388d00074002d46d4 Mon Sep 17 00:00:00 2001
From: memleakd <121398829+memleakd@users.noreply.github.com>
Date: Sat, 25 Apr 2026 01:22:01 +0200
Subject: [PATCH] fix: reset Kint CSP state in worker mode
Signed-off-by: memleakd <121398829+memleakd@users.noreply.github.com>
---
 system/CodeIgniter.php | 23 +++++++++++++++++++++
 tests/system/CodeIgniterTest.php | 16 ++++++++++++++
 user_guide_src/source/changelogs/v4.7.3.rst | 1 +
 3 files changed, 40 insertions(+)
diff --git a/system/CodeIgniter.php b/system/CodeIgniter.php
index da3a438d0e25..dcc8fd33ede9 100644
--- a/system/CodeIgniter.php
+++ b/system/CodeIgniter.php
@@ -208,6 +208,29 @@ public function resetForWorkerMode(): void
 // Reset timing
 $this->startTime = null;
 $this->totalTime = 0;
+
+ $this->resetKintForWorkerMode();
+ }
+
+ /**
+ * Resets Kint request-specific state for worker mode.
+ */
+ private function resetKintForWorkerMode(): void
+ {
+ if (! CI_DEBUG || ! class_exists(Kint::class, false)) {
+ return;
+ }
+
+ $csp = service('csp');
+ if ($csp->enabled()) {
+ RichRenderer::$js_nonce = $csp->getScriptNonce();
+ RichRenderer::$css_nonce = $csp->getStyleNonce();
+ } else {
+ RichRenderer::$js_nonce = null;
+ RichRenderer::$css_nonce = null;
+ }
+
+ RichRenderer::$needs_pre_render = true;
+ }
+
+ /**
diff --git a/tests/system/CodeIgniterTest.php b/tests/system/CodeIgniterTest.php
index e4bc8a9e2cd5..e5d371bfb941 100644
--- a/tests/system/CodeIgniterTest.php
+++ b/tests/system/CodeIgniterTest.php
@@ -30,6 +30,7 @@
 use Config\Filters as FiltersConfig;
 use Config\Modules;
 use Config\Routing;
+use Kint\Renderer\RichRenderer;
 use PHPUnit\Framework\Attributes\BackupGlobals;
 use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\Attributes\Group;
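Review bot: In `resetKintForWorkerMode()`, the nonce copied into `RichRenderer::$js_nonce`/`$css_nonce` is whatever the shared `service('csp')` instance holds at the moment `resetForWorkerMode()` runs, so if the worker loop re-creates or resets the CSP service (and with it the nonce) after this call, Kint would once more hold the previous response's nonce and the Debug Toolbar assets would be blocked again; the worker loop is not visible in this hunk, so please confirm the ordering. A why-comment would pin that contract for the next maintainer: `// Must run after the per-request CSP service is (re)created: the nonce copied here has to be the one the response headers will carry.` The `else` branch clears the nonces rather than leaving an old value behind when CSP is off, which deserves a one-liner too, e.g. `// No CSP on this request: drop any nonce left over from a previous one.` Nonce-based CSP only protects a response if each response's nonce is fresh and unguessable; this change keeps Kint in step with the header, but that uniqueness still rests on the CSP service regenerating its nonce per request, which I cannot verify from here. `resetForWorkerMode()` begins before this hunk and the docblock opened by the final `+ /**` continues after it.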
@@ -1273,6 +1274,15 @@ public function testRouteAttributesDisabledInConfig(): void
 public function testResetForWorkerMode(): void
 {
+ $this->resetServices();
+
+ $appConfig = config(App::class);
+ $appConfig->CSPEnabled = true;
+
+ RichRenderer::$js_nonce = 'stale-script-nonce';
+ RichRenderer::$css_nonce = 'stale-style-nonce';
+ RichRenderer::$needs_pre_render = false;
+
 $config = new App();
 $codeigniter = new MockCodeIgniter($config);
@@ -1292,5 +1302,11 @@ public function testResetForWorkerMode(): void
 $this->assertNull($this->getPrivateProperty($codeigniter, 'controller'));
 $this->assertNull($this->getPrivateProperty($codeigniter, 'method'));
 $this->assertNull($this->getPrivateProperty($codeigniter, 'output'));
+
+ $csp = service('csp');
+
+ $this->assertSame($csp->getScriptNonce(), RichRenderer::$js_nonce);
+ $this->assertSame($csp->getStyleNonce(), RichRenderer::$css_nonce);
+ $this->assertTrue(RichRenderer::$needs_pre_render);
 }
 }
diff --git a/user_guide_src/source/changelogs/v4.7.3.rst b/user_guide_src/source/changelogs/v4.7.3.rst
index 677e1072500b..b53dce77a93d 100644
--- a/user_guide_src/source/changelogs/v4.7.3.rst
+++ b/user_guide_src/source/changelogs/v4.7.3.rst
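Review bot: The new assertions in `testResetForWorkerMode()` cover only the `CSPEnabled = true` path; the `else` branch of `resetKintForWorkerMode()` that nulls the nonces when CSP is disabled is never exercised, so a regression that leaves `'stale-script-nonce'` in place would still pass this suite. The static `RichRenderer` properties set at the top of the test are also not restored afterwards, which can leak into later tests in the same process; clearing them in `tearDown()` (or after the final assertion) would keep the suite hermetic. How `service('csp')` picks up the `config(App::class)` change versus the separate `new App()` handed to `MockCodeIgniter` is not visible here, so I am assuming the CSP service reads the shared config instance. The middle of the test, including the `resetForWorkerMode()` call itself, lies between the two hunks. A second test along these lines would close the gap:

```php
public function testResetForWorkerModeClearsKintNoncesWhenCSPDisabled(): void
{
    $this->resetServices();

    $appConfig             = config(App::class);
    $appConfig->CSPEnabled = false;

    RichRenderer::$js_nonce         = 'stale-script-nonce';
    RichRenderer::$css_nonce        = 'stale-style-nonce';
    RichRenderer::$needs_pre_render = false;

    $codeigniter = new MockCodeIgniter(new App());
    $codeigniter->resetForWorkerMode();

    $this->assertNull(RichRenderer::$js_nonce);
    $this->assertNull(RichRenderer::$css_nonce);
    $this->assertTrue(RichRenderer::$needs_pre_render);
}
```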
@@ -40,6 +40,7 @@ Bugs Fixed
 - **CLI:** Fixed a bug where ``CLI::generateDimensions()`` leaked ``stty`` error output (e.g., ``stty: 'standard input': Inappropriate ioctl for device``) to stderr when stdin was not a TTY.
 - **Commands:** Fixed a bug in the ``env`` command where passing options only would cause the command to throw a ``TypeError`` instead of showing the current environment.
 - **Common:** Fixed a bug where the ``command()`` helper function did not properly clean up output buffers, which could lead to risky tests when exceptions were thrown.
+- **Kint:** Fixed a bug where stale Content Security Policy nonces were reused in worker mode, causing browser CSP violations for Debug Toolbar assets.
 - **Validation:** Fixed a bug where ``Validation::getValidated()`` dropped fields whose validated value was explicitly ``null``.
See the repo's