Security: patch critical vulnerabilities and bump to v0.31.4.0

- Mitigate Stored XSS in UserController by enforcing `esc()` on blacklist notes.
- Fortify Fileeditor to prevent Authorization Bypass by extending `isHiddenPath()` validation to all file operations, safeguarding `.env` and system structures.
- Implement strict allowlist filtering (`preg_replace_callback`) to block `srcdoc` XSS exploits in the Settings Map iframe config.
- Enforce `html_purify` validation on Pages module endpoints to neutralize injected XSS.
- Replace volatile cache-based install guard with a secure persistent `install.lock` mechanism in both web `InstallFilter` and CLI setup, fixing a critical re-entry bypass.
- Resolve CRLF Injection inside environment setup by rigorously stripping carriage returns from untrusted inputs (`Install.php`).
- Update the system version parameters to 0.31.4.0 across setup processes.
- Honor security researcher 'offset' in the README.md Security Hall of Fame.

Author: bertugfahriozer

CHANGELOG.md

@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) conventions adapted to the existing four-component version numbers.
 
+## [0.31.4.0] - 2026-04-06
+
+### Security
+
+- **XSS Protection:** Mitigated Stored XSS vulnerability in `UserController` by wrapping blacklist status notes in `esc()`.
+- **Authorization Bypass:** Fortified `Fileeditor` module by implementing `isHiddenPath` validation across all file operations (`readFile`, `saveFile`, `createFile`, `createFolder`, `renameFile`, `deleteFileOrFolder`), preventing unauthorized disclosure and modification of protected system files like `.env` and `composer.json`.
+- **Settings Security:** Reformed Google Maps iframe validation (`cMap`) in `Settings` controller to utilize a strict `preg_replace_callback` allowlist, mitigating a sophisticated srcdoc-based Cross-Site Scripting (XSS) exploit.
+- **Pages Security:** Appended the stringent `html_purify` validation rule to page creation and update flows to intercept and neutralize injected JavaScript securely.
+- **Installation Integrity:** Eliminated a volatile cache-dependent installation guard in favor of a persistent filesystem lock (`install.lock`) verification within both Web (`InstallFilter`) and CLI (`Ci4msSetup.php`) boot lifecycles. This successfully remediates a critical post-installation re-entry bypass.
+- **Input Validation:** Patched a CRLF Injection flaw within the initial environment setup by meticulously stripping `\r\n` carriage returns from arbitrary injected payload components inside `Install.php`.
+
 ## [0.31.3.0] - 2026-04-02
 
 ### Added
@@ -226,6 +237,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 
 - Expanded database migrations and introduced new supporting libraries.
 
+[0.31.4.0]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.4.0
+[0.31.3.0]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.3.0
 [0.31.2.0]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.2.0
 [0.31.1.0]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.1.0
 [0.31.0.0]: https://github.com/ci4-cms-erp/ci4ms/releases/tag/0.31.0.0

README.md

@@ -196,5 +196,6 @@ A huge thank you to the security researchers who have helped make **ci4ms** more
 | **[Hunter.](https://github.com/LAW6ZX7)** | Identified Critical Stored XSS in Backend & Blog modules allowing Session Hijacking. | Feb 2026 |
 | **[m1scher](https://github.com/m1scher)** | Assisted with vulnerability triaging and security testing. | Feb 2026 |
 | **[alpernae](https://github.com/alpernae)** | Assisted with vulnerability triaging and security testing. | Feb 2026 |
+| **[offset](https://github.com/offset)** | Identified Critical vulnerabilities including multiple Stored XSS, Authorization Bypass in Fileeditor, Install Guard Bypass, and CRLF Injection. | Apr 2026 |
 
 > If you find a security vulnerability, please report it via [Security Policy](SECURITY.md).

app/Config/Filters.php

@@ -183,6 +183,7 @@ private function loadDynamicFilters(array $directories): void
             \CodeIgniter\Shield\Filters\ForcePasswordResetFilter::class,
             \Modules\Auth\Filters\Ci4MsAuthFilter::class,
             \Modules\Backend\Filters\BackendLogFilter::class,
+            \Modules\Auth\Filters\SessionTracker::class,
         ];
         $this->aliases['langfilter'] = [
             \App\Filters\Ci4ms::class,

app/Controllers/BaseController.php

@@ -175,9 +175,10 @@ protected function getDefaultData(): array
             'menus'          => $menus,
             'languages'      => cache('frontend_languages') ?? [],
             'alternateLinks' => [], // Default empty, filled by child controllers
-            'agent'          => $this->request->getUserAgent(),
             'seoConfig'      => new Seo()
         ];
+        if(is_cli()) $defData['agent']='CLI';
+        else $defData['agent'] = $this->request->getUserAgent();
 
         // If languages are empty in cache, load them (fallback)
         if (empty($defData['languages'])) {

modules/Auth/Database/Migrations/2026-04-03-034658_CreateUserSessionsTable.php

@@ -0,0 +1,107 @@
+<?php
+
+namespace Modules\Auth\Database\Migrations;
+
+use CodeIgniter\Database\Migration;
+
+class CreateUserSessionsTable extends Migration
+{
+    public function up(): void
+    {
+        $this->forge->addField([
+            'id' => [
+                'type'           => 'INT',
+                'constraint'     => 11,
+                'unsigned'       => true,
+                'auto_increment' => true,
+            ],
+            'user_id' => [
+                'type'       => 'INT',
+                'constraint' => 11,
+                'unsigned'   => true,
+            ],
+            'session_id' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 128,
+            ],
+            'ip_address' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 45,
+            ],
+            'user_agent' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 512,
+                'null'       => true,
+            ],
+            'browser' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 100,
+                'null'       => true,
+            ],
+            'browser_version' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 50,
+                'null'       => true,
+            ],
+            'os' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 100,
+                'null'       => true,
+            ],
+            'device_type' => [
+                'type'       => 'ENUM',
+                'constraint' => ['desktop', 'mobile', 'tablet', 'bot', 'unknown'],
+                'default'    => 'unknown',
+            ],
+            'device_name' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 150,
+                'null'       => true,
+            ],
+            'region' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 100,
+                'null'       => true,
+            ],
+            'country' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 100,
+                'null'       => true,
+            ],
+            'city' => [
+                'type'       => 'VARCHAR',
+                'constraint' => 100,
+                'null'       => true,
+            ],
+            'last_activity' => [
+                'type' => 'DATETIME',
+                'null' => true,
+            ],
+            'is_active' => [
+                'type'    => 'TINYINT',
+                'constraint' => 1,
+                'default' => 1,
+            ],
+            'created_at' => [
+                'type' => 'DATETIME',
+                'null' => true,
+            ],
+            'terminated_at' => [
+                'type' => 'DATETIME',
+                'null' => true,
+            ],
+        ]);
+
+        $this->forge->addPrimaryKey('id');
+        $this->forge->addKey('user_id');
+        $this->forge->addKey('session_id');
+        $this->forge->addKey(['user_id', 'is_active']); // composite index — liste sorgusu için
+
+        $this->forge->createTable('user_sessions', true);
+    }
+
+    public function down(): void
+    {
+        $this->forge->dropTable('user_sessions', true);
+    }
+}

modules/Auth/Filters/SessionTracker.php

@@ -0,0 +1,77 @@
+<?php
+
+namespace Modules\Auth\Filters;
+
+use Modules\Auth\Models\UserSessionModel;
+use CodeIgniter\Filters\FilterInterface;
+use CodeIgniter\HTTP\RequestInterface;
+use CodeIgniter\HTTP\ResponseInterface;
+
+/**
+ * Security and Tracking Filter: User Session Tracker
+ *
+ * Designed to track the real-time device information and connection durations
+ * of logged-in users. It also synchronously prevents database-controlled (DB-Driven)
+ * session termination (revocation) at the Filter level.
+ */
+class SessionTracker implements FilterInterface
+{
+    /**
+     * Intercepts the request before it reaches the Controller.
+     * Checks for a permanent "Device ID" (Tracker ID) belonging to the user, generates one if missing.
+     * Uses this ID to verify the active status in the database; if inactive, terminates the process and logs the user out.
+     *
+     * @param RequestInterface $request   Incoming HTTP Request
+     * @param mixed            $arguments Additional arguments
+     * @return mixed
+     */
+    public function before(RequestInterface $request, $arguments = null)
+    {
+        helper('device');
+
+        $userId  = auth()->id();
+
+        if (! $userId) {
+            return;
+        }
+
+        $session = session();
+        $sessionId = $session->get('ci4ms_session_tracker_id');
+        
+        if (! $sessionId) {
+            $sessionId = bin2hex(random_bytes(16));
+            $session->set('ci4ms_session_tracker_id', $sessionId);
+        }
+        
+        $model     = new UserSessionModel();
+
+        $exists = $model->where('session_id', $sessionId)->first();
+
+        if (! $exists) {
+            $agent      = $request->getUserAgent();
+            $deviceInfo = extract_device_info($agent);
+
+            $model->recordLogin(
+                userId:     (int) $userId,
+                sessionId:  $sessionId,
+                deviceInfo: $deviceInfo,
+                ip:         $request->getIPAddress()
+            );
+        } else {
+            // If the current device's session status in the database has been remotely set to "is_active = 0",
+            // forces the visitor out of their current device.
+            if ($exists['is_active'] == 0) {
+                auth()->logout();
+                session()->destroy();
+                return redirect()->route('login')->with('error', lang('Users.currentSessionTerminated'));
+            }
+
+            $model->touchSession($sessionId);
+        }
+    }
+
+    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
+    {
+        // No further manipulation needed afterwards.
+    }
+}