CodeIgniter 3.1.4 was released today, with some security and bug fixes.
Security: Fixed byte-safety handling in the encryption code, and a header injection.
Bug fixes: for the Database, Input, Loader and Session libraries, and for the HTML and Text helpers and the common functions.
Also updated the Query Builder and Profiler.
Enhancements: Image library.
Changelog of version 3.1.4
Release Date: March 23, 2017
- Security
  - Fixed a header injection vulnerability in common function set_status_header() under Apache (thanks to Guillermo Caminer from Flowgate).
  - Fixed byte-safety issues in Encrypt Library (DEPRECATED) when mbstring.func_overload is enabled.
  - Fixed byte-safety issues in Encryption Library when mbstring.func_overload is enabled.
  - Fixed byte-safety issues in compatibility functions password_hash(), hash_pbkdf2() when mbstring.func_overload is enabled.
  - Updated Encrypt Library (DEPRECATED) to call mcrypt_create_iv() with MCRYPT_DEV_URANDOM.
- General Changes
  - Updated the Image Manipulation Library to work around an issue with some JPEGs when using GD.
Bug fixes for 3.1.4
- Fixed a regression (#4975) - Loader Library couldn’t handle objects passed as view variables.
- Fixed a bug (#4977) - Loader Library method helper() could accept any character as a filename extension separator.
- Fixed a regression where the Session Library would fail on a session_regenerate_id(TRUE) call with the ‘database’ driver.
- Fixed a bug (#4987) - Query Builder caching didn’t keep track of table aliases.
- Fixed a bug where Text Helper function ascii_to_entities() wasn’t byte-safe when mbstring.func_overload is enabled.
- Fixed a bug where CI_Log, CI_Output, CI_Email and CI_Zip didn’t handle strings in a byte-safe manner when mbstring.func_overload is enabled.
- Fixed a bug where Session Library didn’t read session data in a byte-safe manner when mbstring.func_overload is enabled.
- Fixed a bug (#4990) - Profiler didn’t close <pre> tags it generated.
- Fixed a bug (#4990) - Profiler didn’t HTML-escape quotes for $_SESSION variables.
- Fixed a bug where Input Library method set_cookie() didn’t allow its httponly and secure parameters to be overridden to FALSE.
- Fixed a bug (#5006) - common function get_mimes() didn’t load application/config/mimes.php if an environment specific config exists.
- Fixed a bug (#5006) - common function remove_invisible_characters() didn’t remove URL-encoded 0x7F.
- Fixed a bug (#4815) - Database Library stripped URL-encoded sequences while escaping strings with the ‘mssql’ driver.
- Fixed a bug (#5044) - HTML Helper function img() didn’t accept data: URI schemes for the image source.
- Fixed a bug (#5050) - Database Library tried to access an undefined property in a number of error handling cases.
- Fixed a bug (#5057) - Database driver ‘postgre’ didn’t actually apply extra options (such as ‘connect_timeout’) to its DSN.