From 4db78fd56151c3b3a9efc121897666332af3f6b1 Mon Sep 17 00:00:00 2001
From: Poldovico <41841263+Poldovico@users.noreply.github.com>
Date: Tue, 7 May 2019 15:21:00 +0200
Subject: [PATCH 1/3] Respects CSRF_ENABLED environment variable

The previous statement would evaluate to true for any value of CSRF_ENABLED. Using the strict comparison operator means if we set the variable to any false-evaluating values other then boolean false (0, '0', 'false', '' and so on), then CSRF will be disabled. getenv() evaluates to boolean false if the environment variable is not set, so I know of no simple way to distinguish between the variable being unset, in which case we want to default to enabling CSRF, and it being explicitly set to boolean false.
---
 app/sprinkles/core/config/default.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/sprinkles/core/config/default.php b/app/sprinkles/core/config/default.php
index aec6d554e..17b5cda7e 100755
--- a/app/sprinkles/core/config/default.php
+++ b/app/sprinkles/core/config/default.php
@@ -96,7 +96,7 @@
 * Note : CSRF Middleware should only be disabled for dev or debug purposes.
 */
 'csrf' => [
- 'enabled' => getenv('CSRF_ENABLED') ?: true,
+ 'enabled' => (getenv('CSRF_ENABLED') !== false) ? getenv('CSRF_ENABLED') : true,
 'name' => 'csrf',
 'storage_limit' => 200,
 'strength' => 16,

From e0f5d1b1591f67b08ac1547d6d6a6d69f1cc1395 Mon Sep 17 00:00:00 2001
From: Louis Charette
Date: Sat, 15 Jun 2019 16:04:09 -0400
Subject: [PATCH 2/3] Fix migration PHP file detection

---
 .../core/src/Database/Migrator/MigrationLocator.php | 2 +-
 .../Database/Migrator/MigrationLocatorTest.php | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/sprinkles/core/src/Database/Migrator/MigrationLocator.php b/app/sprinkles/core/src/Database/Migrator/MigrationLocator.php
index 3ee918af1..7059be976 100644
--- a/app/sprinkles/core/src/Database/Migrator/MigrationLocator.php
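Review bot: The new `'enabled'` value on the `+` line is still the raw string returned by getenv(), so `CSRF_ENABLED=false` produces the string `'false'`, which is truthy in PHP — the opposite of what the commit message claims, though it errs toward keeping CSRF on — while `CSRF_ENABLED=0` or an empty value does disable it, and `CSRF_ENABLED=true` leaves a string where the rest of the config presumably expects a bool; the line also calls getenv() twice. Normalising to a bool and defaulting to enabled for anything unset or unrecognised keeps the protection fail-closed: `'enabled' => getenv('CSRF_ENABLED') === false ? true : (filter_var(getenv('CSRF_ENABLED'), FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ?? true),`. A short comment above the key stating the accepted values (`true/false`, `1/0`, `on/off`, `yes/no`) would spare the next reader the same guesswork. How the consumer of this key interprets a non-bool value is outside the hunk, as is the rest of the `'csrf'` array.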
+++ b/app/sprinkles/core/src/Database/Migrator/MigrationLocator.php
@@ -56,7 +56,7 @@ public function getMigrations()
 foreach ($migrationFiles as $migrationFile) {
 // Note that PSR4 insists that all php files must end in PHP, so ignore all
 // files that don't end in PHP.
- if (preg_match('/php$/', $migrationFile)) {
+ if ($migrationFile->getExtension() == 'php') {
 $migrations[] = $this->getMigrationDetails($migrationFile);
 }
 }
diff --git a/app/sprinkles/core/tests/Integration/Database/Migrator/MigrationLocatorTest.php b/app/sprinkles/core/tests/Integration/Database/Migrator/MigrationLocatorTest.php
index a5c0fbdcb..dbb94f16c 100644
--- a/app/sprinkles/core/tests/Integration/Database/Migrator/MigrationLocatorTest.php
+++ b/app/sprinkles/core/tests/Integration/Database/Migrator/MigrationLocatorTest.php
@@ -90,7 +90,13 @@ public function testGetMigrations()
 new Resource($resourceStream, $resourceAccountLocation, 'one/CreatePasswordResetsTable.php'),
 new Resource($resourceStream, $resourceAccountLocation, 'two/CreateFlightsTable.php'),
 new Resource($resourceStream, $resourceAccountLocation, 'CreateMainTable.php'),
- new Resource($resourceStream, $resourceAccountLocation, 'README.md'), // This shoudn't be returned by the migrator
+
+ // Theses shoudn't be returned by the migrator
+ new Resource($resourceStream, $resourceAccountLocation, 'README.md'),
+ new Resource($resourceStream, $resourceAccountLocation, 'php.md'),
+ new Resource($resourceStream, $resourceAccountLocation, 'foo.foophp'),
+ new Resource($resourceStream, $resourceAccountLocation, 'blah.phpphp'),
+ new Resource($resourceStream, $resourceAccountLocation, 'bar.phpbar'),
 ]);

 // Create a new MigrationLocator instance with our simulated ResourceLocation

From c3ab9a6f8529b07e25359bd299c4b837eb4b6f04 Mon Sep 17 00:00:00 2001
From: Louis Charette
Date: Wed, 26 Jun 2019 21:40:24 -0400
Subject: [PATCH 3/3] Updated changelog [ci skip]

---
 CHANGELOG.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
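Review bot: The added condition compares `$migrationFile->getExtension()` to `'php'` with the loose `==`; the strict form reads the same and avoids type juggling, `if ($migrationFile->getExtension() === 'php') {`. Like the regex it replaces, the check is case-sensitive, so a `.PHP` file is skipped silently — if that is intended, the context comment above should say so, e.g. `// files whose extension is not exactly the lowercase "php".`. getMigrations() begins and ends outside the hunk, and what getExtension() returns for names such as `foo.foophp` depends on the Resource class, which is not shown here.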
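Review bot: The new negative cases cover suffix look-alikes but not a differently-cased extension or a name with no extension at all, so the case-sensitivity of the new `getExtension() == 'php'` check is left unpinned; adding `new Resource($resourceStream, $resourceAccountLocation, 'Upper.PHP'),` to the ignored list would document that behaviour in the test. The added comment also carries two typos: `// These shouldn't be returned by the migrator`. testGetMigrations() begins and ends outside the hunk.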
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7e4bdad37..6aeb858d3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,12 +8,13 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [v4.2.3]
 ### Added
-- Config to set Domain of RememberMe Cookie ([#990]; [#991]; Thanks @xrobau!)
+- Config to set Domain of RememberMe Cookie ([#990], [#991]; Thanks @xrobau !)
 - Config settings for password min/max length ([#993])
 ### Fixed
-- [PHPMailer] Turn off opportunistic TLS when disabled ([#986]; [#987])
-- Migrator now ignore files that don't end in `.php` ([#965]; Temporary fix for [#998])
+- [PHPMailer] Turn off opportunistic TLS when disabled ([#986], [#987])
+- Migrator now ignore files that don't end in `.php` ([#965], [#998])
+- Respects CSRF_ENABLED environment variable ([#976]; Thanks @Poldovico !)
 ## [v4.2.2]
@@ -767,6 +768,7 @@ See [http://learn.userfrosting.com/upgrading/40-to-41](Upgrading 4.0.x to 4.1.x
 [#963]: https://github.com/userfrosting/UserFrosting/issues/963
 [#965]: https://github.com/userfrosting/UserFrosting/issues/965
 [#968]: https://github.com/userfrosting/UserFrosting/issues/968
+[#976]: https://github.com/userfrosting/UserFrosting/issues/976
 [#981]: https://github.com/userfrosting/UserFrosting/issues/981
 [#983]: https://github.com/userfrosting/UserFrosting/issues/983
 [#986]: https://github.com/userfrosting/UserFrosting/issues/986