From 0abc55a22535586929fb146a81d1cee68dbccd10 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Sat, 31 Oct 2015 19:30:41 +0200
Subject: [ci skip] Update changelog, version & upgrade instructions

---
 system/core/CodeIgniter.php                        |  2 +-
 user_guide_src/source/changelog.rst                |  8 +++-
 user_guide_src/source/conf.py                      |  4 +-
 user_guide_src/source/installation/upgrade_300.rst | 45 +++++++++++++++++++++-
 user_guide_src/source/installation/upgrade_303.rst | 43 ++++++++++++++++++++-
 5 files changed, 96 insertions(+), 6 deletions(-)

diff --git a/system/core/CodeIgniter.php b/system/core/CodeIgniter.php
index 8cea813a2..5080dc6d1 100644
--- a/system/core/CodeIgniter.php
+++ b/system/core/CodeIgniter.php
@@ -55,7 +55,7 @@ defined('BASEPATH') OR exit('No direct script access allowed');
  * @var	string
  *
  */
-	define('CI_VERSION', '3.0.3-dev');
+	define('CI_VERSION', '3.0.3');
 
 /*
  * ------------------------------------------------------
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index f9f451d98..d67ae4e8c 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -5,7 +5,13 @@ Change Log
 Version 3.0.3
 =============
 
-Release Date: Not Released
+Release Date: October 31, 2015
+
+-  **Security**
+
+   -  Fixed an XSS attack vector in :doc:`Security Library <libraries/security>` method ``xss_clean()``.
+   -  Changed :doc:`Config Library <libraries/config>` method ``base_url()`` to fallback to ``$_SERVER['SERVER_ADDR']`` when ``$config['base_url']`` is empty in order to avoid *Host* header injections.
+   -  Changed :doc:`CAPTCHA Helper <helpers/captcha_helper>` to use the operating system's PRNG when possible.
 
 -  Database
 
diff --git a/user_guide_src/source/conf.py b/user_guide_src/source/conf.py
index 46e033ec8..031f95e2d 100644
--- a/user_guide_src/source/conf.py
+++ b/user_guide_src/source/conf.py
@@ -48,9 +48,9 @@ copyright = u'2014 - 2015, British Columbia Institute of Technology'
 # built documents.
 #
 # The short X.Y version.
-version = '3.0.3-dev'
+version = '3.0.3'
 # The full version, including alpha/beta/rc tags.
-release = '3.0.3-dev'
+release = '3.0.3'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.
diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst
index 4b3b408a7..a29f400f8 100644
--- a/user_guide_src/source/installation/upgrade_300.rst
+++ b/user_guide_src/source/installation/upgrade_300.rst
@@ -464,8 +464,51 @@ files and error messages format:
 	Therefore you're encouraged to update its usage sooner rather than
 	later.
 
+************************************************************
+Step 19: Make sure your 'base_url' config value is not empty
+************************************************************
+
+When ``$config['base_url']`` is not set, CodeIgniter tries to automatically
+detect what your website's base URL is. This is done purely for convenience
+when you are starting development of a new application.
+
+Auto-detection is never reliable and also has security implications, which
+is why you should **always** have it manually configured!
+
+One of the changes in CodeIgniter 3.0.3 is how this auto-detection works,
+and more specifically it now falls back to the server's IP address instead
+of the hostname requested by the client. Therefore, if you've ever relied
+on auto-detection, it will change how your website works now.
+
+In case you need to allow e.g. multiple domains, or both http:// and
+https:// prefixes to be dynamically used depending on the request,
+remember that *application/config/config.php* is still a PHP script, in
+which you can create this logic with a few lines of code. For example::
+
+	$allowed_domains = array('domain1.tld', 'domain2.tld');
+	$default_domain  = 'domain1.tld';
+
+	if (in_array($_SERVER['HTTP_HOST'], $allowed_domains, TRUE))
+	{
+		$domain = $_SERVER['HTTP_HOST'];
+	}
+	else
+	{
+		$domain = $default_domain;
+	}
+
+	if ( ! empty($_SERVER['HTTPS']))
+	{
+		$config['base_url'] = 'https://'.$domain;
+	}
+	else
+	{
+		$config['base_url'] = 'http://'.$domain;
+	}
+
+
 ****************************************************************
-Step 19: Remove usage of (previously) deprecated functionalities
+Step 20: Remove usage of (previously) deprecated functionalities
 ****************************************************************
 
 In addition to the ``$autoload['core']`` configuration setting, there's a
diff --git a/user_guide_src/source/installation/upgrade_303.rst b/user_guide_src/source/installation/upgrade_303.rst
index a98eed0d4..d13a0fe46 100644
--- a/user_guide_src/source/installation/upgrade_303.rst
+++ b/user_guide_src/source/installation/upgrade_303.rst
@@ -11,4 +11,45 @@ Step 1: Update your CodeIgniter files
 Replace all files and directories in your *system/* directory.
 
 .. note:: If you have any custom developed files in these directories,
-	please make copies of them first.
\ No newline at end of file
+	please make copies of them first.
+
+Step 2: Make sure your 'base_url' config value is not empty
+===========================================================
+
+When ``$config['base_url']`` is not set, CodeIgniter tries to automatically
+detect what your website's base URL is. This is done purely for convenience
+when you are starting development of a new application.
+
+Auto-detection is never reliable and also has security implications, which
+is why you should **always** have it manually configured!
+
+One of the changes in CodeIgniter 3.0.3 is how this auto-detection works,
+and more specifically it now falls back to the server's IP address instead
+of the hostname requested by the client. Therefore, if you've ever relied
+on auto-detection, it will change how your website works now.
+
+In case you need to allow e.g. multiple domains, or both http:// and
+https:// prefixes to be dynamically used depending on the request,
+remember that *application/config/config.php* is still a PHP script, in
+which you can create this logic with a few lines of code. For example::
+
+	$allowed_domains = array('domain1.tld', 'domain2.tld');
+	$default_domain  = 'domain1.tld';
+
+	if (in_array($_SERVER['HTTP_HOST'], $allowed_domains, TRUE))
+	{
+		$domain = $_SERVER['HTTP_HOST'];
+	}
+	else
+	{
+		$domain = $default_domain;
+	}
+
+	if ( ! empty($_SERVER['HTTPS']))
+	{
+		$config['base_url'] = 'https://'.$domain;
+	}
+	else
+	{
+		$config['base_url'] = 'http://'.$domain;
+	}
-- 
cgit v1.2.3-24-g4f1b