Merge branch '4.3' into 4.4

* 4.3: [HttpFoundation] fix docblock Fix MySQL column type definition. Link the right file depending on the new version [Config] fix id-generation for GlobResource [Finder] Allow ssh2 stream wrapper for sftp [DI] Use reproducible entropy to generate env placeholders [WebProfilerBundle] Require symfony/twig-bundle bumped Symfony version to 4.3.9 updated VERSION for 4.3.8 updated CHANGELOG for 4.3.8 bumped Symfony version to 3.4.36 updated VERSION for 3.4.35 updated CHANGELOG for 3.4.35
2019-11-16 16:22:42 +01:00 · 2019-11-16 16:22:42 +01:00 · 4ac626a482
parent 1f73247092 769aced459
commit 4ac626a482
7 changed files with 27 additions and 8 deletions
--- a/CHANGELOG-4.3.md
+++ b/CHANGELOG-4.3.md
@ -7,6 +7,16 @@ in 4.3 minor versions.
 To get the diff for a specific change, go to https://github.com/symfony/symfony/commit/XXX where XXX is the change hash
 To get the diff between two versions, go to https://github.com/symfony/symfony/compare/v4.3.0...v4.3.1

+* 4.3.8 (2019-11-13)
+
+ * bug #34344 [Console] Constant STDOUT might be undefined (nicolas-grekas)
+ * security #cve-2019-18886 [Security\Core] throw AccessDeniedException when switch user fails (nicolas-grekas)
+ * security #cve-2019-18888 [Mime] fix guessing mime-types of files with leading dash (nicolas-grekas)
+ * security #cve-2019-11325 [VarExporter] fix exporting some strings (nicolas-grekas)
+ * security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (nicolas-grekas)
+ * security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
+ * security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
+
 * 4.3.7 (2019-11-11)

 * bug #34294 [Workflow] Fix error when we use ValueObject for the marking property (FabienSalles)
--- a/UPGRADE-4.0.md
+++ b/UPGRADE-4.0.md
@ -26,8 +26,8 @@ file and directory structure of your application:

 Then, upgrade the contents of your console script and your front controller:

-* `bin/console`: https://github.com/symfony/recipes/blob/master/symfony/console/3.3/bin/console
-* `public/index.php`: https://github.com/symfony/recipes/blob/master/symfony/framework-bundle/3.3/public/index.php
+* `bin/console`: https://github.com/symfony/recipes/blob/master/symfony/console/4.4/bin/console
+* `public/index.php`: https://github.com/symfony/recipes/blob/master/symfony/framework-bundle/4.4/public/index.php

 Lastly, read the following article to add Symfony Flex to your application and
 upgrade the configuration files: https://symfony.com/doc/current/setup/flex.html
--- a/src/Symfony/Component/Config/Resource/GlobResource.php
+++ b/src/Symfony/Component/Config/Resource/GlobResource.php
@ -41,6 +41,7 @@ class GlobResource implements \IteratorAggregate, SelfCheckingResourceInterface
     */
    public function __construct(string $prefix, string $pattern, bool $recursive, bool $forExclusion = false, array $excludedPrefixes = [])
    {
+        ksort($excludedPrefixes);
        $this->prefix = realpath($prefix) ?: (file_exists($prefix) ? $prefix : false);
        $this->pattern = $pattern;
        $this->recursive = $recursive;
@ -62,7 +63,7 @@ class GlobResource implements \IteratorAggregate, SelfCheckingResourceInterface
     */
    public function __toString()
    {
-        return 'glob.'.$this->prefix.$this->pattern.(int) $this->recursive;
+        return 'glob.'.$this->prefix.(int) $this->recursive.$this->pattern.(int) $this->forExclusion.implode("\0", $this->excludedPrefixes);
    }

    /**
--- a/src/Symfony/Component/DependencyInjection/ParameterBag/EnvPlaceholderParameterBag.php
+++ b/src/Symfony/Component/DependencyInjection/ParameterBag/EnvPlaceholderParameterBag.php
@ -24,6 +24,8 @@ class EnvPlaceholderParameterBag extends ParameterBag
    private $unusedEnvPlaceholders = [];
    private $providedTypes = [];

+    private static $counter = 0;
+
    /**
     * {@inheritdoc}
     */
@ -57,7 +59,7 @@ class EnvPlaceholderParameterBag extends ParameterBag
                }
            }

-            $uniqueName = md5($name.uniqid(mt_rand(), true));
+            $uniqueName = md5($name.'_'.self::$counter++);
            $placeholder = sprintf('%s_%s_%s', $this->getEnvPlaceholderUniquePrefix(), str_replace(':', '_', $env), $uniqueName);
            $this->envPlaceholders[$env][$placeholder] = $placeholder;

@ -72,7 +74,13 @@ class EnvPlaceholderParameterBag extends ParameterBag
     */
    public function getEnvPlaceholderUniquePrefix(): string
    {
-        return $this->envPlaceholderUniquePrefix ?? $this->envPlaceholderUniquePrefix = 'env_'.bin2hex(random_bytes(8));
+        if (null === $this->envPlaceholderUniquePrefix) {
+            $reproducibleEntropy = unserialize(serialize($this->parameters));
+            array_walk_recursive($reproducibleEntropy, function (&$v) { $v = null; });
+            $this->envPlaceholderUniquePrefix = 'env_'.substr(md5(serialize($reproducibleEntropy)), -16);
+        }
+
+        return $this->envPlaceholderUniquePrefix;
    }

    /**
--- a/src/Symfony/Component/Finder/Finder.php
+++ b/src/Symfony/Component/Finder/Finder.php
@ -799,7 +799,7 @@ class Finder implements \IteratorAggregate, \Countable
    {
        $dir = rtrim($dir, '/'.\DIRECTORY_SEPARATOR);

-        if (preg_match('#^s?ftp://#', $dir)) {
+        if (preg_match('#^(ssh2\.)?s?ftp://#', $dir)) {
            $dir .= '/';
        }

--- a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php
+++ b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/PdoSessionHandler.php
@ -219,7 +219,7 @@ class PdoSessionHandler extends AbstractSessionHandler
                // - trailing space removal
                // - case-insensitivity
                // - language processing like é == e
-                $sql = "CREATE TABLE $this->table ($this->idCol VARBINARY(128) NOT NULL PRIMARY KEY, $this->dataCol BLOB NOT NULL, $this->lifetimeCol MEDIUMINT NOT NULL, $this->timeCol INTEGER UNSIGNED NOT NULL) COLLATE utf8_bin, ENGINE = InnoDB";
+                $sql = "CREATE TABLE $this->table ($this->idCol VARBINARY(128) NOT NULL PRIMARY KEY, $this->dataCol BLOB NOT NULL, $this->lifetimeCol INTEGER UNSIGNED NOT NULL, $this->timeCol INTEGER UNSIGNED NOT NULL) COLLATE utf8_bin, ENGINE = InnoDB";
                break;
            case 'sqlite':
                $sql = "CREATE TABLE $this->table ($this->idCol TEXT NOT NULL PRIMARY KEY, $this->dataCol BLOB NOT NULL, $this->lifetimeCol INTEGER NOT NULL, $this->timeCol INTEGER NOT NULL)";
--- a/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/RedisSessionHandler.php
+++ b/src/Symfony/Component/HttpFoundation/Session/Storage/Handler/RedisSessionHandler.php
@ -34,7 +34,7 @@ class RedisSessionHandler extends AbstractSessionHandler
     * List of available options:
     *  * prefix: The prefix to use for the keys in order to avoid collision on the Redis server.
     *
-     * @param \Redis|\RedisArray|\RedisCluster|\Predis\ClientInterface|RedisProxy $redis
+     * @param \Redis|\RedisArray|\RedisCluster|\Predis\ClientInterface|RedisProxy|RedisClusterProxy $redis
     *
     * @throws \InvalidArgumentException When unsupported client or options are passed
     */