From 8fd5569577ae13504d4098ddd498f78085e00407 Mon Sep 17 00:00:00 2001 From: Alexander Schwenn Date: Tue, 25 Jul 2017 00:00:19 +0200 Subject: [PATCH 1/4] [HttpFoundation] Generate safe fallback filename for wrongly encoded filename --- .../Component/HttpFoundation/BinaryFileResponse.php | 4 ++-- .../HttpFoundation/Tests/BinaryFileResponseTest.php | 11 +++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/HttpFoundation/BinaryFileResponse.php b/src/Symfony/Component/HttpFoundation/BinaryFileResponse.php index 0314621907..177b708e8f 100644 --- a/src/Symfony/Component/HttpFoundation/BinaryFileResponse.php +++ b/src/Symfony/Component/HttpFoundation/BinaryFileResponse.php @@ -150,7 +150,7 @@ class BinaryFileResponse extends Response * Sets the Content-Disposition header with the given filename. * * @param string $disposition ResponseHeaderBag::DISPOSITION_INLINE or ResponseHeaderBag::DISPOSITION_ATTACHMENT - * @param string $filename Optionally use this filename instead of the real name of the file + * @param string $filename Optionally use this UTF-8 encoded filename instead of the real name of the file * @param string $filenameFallback A fallback filename, containing only ASCII characters. Defaults to an automatically encoded filename * * @return $this @@ -162,7 +162,7 @@ class BinaryFileResponse extends Response } if ('' === $filenameFallback && (!preg_match('/^[\x20-\x7e]*$/', $filename) || false !== strpos($filename, '%'))) { - $encoding = mb_detect_encoding($filename, null, true); + $encoding = mb_detect_encoding($filename, null, true) ?: '8bit'; for ($i = 0, $filenameLength = mb_strlen($filename, $encoding); $i < $filenameLength; ++$i) { $char = mb_substr($filename, $i, 1, $encoding); diff --git a/src/Symfony/Component/HttpFoundation/Tests/BinaryFileResponseTest.php b/src/Symfony/Component/HttpFoundation/Tests/BinaryFileResponseTest.php index e4607201a2..e41a2372b9 100644 
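Review bot: The `?: '8bit'` fallback on the `$encoding = mb_detect_encoding(...)` line in the second BinaryFileResponse.php hunk keeps the ASCII fallback from failing, but nothing says why `'8bit'` is the right substitute, and the `filename*` parameter apparently still carries the undetectable bytes (the new test in the next hunk asserts `filename*=utf-8''f%F6%F6.html` and its own comment calls that value invalid). A short why-comment would spare the next reader the archaeology: `// mb_detect_encoding() returns false when the input is valid in no detectable encoding; iterate byte-wise ('8bit') so the fallback is still reduced to ASCII`. Since the first hunk's @param now states that `$filename` must be UTF-8 while the test shows other encodings are tolerated, the docblock should also say that for non-UTF-8 input the fallback is generated from raw bytes and `filename*` may be unusable. setContentDisposition() starts before and continues after the hunk, so where `filename*` is built is not visible here.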
--- a/src/Symfony/Component/HttpFoundation/Tests/BinaryFileResponseTest.php +++ b/src/Symfony/Component/HttpFoundation/Tests/BinaryFileResponseTest.php @@ -68,6 +68,17 @@ class BinaryFileResponseTest extends ResponseTestCase $this->assertSame('attachment; filename="f__.html"; filename*=utf-8\'\'f%C3%B6%C3%B6.html', $response->headers->get('Content-Disposition')); } + public function testSetContentDispositionGeneratesSafeFallbackFilenameForWronglyEncodedFilename() + { + $response = new BinaryFileResponse(__FILE__); + + $iso88591EncodedFilename = utf8_decode('föö.html'); + $response->setContentDisposition(ResponseHeaderBag::DISPOSITION_ATTACHMENT, $iso88591EncodedFilename); + + // the parameter filename* is invalid in this case (rawurldecode('f%F6%F6') does not provide a UTF-8 string but an ISO-8859-1 encoded one) + $this->assertSame('attachment; filename="f__.html"; filename*=utf-8\'\'f%F6%F6.html', $response->headers->get('Content-Disposition')); + } + /** * @dataProvider provideRanges */ From e5ef9fb74a5d17a7b5df184c08ad28a3ec1d5e21 Mon Sep 17 00:00:00 2001 From: Javier Eguiluz Date: Thu, 3 Aug 2017 22:11:44 +0200 Subject: [PATCH 2/4] Avoid infinite loops when profiler data is malformed --- .../HttpKernel/Profiler/FileProfilerStorage.php | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/src/Symfony/Component/HttpKernel/Profiler/FileProfilerStorage.php b/src/Symfony/Component/HttpKernel/Profiler/FileProfilerStorage.php index 29da4abf32..0450589910 100644 --- a/src/Symfony/Component/HttpKernel/Profiler/FileProfilerStorage.php +++ b/src/Symfony/Component/HttpKernel/Profiler/FileProfilerStorage.php 
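Review bot: The new test pins the whole header including `filename*=utf-8''f%F6%F6.html`, which the test's own comment says is not a valid UTF-8 value; asserting on it turns a known-wrong output into a contract that a later correction of `filename*` would have to break. Asserting only on the part this commit fixes is more durable, e.g. `$this->assertStringStartsWith('attachment; filename="f__.html"', $response->headers->get('Content-Disposition'));`, keeping the comment to explain why the remainder is left unasserted. The test method is complete within the hunk.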
@@ -144,11 +144,19 @@ class FileProfilerStorage implements ProfilerStorageInterface } } + $profileToken = $profile->getToken(); + // when there are errors in sub-requests, the parent and/or children tokens + // may equal the profile token, resulting in infinite loops + $parentToken = $profile->getParentToken() !== $profileToken ? $profile->getParentToken() : null; + $childrenToken = array_filter(array_map(function ($p) use ($profileToken) { + return $profileToken !== $p->getToken() ? $p->getToken() : null; + }, $profile->getChildren())); + // Store profile $data = array( - 'token' => $profile->getToken(), - 'parent' => $profile->getParentToken(), - 'children' => array_map(function ($p) { return $p->getToken(); }, $profile->getChildren()), + 'token' => $profileToken, + 'parent' => $parentToken, + 'children' => $childrenToken, 'data' => $profile->getCollectors(), 'ip' => $profile->getIp(), 'method' => $profile->getMethod(), From f6c83cf51877151f7eb1ad491f1fb7458733dc27 Mon Sep 17 00:00:00 2001 From: Maxime Steinhausser Date: Sun, 6 Aug 2017 13:40:38 +0200 Subject: [PATCH 3/4] [Security] Fix security.interactive_login event const doc block --- src/Symfony/Component/Security/Http/SecurityEvents.php | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/Symfony/Component/Security/Http/SecurityEvents.php b/src/Symfony/Component/Security/Http/SecurityEvents.php index 46c8257f18..3bd80723d1 100644 --- a/src/Symfony/Component/Security/Http/SecurityEvents.php +++ b/src/Symfony/Component/Security/Http/SecurityEvents.php 
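Review bot: `array_filter()` with no callback in the new `$childrenToken` assignment preserves keys and drops every falsy value, so once a self-referencing child is removed the remaining tokens keep their old indexes (`[1 => '...']` rather than a list), and a token equal to the string `'0'` would be discarded as well. Filtering on the comparison itself and re-indexing avoids both: `$childrenToken = array_values(array_filter(array_map(function ($p) { return $p->getToken(); }, $profile->getChildren()), function ($token) use ($profileToken) { return $profileToken !== $token; }));`. Whether the key gap matters depends on how `$data` is persisted and read back, which is outside the hunk. The enclosing method starts and ends outside the hunk.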
@@ -14,8 +14,11 @@ namespace Symfony\Component\Security\Http; final class SecurityEvents { /** - * The INTERACTIVE_LOGIN event occurs after a user is logged in - * interactively for authentication based on http, cookies or X509. + * The INTERACTIVE_LOGIN event occurs after a user has actively logged + * into your website. It is important to distinguish this action from + * non-interactive authentication methods, such as: + * - authentication based on your session. + * - authentication using a HTTP basic or HTTP digest header. * * The event listener method receives a * Symfony\Component\Security\Http\Event\InteractiveLoginEvent instance. From 30eed995b4482f614b89c34853b82744c88c756b Mon Sep 17 00:00:00 2001 From: Maxime Steinhausser Date: Sun, 6 Aug 2017 14:05:07 +0200 Subject: [PATCH 4/4] Github template: Remove EOM 3.2 from branch suggestion --- .github/PULL_REQUEST_TEMPLATE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index cb9b8a69c1..1bad363eca 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,6 +1,6 @@ | Q | A | ------------- | --- -| Branch? | 3.4 or master / 2.7, 2.8, 3.2 or 3.3 +| Branch? | 3.4 or master / 2.7, 2.8 or 3.3 | Bug fix? | yes/no | New feature? | yes/no | BC breaks? | yes/no
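Review bot: The reworded INTERACTIVE_LOGIN docblock has a small grammatical slip in the new list: `a HTTP basic` should read `an HTTP basic`, giving `* - authentication using an HTTP basic or HTTP digest header.`. The list is introduced with a colon but each item ends with a full stop; dropping the trailing periods makes the enumeration read consistently. The constant the docblock belongs to is declared after the end of the hunk.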