Change the default value of cookie_httponly to fix #15303

This commit is contained in:
Jérémy Derussé 2015-07-27 09:36:17 +02:00
parent 96e211d2da
commit a7bef1eb2d
6 changed files with 27 additions and 13 deletions


@ -8,32 +8,32 @@ Form
option together with the `Valid` constraint instead. Contrary to option together with the `Valid` constraint instead. Contrary to
"cascade_validation", "constraints" must be set on the respective child forms, "cascade_validation", "constraints" must be set on the respective child forms,
not the parent form. not the parent form.
Before: Before:
```php ```php
$form = $this->createForm('form', $article, array('cascade_validation' => true)) $form = $this->createForm('form', $article, array('cascade_validation' => true))
->add('author', new AuthorType()) ->add('author', new AuthorType())
->getForm(); ->getForm();
``` ```
After: After:
```php ```php
use Symfony\Component\Validator\Constraints\Valid; use Symfony\Component\Validator\Constraints\Valid;
$form = $this->createForm('form', $article) $form = $this->createForm('form', $article)
->add('author', new AuthorType(), array( ->add('author', new AuthorType(), array(
'constraints' => new Valid(), 'constraints' => new Valid(),
)) ))
->getForm(); ->getForm();
``` ```
Alternatively, you can set the `Valid` constraint in the model itself: Alternatively, you can set the `Valid` constraint in the model itself:
```php ```php
use Symfony\Component\Validator\Constraints as Assert; use Symfony\Component\Validator\Constraints as Assert;
class Article class Article
{ {
/** /**
@ -136,3 +136,17 @@ DependencyInjection
<service id="foo" class="stdClass" shared="false" /> <service id="foo" class="stdClass" shared="false" />
</services> </services>
``` ```
FrameworkBundle
---------------
* The default value of the parameter `session`.`cookie_httponly` is now `true`.
It prevents scripting languages, such as JavaScript to access the cookie,
which help to reduce identity theft through XSS attacks. If your
application needs to access the session cookie, override this parameter:
```yaml
framework:
session:
cookie_httponly: false
```


@ -340,7 +340,7 @@ class Configuration implements ConfigurationInterface
->scalarNode('cookie_path')->end() ->scalarNode('cookie_path')->end()
->scalarNode('cookie_domain')->end() ->scalarNode('cookie_domain')->end()
->booleanNode('cookie_secure')->end() ->booleanNode('cookie_secure')->end()
->booleanNode('cookie_httponly')->end() ->booleanNode('cookie_httponly')->defaultTrue()->end()
->scalarNode('gc_divisor')->end() ->scalarNode('gc_divisor')->end()
->scalarNode('gc_probability')->defaultValue(1)->end() ->scalarNode('gc_probability')->defaultValue(1)->end()
->scalarNode('gc_maxlifetime')->end() ->scalarNode('gc_maxlifetime')->end()
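Review bot: The new `defaultTrue()` on the `cookie_httponly` node changes what is handed to session storage for every application that never set the key, yet the node carries no `info()` text, so anyone reading the configuration reference gets neither the default nor the reason for it. I would document it on the node itself: `->booleanNode('cookie_httponly')->info('Defaults to true so the session cookie is not readable by client-side scripts; set to false only if scripts must read it.')->defaultTrue()->end()`. The neighbouring `cookie_secure` node on the line above still has no default; if leaving it to the php.ini value is deliberate (it depends on whether the application is served over HTTPS), a short `info()` saying so would pre-empt the same question. The enclosing method of Configuration starts and ends outside the hunk.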


@ -32,7 +32,7 @@ $container->loadFromExtension('framework', array(
'cookie_path' => '/', 'cookie_path' => '/',
'cookie_domain' => 'example.com', 'cookie_domain' => 'example.com',
'cookie_secure' => true, 'cookie_secure' => true,
'cookie_httponly' => true, 'cookie_httponly' => false,
'gc_maxlifetime' => 90000, 'gc_maxlifetime' => 90000,
'gc_divisor' => 108, 'gc_divisor' => 108,
'gc_probability' => 1, 'gc_probability' => 1,
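Review bot: Flipping the fixture to `'cookie_httponly' => false` (mirrored in the XML and YAML fixtures and in the `assertFalse` of FrameworkExtensionTest further down) keeps the tests covering the explicit override, but as far as the visible hunks show no fixture omits the key, so the new `defaultTrue()` is never asserted and a regression that drops it would go unnoticed. I would add a case in FrameworkExtensionTest that loads a configuration without `cookie_httponly` and asserts `$this->assertTrue($options['cookie_httponly']);`. The fixture array and the test method both start outside their hunks.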


@ -14,7 +14,7 @@
<framework:esi enabled="true" /> <framework:esi enabled="true" />
<framework:profiler only-exceptions="true" enabled="false" /> <framework:profiler only-exceptions="true" enabled="false" />
<framework:router resource="%kernel.root_dir%/config/routing.xml" type="xml" /> <framework:router resource="%kernel.root_dir%/config/routing.xml" type="xml" />
<framework:session gc-maxlifetime="90000" gc-probability="1" gc-divisor="108" storage-id="session.storage.native" handler-id="session.handler.native_file" name="_SYMFONY" cookie-lifetime="86400" cookie-path="/" cookie-domain="example.com" cookie-secure="true" cookie-httponly="true" save-path="/path/to/sessions" /> <framework:session gc-maxlifetime="90000" gc-probability="1" gc-divisor="108" storage-id="session.storage.native" handler-id="session.handler.native_file" name="_SYMFONY" cookie-lifetime="86400" cookie-path="/" cookie-domain="example.com" cookie-secure="true" cookie-httponly="false" save-path="/path/to/sessions" />
<framework:request> <framework:request>
<framework:format name="csv"> <framework:format name="csv">
<framework:mime-type>text/csv</framework:mime-type> <framework:mime-type>text/csv</framework:mime-type>


@ -24,7 +24,7 @@ framework:
cookie_path: / cookie_path: /
cookie_domain: example.com cookie_domain: example.com
cookie_secure: true cookie_secure: true
cookie_httponly: true cookie_httponly: false
gc_probability: 1 gc_probability: 1
gc_divisor: 108 gc_divisor: 108
gc_maxlifetime: 90000 gc_maxlifetime: 90000


@ -149,7 +149,7 @@ abstract class FrameworkExtensionTest extends TestCase
$this->assertEquals('/', $options['cookie_path']); $this->assertEquals('/', $options['cookie_path']);
$this->assertEquals('example.com', $options['cookie_domain']); $this->assertEquals('example.com', $options['cookie_domain']);
$this->assertTrue($options['cookie_secure']); $this->assertTrue($options['cookie_secure']);
$this->assertTrue($options['cookie_httponly']); $this->assertFalse($options['cookie_httponly']);
$this->assertEquals(108, $options['gc_divisor']); $this->assertEquals(108, $options['gc_divisor']);
$this->assertEquals(1, $options['gc_probability']); $this->assertEquals(1, $options['gc_probability']);
$this->assertEquals(90000, $options['gc_maxlifetime']); $this->assertEquals(90000, $options['gc_maxlifetime']);