This PR was merged into the 2.3 branch.
Discussion
----------
[Intl] Updated icu.ini up to ICU 53
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Extracted from #9206.
Commits
-------
260e2fe [Intl] Updated icu.ini up to ICU 53
This PR was merged into the 2.3 branch.
Discussion
----------
[Intl] Added exception handler to command line scripts
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Extracted from #9206.
Commits
-------
9052efc [Intl] Added exception handler to command line scripts
This PR was merged into the 2.3 branch.
Discussion
----------
[Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
The code in question didn't actually work. This was extracted from #9206.
Commits
-------
5feda5e [Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes#11497).
Discussion
----------
Use separated function to resolve command and related arguments
Hi,
This PR split command and related arguments resolution into two distinct functions.
It will help to solve the HHVM issue sensiolabs/SensioDistributionBundle#150 .
Thanks,
Jérémy
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | yes
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Commits
-------
ee75af0 Use separated function to resolve command and related arguments
Current version of Swiftmailer is 5.2.1, while (previously to this commit)
the version installed by composer was 5.0.3.
This is rather important, since 5.2.1 closes a security issue that 5.0.3 is
vulnarable to (https://github.com/swiftmailer/swiftmailer/issues/494).
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] Use hash_equals for constant-time string comparison (again)
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Use the `hash_equals` function (introduced in PHP 5.6) for timing attack safe string comparison when available.
Add in the DocBlock that length will leak (https://github.com/symfony/symfony/pull/11797#issuecomment-53990712).
Commits
-------
3071557 [Security] Add more tests for StringUtils::equals
03bd74b [Security] Use hash_equals for constant-time string comparison
This PR was merged into the 2.3 branch.
Discussion
----------
[DI] Added safeguards against invalid config in the YamlFileLoader
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11333
| License | MIT
| Doc PR | n/a
Exceptions explaining the mistake are better than fatal errors or weird notices appearing when trying to deal with such invalid data.
The XML file loader is not affected by this because the data are validated with the XSD before being processed
Commits
-------
5183501 [DI] Added safeguards against invalid config in the YamlFileLoader
This PR was submitted for the 2.5 branch but it was merged into the 2.3 branch instead (closes#11897).
Discussion
----------
[FrameworkBundle] Remove invalid markup
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11896
| License | MIT
| Doc PR | n/a
Commits
-------
1fe8e31 [FrameworkBundle] Remove invalid markup
This PR was merged into the 2.3 branch.
Discussion
----------
[Intl] Added "internal" tag to all classes under Symfony\Component\Intl\ResourceBundle
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | yes?
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
We didn't have this tag yet when this component was first written. The code in that
namespace is only used for resource bundle generation and was never meant for public
use.
We need to include in the update notes that users should check for usage of these classes.
Commits
-------
7fd5e8b [Intl] Added "internal" tag to all classes under Symfony\Component\Intl\ResourceBundle
We didn't have this tag yet when this component was first written. The code in that
namespace is only used for resource bundle generation and was never meant for public
use.
This PR was merged into the 2.3 branch.
Discussion
----------
[FrameworkBundle] improve handling router script paths
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
The `server:run` command switches the working directory before starting the built-in web server. Therefore, the path to a custom router script had to be specified based on the document root path and not based on the user's working directory.
Another option is to update the documentation (as started in symfony/symfony-docs#4194). Though I think the current behaviour is a bug. The intended behaviour can be derived from the command's help message:
> ```
If you have custom docroot directory layout, you can specify your own
router script using --router option:
> ./app/console server:run --router=app/config/router.php
```
As you can see, the path is specified based on the current working directory.
Commits
-------
0a16cf2 improve handling router script paths
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes#11868).
Discussion
----------
Remove routes for removed WebProfiler actions
The import/export functionality was moved to commands in f38536ab79, but the routes were not removed.
Commits
-------
1421449 Remove routes for removed WebProfiler actions
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes#11860).
Discussion
----------
[Security] Fix usage of unexistent method in DoctrineAclCache.
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #10328
| License | MIT
| Doc PR |
The method `deleteByPrefix` does not exist. I replaced it by `deleteAll`: as @guilhermeblanco said, this method is not available in the interface `Cache` but it is present in the abstract class `CacheProvider`.
Commits
-------
131abd8 [Security] Fix usage of unexistent method in DoctrineAclCache.
This PR was merged into the 2.3 branch.
Discussion
----------
[FrameworkBundle] backport more error information from 2.6 to 2.3
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11724
| License | MIT
| Doc PR |
Commits
-------
87449e0 backport more error information from 2.6 to 2.3
The commit on master was:
server:run command: provide more error information
The server:run command didn't provide many information when the executed
command exited unexpectedly. Now, the process' exit code is passed through
and an error message is displayed.
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpKernel] Escape ESI url in generated response
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | NA
If a template with an `<esi>` tag is configured with an URL containing a `'` (in `src` or `alt`) ; the HttpCache will generate invalide php code.
It's not a security issue, given the template and the `<esi>` tag is written by the developper, but, as the character quote is allowed in URL (https://tools.ietf.org/html/rfc3986) it coud be a potential bug.
Commits
-------
b044c45 Escape parameter on generated response
This PR was merged into the 2.3 branch.
Discussion
----------
[Yaml] improve error message when detecting unquoted asterisks
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11835
| License | MIT
| Doc PR |
Asterisks in unquoted strings are used in YAML to reference variables. Before Symfony 2.3.19, Symfony 2.4.9 and Symfony 2.5.4, unquoted asterisks in inlined YAML code were treated as regular strings. This was fixed for the inline parser in #11677. However, an unquoted * character now led to an error message like this:
```
PHP Warning: array_key_exists(): The first argument should be either a string or an integer in vendor/symfony/symfony/src/Symfony/Component/Yaml/Inline.php on line 409
[Symfony\Component\Yaml\Exception\ParseException]
Reference "" does not exist at line 171 (near "- { foo: * }").
```
Commits
-------
854e07b improve error when detecting unquoted asterisks
The `server:run` command switches the working directory before
starting the built-in web server. Therefore, the path to a custom
router script had to be specified based on the document root path
and not based on the user's working directory.
Asterisks in unquoted strings are used in YAML to reference
variables. Before Symfony 2.3.19, Symfony 2.4.9 and Symfony 2.5.4,
unquoted asterisks in inlined YAML code were treated as regular
strings. This was fixed for the inline parser in #11677. However, an
unquoted * character now led to an error message like this:
```
PHP Warning: array_key_exists(): The first argument should be either a string or an integer in vendor/symfony/symfony/src/Symfony/Component/Yaml/Inline.php on line 409
[Symfony\Component\Yaml\Exception\ParseException]
Reference "" does not exist at line 171 (near "- { foo: * }").
```
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
f38536a [WebProfiler] replaced the import/export feature from the web interface to a CLI tool
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
9e1bc22 Add tests and more assertions
101a3b7 [FrameworkBundle][Translator] Validate locales.
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
3b4046e [HttpFoundation] added some missing tests
cefe237 fix parsing of Authorization header
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
1ee96a8 Test examples from Drupal SA-CORE-2014-003
5506ee8 Fix potential DoS when parsing HOST
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes#11825).
Discussion
----------
fixing yaml indentation
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Commits
-------
3bba329 fixing yaml indentation