This PR was merged into the 5.2 branch.
Discussion
----------
[Security] more defensive PasswordMigratingListener
| Q | A
| ------------- | ---
| Branch? | 5.2 (bug not here in 5.1.x)
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#39262
| License | MIT
| Doc PR | /
This proposed fix makes `PasswordMigratingListener` code more robust. It should handle Passports which does not contain an `UserBadge`, as it is not enforced by `UserPassportInterface`. Developers should be free to implement different passports with different badges (as I did on my own project), and it shouldn't lead to a crash in *frameworkland*.
The issue became apparent in 5.2.0 exactly, as `PasswordMigratingListener` is now called in (almost) every login, as `PasswordUpgradeBadge` is automatically added.
Commits
-------
0222ed3a32 [Security] fix#39262, more defensive PasswordMigratingListener
This PR was merged into the 5.2 branch.
Discussion
----------
[Security] fix#39249, default entry_point compiler pass was returning too early
| Q | A
| ------------- | ---
| Branch? | 5.2 (bug introduced in 5.2.0, after RC2)
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#39249
| License | MIT
| Doc PR | N/A
A `return` instead of `continue` was making compiler pass return after the first firewall. Hence subsequents firewalls never had a default entrypoint set.
This issue would occur with all firewalls, with any type of authenticator, though I saw it first with `http_basic` - because it is a bit more opaque and harder to debug.
Commits
-------
c3778050bd [Security] fix#39249, default entry_point compiler pass was returning too early
This PR was merged into the 5.1 branch.
Discussion
----------
[DomCrawler] Fix small typos in changelog
| Q | A
| ------------- | ---
| Branch? | 5.1
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix #... <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Fixing a small typos in CHANGELOG.
As these typos were introduced in 5.0 but that version is no longer maintained, I target 5.1.
Following https://github.com/symfony/symfony/pull/39231
Commits
-------
529bbaf0a9 Fix small typos
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] remove return type definition in order to avoid type juggling
| Q | A
| ------------- | ---
| Branch? |4.4 <!-- see below -->
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#39205 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License | MIT
| Doc PR | <!-- required for new features -->
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/releases):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch 5.x.
-->
Everything described with details inrelated ticket
Commits
-------
668431fc09 remove return type definition in order to avoid type juggling
* 5.2:
Added additional file existence check on temporary file cleanup for dumpFile method
fix lexing inline sequences/mappings with trailing whitespaces
Added test for issue 39229
Bump Symfony version to 5.2.1
Update VERSION for 5.2.0
Update CHANGELOG for 5.2.0
[Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator
[Console] Enable hyperlinks in Konsole/Yakuake
* 5.1:
Added additional file existence check on temporary file cleanup for dumpFile method
fix lexing inline sequences/mappings with trailing whitespaces
Added test for issue 39229
[Console] Enable hyperlinks in Konsole/Yakuake
* 4.4:
Added additional file existence check on temporary file cleanup for dumpFile method
fix lexing inline sequences/mappings with trailing whitespaces
Added test for issue 39229
[Console] Enable hyperlinks in Konsole/Yakuake
This PR was merged into the 4.4 branch.
Discussion
----------
[Console] Re-enable hyperlinks in Konsole/Yakuake
| Q | A
| ------------- | ---
| Branch? | 4.4 <!-- see below -->
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#31809 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License | MIT
Hyperlinks feature was broken in KDE's Konsole/Yakuake (#31809) and thus disabled by #31849.
But the feature has been recently [implemented](https://invent.kde.org/utilities/konsole/-/merge_requests/138), and is about to be released in KDE 20.12 on December 10th 2020, see [release notes](https://community.kde.org/Releases/20.12_Release_Notes#Konsole).
Tested in RC version and seems to be working fine. The feature is disabled by default (as per security concerns), but even when disabled, it just gracefully don't show the links.
Commits
-------
728edf36bf [Console] Enable hyperlinks in Konsole/Yakuake
This PR was merged into the 4.4 branch.
Discussion
----------
[Filesystem] File existence check before calling unlink method
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/39235
| License | MIT
| Doc PR | symfony/symfony-docs#...
Added additional file existence check on temporary file cleanup for `Filesystem::dumpFile()` method.
Commits
-------
520a10c221 Added additional file existence check on temporary file cleanup for dumpFile method
This PR was squashed before being merged into the 5.2 branch.
Discussion
----------
[Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator
| Q | A
| ------------- | ---
| Branch? | 5.2 (hopefully? sorry to keep pushing the barrier here)
| Bug fix? | no
| New feature? | yes (sort of)
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
These are 2 suggestions we found while implementing `make:auth` for the new system (https://github.com/symfony/maker-bundle/pull/736):
Impact on a custom login form authenticator ([as generated by the new maker](https://github.com/symfony/maker-bundle/pull/736/files#diff-528164b6c24778d5e81fa3819b0552f0e68a9fea33c7d3446a012f3da7d0af60)):
* **Automatically add `PasswordUpgradeBadge`** if there is a user password with valid password credentials.
```diff
// ...
return new Passport(
new UserBadge($userIdentifier),
new PasswordCredentials($password),
[
- new PasswordUpgradeBadge($password),
new CsrfTokenBadge('authenticate', $csrf),
]
)
```
Note that this does not automatically migrate all passwords: it still relies on `PasswordUpgraderInterface` to be implemented on the user loader/provider.
* **Add default implementation of `AbstractFormLoginAuthenticator::support()`**
```diff
- public function supports(Request $request): ?bool
- {
- return self::LOGIN_ROUTE === $request->attributes->get('_route')
- && $request->isMethod('POST');
- }
```
cc @weaverryan @jrushlow
Commits
-------
27450c0bb4 [Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator
* 5.2:
Bump Symfony version to 5.1.10
Update VERSION for 5.1.9
Update CHANGELOG for 5.1.9
Bump Symfony version to 4.4.18
Update VERSION for 4.4.17
Update CHANGELOG for 4.4.17
* 5.1:
Bump Symfony version to 5.1.10
Update VERSION for 5.1.9
Update CHANGELOG for 5.1.9
Bump Symfony version to 4.4.18
Update VERSION for 4.4.17
Update CHANGELOG for 4.4.17
