This PR was submitted for the master branch but it was squashed and merged into the 4.4 branch instead.
Discussion
----------
[Twig][Mime] Removed extra quotes in missing package exception message
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
The missing package exception copy had a double quote in the composer command disrupting the ability to copy/paste the command.
> try running "composer require "twig/cssinliner-extra twig/inky-extra"
This PR removes the quote before the package name so it reads:
> try running "composer require twig/cssinliner-extra twig/inky-extra"
Commits
-------
b2c9a6ea91 [Twig][Mime] Removed extra quotes in missing package exception message
This PR was merged into the 4.4 branch.
Discussion
----------
[Workflow] Use a strict comparison when retrieving raw marking in MarkingStore
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #https://github.com/symfony/symfony/issues/36358
| License | MIT
| Doc PR |
Commits
-------
a00a2f1115 [Workflow] Use a strict comparison when retrieving raw marking in MarkingStore
This PR was merged into the 3.4 branch.
Discussion
----------
[Workflow] Use a strict comparison when retrieving raw marking in MarkingStore
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36358
| License | MIT
| Doc PR |
Commits
-------
aebe8ae163 [Workflow] Use a strict comparison when retrieving raw markin in MarkingStore
* 3.4:
[PropertyAccess] fix tests
[WebProfilerBundle] fix test
remove assertions that can never be reached
[PropertyAccess] Improve message of unitialized property in php 7.4
[HttpFoundation] Fixed session migration with custom cookie lifetime
[Serializer] Remove unused variable
Allow URL-encoded special characters in basic auth part of URLs
[Serializer] Fix unitialized properties (from PHP 7.4.2) when serializing context for the cache key
[Validator] Add missing Ukrainian and Russian translations
No need to reconnect the bags to the session
Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler
[PropertyInfo][ReflectionExtractor] Check the array mutator prefixes last when the property is singular
This PR was merged into the 3.4 branch.
Discussion
----------
[PropertyInfo][ReflectionExtractor] Check the array mutator prefixes last when the property is singular
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/36079
| License | MIT
| Doc PR | -
Check the related tickets that have a very descriptive example.
If the property is singular, we should prioritize non array mutator prefixes and do the opposite for plural property. It relies on some guessing but it actually fixes real world scenarios.
Commits
-------
b4df2b9dff [PropertyInfo][ReflectionExtractor] Check the array mutator prefixes last when the property is singular
This PR was merged into the 3.4 branch.
Discussion
----------
[OptionsResolver] remove assertions that can never be reached
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
Commits
-------
112b5de3cf remove assertions that can never be reached
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[PropertyAccess] Improve message of unitialized property in php 7.4
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36277
| License | MIT
Improve message of unitialized property in php 7.4 ;
Before
You should either initialize it or make it nullable using "?string" instead.
After
You should either initialize it or make it nullable using "?string $var = null" instead.
Commits
-------
3c8bf2d29d [PropertyAccess] Improve message of unitialized property in php 7.4
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[HttpFoundation] Fixed session migration with custom cookie lifetime
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#28577
| License | MIT
| Doc PR |
This PR adds the fix proposed in https://github.com/symfony/symfony/issues/28577#issuecomment-578052397
Commits
-------
3e824de385 [HttpFoundation] Fixed session migration with custom cookie lifetime
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpKernel][FrameworkBundle] fix compat with Debug component
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36009
| License | MIT
| Doc PR | -
Fixes the issue as described by @stof in #36009
Commits
-------
d5c54c2fa7 [HttpKernel][FrameworkBundle] fix compat with Debug component
This PR was merged into the 4.4 branch.
Discussion
----------
[Routing] Add installation and minimal example to README
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | symfony/symfony-docs#13431
Similair to what I did in #35552, this PR updates the README of the Routing component to include a minimal example and installation command.
Commits
-------
be6612060c Add installation and minimal example to README
This PR was merged into the 3.4 branch.
Discussion
----------
[WebProfilerBundle] Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| License | MIT
If a `style-src-elem` or `script-src-elem` Content Security Policy exist, the WebProfiler Styles or Scripts will be rejected as the nonce is missing.
Commits
-------
7f33f1fa3a Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpFoundation] No need to reconnect the bags to the session after session_regenerate_id
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Bug https://bugs.php.net/70013 was fixed before the release of PHP v7.0
https://3v4l.org/A8YmY
Related to https://github.com/symfony/symfony/pull/15243
Commits
-------
923c24f438 No need to reconnect the bags to the session
This PR was submitted for the master branch but it was merged into the 3.4 branch instead.
Discussion
----------
[Validator] Allow URL-encoded special characters in basic auth part of URLs
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36285
| License | MIT
Special characters in HTTP Basic Auth passwords in an URL need to be url-encoded.
Example: `foo@bar` becomes `foo%40bar`, in an URL: `http://user:foo%40bar@example.org`
The UrlValidator did not allow percent signs in username and password, and this is changed now.
Commits
-------
8a56c506e3 Allow URL-encoded special characters in basic auth part of URLs
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Track session usage whenever a new token is set
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36208
| License | MIT
| Doc PR | -
When using `anonymous: lazy`, the programatic login using the guard handler is broken. As the `setToken()` does not track usage, the index remains equal.
I tried fixing this more properly in e.g. the `SessionStrategy::onAuthentication` class, but I couldn't get it working (as `$request->hasPreviousSession()` returns false, the session strategy isn't called). `setToken()` can also not be made usage tracking afaics, because it would directly break (`setToken(null)` is called in `ContextListener`).
The current fix does however look really ugly, but I can't find anything better with my minor knowledge of this session usage tracking feature. I'm open for all ideas :)
Commits
-------
8d96dbd08b Track session usage when setting the token
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Serializer] Fix unitialized properties (from PHP 7.4.2) when serializing context for the cache key
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix https://github.com/symfony/symfony/issues/35574https://github.com/doctrine/orm/issues/8030
| License | MIT
| Doc PR | N/A
This bug only happens on the following conditions:
- A Doctrine entity (`Book`) having a relation with another entity (`Author`) is used;
- The `Author` entity uses typed properties (PHP 7.4) not initialized;
- The `Serializer` is used with the `Book` in the `OBJECT_TO_POPULATE` key in the context.
For instance:
```php
<?php
declare(strict_types=1);
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
/** @ORM\Entity */
class Book
{
/**
* @ORM\ManyToOne(targetEntity="Author")
*/
public Author $author;
public ?string $isbn;
}
```
```php
<?php
declare(strict_types=1);
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
/** @ORM\Entity */
class Author
{
public ?string $name;
}
```
Or even:
```php
<?php
declare(strict_types=1);
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
/** @ORM\Entity */
class Author
{
private string $name;
public function __construct()
{
$this->name = 'Leo';
}
}
```
If the following is done (it's the case for instance in API Platform when a `PUT` is made):
```php
$serializer->deserialize('{"isbn":"2038717141"}', Book::class, 'json', ['object_to_populate' => $book]);
```
Then there will be the following error:
> Fatal error: Typed property Proxies\__CG__\App\Entity\Author::$ must not be accessed before initialization (in __sleep)
It's because of these lines in the `getCacheKey` method of the `AbstractObjectNormalizer`:
5da141b8d0/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php (L405-L409)
Since the lazy proxyfied relation has a `__sleep` with unitialized properties, the `serialize` method will throw (since https://bugs.php.net/bug.php?id=79002: 846b647953).
I propose to fix this issue by unsetting the `OBJECT_TO_POPULATE` key in the context because I don't think it's useful for determining the attributes of the object.
For the next versions of Symfony, the fix should probably be elsewhere, in the default context.
For instance in Symfony 4.4, instead of:
15edfd39d4/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php (L118)
It should be:
```php
$this->defaultContext[self::EXCLUDE_FROM_CACHE_KEY] = [self::CIRCULAR_REFERENCE_LIMIT_COUNTERS, self::OBJECT_TO_POPULATE];
```
But I'm not sure how it should be merged (another PR maybe?).
Commits
-------
1fafff7c10 [Serializer] Fix unitialized properties (from PHP 7.4.2) when serializing context for the cache key
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Validator] Add missing Ukrainian and Russian translations
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | none
| License | MIT
Commits
-------
d43ef4ec92 [Validator] Add missing Ukrainian and Russian translations
This PR was merged into the 4.4 branch.
Discussion
----------
[Security][Http][SwitchUserListener] Ignore all non existent username protection errors
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/36174
| License | MIT
| Doc PR | -
Since we generate the non existent username blindly, it can lead to Doctrine exceptions or any other exception.
We can catch all exceptions here but I guess it reduces the protection since the SQL query was not executed?
Alternative: we can only catch Doctrine DriverException (in addition to the existing AuthenticationException) and only silent the reported error codes?
Commits
-------
42311d5c29 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors
Nicolas Grekas
Mike Milano
Artem Lopata
oesteve
Ryan Weaver
Ivan Grigoriev
Jules Pietri
Michel Bardelmeijer
Grégoire Pineau
Antonio Pauletich
Christian Flothmann
Fabien Potencier
Laurent Masforné
Guite
Kévin Dunglas
Christian Weiske
Alan Poulain
Serhiy Lunak
Wouter de Jong
Thomas Calvet
rosier
ampaze