This PR was merged into the 4.4 branch.
Discussion
----------
[Ldap] Add users extraFields in ldap component
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes <!-- please update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | yes <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #28873, #19329 <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | todo when validated, before merge <!-- required for new features -->
As I'm using ldap too in some personal project, It seems that this feature is a really good nice to have IMHO.
Adding the wanted field in the `user_metadata` array transform them as field -> value in the `metadata` field of the user.
Commits
-------
bcfff04797 [Ldap] Add users extra_fields in ldap component
* 4.3:
fix translation domain
tag the FileType service as a form type
don't validate IP addresses from env var placeholders
[Validator] Fix GroupSequenceProvider annotation
[Messenger] fix delay exchange recreation after disconnect
Update ajax security cheat sheet link
Fix AuthenticationException::getToken typehint
* 4.2:
fix translation domain
tag the FileType service as a form type
[Validator] Fix GroupSequenceProvider annotation
Update ajax security cheat sheet link
Fix AuthenticationException::getToken typehint
* 3.4:
fix translation domain
tag the FileType service as a form type
[Validator] Fix GroupSequenceProvider annotation
Update ajax security cheat sheet link
Fix AuthenticationException::getToken typehint
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Fix AuthenticationException::getToken typehint
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
The token may be not set when throwing AuthenticationException.
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against branch 4.4.
- Legacy code removals go to the master branch.
-->
Commits
-------
a9705a0143 Fix AuthenticationException::getToken typehint
* 4.3:
fixed CS
fixed CS
fixed CS
Do not log or call the proxy function when the locale is the same
Added missing required dependencies on psr/cache and psr/container in symfony/cache-contracts and symfony/service-contracts respectively.
[HttpClient] fix closing debug stream prematurely
[Mailer] made code more robust
Restore compatibility with php 5.5
fixed sender/recipients in SMTP Envelope
collect called listeners information only once
[HttpKernel] Remove TestEventDispatcher.
* 4.3:
[Cache] Fixed undefined variable in ArrayTrait
[HttpClient] revert bad logic around JSON_THROW_ON_ERROR
[HttpKernel] Fix handling non-catchable fatal errors
Fix json-encoding when JSON_THROW_ON_ERROR is used
[HttpFoundation] work around PHP 7.3 bug related to json_encode()
[HttpClient] add $response->cancel()
[Security] added support for updated \"distinguished name\" format in x509 authentication
* 4.2:
[HttpKernel] Fix handling non-catchable fatal errors
Fix json-encoding when JSON_THROW_ON_ERROR is used
[HttpFoundation] work around PHP 7.3 bug related to json_encode()
[Security] added support for updated \"distinguished name\" format in x509 authentication
* 3.4:
Fix json-encoding when JSON_THROW_ON_ERROR is used
[HttpFoundation] work around PHP 7.3 bug related to json_encode()
[Security] added support for updated \"distinguished name\" format in x509 authentication
* 4.3:
[Translation] Fixed case sensitivity of lint:xliff command
fix type hint for salt in PasswordEncoderInterface
Simplify code - catch \Throwable capture all exceptions
Collect locale details earlier in the process in TranslationDataCollector
fix typo in PR #31802
update italian validator translation
Add missing translations
[TwigBridge] suggest Translation Component when TranslationExtension is used
* 4.2:
[Translation] Fixed case sensitivity of lint:xliff command
fix type hint for salt in PasswordEncoderInterface
Simplify code - catch \Throwable capture all exceptions
fix typo in PR #31802
update italian validator translation
Add missing translations
* 4.3:
[Security\Core] Make SodiumPasswordEncoder validate BCrypt-ed passwords
[Validator] Fix TimezoneValidator default option
[Messenger] Inject RoutableMessageBus instead of bus locator
[DomCrawler] Fix type error with null Form::$currentUri
[Contracts] Fixed typos
do not enable validator auto mapping by default
[HttpClient] remove unused argument
* 4.3:
[github] Implement the new security policy.
[Finder] fix wrong method call casing
Make tempfile path unique
minor: fix phpdocs in the ldap component
[Process] Fix infinite waiting for stopped process
Use absolute URL for when the profiler's domain differs from the controller's domain which initialises the profiler.
fix phpdoc
[DI] fix using bindings with locators of service subscribers
* 4.2:
[github] Implement the new security policy.
[Finder] fix wrong method call casing
Make tempfile path unique
minor: fix phpdocs in the ldap component
[Process] Fix infinite waiting for stopped process
Use absolute URL for when the profiler's domain differs from the controller's domain which initialises the profiler.
fix phpdoc
[DI] fix using bindings with locators of service subscribers
* 3.4:
[github] Implement the new security policy.
[Finder] fix wrong method call casing
Make tempfile path unique
minor: fix phpdocs in the ldap component
[Process] Fix infinite waiting for stopped process
Use absolute URL for when the profiler's domain differs from the controller's domain which initialises the profiler.
fix phpdoc
[DI] fix using bindings with locators of service subscribers
* 4.3: (22 commits)
[Messenger] Fix incorrect error when symfony/serializer is missing
Allow WrappedListener to describe uncallable listeners.
[HttpClient] fix handling exceptions thrown before first mock chunk
[Filesystem] fix wrong method call casing
[HttpClient] fix test
[Translation] Fixed issue with new vs old TranslatorInterface in TranslationDataCollector
Don't reference symfony/security
[HttpClient] display proper error message on TransportException when curl is used
[FrameworkBundle] fix named autowiring aliases for TagAwareCacheInterface
[Cache] improve logged messages
[FrameworkBundle] improve cs
[Mime][HttpFoundation] Added mime type audio/x-hx-aac-adts
bumped Symfony version to 4.3.0
updated VERSION for 4.3.0-BETA2
updated CHANGELOG for 4.3.0-BETA2
[HttpClient] Only use CURLMOPT_MAX_HOST_CONNECTIONS & CURL_VERSION_HTTP2 if defined
[Security] fixed a fatal error when upgrading from 4.2
[HttpClient] Allow arrays as query parameters
Throws UnrecoverableMessageHandlingException when passed invalid entity manager name for Doctrine middlewares
[Messenger] Make redis Connection::get() non blocking by default
...
* 4.2:
[Console] Fix auto-complete for ChoiceQuestion (multi-select answers)
Translated form, security, validators resources into Belarusian (be)
[WebProfilerBundle] Don't filter submitted IP values
[Intl] Cleanup
bumped Symfony version to 4.2.9
updated VERSION for 4.2.8
updated CHANGELOG for 4.2.8
bumped Symfony version to 3.4.28
updated VERSION for 3.4.27
update CONTRIBUTORS for 3.4.27
updated CHANGELOG for 3.4.27
* 3.4:
[Console] Fix auto-complete for ChoiceQuestion (multi-select answers)
Translated form, security, validators resources into Belarusian (be)
[WebProfilerBundle] Don't filter submitted IP values
bumped Symfony version to 3.4.28
updated VERSION for 3.4.27
update CONTRIBUTORS for 3.4.27
updated CHANGELOG for 3.4.27
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] Dispatch an event when "logout user on change" steps in
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #26902 <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/11450 <!-- required for new features -->
<!--
Write a short README entry for your feature/bugfix here (replace this comment block.)
This will help people understand your PR and can be used as a start of the Doc PR.
Additionally:
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
-->
This adds a new event when the user has been changed and has been log out from the apps, it allow someone to register to this event and do something with either to token or the refreshedUser.
Commits
-------
40e42183b8 [Security] Dispatch an event when "logout user on change" steps in
* 4.2:
[TwigBridge] Require twig ^1.40|^2.9
[Serializer] Fix tests
Use the apply tag instead of the filter tag
Updated some translation files
[Translator] Preserve default domain when extracting strings from php files
* 3.4:
[TwigBridge] Require twig ^1.40|^2.9
[Serializer] Fix tests
Use the apply tag instead of the filter tag
Updated some translation files
[Translator] Preserve default domain when extracting strings from php files
* 4.2:
Fix url matcher edge cases with trailing slash
[Form] Fix author tag + exception messages
[TwigBridge] Fix deprecation on twig 2.9
Fix left-associative ternary deprecation warnings for PHP 7.4
[Validator] Fixed imprecise translations
[Validator] Add Dutch translations
[Security] Cleanup "Digest nonce has expired." translation
Intercept redirections only for HTML format
[PhpUnitBridge] fix reading phpunit.xml on bootstrap
resolve class name parameters
Fix name and phpdoc of ContainerBuilder::removeBindings
[Intl] Update the ICU data to 64.2
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] Add NativePasswordEncoder
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This PR adds a new `NativePasswordEncoder` that defaults to the best available hashing algo to `password_hash()`. Best is determined by "us" or "php", the goal being that this will change in the future as new algos are published.
This provides a native encoder that we should recommend using by default.
Commits
-------
28f7961c55 [Security] Add NativePasswordEncoder
* 4.2:
Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)"
[FrameworkBundle] minor: remove a typo from changelog
[VarDumper] fix tests with ICU 64.1
[VarDumper][Ldap] relax some locally failing tests
[Validator] #30192 Added the missing translations for the Tagalog ("tl") locale.
Make MimeTypeExtensionGuesser case insensitive
Fix get session when the request stack is empty
[Routing] fix trailing slash redirection with non-greedy trailing vars
[FrameworkBundle] decorate the ValidatorBuilder's translator with LegacyTranslatorProxy
* 3.4:
Revert "bug #30423 [Security] Rework firewall's access denied rule (dimabory)"
[FrameworkBundle] minor: remove a typo from changelog
[VarDumper][Ldap] relax some locally failing tests
[Validator] #30192 Added the missing translations for the Tagalog ("tl") locale.
Make MimeTypeExtensionGuesser case insensitive
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Add a separator in the remember me cookie hash
Based on #89
Commits
-------
a29ce2817c [Security] Add a separator in the remember me cookie hash
* 4.2:
fixed bad merge
Show more accurate message in profiler when missing stopwatch
CS Fixes: Not double split with one array argument
[Serializer] Add default object class resolver
Remove redundant animation prefixes
Remove redundant `box-sizing` prefixes
[VarExporter] support PHP7.4 __serialize & __unserialize
Rework firewall access denied rule
MetadataAwareNameConverter: Do not assume that property names are strings
[VarExporter] fix exporting classes with private constructors
fixed CS
Fix missing $extraDirs when open_basedir returns
* 3.4:
Show more accurate message in profiler when missing stopwatch
CS Fixes: Not double split with one array argument
Remove redundant animation prefixes
Remove redundant `box-sizing` prefixes
Rework firewall access denied rule
fixed CS
Fix missing $extraDirs when open_basedir returns
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Rework firewall's access denied rule
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~~#30099~~, #28229
| License | MIT
| Doc PR |
Follow tickets provided above to reproduce bugs. (there are also some project examples)
~~In addition, I'm looking for someone who knows an answer to [this](https://github.com/symfony/symfony/issues/30099#issuecomment-468693492) regarding rework in this PR.~~
Commits
-------
5790859275 Rework firewall access denied rule
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] Add Argon2idPasswordEncoder
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #28093
| License | MIT
| Doc PR | TODO
Currently we have a `Argon2iPasswordEncoder` that may hash passwords using `argon2id` instead of `argon2i` (platform-dependent) which is not good.
This deprecates producing/validating `argon2id` hashed passwords using the `Argon2iPasswordEncoder`, and adds a `Argon2idPasswordEncoder` able to produce/validate `argon2id` hashed passwords only.
#EUFOSSA
Commits
-------
0c82173b24 [Security] Add Argon2idPasswordEncoder
* 4.2: (45 commits)
[Form] various minor fixes
Ensure the parent process is always killed
bugfix: the terminal state was wrong and not reseted
[Console] Fix inconsistent result for choice questions in non-interactive mode
Define null return type for Constraint::getDefaultOption()
[Routing] Fix: annotation loader ignores method's default values
[HttpKernel] Fix DebugHandlersListener constructor docblock
Skip Glob brace test when GLOB_BRACE is unavailable
bumped Symfony version to 4.2.6
updated VERSION for 4.2.5
updated CHANGELOG for 4.2.5
bumped Symfony version to 3.4.25
updated VERSION for 3.4.24
update CONTRIBUTORS for 3.4.24
updated CHANGELOG for 3.4.24
[EventDispatcher] cleanup
fix testIgnoredAttributesInContext
Re-generate icu 64.1 data
Improve PHPdoc / IDE autocomplete for config tree builder
[Bridge][Twig] DebugCommand - fix escaping and filter
...
Instead of deprecating the interface it is sufficient to deprecate its
getReachableRoles() method and add a new getReachableRoleNames() method
in Symfony 5.
* 4.2:
[Phpunit] fixed support for PHP 5.3
Response prepare method update
[Workflow] Added missing license header
Fix case when multiple loaders are providing paths for the same namespace
Check if Client exists when test.client does not exist, to provide clearer exception message
throw TypeErrors to prepare for type hints in 5.0
[Form] Preventing validation of children if parent with Valid constraint has no validation groups
[Form] Added ResetInterface to CachingFactoryDecorator
Remove deprecated usage
[Tests] fixed compatbility of assertEquals(): void
Fixed usage of TranslatorInterface in form extension (fixes#30591)
[Intl][4.2] Fix test
[Intl] Fix test
[Validator] Add the missing translations for the Arabic (ar) locale
[Intl] Add compile binary
Fix DebugCommand when chain loader is involved
[Form] Fixed some phpdocs
This PR was merged into the 4.3-dev branch.
Discussion
----------
[EventDispatcher] swap arguments of dispatch() to allow registering events by FQCN
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
PR green and ready. From UPGRADE files:
EventDispatcher
---------------
* The signature of the `EventDispatcherInterface::dispatch()` method should be updated to `dispatch($event, string $eventName = null)`, not doing so is deprecated
HttpKernel
----------
* Renamed `FilterControllerArgumentsEvent` to `ControllerArgumentsEvent`
* Renamed `FilterControllerEvent` to `ControllerEvent`
* Renamed `FilterResponseEvent` to `ResponseEvent`
* Renamed `GetResponseEvent` to `RequestEvent`
* Renamed `GetResponseForControllerResultEvent` to `ViewEvent`
* Renamed `GetResponseForExceptionEvent` to `ExceptionEvent`
* Renamed `PostResponseEvent` to `TerminateEvent`
Security
---------
* The `ListenerInterface` is deprecated, turn your listeners into callables instead.
* The `Firewall::handleRequest()` method is deprecated, use `Firewall::callListeners()` instead.
Commits
-------
75369dabb8 [EventDispatcher] swap arguments of dispatch() to allow registering events by FQCN
* 4.2:
Fix Cache error while using anonymous class
[Cache] fix LockRegistry
Update validators.cs.xlf
Make translations consistent with other translations.
Correct language code for ukrainian language in security translations.
Fix return type of Request::getRequestFormat
[Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
* 3.4:
Make translations consistent with other translations.
Correct language code for ukrainian language in security translations.
Fix return type of Request::getRequestFormat
[Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Security] deprecate the Role and SwitchUserRole classes
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #20824
| License | MIT
| Doc PR | symfony/symfony-docs#11047
In #20801, we deprecated the `RoleInterface`. The next logical step would be to also deprecate the `Role` class. However, we currently have the `SwitchUserRole` class (a sub-class of `Role`) that acts as an indicator to check whether or not the authenticated user switched to another user.
This PR proposes an alternative solution to the usage of the special `SwitchUserRole` class by storing the original token inside the `UsernamePasswordToken`. This PR is not complete, but rather acts as a proof of concept of how we could get rid of the `Role` and the `SwitchUserRole` classes.
Please share your opinions whether you think this is a valid approach and I will be happy to finalise the PR.
Commits
-------
d7aaa615b9 deprecate the Role and SwitchUserRole classes
* 4.2: (26 commits)
Apply php-cs-fixer rule for array_key_exists()
[Cache] fix warming up cache.system and apcu
[Security] Change FormAuthenticator if condition
handles multi-byte characters in autocomplete
speed up tests running them without debug flag
[Translations] added missing Croatian validators
Fix getItems() performance issue with RedisCluster (php-redis)
[VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
IntegerType: reject submitted non-integer numbers
be keen to newcomers
[HttpKernel] Fix possible infinite loop of exceptions
fixed CS
[Validator] Added missing translations for Afrikaans
do not validate non-submitted form fields in PATCH requests
Update usage example in ArrayInput doc block.
[Console] Prevent ArgvInput::getFirstArgument() from returning an option value
[Validator] Fixed duplicate UUID
fixed CS
[EventDispatcher] Fix unknown priority
Avoid mutating the Finder when building the iterator
...
* 3.4: (24 commits)
Apply php-cs-fixer rule for array_key_exists()
[Security] Change FormAuthenticator if condition
handles multi-byte characters in autocomplete
speed up tests running them without debug flag
[Translations] added missing Croatian validators
Fix getItems() performance issue with RedisCluster (php-redis)
[VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
IntegerType: reject submitted non-integer numbers
be keen to newcomers
[HttpKernel] Fix possible infinite loop of exceptions
fixed CS
[Validator] Added missing translations for Afrikaans
do not validate non-submitted form fields in PATCH requests
Update usage example in ArrayInput doc block.
[Console] Prevent ArgvInput::getFirstArgument() from returning an option value
[Validator] Fixed duplicate UUID
fixed CS
[EventDispatcher] Fix unknown priority
Avoid mutating the Finder when building the iterator
[Validator] Add the missing translations for the Greek (el) locale
...
* 4.2:
[Console] Fix command testing with missing inputs
[Validator] Sync no/nb translation files
[Translation] Added a script to display the status of translations
[Validator] Added missing translations for Norwegian (\"no\") locale #30179
[Security\Guard] bump lowest version of security-core
[TwigBridge] Fix test
Remove unnecessary ProgressBar stdout writes (fixes flickering)
[Validator] improve translations for albanian ("sq") locale
[VarDumper] fix serializing Stub instances
[Validator] Added missing use statement for UnexpectedTypeException
Don't resolve the Deprecation error handler mode until a deprecation is triggered
bug #30245 fix lost namespace in eval (fizzka)
fix lost namespace in eval
[Twig] removed usage of non-namespaced classes
added missing dot
Update validators.lt.xlf
#30172 Add the missing validation translations for the Luxembourgish …
[Debug][ErrorHandler] Preserve next error handler
* 3.4:
[Console] Fix command testing with missing inputs
[Validator] Sync no/nb translation files
[Translation] Added a script to display the status of translations
[Validator] Added missing translations for Norwegian (\"no\") locale #30179
[Security\Guard] bump lowest version of security-core
* 4.2: (25 commits)
Add missing ID_id validators translation
fixed CS
Added missing translations in validators.tr.xlf
Update validators.es.xlf
Update validators.hu.xlf
[Validator] Add the missing translations for the Welsh (cy) locale
[Validator] Add missing DE validator translations
[Validator] Add the missing translations for the Dutch (nl) locale
Add missing PL translation
Add missing translations.
Add missing translations for IT to Validator
minor #30184 [Validator] Add the missing translations for the Russian (ru) locale (antonch1989)
[Validator] Add the missing translations for the Arabic (ar) locale
add_missing_translations_for_portuguese : [Validator] Add the missing translations for the Portuguese ("pt") locale
[Validator] Add the missing translations for the French (fr) locale
[Validator] Add some missing contents to the English translation
use PropertyAccessorInterface instead of PropertyAccessor
Fix KernelTestCase compatibility for PhpUnit 8 (bis)
add xabbuh as code owner of the Form component
[Validator] Added a missing translation
...
* 3.4: (25 commits)
Add missing ID_id validators translation
fixed CS
Added missing translations in validators.tr.xlf
Update validators.es.xlf
Update validators.hu.xlf
[Validator] Add the missing translations for the Welsh (cy) locale
[Validator] Add missing DE validator translations
[Validator] Add the missing translations for the Dutch (nl) locale
Add missing PL translation
Add missing translations.
Add missing translations for IT to Validator
minor #30184 [Validator] Add the missing translations for the Russian (ru) locale (antonch1989)
[Validator] Add the missing translations for the Arabic (ar) locale
add_missing_translations_for_portuguese : [Validator] Add the missing translations for the Portuguese ("pt") locale
[Validator] Add the missing translations for the French (fr) locale
[Validator] Add some missing contents to the English translation
use PropertyAccessorInterface instead of PropertyAccessor
Fix KernelTestCase compatibility for PhpUnit 8 (bis)
add xabbuh as code owner of the Form component
[Validator] Added a missing translation
...
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Declare exceptions that are already thrown by implementations
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #29650
| License | MIT
| Doc PR |
Adding exception declarations for PasswordEncoderInterface. I think it's a matter of opinion whether this change is a BC break. The BC promise doesn't cover such a case; I'd see it as a BC break to add exceptions in general, but in this case it's more of a "documentation" issue, as most implementations of the interface have been throwing those exceptions for years.
Commits
-------
f4cc30b72b Declare exceptions that are already thrown by implementations
* 4.2:
[DI] Fix dumping Doctrine-like service graphs
fix serialization workaround in CustomUserMessageAuthenticationException
PHPUnit Bridge: Rollback to traditional array syntax.
[Form] fix some docblocks and type checks
* 3.4:
[DI] Fix dumping Doctrine-like service graphs
fix serialization workaround in CustomUserMessageAuthenticationException
PHPUnit Bridge: Rollback to traditional array syntax.
[Form] fix some docblocks and type checks
* 4.2:
[Routing] dont redirect routes with greedy trailing vars with no explicit slash
skip native serialize among child and parent serializable objects
[Routing] backport tests from 4.1
[MonologBridge] Remove unused local variable
Remove unreachable code
Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
Support use of hyphen in asset package name
Fix format strings for deprecation notices
Remove a harmless duplicate array key from VarDumper
[VarDumper] Fixed search bar
Remove gendered pronouns
Replace gender by eye color in tests
[Security] dont do nested calls to serialize()
* 4.1:
[Routing] dont redirect routes with greedy trailing vars with no explicit slash
skip native serialize among child and parent serializable objects
[Routing] backport tests from 4.1
[MonologBridge] Remove unused local variable
Remove unreachable code
Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
Support use of hyphen in asset package name
Remove gendered pronouns
Replace gender by eye color in tests
[Security] dont do nested calls to serialize()
* 3.4:
skip native serialize among child and parent serializable objects
[Routing] backport tests from 4.1
Add PackageNameTest to ConfigurationTest also add in the changelog the corresponding entry to this PR
Support use of hyphen in asset package name
Remove gendered pronouns
Replace gender by eye color in tests
[Security] dont do nested calls to serialize()
* 4.2:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
Avoid dots in generated class names.
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
* 4.1:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
* 3.4:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Do not mix password_*() API with libsodium one
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | n/a
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Argon2IPasswordEncoder uses native `password_hash()` and `password_verify()` functions if the current PHP installation embeds Argon2 support (>=7.2, compiled `--with-password-argon2`).
Otherwise, it fallbacks to the libsodium extension.
This was fine at time the encoder was introduced, but meanwhile libsodium changed the algorithm used by `sodium_crypto_pwhash_str()` which is now argon2id, that goes outside of the scope of the encoder which was designed to deal with `argon2i` only.
Nothing we can do as databases may already contain passwords hashed with argon2id, the encoder must keep validating those.
However, the PHP installation may change as time goes by, and could suddenly embed the Argon2 core integration. In this case, the encoder would use the `password_verify()` function which would fail in case the password was not hashed using argon2i.
This PR prevents it by detecting that argon2id was used, avoiding usage of `password_verify()`.
See https://github.com/jedisct1/libsodium-php/issues/194 and https://github.com/symfony/symfony/issues/28093 for references.
Patch cannot be tested as it is platform dependent.
Side note: I'm currently working on a new implementation for 4.3 that will properly supports argon2id (which has been added to the PHP core sodium integration in 7.3) and argon2i, distinctively.
Commits
-------
d6cfde94b4 [Security] Do not mix usage of password_*() functions and sodium_*() ones
* 3.4:
fixed CS
fixed short array CS in comments
fixed CS in ExpressionLanguage fixtures
fixed CS in generated files
fixed CS on generated container files
fixed CS on Form PHP templates
fixed CS on YAML fixtures
fixed fixtures
switched array() to []
* 4.2:
update years in license files
Fix: Adjust DocBlock
\"ParserTest->getParserTestData()\" -> only some more tests
access the container getting it from the kernel
Replace slave and master by replica and primary
Fix erasing cookies issue
[Lock] Pedantic improvements for lock
[EventDispatcher] Fixed phpdoc on interface
update year in license files
[VarExporter] fix exporting array indexes
[SecurityBundle] Fix traceable voters
[Console] Fix help text for single command applications
Fix random test failure on lock
improve error message when using test client without the BrowserKit component
Fixed minor typos in an error message
[Event Dispatcher] fixed 29703: TraceableEventDispatcher reset now sets callStack to null with test to dispatch after reset.
Fixed minor typos
Fix: Method can also return null
[Stopwatch] Fixed phpdoc for category name
* 4.1:
Fix: Adjust DocBlock
\"ParserTest->getParserTestData()\" -> only some more tests
access the container getting it from the kernel
[Lock] Pedantic improvements for lock
[EventDispatcher] Fixed phpdoc on interface
update year in license files
[Console] Fix help text for single command applications
Fix random test failure on lock
improve error message when using test client without the BrowserKit component
[Event Dispatcher] fixed 29703: TraceableEventDispatcher reset now sets callStack to null with test to dispatch after reset.
Fixed minor typos
Fix: Method can also return null
[Stopwatch] Fixed phpdoc for category name
* 3.4:
Fix: Adjust DocBlock
\"ParserTest->getParserTestData()\" -> only some more tests
[Lock] Pedantic improvements for lock
[EventDispatcher] Fixed phpdoc on interface
update year in license files
[Console] Fix help text for single command applications
Fix random test failure on lock
improve error message when using test client without the BrowserKit component
[Event Dispatcher] fixed 29703: TraceableEventDispatcher reset now sets callStack to null with test to dispatch after reset.
Fixed minor typos
Fix: Method can also return null
[Stopwatch] Fixed phpdoc for category name
* 4.2:
[Twig] Remove spaces to fix whitespace in tags
[Twig] Replace for-loops with blocks for attributes
fixed CS
[Tests] Change to willThrowException
[Console] fix PHPDoc in Command
Update FileLoaderLoadException.php
Fix wrong calls to clearstatcache
Add Vietnamese translation for validators
Allow running PHPUnit with "xdebug.scream" ON
[VarDumper] Add descriptors tests
[Cache] fix bad optim
[Yaml] detect circular references
[DI] fix reporting bindings on overriden services as unused
[Routing] minor fix or previous PR
* 4.2:
[Routing] fix trailing slash redirections involving a trailing var
[EventDispatcher] Revers event tracing order
[Security] Prefer clone over unserialize(serialize()) for user refreshment
[Console] OutputFormatter: move strtolower to createStyleFromString
Adjust tests to work in the armhf architecture. Fixes#29281.
Vietnamese translations improvement
[Form] Fixed FormErrorIterator class phpdoc
Renamed test controller from Controller to TestController so it doesn't show up in the IDE autocomplete.
Don't use he in docs when its not needed
EventSubscriberInterface isn't a man
Fix undefined variable in cache ArrayTrait
fixed public directory of web server and assets install when configured in composer.json
* 4.1:
[Routing] fix trailing slash redirections involving a trailing var
[EventDispatcher] Revers event tracing order
[Security] Prefer clone over unserialize(serialize()) for user refreshment
[Console] OutputFormatter: move strtolower to createStyleFromString
Adjust tests to work in the armhf architecture. Fixes#29281.
Vietnamese translations improvement
[Form] Fixed FormErrorIterator class phpdoc
Renamed test controller from Controller to TestController so it doesn't show up in the IDE autocomplete.
Don't use he in docs when its not needed
EventSubscriberInterface isn't a man
fixed public directory of web server and assets install when configured in composer.json
* 3.4:
[EventDispatcher] Revers event tracing order
[Security] Prefer clone over unserialize(serialize()) for user refreshment
[Console] OutputFormatter: move strtolower to createStyleFromString
Adjust tests to work in the armhf architecture. Fixes#29281.
Vietnamese translations improvement
[Form] Fixed FormErrorIterator class phpdoc
Renamed test controller from Controller to TestController so it doesn't show up in the IDE autocomplete.
Don't use he in docs when its not needed
EventSubscriberInterface isn't a man
fixed public directory of web server and assets install when configured in composer.json
* 4.2: (27 commits)
[VarExporter] dont call userland code with uninitialized objects
Fix typos in doc blocks
[Debug] ignore underscore vs backslash namespaces in DebugClassLoader
[TwigBridge][Form] Prevent multiple rendering of form collection prototypes
[FrameworkBundle] fix describing routes with no controllers
[DI] move RegisterServiceSubscribersPass before DecoratorServicePass
Update ValidationListener.php
[Yaml] ensures that the mb_internal_encoding is reset to its initial value
[Messenger] Restore message handlers laziness
[WebLink] Fixed documentation link
[Security] getTargetPath of TargetPathTrait must return string or null
[Hackday][Serializer] Deserialization ignores argument type hint from phpdoc for array in constructor argument
Optimize perf by replacing call_user_func with dynamic vars
[Cache] Fix dsn parsing
[Routing] fix dumping same-path routes with placeholders
[WebProfilerBundle][TwigBundle] CSS fixes
Add a docblock for FormFactoryInterface
[Security] defer log message in guard authenticator
[Validator] Added IBAN format for Vatican City State
merge conflicts
...
* 4.1:
Fix typos in doc blocks
[Debug] ignore underscore vs backslash namespaces in DebugClassLoader
[TwigBridge][Form] Prevent multiple rendering of form collection prototypes
[FrameworkBundle] fix describing routes with no controllers
[DI] move RegisterServiceSubscribersPass before DecoratorServicePass
Update ValidationListener.php
[Yaml] ensures that the mb_internal_encoding is reset to its initial value
[WebLink] Fixed documentation link
[Security] getTargetPath of TargetPathTrait must return string or null
[Hackday][Serializer] Deserialization ignores argument type hint from phpdoc for array in constructor argument
Optimize perf by replacing call_user_func with dynamic vars
[Routing] fix dumping same-path routes with placeholders
[Security] defer log message in guard authenticator
[Validator] Added IBAN format for Vatican City State
merge conflicts
filter out invalid Intl values
filter out invalid language values
[Validator] Fixed grouped composite constraints
[Form] Filter arrays out of scalar form types
Fix HeaderBag::get phpdoc
* 3.4:
[Debug] ignore underscore vs backslash namespaces in DebugClassLoader
[TwigBridge][Form] Prevent multiple rendering of form collection prototypes
[FrameworkBundle] fix describing routes with no controllers
[DI] move RegisterServiceSubscribersPass before DecoratorServicePass
Update ValidationListener.php
[Yaml] ensures that the mb_internal_encoding is reset to its initial value
[WebLink] Fixed documentation link
[Security] getTargetPath of TargetPathTrait must return string or null
[Hackday][Serializer] Deserialization ignores argument type hint from phpdoc for array in constructor argument
[Security] defer log message in guard authenticator
merge conflicts
Fix HeaderBag::get phpdoc
This PR was squashed before being merged into the 3.4 branch (closes#29408).
Discussion
----------
[Security] getTargetPath of TargetPathTrait must return string or null
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes (possible bug)
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
Since the return type is string the default return value must be also string.
Commits
-------
8d4b787dd9 [Security] getTargetPath of TargetPathTrait must return string or null
* 4.2:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 4.1:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 3.4:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 2.8:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 2.7:
[Security\Http] detect bad redirect targets using backslashes
[Form] Filter file uploads out of regular form types
Fix CI
minor #28258 [travis] fix composer.lock invalidation for deps=low (nicolas-grekas)
[travis] fix composer.lock invalidation for PRs patching several components
[travis] fix composer.lock invalidation for deps=low
minor #28199 [travis][appveyor] use symfony/flex to accelerate builds (nicolas-grekas)
[travis] ignore ordering when validating composer.lock files for deps=low
minor #28146 [travis] cache composer.lock files for deps=low (nicolas-grekas)
fix ci
[travis] fix requiring mongodb/mongodb before composer up
minor #28114 [travis] merge "same Symfony version" jobs in one (nicolas-grekas)
[2.7] Make CI green
updated VERSION for 2.7.49
updated CHANGELOG for 2.7.49
[HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer
[HttpFoundation] Remove support for legacy and risky HTTP headers
updated VERSION for 2.7.48
update CONTRIBUTORS for 2.7.48
updated CHANGELOG for 2.7.48
* 4.1:
[Form] Hardened test suite for empty data
Bump phpunit XSD version to 5.2
[Fwb][EventDispatcher][HttpKernel] Fix getClosureScopeClass usage to describe callables
Add required key attribute
* 3.4:
[Form] Hardened test suite for empty data
Bump phpunit XSD version to 5.2
[Fwb][EventDispatcher][HttpKernel] Fix getClosureScopeClass usage to describe callables
Add required key attribute
Some attributes being used in the phpunit configuration files, namely
failOnRisky and failOnWarning were introduced in phpunit 5.2.0. The
Composer configuration shows that tests should run with old versions of
phpunit, but phpunit only validates the configuration against the XSD
since phpunit 7.2.0.
These changes can be tested as follows:
wget http://schema.phpunit.de/5.2/phpunit.xsd
xargs xmllint --schema phpunit.xsd 1>/dev/null
find src -name phpunit.xml.dist| xargs xmllint --schema phpunit.xsd 1>/dev/null
See 7e06a82806
See 46e3745a03/composer.json (L98)
* 4.1:
SCA: removed unused variables
Remove duplicate condition
fix useless space in docblock
remove unneeded tearDown method
[Intl] Update the ICU data to 63.1
[FrameworkBundle] Fix broken exception message
[Messenger] send using the routing_key for AMQP transport
also clean away the NO_AUTO_CACHE_CONTROL_HEADER if we have no session
[TwigBundle] Fix usage of TwigBundle without FrameworkBundle
Revert "fixed CS"
[Serializer] Reduce class discriminator overhead
Skip empty proxy code
[Security] Fix "exclude-from-classmap"
[Security] Removed unsed trait import
[Config] Fix @method annotation
add missing double-quotes to extra_fields output message
[DI] Default undefined env to empty string during compile
Convert InsufficientAuthenticationException to HttpException
The "/Tests/" directory doesn't exist in the Security Component, tests are located within the Security components folders and none of the tests were being excluded in an --classmap-authoritative dump of the autoload.
* 4.1: (27 commits)
Added the Code of Conduct file
do not override custom access decision configs
[Security] Do not deauthenticate user when the first refreshed user has changed
fix a return type hint
invalidate stale commits for PRs too
add missing cache prefix seed attribute to XSD
fix command description
Fix class documentation
[Validator] Add a missing translation
[FrameworkBundle] Fix 3.4 tests
[DI] fix dumping inline services again
Rename consumer to receiver
Register messenger before the profiler
Fix phpdocs
[EventDispatcher] Remove template method in test case
Added LB translation for #27993 (UUID validator message translation)
Replace deprecated validateValue with validate
[FWBundle] Automatically enable PropertyInfo when using Flex
[Process] fix locking of pipe files on Windows
Correct PHPDoc type for float ttl
...
* 3.4: (21 commits)
Added the Code of Conduct file
do not override custom access decision configs
[Security] Do not deauthenticate user when the first refreshed user has changed
invalidate stale commits for PRs too
add missing cache prefix seed attribute to XSD
fix command description
Fix class documentation
[Validator] Add a missing translation
[FrameworkBundle] Fix 3.4 tests
[DI] fix dumping inline services again
Fix phpdocs
[EventDispatcher] Remove template method in test case
Added LB translation for #27993 (UUID validator message translation)
Replace deprecated validateValue with validate
[FWBundle] Automatically enable PropertyInfo when using Flex
[Process] fix locking of pipe files on Windows
Correct PHPDoc type for float ttl
bumped Symfony version to 3.4.18
updated VERSION for 3.4.17
updated CHANGELOG for 3.4.17
...
This PR was squashed before being merged into the 3.4 branch (closes#28072).
Discussion
----------
[Security] Do not deauthenticate user when the first refreshed user has changed
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Currently the token is deauthenticated when the first refreshed user has changed. In theory, a second user provider could find a user that is the same than the user stored in the token.
Also, the deauthentication is currently affected by the order of the user providers in the security.yaml and IMHO it does not make sense.
Commits
-------
95dce67 [Security] Do not deauthenticate user when the first refreshed user has changed
* 4.1: (21 commits)
[php_cs] disable fopen_flags
[DI] fix error in dumped container
[CS] Remove unused variables passed to closures
[DI] fix dumping setters before their inlined instances
[CS] Remove empty comment
[CS] Enforces null type hint on last position in phpDocs
[CS] Use combined assignment operators when possible
Fix a typo in error messages
Don't return early as this bypasses the auto exit feature
[Console] Add missing null to input values allowed types
[PHPUnitBridge] Fix microtime() format
bumped Symfony version to 4.1.6
updated VERSION for 4.1.5
updated CHANGELOG for 4.1.5
bumped Symfony version to 3.4.17
updated VERSION for 3.4.16
updated CHANGELOG for 3.4.16
bumped Symfony version to 2.8.47
update CONTRIBUTORS for 2.8.46
updated VERSION for 2.8.46
...
* 3.4:
[php_cs] disable fopen_flags
[DI] fix error in dumped container
[CS] Remove unused variables passed to closures
[DI] fix dumping setters before their inlined instances
[CS] Remove empty comment
[CS] Enforces null type hint on last position in phpDocs
[CS] Use combined assignment operators when possible
Fix a typo in error messages
Don't return early as this bypasses the auto exit feature
[Console] Add missing null to input values allowed types
[PHPUnitBridge] Fix microtime() format
bumped Symfony version to 3.4.17
updated VERSION for 3.4.16
updated CHANGELOG for 3.4.16
bumped Symfony version to 2.8.47
update CONTRIBUTORS for 2.8.46
updated VERSION for 2.8.46
updated CHANGELOG for 2.8.46
* 2.8:
[php_cs] disable fopen_flags
[CS] Remove unused variables passed to closures
[CS] Remove empty comment
[CS] Enforces null type hint on last position in phpDocs
[CS] Use combined assignment operators when possible
Fix a typo in error messages
[Console] Add missing null to input values allowed types
[PHPUnitBridge] Fix microtime() format
bumped Symfony version to 2.8.47
update CONTRIBUTORS for 2.8.46
updated VERSION for 2.8.46
updated CHANGELOG for 2.8.46
* 4.1:
[Console] simplified code
removed useless phpdoc
improve docblocks around group sequences
[Cache] prevent getting older entries when the version key is evicted
[WebProfilerBundle] added a note in the README
[Yaml] Skip parser test with root user
[Filesystem] Skip tests on readable file when run with root user
[FWBundle] Fix an error in WebTestCase::createClient's PHPDoc
[HttpFoundation][Security] forward locale and format to subrequests
[Console] Send the right exit code to console.terminate listeners
[HttpFoundation] fix hidding warnings from session handlers
Caching missed templates on cache warmup
* 3.4:
[Console] simplified code
removed useless phpdoc
improve docblocks around group sequences
[Cache] prevent getting older entries when the version key is evicted
[WebProfilerBundle] added a note in the README
[Yaml] Skip parser test with root user
[Filesystem] Skip tests on readable file when run with root user
[FWBundle] Fix an error in WebTestCase::createClient's PHPDoc
[HttpFoundation][Security] forward locale and format to subrequests
[Console] Send the right exit code to console.terminate listeners
[HttpFoundation] fix hidding warnings from session handlers
Caching missed templates on cache warmup
* 2.8:
improve docblocks around group sequences
[WebProfilerBundle] added a note in the README
[Filesystem] Skip tests on readable file when run with root user
[FWBundle] Fix an error in WebTestCase::createClient's PHPDoc
[HttpFoundation][Security] forward locale and format to subrequests
[Console] Send the right exit code to console.terminate listeners
Caching missed templates on cache warmup
This PR was merged into the 4.2-dev branch.
Discussion
----------
[HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #26731
| License | MIT
| Doc PR | -
By creating Cookie instances using `null` for the `$secure` argument, this PR allows making cookies inherit their "secure" attribute from the request.
This PR also adds a forward to make $secure=null and samesite=lax the defaults in Symfony 5.0:
- either define all constructor's arguments explicitly
- or use the new `Cookie::create()` factory
Commits
-------
9493cfd5f2 [HttpFoundation] make cookies auto-secure when passing them $secure=null + plan to make it and samesite=lax the defaults in 5.0
* 4.1:
[DI] configure inlined services before injecting them when dumping the container
Consistently throw exceptions on a single line
fix fopen calls
Update .editorconfig
* 3.4:
[DI] configure inlined services before injecting them when dumping the container
Consistently throw exceptions on a single line
fix fopen calls
Update .editorconfig