* 5.0: (38 commits)
[Security] Check UserInterface::getPassword is not null before calling needsRehash
gracefully handle missing event dispatchers
Fix TokenStorage::reset not called in stateless firewall
[DotEnv] Remove `usePutEnv` property default value
[HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
Set up typo fix
[DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
[Cache] fix memory leak when using PhpArrayAdapter
[Validator] Allow underscore character "_" in URL username and password
[TwigBridge] Update bootstrap_4_layout.html.twig
[DoctrineBridge] Removed QueryBuilder type hint in getLoader()
[FrameworkBundle][SodiumVault] Create secrets directory only when needed
fix parsing negative octal numbers
[String] implement __sleep()/__wakeup() on strings
Fixed translations file dumper behavior
[Routing][ObjectLoader] Remove forgotten deprecation after merge
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
[DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
[SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass
do not validate passwords when the hash is null
...
* 4.4: (30 commits)
[Security] Check UserInterface::getPassword is not null before calling needsRehash
gracefully handle missing event dispatchers
Fix TokenStorage::reset not called in stateless firewall
[DotEnv] Remove `usePutEnv` property default value
[HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
Set up typo fix
[DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
[Cache] fix memory leak when using PhpArrayAdapter
[Validator] Allow underscore character "_" in URL username and password
[TwigBridge] Update bootstrap_4_layout.html.twig
[FrameworkBundle][SodiumVault] Create secrets directory only when needed
fix parsing negative octal numbers
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
[DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
[SecurityBundle] Properly escape regex in AddSessionDomainConstraintPass
do not validate passwords when the hash is null
[DI] fix resolving bindings for named TypedReference
[Config] never try loading failed classes twice with ClassExistenceResource
[Mailer] Fix SMTP Authentication when using STARTTLS
[DI] Fix making the container path-independent when the app is in /app
...
This PR was merged into the 4.4 branch.
Discussion
----------
[Mailer] Fix SMTP Authentication when using STARTTLS
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34522
| License | MIT
When the mail server uses STARTTLS, the SMTP Authentication is not performed because the AUTH capabilities are not send during the first EHLO call, but during the second one.
Example of problematic exchange solved by this PR:
```
< 220 mydomain.tld ESMTP Postcow
> EHLO [127.0.0.1]
< 250-mydomain.tld
< 250-PIPELINING
< 250-SIZE 104857600
< 250-ETRN
< 250-STARTTLS
< 250-ENHANCEDSTATUSCODES
< 250-8BITMIME
< 250-DSN
< 250 CHUNKING
> STARTTLS
< 220 2.0.0 Ready to start TLS
> EHLO [127.0.0.1]
< 250-mydomain.tld
< 250-PIPELINING
< 250-SIZE 104857600
< 250-ETRN
< 250-AUTH PLAIN LOGIN
< 250-AUTH=PLAIN LOGIN
< 250-ENHANCEDSTATUSCODES
< 250-8BITMIME
< 250-DSN
< 250 CHUNKING
> MAIL FROM:<noreply@XXX>
< 250 2.1.0 Ok
> RCPT TO:<XXX>
< 554 5.7.1 <XXX>: Client host rejected: Access denied
```
Commits
-------
75b54542ab [Mailer] Fix SMTP Authentication when using STARTTLS
This PR was merged into the 5.1-dev branch.
Discussion
----------
[DependencyInjection] Autowire public typed properties
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
### Description
This PR adds the Autowiring of **public typed properties** in PHP 7.4.
It is only on "public" properties.
It could let people think that services are better injected in "public".
I don't know what to think about it, you?
### How about "private" properties - further thinking
Even if I think that it would be awesome to be able to inject in "private" properties, we discussed it with @nicolas-grekas, and I agree Symfony should not break any standard logic. If the property is private then it is private the DI cannot touch it.
But that could/would remove a lot of boilerplate, and if it is declarative, that might still be something to do.
Maybe we could introduce a new annotation for injection in "private": `@requiredPrivated` ?
Commits
-------
cad7fbb9f7 [DI] Autowire public typed properties
This PR was merged into the 4.4 branch.
Discussion
----------
[DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
A case we forgot to handle.
Commits
-------
c3574858b5 [DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
This PR was merged into the 3.4 branch.
Discussion
----------
[Cache] fix memory leak when using PhpArrayAdapter
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34687
| License | MIT
| Doc PR | -
Thanks to @adrienfr, I've been able to understand what causes this massive memory leak when using `PhpArrayAdapter`:
![image](https://user-images.githubusercontent.com/243674/70262187-303b1b00-1794-11ea-9fcb-21ae29c31ff0.png)
When tests run, a new kernel is booted for each test case. This means a new instance of `PhpArrayAdapter` is created, which means it loads its state again and again using `include` for e.g. `annotations.php` in this example.
The first obvious thing is that we see this doing `compile::*`: this means PHP is parsing the same file again and again. But shouldn't opcache prevent this? Well, it's disabled by default because `opcache.enable_cli=0`. To prove the point, here is a comparison with the same tests run with `php -dopcache.enable_cli=1`. The comparison is swapped, but you'll get it:
![image](https://user-images.githubusercontent.com/243674/70262616-fb7b9380-1794-11ea-81c3-6fea0145a63b.png)
But that's not over: because of https://bugs.php.net/76982 (see #32236 also), we still have a memory leak when the included file contains closures. And this one does.
This PR fixes the issue by storing the return value of the include statement into a static property. This fits the caching model of `PhpArrayAdapter`: it's a read-only storage for system caches - i.e. its content is immutable.
Commits
-------
4194c4c56d [Cache] fix memory leak when using PhpArrayAdapter
This PR was merged into the 5.0 branch.
Discussion
----------
[String] implement __sleep()/__wakeup() on strings
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This resets the transient ignoreCase state on unserialized instances.
Commits
-------
416e40d943 [String] implement __sleep()/__wakeup() on strings
This PR was merged into the 5.0 branch.
Discussion
----------
[String] inline Latin-ASCII rules
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34751
| License | MIT
| Doc PR | -
Makes the component a bit more portable.
Commits
-------
976a938736 [String] inline Latin-ASCII rules
* 4.3:
[DotEnv] Remove `usePutEnv` property default value
Set up typo fix
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
do not validate passwords when the hash is null
[DI] fix resolving bindings for named TypedReference
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 4.3.10
updated VERSION for 4.3.9
updated CHANGELOG for 4.3.9
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
Add test on ServerLogHandler
* 3.4:
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
do not validate passwords when the hash is null
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
This PR was merged into the 4.4 branch.
Discussion
----------
[DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/34752
| License | MIT
| Doc PR | -
One more case we forgot 😅
Commits
-------
b6c5a54cfd [DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
This PR was merged into the 5.0 branch.
Discussion
----------
[Routing][ObjectLoader] Remove forgotten deprecation after merge
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
https://github.com/symfony/symfony/pull/34621 needs to be gone on 5.0. We want to throw here. I think it was forgotten when merging in 5.0.
Commits
-------
4e60b9db22 [Routing][ObjectLoader] Remove forgotten deprecation after merge
* 4.4:
Fixed translations file dumper behavior
When set, get secret from config variable
[FrameworkBundle] Set the parameter bag as resolved in ContainerLintCommand
[SecurityBundle] Fix switch_user provider configuration handling
* 5.0:
[Security/Core] Fix checking for SHA256/SHA512 passwords
[Cache][Lock] fix tests
bumped Symfony version to 5.0.2
updated VERSION for 5.0.1
updated CHANGELOG for 5.0.1
bumped Symfony version to 4.4.2
updated VERSION for 4.4.1
updated CHANGELOG for 4.4.1
* 4.4:
[Security/Core] Fix checking for SHA256/SHA512 passwords
[Cache][Lock] fix tests
bumped Symfony version to 4.4.2
updated VERSION for 4.4.1
updated CHANGELOG for 4.4.1
This PR was merged into the 5.1-dev branch.
Discussion
----------
Deprecate *Response::create() methods
| Q | A
| ------------- | ---
| Branch? | master <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | yes <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a<!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | -
The `::create()` methods of the `Response` class hierarchy are not needed anymore in modern PHP versions as we can use parenthesis around the new operator. So `Response::create()->...()` is equivalent to `(new Response)->...()`.
Let's deprecate the static method. It's also good as the first parameter type changes depending on the sub-class.
Commits
-------
ebb13e7c99 Deprecate *Response::create() methods
This PR was squashed before being merged into the 5.0 branch (closes#34539).
Discussion
----------
[Notifier] Add telegram tests
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | See #33687
| License | MIT
Adds tests for the Telegram bridge of the Notifier component. Not sure if this is the right way to go, but would love some feedback.
#SymfonyHackday
Commits
-------
3b4d83cb4a [Notifier] Add telegram tests
This PR was squashed before being merged into the 5.0 branch (closes#34549).
Discussion
----------
[Notifier] Add Slack bridge tests
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | See #33687
| License | MIT
Adds tests for the Slack bridge of the Notifier component.
#SymfonyHackday
Commits
-------
626fdaa9a4 [Notifier] Add Slack bridge tests
* 5.0:
[DI] auto-register singly implemented interfaces by default
[DI] fix overriding existing services with aliases for singly-implemented interfaces
remove service when base class is missing
do not depend on the QueryBuilder from the ORM
[Security/Http] call auth listeners/guards eagerly when they "support" the request
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[HttpClient] remove conflict rule with HttpKernel that prevents using the component in Symfony 3.4
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
Fix compatibility with Monolog 2
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
Changing the multipart form-data behavior to use the form name as an array, which makes it recognizable as an array by PHP on the $_POST globals once it is coming from the HttpClient component
* 4.4:
[DI] auto-register singly implemented interfaces by default
[DI] fix overriding existing services with aliases for singly-implemented interfaces
remove service when base class is missing
do not depend on the QueryBuilder from the ORM
[Security/Http] call auth listeners/guards eagerly when they "support" the request
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[HttpClient] remove conflict rule with HttpKernel that prevents using the component in Symfony 3.4
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
Changing the multipart form-data behavior to use the form name as an array, which makes it recognizable as an array by PHP on the $_POST globals once it is coming from the HttpClient component
* 4.3:
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
This PR was merged into the 3.4 branch.
Discussion
----------
more robust initialization from request
Request::getPort is declared as int|string but can actually return null.
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
I discovered this problem with a functional test where i dispatch the RequestEvent with a `new Request()`. This used to work in symfony 4 and now triggers an error `Argument 1 passed to Symfony\Component\Routing\RequestContext::setHttpPort() must be of the type int, null given`
In regular web requests, this should probably never happen, but it seems to me if Request is not robust, the RequestContext should be robust about it.
Commits
-------
c6ed0f0208 more robust initialization from request
This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Http] call auth listeners/guards eagerly when they "support" the request
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34614, Fix#34679
| License | MIT
| Doc PR | -
This fixes the form authenticator linked to #34614.
Since laziness is here to provide compatibility with HTTP caching, it should be disabled when the request cannot be cached.
Tests don't pass yet, but I'm on the path to something here.
The PR now introduces a new `AbstractListener` that splits the handling logic in two:
- `supports(Request): ?bool` is always called eagerly and tells whether the listener matches the request for an earger call or a lazy call
- `authenticate(RequestEvent)` does the rest of the job when `supports()` allows so - lazily or not depending on the return value of `supports()`.
Of course, this remains compatible with non-lazy logics, see `AbstractListener::__invoke()`.
Commits
-------
b20ebe6b90 [Security/Http] call auth listeners/guards eagerly when they "support" the request
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Fix clearing remember-me cookie after deauthentication
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#26379
| License | MIT
| Doc PR | -
If you are using the `remember_me` listener and the refreshed user is deauthenticated, you are still logged in because the remember-me cookie does not get cleared.
This fixes it.
Commits
-------
d625a73705 [Security] Fix clearing remember-me cookie after deauthentication