This PR was submitted for the master branch but it was merged into the 3.4 branch instead.
Discussion
----------
[Validator] Allow URL-encoded special characters in basic auth part of URLs
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36285
| License | MIT
Special characters in HTTP Basic Auth passwords in an URL need to be url-encoded.
Example: `foo@bar` becomes `foo%40bar`, in an URL: `http://user:foo%40bar@example.org`
The UrlValidator did not allow percent signs in username and password, and this is changed now.
Commits
-------
8a56c506e3 Allow URL-encoded special characters in basic auth part of URLs
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Track session usage whenever a new token is set
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36208
| License | MIT
| Doc PR | -
When using `anonymous: lazy`, the programatic login using the guard handler is broken. As the `setToken()` does not track usage, the index remains equal.
I tried fixing this more properly in e.g. the `SessionStrategy::onAuthentication` class, but I couldn't get it working (as `$request->hasPreviousSession()` returns false, the session strategy isn't called). `setToken()` can also not be made usage tracking afaics, because it would directly break (`setToken(null)` is called in `ContextListener`).
The current fix does however look really ugly, but I can't find anything better with my minor knowledge of this session usage tracking feature. I'm open for all ideas :)
Commits
-------
8d96dbd08b Track session usage when setting the token
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Serializer] Fix unitialized properties (from PHP 7.4.2) when serializing context for the cache key
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix https://github.com/symfony/symfony/issues/35574https://github.com/doctrine/orm/issues/8030
| License | MIT
| Doc PR | N/A
This bug only happens on the following conditions:
- A Doctrine entity (`Book`) having a relation with another entity (`Author`) is used;
- The `Author` entity uses typed properties (PHP 7.4) not initialized;
- The `Serializer` is used with the `Book` in the `OBJECT_TO_POPULATE` key in the context.
For instance:
```php
<?php
declare(strict_types=1);
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
/** @ORM\Entity */
class Book
{
/**
* @ORM\ManyToOne(targetEntity="Author")
*/
public Author $author;
public ?string $isbn;
}
```
```php
<?php
declare(strict_types=1);
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
/** @ORM\Entity */
class Author
{
public ?string $name;
}
```
Or even:
```php
<?php
declare(strict_types=1);
namespace App\Entity;
use Doctrine\ORM\Mapping as ORM;
/** @ORM\Entity */
class Author
{
private string $name;
public function __construct()
{
$this->name = 'Leo';
}
}
```
If the following is done (it's the case for instance in API Platform when a `PUT` is made):
```php
$serializer->deserialize('{"isbn":"2038717141"}', Book::class, 'json', ['object_to_populate' => $book]);
```
Then there will be the following error:
> Fatal error: Typed property Proxies\__CG__\App\Entity\Author::$ must not be accessed before initialization (in __sleep)
It's because of these lines in the `getCacheKey` method of the `AbstractObjectNormalizer`:
5da141b8d0/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php (L405-L409)
Since the lazy proxyfied relation has a `__sleep` with unitialized properties, the `serialize` method will throw (since https://bugs.php.net/bug.php?id=79002: 846b647953).
I propose to fix this issue by unsetting the `OBJECT_TO_POPULATE` key in the context because I don't think it's useful for determining the attributes of the object.
For the next versions of Symfony, the fix should probably be elsewhere, in the default context.
For instance in Symfony 4.4, instead of:
15edfd39d4/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php (L118)
It should be:
```php
$this->defaultContext[self::EXCLUDE_FROM_CACHE_KEY] = [self::CIRCULAR_REFERENCE_LIMIT_COUNTERS, self::OBJECT_TO_POPULATE];
```
But I'm not sure how it should be merged (another PR maybe?).
Commits
-------
1fafff7c10 [Serializer] Fix unitialized properties (from PHP 7.4.2) when serializing context for the cache key
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Validator] Add missing Ukrainian and Russian translations
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | none
| License | MIT
Commits
-------
d43ef4ec92 [Validator] Add missing Ukrainian and Russian translations
This PR was merged into the 4.4 branch.
Discussion
----------
[Security][Http][SwitchUserListener] Ignore all non existent username protection errors
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/36174
| License | MIT
| Doc PR | -
Since we generate the non existent username blindly, it can lead to Doctrine exceptions or any other exception.
We can catch all exceptions here but I guess it reduces the protection since the SQL query was not executed?
Alternative: we can only catch Doctrine DriverException (in addition to the existing AuthenticationException) and only silent the reported error codes?
Commits
-------
42311d5c29 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel][LoggerDataCollector] Prevent keys collisions in the sanitized logs processing
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/36159
| License | MIT
| Doc PR | -
`$sanitizedLogs` is used with numeric and "associative" keys. To prevent collisions when the message is a number, we can simply prepend all messages with a random letter (so we avoid a behavior refactor). It doesn't matter since they key is only used for the processing, it is dropped at the end.
Commits
-------
79fe888072 [HttpKernel][LoggerDataCollector] Prevent keys collisions in the sanitized logs processing
This PR was merged into the 4.4 branch.
Discussion
----------
Fix the reporting of deprecations in twig:lint
| Q | A
| ------------- | ---
| Branch? | 4.4 (the `--show-deprecations` option does not exist in 3.4)
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | n/a
- ensure that the message is rendered when the line detection fails and we end up with 0 as line number (the implementation also deals with -1 which is sometimes used by Twig for errors when it does not know the line, even though this should not happen for compile-time errors).
- fix the detection of the line number when the number is at the end of the sentence, which happens for the deprecation of filters for instance.
Commits
-------
c329ca7e01 Fix the reporting of deprecations in twig:lint
- ensure that the message is rendered when the line detection fails and
we end up with 0 as line number (the implementation also deals with -1
which is sometimes used by Twig for errors when it does not know the
line, even though this should not happen for compile-time errors).
- fix the detection of the line number when the number is at the end of
the sentence, which happens for the deprecation of filters for
instance.
* 3.4:
Fix versions
[Security/Http] Allow setting cookie security settings for delete_cookies
[FrameworkBundle] revert to legacy wiring of the session when circular refs are detected
bumped Symfony version to 3.4.40
updated VERSION for 3.4.39
update CONTRIBUTORS for 3.4.39
updated CHANGELOG for 3.4.39
update Italian translation
[Validator] Add missing Hungarian translations
[Validator] Add the missing translations for the Arabic (ar) locale
[Validator] Add missing vietnamese translations
[Console] Fix OutputStream for PHP 7.4
add German translations
bug #36157 [Validator] Assert Valid with many groups
[Validator] Add missing Lithuanian translations
Fixed some typos
Add french "at least" constraint translations
This PR was merged into the 3.4 branch.
Discussion
----------
[Security/Http] Allow setting cookie security settings for delete_cookies
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix https://github.com/symfony/symfony/pull/36243#discussion_r399646893
| License | MIT
| Doc PR | tbd
Similar to #36173 and #36175. This is needed for Chrome 80 compatibility.
My only question is whether we should introduce these specific settings, or somehow fetch them from `framework.session`?
Commits
-------
a696d1f3af [Security/Http] Allow setting cookie security settings for delete_cookies
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] revert to legacy wiring of the session when circular refs are detected
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36063
| License | MIT
| Doc PR | -
As introduced and reported in the linked PR.
Commits
-------
35644cf8dd [FrameworkBundle] revert to legacy wiring of the session when circular refs are detected
This PR was merged into the 4.4 branch.
Discussion
----------
[DomCrawler] Fix BC break in assertions breaking Panther
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
#35899 introduces a BC break: browsers aren't able to retrieve the non-normalized version of a text. According to the HTML spec, whitespaces are always normalized. Because of this patch, these assertions doesn't work with Panther anymore.
Also, this change probably hurts other users because getting the non-normalized version is almost never expected. (I'm in favor of **not** supporting retrieving the non-normalized version at all, for consistency with browsers and the spec, but it's another topic).
Commits
-------
7af07c889e [DomCrawler] Fix BC break in assertions breaking Panther