This PR was squashed before being merged into the 4.4 branch (closes#32107).
Discussion
----------
[Validator] Add AutoMapping constraint to enable or disable auto-validation
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #32070, #32015 <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | todo
As discussed in #32070 and #32015, it's sometimes mandatory to prevent some classes or properties to be auto mapped (auto-validated). This PR introduces a new constraint, `@AutoMapping` allowing to do exactly that. Examples:
Class:
```php
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Validator\Constraints as Assert;
/**
* @ORM\Entity
* @Assert\AutoMapping(false)
*/
class DoctrineLoaderNoAutoMappingEntity
{
/**
* @ORM\Id
* @ORM\Column
*/
public $id;
/**
* @ORM\Column(length=20, unique=true)
*/
public $maxLength;
}
```
Property:
```php
namespace Symfony\Bridge\Doctrine\Tests\Fixtures;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
use Symfony\Component\Validator\Constraints as Assert;
/**
* @ORM\Entity
*/
class DoctrineLoaderEntity extends DoctrineLoaderParentEntity
{
/**
* @ORM\Id
* @ORM\Column
*/
public $id;
/**
* @ORM\Column(length=10)
* @Assert\AutoMapping(false)
*/
public $noAutoMapping;
}
```
The rules are the following:
* If the constraint is present on a property, and set to true, auto-mapping is always on, regardless of the config, and of any class level annotation
* If the constraint is present on a property, and set to false, auto-mapping is always off, regardless of the config, and of any class level annotation
* If the constraint is present on a class, and set to true, auto-mapping is always on except if a the annotation has been added to a specific property, and regardless of the config
* If the constraint is present on a class, and set to false, auto-mapping is always off except if a the annotation has been added to a specific property, and regardless of the config
Commits
-------
f6519ce88b [Validator] Add AutoMapping constraint to enable or disable auto-validation
This PR was merged into the 4.3 branch.
Discussion
----------
[TwigBundle][exception] Added missing css variable to highlight line in trace
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
---
To get the yellow background
![image](https://user-images.githubusercontent.com/408368/67779323-c331b880-fa64-11e9-9a2f-97730a89a6d6.png)
Commits
-------
5f19501 [TwigBundle][exception] Added missing css variable to highlight line in trace
This PR was merged into the 4.4 branch.
Discussion
----------
Re-allow to use "tagged" in service definitions
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
Re-allow to use `tagged` in 4.4 and 5.0. It makes it easier for bundles to support both Symfony 4.3- and Symfony 4.4+.
Needed to make API Platform compatible with Symfony 5 (api-platform/core#3009)
Commits
-------
7b7dc0df9a Re-allow to use "tagged" in service definitions
This PR was merged into the 4.4 branch.
Discussion
----------
[Lock] Add missing lock connection string in FrameworkExtension
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | yes
| Tickets | -
| License | MIT
| Doc PR | TODO
This PR adds support to missing DSN in Lock component
```
framework:
lock: sqlite:/tmp/db
lock: mysql:host=localhost;dbname=test
lock: zookeeper://localhost:2181
```
The PR also removes intermediate "internal" services `.lock_connection.*` in favor of factory `StoreFactory::createStore`. Which remove duplicate code.
This PR also deprecate unused services `lock.store.*` and `lock.store.*.abstract`
Commits
-------
2db24cf582 Add missing lock connection string in FrameworkExtension
This PR was squashed before being merged into the 4.3 branch.
Discussion
----------
[HttpFoundation] Allow to not pass a parameter to Request::isMethodSafe()
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
This parameter was already deprecated in Symfony 4. Allowing to not pass it in Symfony 4.3 without triggering a deprecation allows to support both HttpFoundation 4.3 and 4.4, otherwise it's not possible.
Needed to make API Platform compatible with Symfony 5 (https://github.com/api-platform/core/pull/3009)
Commits
-------
e819256ea0 [HttpFoundation] Allow to not pass a parameter to Request::isMethodSafe()
This PR was merged into the 4.4 branch.
Discussion
----------
[Lock][Cache] Allows URL DSN in PDO adapters
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | TODO
This PR duplicate a feature from PdoSessionHandler that convert URL DSN ( ie. mysql://localhost/test) into PDO DSN (ie. mysql:host=localhost;dbname=test)
that would ease configuration by using the same well-known variable
```
framework:
lock: '%env(DATABASE_URL)%'
```
note: I applied the same change on Cache component for consistency.
Commits
-------
474daf976e Allows URL DSN in Lock and Cache
This PR was squashed before being merged into the 4.4 branch (closes#34151).
Discussion
----------
[DomCrawler] normalizeWhitespace should be true by default
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
According to the [DOM](https://www.w3.org/TR/DOM-Level-3-Core/core.html#Text3-isElementContentWhitespace) and [WebDriver](https://www.w3.org/TR/webdriver/#get-element-text) specs, browsers always return the normalized text. In Panther, because of WebDriver, it's not even possible without dirty hacks to retrieve the "non normalized" text.
For compatibility with Panther it's mandatory to set this new parameter (introduced in 4.4) to `true` by default.
I propose to change the default value to true in 5.0, it has the benefit of:
* being spec-compliant (in 5.0, text will be normalized by default)
* being cleaner when using Panther (`$node->text()` instead of `$node->text(null, true)`, passing true is mandatory because Panther doesn't support retrieving the non-normalized text)
For backward compatible with 4.x versions, if no argument is passed and the returned text isn't the same than the normalized one, a notice is triggered.
Commits
-------
54d46eef67 [DomCrawler] normalizeWhitespace should be true by default
This PR was squashed before being merged into the 4.3 branch (closes#33828).
Discussion
----------
[DoctrineBridge] Auto-validation must work if no regex are passed
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
Backport of https://github.com/symfony/symfony/pull/32107/files#r295762928.
This behavior if faulty, if no regex are passed, autvalidation must be triggered, [as done in `PropertyInfoLoader`](https://github.com/symfony/symfony/blob/4.3/src/Symfony/Component/Validator/Mapping/Loader/PropertyInfoLoader.php#L50).
Commits
-------
5ed7d6c759 [DoctrineBridge] Auto-validation must work if no regex are passed
This PR was merged into the 4.4 branch.
Discussion
----------
[ErrorRenderer] Security fix: hide sensitive error messages
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
This PR fixes a security issue. Exception messages must not be displayed except when debugging, because they can contain sensitive data including credentials.
For instance, PDO and Doctrine throw exception with message such as `The details are: SQLSTATE[HY000] [1045] Access denied for user 'root'@'db.example.com' (using password: NO)` revealing internal details about the infrastructure usful for an attacker.
Also, I still think that ErrorRenderer should be removed in favor of using the Serializer directly (see https://github.com/symfony/symfony/pull/33650#issuecomment-534441889). I'll try to open some PRs to do that in tomorrow.
Commits
-------
d7d7f22 [ErrorRenderer] Security fix: hide sensitive error messages
This PR was merged into the 4.3 branch.
Discussion
----------
[OptionsResolver] Fix an error message to be more accurate
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#30432
| License | MIT
| Doc PR | -
Follow-up https://github.com/symfony/symfony/pull/30442 for 4.3
Commits
-------
1be68a752a Fix an error message to be more accurate
* 4.3:
[OptionsResolve] Revert change in tests for a not-merged change in code
[HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
[Workflow] Made the configuration more robust for the 'property' key
[Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible
#30432 fix an error message
fix paths to detect code owners
[HttpClient] ignore the body of responses to HEAD requests
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
[SecurityBundle] Fix wrong assertion
Remove unused local variables in tests
[Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
Make sure to collect child forms created on *_SET_DATA events
[WebProfilerBundle] Improve display in Email panel for dark theme
do not render errors for checkboxes twice
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] correct types for default arguments for firewall configs
| Q | A
| ------------- | ---
| Branch? | 3.4 (and forward)
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | n/a
Up until now, the default template arguments in the `security.firewall.config` abstract service definition have been each defined (aside from the argument for `$listeners` which is given a `collection` type) in the XML as
```xml
<argument />
```
which resolves to an empty string, despite that some of the arguments are typed to being either `bool` or `array|null` on the `Symfony\Bundle\SecurityBundle\Security\FirewallConfig` class itself.
This wouldn't be so much of a problem if the child definitions that use this as a template overrode all the arguments every time, but in the case of firewall configs that mark security as _not_ being enabled, [only the first few arguments are overwritten](https://github.com/symfony/symfony/blob/3.4/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php#L349-L352), so firewall config objects that do not have security enabled are instantiated by the DI container with parameters with some of the wrong types.
In general this wouldn't be an issue, as firewalls with security not enabled would not usually be consumed in a context where further security-related config were needed, but there is a case in `Symfony\Bundle\SecurityBundle\DataCollector\SecurityDataCollector` where the method `getSwitchUser()` on the firewall config object [can be called](https://github.com/symfony/symfony/blob/3.4/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php#L181) without checking first whether the firewall has security enabled, which leads to an exception being thrown:
```
Symfony\Component\Debug\Exception\ContextErrorException
Warning: Illegal string offset 'parameter'
in vendor/symfony/symfony/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php (line 184)
```
which is down to the firewall config being set with an empty string rather than `null` (in which case the logic here would function as expected).
It seemed most appropriate as a fix (especially given possible introduction of scalar type hints in the future) to apply types to the default arguments so that it was no longer possible to instantiate a firewall config object with parameters of unexpected types.
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch 4.4.
- Legacy code removals go to the master branch.
-->
Commits
-------
6b7044fc01 [SecurityBundle] correct types for default arguments for firewall configs
* 3.4:
#30432 fix an error message
fix paths to detect code owners
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
Remove unused local variables in tests
Make sure to collect child forms created on *_SET_DATA events
do not render errors for checkboxes twice
This PR was merged into the 4.3 branch.
Discussion
----------
[Workflow] Made the configuration more robust for the 'property' key
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34092
| License | MIT
| Doc PR |
Commits
-------
0c31ff007e [Workflow] Made the configuration more robust for the 'property' key
This PR was merged into the 4.3 branch.
Discussion
----------
[HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
A `304` is the final response code.
This PR implements the same logic as curl.
Commits
-------
50a88c59f6 [HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
This PR was merged into the 4.3 branch.
Discussion
----------
[Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
sodium implementations are always faster, let's use them when possible. This also allows validating argon2 passwords when bcrypt is configured as the main one, making migrations possible.
Commits
-------
799a2eae2d [Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible