This PR was submitted for the 4.2 branch but it was squashed and merged into the 4.3 branch instead (closes#32455).
Discussion
----------
[HttpFoundation] Clear invalid session cookie
| Q | A
| ------------- | ---
| Branch? | 4.2 (actually maybe should also go to 3.4, see below)
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | TODO
| Fixed tickets |
| License | MIT
| Doc PR | not required
Currently, invalid session cookies are not cleaned up.
If the session is empty, the `AbstractSessionHandler::write()` destroys the session. If a new session has been started in the current process (meaning `session_start()` has sent the `Set-Cookie` header) then the `AbstractSessionHandler` will make sure this cookie is not sent to the client. If, however, `session_start()` did not send a cookie (meaning there was already a valid session ID in your request cookie), the `AbstractSessionHandler` will clear the session cookie (send a 0-lifetime cookie).
If, however, the request does contain a session ID cookie but it is not valid, `session_start()` will send a new cookie which is then again cleared by the `AbstractSessionHandler`. But it will not clear the old cookie sent by the request.
Here's a more complex example of what happens in the code flow when a user logs out and we regenerate a new session id for security reasons:
1. You have no `PHPSESSID` cookie yet.
2. You log into the system, you get a new `PHPSESSID` assigned. Let's go for session ID `1`.
3. You log out of the system, for security reasons you get session ID `2` regenerated.
4. The `AbstractSessionListener` pops in and calls `->save()` on your session handler.
5. The `NativeSessionStorage` calls the `StrictSessionHandler` (in fact the abstract parent, `AbstractSessionHandler`) which `write()`s the session data. In case the session data is empty, it will actually `destroy()` the session which means it will invalidate the session cookie. In that case, however, it won't send a 0-lifetime cookie because `$cookie = SessionUtils::popSessionCookie($this->sessionName, $sessionId);` will **not** return `null`. That is because after regeneration we actually do have a `Set-Cookie: PHPSESSID=2` header present.
6. This means, our `PHPSESSID=1` cookie is never deleted.
Why is this a problem?
Well, we have an invalid cookie that remains floating around forever. Loads of reverse proxies consider requests with cookies as being private and thus disable caching.
I'm not sure this is the correct fix here but it felt like the only place we can do this because it has to happen during or after `$session->save()`.
Looking for feedback first before we finish this with tests etc.
Regarding Symfony 3.4: Not sure how this is affected because there's not even a `SessionUtils` class so I'd prefer to leave that fix to somebody who feels more comfortable with that code base 😄
/cc @aschempp
Commits
-------
b22a7263b9 [HttpFoundation] Clear invalid session cookie
This PR was merged into the 4.4 branch.
Discussion
----------
[DoctrineBridge] Invokable event listeners
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/11992
Invokable Doctrine entity listeners will likely be supported in the next version of the DoctrineBundle (cf https://github.com/doctrine/DoctrineBundle/pull/989).
I think it would also be great to support it for Doctrine event listeners.
Commits
-------
47e872a826 [DoctrineBridge] Allow invokable event listeners
This PR was merged into the 4.4 branch.
Discussion
----------
[Validator] Allow objects implementing __toString() to be used as violation messages
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | I didn't see a doc on violations to update, but I'm happy to do documentation if somone can suggest the best place to do it.
Currently in the Drupal project we use Translatable Markup object to hold most strings and currently pass them in as Constraint Violation messages. In Symfony 3 this works but with the added typehinting in Symfony 4, these markup objects are rendered into strings at the time of the violation creation. This causes any html in the message string to be considered unsafe by twig later in our rendering process. This pr explicitly allows objects implementing a __toString() method to be used as violation messages, and the violation will save and return the original stringable object.
See https://www.drupal.org/project/drupal/issues/3029540 For our Drupal issue on the subject.
Commits
-------
79f4dcd2dc [Validator] Allow objects implementing __toString() to be used as violation messages
This PR was merged into the 3.4 branch.
Discussion
----------
[Serializer] Fix negative DateInterval
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #33052
| License | MIT
| Doc PR | NA
This PR adds support for negative and signed DateInterval
Commits
-------
abb8a676ba Fix negative DateInterval
This PR was merged into the 4.3 branch.
Discussion
----------
[VarDumper] Fix test patern to handle callstack with/without return typehint
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | NA
The TestCase::tearDownAfterClass methods does not always have the same signature which change the output of the reflection. This use another methods for testing
Commits
-------
feaadd1c0b Fix tst patern to handle callstack with/without return typehint
This PR was merged into the 3.4 branch.
Discussion
----------
Replace warning by isolated test
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Failing test introduced in PHP 7.4 (fatal error) were skiped with a warning exception.
This PR un tests is isolated process in order to correctly flag the test without stoping the test suite.
I kept a comment to the original bug in order to easily remove theme
Commits
-------
9c45a8e093 Replace warning by isolated test
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpFoundation] deprecate HeaderBag::get() returning an array and add all($key) instead
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes <!-- please update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | maybe <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #31317 <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | todo <!-- required for new features -->
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against branch 4.4.
- Legacy code removals go to the master branch.
-->
the $first param has been deprecated in the get methid
and we are adding a $key parameter to all to get all values from a key as arrays
Do we deprecated the get method ? if so this will be a little bigger in terms of changes.
Commits
-------
2c5a8f1bdf [HttpFoundation] deprecate using $first in get and added key in all
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Fix s-maxage=3 transient test
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | NA
| License | MIT
| Doc PR | NA
sometime the http server returns a `s-maxage=3` header (https://travis-ci.org/symfony/symfony/jobs/569326531)
This PR fixes tests to allow both 2 and 3
Commits
-------
f019b5214d Fix s-maxage=3 transient test
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpClient] fix data loss when streaming as a PHP resource
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
I've just experienced failures like:
> StreamWrapper::stream_read - read 822 bytes more data than requested (9014 read, 8192 max) - excess data will be lost
This fixes it.
Commits
-------
99884e63b5 [HttpClient] fix data loss when streaming as a PHP resource
This PR was squashed before being merged into the 3.4 branch (closes#32800).
Discussion
----------
Improve some URLs
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | N/A <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | N/A <!-- required for new features -->
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against branch 4.4.
- Legacy code removals go to the master branch.
-->
Commits
-------
fab17a4487 Improve some URLs
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle][TwigBridge] Fix test compatibility with 4.x components
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | NA
| License | MIT
| Doc PR | NA
our symfony Tests extends other component's tests. By being compatible with symfony 4.x we now extends class that have return type signature which is not doable in branch 3.4 because of support of php 5.5. (see https://travis-ci.org/symfony/symfony/jobs/569345176)
This PR replaces setup and teardown by `@after` and `@before` annotation in order to keep the same behavior and compatibility
Commits
-------
bb3cb64e64 Fix test compatibility with 4.x components
This PR was merged into the 4.3 branch.
Discussion
----------
Fix deprecations on 4.3
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | NA
Fix deprecations in branch 4.3
note: remaining deprecation `assertStringContainsString` will be fixed in #32977
* [ ] fix tests in branch 3.4 in #32981
Commits
-------
8fd16a6bee Fix deprecation on 4.3
This PR was merged into the 4.3 branch.
Discussion
----------
Disable typehint patch on PHPUnit
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | NA
This PR removes the `SYMFONY_PHPUNIT_REMOVE_RETURN_TYPEHINT` patch and adds a `: void` typehint on `setup` and `tearDown` methods in order to be compatible with PHPUnit 8
Commits
-------
a5af6c4cd7 Disable phpunit typehint patch on 4.3 branch
This PR was merged into the 4.3 branch.
Discussion
----------
Make HttpClientTestCase compatible with PHPUnit8
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | NA
the abstract class `HttpClientTestCase` may be extends by end user and execute by both PHPUnit 8 and bellow. Adding a return typehint on it will force all users extending it to add it too and would be a BC Break.
Note. I don't know how to trigger a deprecation here and help user to add it.
Commits
-------
55daf15353 Fix compatibility with PHPUnit 8
* 3.4:
consistently throw NotSupportException
[HttpKernel] Clarify error handler restoring process again
[Intl] fix nullable phpdocs and useless method visibility of internal class
Resilience against file_get_contents() race conditions.
This PR was merged into the 4.4 branch.
Discussion
----------
remove some more useless phpdocs
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Fix some leftovers from #32974 and #32786
Commits
-------
9be4d171e0 remove some more useless phpdocs
This PR was merged into the 3.4 branch.
Discussion
----------
[Intl] fix nullable phpdocs and useless method visibility of internal class
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets |
| License | MIT
| Doc PR |
Fix stuff found in #32525
Commits
-------
63b71b5ade [Intl] fix nullable phpdocs and useless method visibility of internal class