* 3.2:
[Security] fix Composer constraint
Provide less state in getRequestFormat
fix test class location
Static code analysis with Php Inspections (EA Extended): dead code dropped, couple bugs fixed
Adding use statement for InvalidArgumentException
* 2.8:
[Security] fix Composer constraint
Provide less state in getRequestFormat
fix test class location
Static code analysis with Php Inspections (EA Extended): dead code dropped, couple bugs fixed
* 2.7:
[Security] fix Composer constraint
Provide less state in getRequestFormat
fix test class location
Static code analysis with Php Inspections (EA Extended): dead code dropped, couple bugs fixed
* 3.2:
Add HEADER_FORWARDED to setTrustedHeaderName docs
Fix phpDoc typo
[FrameworkBundle][Console] JsonDescriptor: Respect original output
Remove dead code
Enable dump() in autoload-dev
add missing functional Serializer test case
* 3.2:
[FrameworkBundle] Ignore AnnotationException exceptions in the AnnotationsCacheWarmer
fixed @return when returning this or static
override property constraints in child class
removed unneeded comment
[Console] improved code coverage of Command class
[FrameworkBundle] Make TemplateController working without the Templating component
[FrameworkBundle] Allow multiple transactions with the same name
Only count on arrays or countables to avoid warnings in PHP 7.2
* 3.1:
fixed @return when returning this or static
override property constraints in child class
removed unneeded comment
[Console] improved code coverage of Command class
[FrameworkBundle] Make TemplateController working without the Templating component
Only count on arrays or countables to avoid warnings in PHP 7.2
* 2.8:
fixed @return when returning this or static
override property constraints in child class
removed unneeded comment
[Console] improved code coverage of Command class
[FrameworkBundle] Make TemplateController working without the Templating component
Only count on arrays or countables to avoid warnings in PHP 7.2
* 2.7:
fixed @return when returning this or static
override property constraints in child class
[Console] improved code coverage of Command class
Only count on arrays or countables to avoid warnings in PHP 7.2
* 3.1:
[Routing] Fail properly when a route parameter name cannot be used as a PCRE subpattern name
[FrameworkBundle] Improve performance of ControllerNameParser
Update documentation link to the component
[HttpFoundation] Add links to RFC-7231
[DI] Initialize properties before method calls
Tag missing internals
[WebProfilerBundle] Dont use request attributes in RouterController
Fix complete config tests
* 2.8:
[Routing] Fail properly when a route parameter name cannot be used as a PCRE subpattern name
[FrameworkBundle] Improve performance of ControllerNameParser
Update documentation link to the component
[HttpFoundation] Add links to RFC-7231
[DI] Initialize properties before method calls
Tag missing internals
[WebProfilerBundle] Dont use request attributes in RouterController
Fix complete config tests
* 2.7:
[Routing] Fail properly when a route parameter name cannot be used as a PCRE subpattern name
[FrameworkBundle] Improve performance of ControllerNameParser
Update documentation link to the component
[HttpFoundation] Add links to RFC-7231
[DI] Initialize properties before method calls
Tag missing internals
[WebProfilerBundle] Dont use request attributes in RouterController
Fix complete config tests
* 2.8:
[DI] minor FileLoaders tests update
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DOMCrawler] Bug fixed
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 2.8.15
updated VERSION for 2.8.14
updated CHANGELOG for 2.8.14
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
update CONTRIBUTORS for 2.7.21
updated CHANGELOG for 2.7.21
Fix annotation type for $context
[Doctrine][Form] support large integers
* 2.7:
[DI] minor FileLoaders tests update
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DOMCrawler] Bug fixed
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
update CONTRIBUTORS for 2.7.21
updated CHANGELOG for 2.7.21
[Doctrine][Form] support large integers
* 3.1:
[Debug] Remove GLOBALS from exception context to avoid endless recursion
[Serializer] Improve test coverage of the MaxDepth annotation
DX: replace @link with @see annotation
bumped min version of Twig to 1.28
* 3.1:
[Routing] Add missing options in docblock
[VarDumper] Fix dumping continuations
[PropertyInfo] Fix an error in PropertyInfoCacheExtractor
[HttpFoundation] fixed Request::getContent() reusage bug
[Form] Skip CSRF validation on form when POST max size is exceeded
Use try-finally where it possible
[DependencyInjection] ContainerBuilder: Remove obsolete definitions
Enhance the phpDoc return types so IDEs can handle the configuration tree.
fixes
Remove 3.0 from branch suggestions for fixes in PR template
[Process] Strengthen Windows pipe files opening (again...)
[Cache] Handle unserialize() failures gracefully
Fix #19531 [Form] DateType fails parsing when midnight is not a valid time
* 2.8:
[Routing] Add missing options in docblock
[VarDumper] Fix dumping continuations
[HttpFoundation] fixed Request::getContent() reusage bug
[Form] Skip CSRF validation on form when POST max size is exceeded
Enhance the phpDoc return types so IDEs can handle the configuration tree.
fixes
Remove 3.0 from branch suggestions for fixes in PR template
[Process] Strengthen Windows pipe files opening (again...)
Fix #19531 [Form] DateType fails parsing when midnight is not a valid time
* 2.7:
[Routing] Add missing options in docblock
[VarDumper] Fix dumping continuations
[HttpFoundation] fixed Request::getContent() reusage bug
[Form] Skip CSRF validation on form when POST max size is exceeded
Enhance the phpDoc return types so IDEs can handle the configuration tree.
fixes
Remove 3.0 from branch suggestions for fixes in PR template
[Process] Strengthen Windows pipe files opening (again...)
Fix #19531 [Form] DateType fails parsing when midnight is not a valid time
* 3.1:
[VarDumper] Fix dumping jsons casted as arrays
PassConfig::getMergePass is not an array
Revert "bug #19114 [HttpKernel] Dont close the reponse stream in debug (nicolas-grekas)"
[Serializer] Include the format in the cache key
Fix the retrieval of the last username when using forwarding
[Yaml] Fix PHPDoc of the Yaml class
[HttpFoundation] Add OPTIONS and TRACE to the list of safe methods
Update getAbsoluteUri() for query string uris
Conflicts:
src/Symfony/Component/DependencyInjection/Compiler/PassConfig.php
src/Symfony/Component/HttpFoundation/Tests/RequestTest.php
* 3.0:
[VarDumper] Fix dumping jsons casted as arrays
PassConfig::getMergePass is not an array
Revert "bug #19114 [HttpKernel] Dont close the reponse stream in debug (nicolas-grekas)"
Fix the retrieval of the last username when using forwarding
[Yaml] Fix PHPDoc of the Yaml class
[HttpFoundation] Add OPTIONS and TRACE to the list of safe methods
Update getAbsoluteUri() for query string uris
Conflicts:
src/Symfony/Component/Yaml/Yaml.php
* 2.8:
[VarDumper] Fix dumping jsons casted as arrays
PassConfig::getMergePass is not an array
Revert "bug #19114 [HttpKernel] Dont close the reponse stream in debug (nicolas-grekas)"
Fix the retrieval of the last username when using forwarding
[Yaml] Fix PHPDoc of the Yaml class
[HttpFoundation] Add OPTIONS and TRACE to the list of safe methods
Update getAbsoluteUri() for query string uris
* 2.7:
[VarDumper] Fix dumping jsons casted as arrays
PassConfig::getMergePass is not an array
Revert "bug #19114 [HttpKernel] Dont close the reponse stream in debug (nicolas-grekas)"
Fix the retrieval of the last username when using forwarding
[Yaml] Fix PHPDoc of the Yaml class
[HttpFoundation] Add OPTIONS and TRACE to the list of safe methods
Update getAbsoluteUri() for query string uris
This PR was squashed before being merged into the 2.7 branch (closes #18688).
Discussion
----------
[HttpFoundation] Warning when request has both Forwarded and X-Forwarded-For
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | symfony/symfony-docs#6526
Emit a warning when a request has both a trusted Forwarded header and a trusted X-Forwarded-For header, as this is most likely a misconfiguration which causes security issues.
Commits
-------
ee8842f [HttpFoundation] Warning when request has both Forwarded and X-Forwarded-For
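
The condition this PR warns about, as a stand-alone PHP sketch added here (not Symfony's code; the function names and header values are made up for illustration): when both headers are trusted but the proxy in front rewrites only one of them, the other is whatever the client sent, so the two can name different client IPs. The check compares the `for=` nodes of `Forwarded` with the `X-Forwarded-For` list after stripping brackets and ports.

```php
<?php
// Added illustration, not Symfony's implementation. Header values are constructed.

/** Reduce one forwarded node to a bare, canonical IP (drops brackets and port). */
function normalizeIp(string $v): string
{
    $v = trim($v);
    if ($v !== '' && $v[0] === '[' && ($end = strpos($v, ']')) !== false) {
        $v = substr($v, 1, $end - 1);           // "[2001:db8::1]:4711" -> 2001:db8::1
    } elseif (substr_count($v, ':') === 1) {
        $v = strstr($v, ':', true);             // "192.0.2.43:47011" -> 192.0.2.43
    }
    $packed = @inet_pton($v);                   // false for "unknown", "_hidden", junk
    return $packed === false ? strtolower($v) : inet_ntop($packed);
}

/** Collect the for= node of every element of an RFC 7239 Forwarded header. */
function forwardedFor(string $header): array
{
    preg_match_all('/(?:^|[;,\s])for=(?:"([^"]*)"|([^",;\s]*))/i', $header, $m);
    $nodes = [];
    foreach ($m[0] as $i => $_) {
        $nodes[] = normalizeIp($m[1][$i] !== '' ? $m[1][$i] : $m[2][$i]);
    }
    return $nodes;
}

/** True when both headers are present and describe different client chains. */
function forwardingConflict(array $headers): bool
{
    $h = array_change_key_case($headers, CASE_LOWER);
    if (!isset($h['forwarded'], $h['x-forwarded-for'])) {
        return false;                           // a single source cannot contradict itself
    }
    $xff = array_map('normalizeIp', explode(',', $h['x-forwarded-for']));
    return forwardedFor($h['forwarded']) !== $xff;
}

// Constructed requests: one where the two headers disagree, one where they match.
$mismatch = ['Forwarded' => 'for=203.0.113.9', 'X-Forwarded-For' => '198.51.100.7'];
$agree = [
    'Forwarded' => 'for=198.51.100.7;proto=https, for="[2001:db8::1]:4711"',
    'X-Forwarded-For' => '198.51.100.7, 2001:db8::1',
];
var_dump(forwardingConflict($mismatch));
var_dump(forwardingConflict($agree));
```

A conflict flagged this way is resolved in configuration: trust only the header the proxy actually sets, and have the proxy strip the other from incoming requests.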
* 3.0:
fixed CS
fixed CS
fixed form tests
[Console] Fix formatting of SymfonyStyle::comment()
[Form] fix post max size translation type extension for >= 2.8
removed dots at the end of @param and @return
fixed typo
* 2.8:
fixed CS
fixed form tests
[Console] Fix formatting of SymfonyStyle::comment()
[Form] fix post max size translation type extension for >= 2.8
removed dots at the end of @param and @return
fixed typo