This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671)
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no*
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
| CVE Ticket | [CVE-2014-4671](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671)
| See Also | [Rosetta Flash](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)
\* Unless you are parsing the response string manually, which you really shouldn't do anyway
**THIS IS A SECURITY FIX AND SHOULD BE MERGED SHORTLY**
This fix prevents attacks vectors where third-party browser plugins depends on ASCII magic bytes in order to execute a plugin. This is currently exploited with Flash using a carefully crafted JSONP response, allowing the execution of random SWF data from a domain with a vulnerable JSONP endpoint.
This security issue is mitigated by adding an empty comment right before the callback parameter. This does not affect the execution of the JSONP callback.
Commits
-------
6af3d05 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses (Prevents CVE-2014-4671)
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3] [Validator] Fix UserPassword validator translation
| Q | A
| ------------- | ---
| Fixed tickets | None
| License | MIT
Fixes the UserPassword translation message only for 2.3 as discussed in symfony/symfony#11383.
Commits
-------
73d50ed Fix UserPassword validator translation
This PR was merged into the 2.3 branch.
Discussion
----------
Remove Spaceless Blocks from Twig Form Templates
In favor of using Twig's whitespace control operators. See #11277
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11277
| License | MIT
| Doc PR |
Per @fabpot and @stof's requests in #11278, this is a PR for the 2.3 branch.
Commits
-------
8f9ed3e Remove Spaceless Blocks from Twig Form Templates
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3][HttpFoundation] Fix wrong assertion in Response test
| Q | A
| ------------- | ---
| Bug fix? | kinda
| New feature? | no
| BC breaks? | no
| Tests pass? | yes
| License | MIT
Commits
-------
3d63f80 [HttpFoundation] Fix wrong assertion in Response test
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes#9719).
Discussion
----------
[TwigBundle] fix configuration tree for paths
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #8171
| License | MIT
| Doc PR | na
This is a joint effort with @mdavis1982 and @cordoval 👶 pairing up and warming for hacking day in Warsaw
Commits
-------
9aa88e4 added regression test
4201d41 fix issue #8171 on configuration tree for twig extension -- pairing up with @cordoval
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3][Form] Cleanup & fix phpdocs
| Q | A
| ------------- | ---
| Bug fix? | kinda
| New feature? | no
| BC breaks? | no
| Tests pass? | yes
| License | MIT
This PR was done mostly cause of reports about invalid/not supported types/variables in phpstorm/scrutinizer-ci, and after I started fixing I noticed more problems in those phpdocs so I have cleanedup them a bit.
Commits
-------
a67bc76 [2.3][Form] Cleanup & fix phpdocs
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes#11244).
Discussion
----------
[HttpFoundation] Remove body-related headers when sending the response, if body is empty
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
I've updated the implementation for informational and 204 or 304 responses. They will now, as they have no content, not return headers like `content-type` or `content-length`.
I'm unsure about `content-length` - we could also set it hardcoded to zero ... but I thought, that (because the specs say that it just can't have a response-body) the system should not return anything here.
Commits
-------
9dbe89d [HttpFoundation] Remove content-related headers if content is empty
This PR was merged into the 2.3 branch.
Discussion
----------
remove defaults from PHPUnit configuration
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | --
| License | MIT
| Doc PR | --
Follow-up to #11329.
Commits
-------
afc4930 removed defaults from PHPUnit configuration
This PR was merged into the 2.3 branch.
Discussion
----------
add XSD to PHPUnit configuration
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | --
| License | MIT
| Doc PR | --
The syntax check functionality has been removed in PHPUnit 3.6 already. But there's no Composer constraint for PHPUnit, so you can never know which version will actually be used to run tests. Let me know what you think.
Commits
-------
84b5581 added XSD to PHPUnit configuration
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpKernel] Ensure the storage exists before purging it in ProfilerTest
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11319
| License | MIT
| Doc PR | None
Commits
-------
eb63270 bug #11319 [HttpKernel] Ensure the storage exists before purging it in ProfilerTest
This PR was merged into the 2.3 branch.
Discussion
----------
Simplified the Travis test command
There is no reason to turn a failure into a different failure. And this will avoid Travis to say that the "false" command failed.
Commits
-------
e8d01c9 Simplified the Travis test command
This PR was submitted for the 2.5 branch but it was merged into the 2.3 branch instead (closes#11238).
Discussion
----------
[Translation] Added unescaping of ids in PoFileLoader
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Although it is not directly described in gettext docs, _msgid_ should be unescaped too. The other reason to unescape _msgid_ is symmetry between ```PoFileLoader``` and ```PoFileDumper```. The dumper escapes both _msgid_ and _msgstr_ values, but the loader unescapes only _msgstr_.
Commits
-------
816a4a9 [Translation] Added unescaping of ids in PoFileLoader
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes#11246).
Discussion
----------
[Validator] updated italian translations
Commits
-------
b74afe0 updated italian translation for validation messages
This PR was merged into the 2.3 branch.
Discussion
----------
[DomCrawler] Fix Link docblocks and formatting
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
re #11194
Commits
-------
5cbe13e [DomCrawler] Fix docblocks and formatting.
This PR was squashed before being merged into the 2.3 branch (closes#11194).
Discussion
----------
[DomCrawler] Remove the query string and the anchor of the uri of a link
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Commits
-------
fe5d2d1 [DomCrawler] Remove the query string and the anchor of the uri of a link
This PR was submitted for the 2.5 branch but it was merged into the 2.3 branch instead (closes#11272).
Discussion
----------
[Console] Make sure formatter is the same.
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
The parent constructor will create a new formatter if the $formatter parameter is null.
This fix avoids that the formatter becomes 2 different instances in $this and $this->stderr, if null was passed to the constructor.
Commits
-------
64328d9 [Console] Make sure formatter is the same
The parent constructor will create a new formatter if the $formatter parameter is null
This fix avoids that the formatter becomes 2 different instances in $this and $this->stderr
This PR was submitted for the 2.4 branch but it was merged into the 2.3 branch instead (closes#11259).
Discussion
----------
[Config] Fixed failed config schema loads due to libxml_disable_entity_loader usage
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11258
| License | MIT
| Doc PR | N/A
PR #10493 helped this issue, but it can still affect users that:
1. Have libxml_disable_entity_loader set to true by default.
2. Experience libxml_disable_entity_loader php bug https://bugs.php.net/bug.php?id=64938
I used the same approach used in the DI xml validation.
https://github.com/symfony/symfony/blob/master/src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php#L452
Commits
-------
de2bef5 Fixed failed config schema loads due to libxml_disable_entity_loader usage.
