This PR was merged into the 3.4 branch.
Discussion
----------
[WebProfilerBundle] Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| License | MIT
If a `style-src-elem` or `script-src-elem` Content Security Policy directive exists, the WebProfiler styles or scripts will be rejected, as the nonce is missing.
Commits
-------
7f33f1fa3a Support for Content Security Policy style-src-elem and script-src-elem in WebProfiler
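Added example, not WebProfilerBundle's own `ContentSecurityPolicyHandler` code, showing the mechanism behind this bug: under CSP Level 3 a browser checks `<script>` elements against `script-src-elem` whenever that directive is present and only falls back to `script-src` (then `default-src`) when it is absent, so a nonce written only into `script-src` still leaves the profiler's inline script blocked. All function names and the `$handleElem` switch (which reproduces the pre-fix behaviour when `false`) are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not WebProfilerBundle code. Function names are the example's own.

/** Splits a CSP header into ['directive-name' => [source, ...]]. */
function parseCsp(string $header): array
{
    $directives = [];
    foreach (explode(';', $header) as $directive) {
        $directive = trim($directive);
        if ('' === $directive) {
            continue;
        }
        $tokens = preg_split('/\s+/', $directive);
        $name = strtolower(array_shift($tokens));
        $directives[$name] = $tokens;
    }

    return $directives;
}

function serializeCsp(array $directives): string
{
    $out = [];
    foreach ($directives as $name => $sources) {
        $out[] = trim($name.' '.implode(' ', $sources));
    }

    return implode('; ', $out);
}

/**
 * Which directive a CSP3 browser consults for an inline <script> element:
 * the fallback chain is script-src-elem -> script-src -> default-src.
 */
function directiveGoverningScriptElements(array $directives): ?string
{
    foreach (['script-src-elem', 'script-src', 'default-src'] as $name) {
        if (isset($directives[$name])) {
            return $name;
        }
    }

    return null;
}

/**
 * Writes 'nonce-...' into every directive that governs the profiler's inline
 * <script>/<style> tags. With $handleElem = false only script-src/style-src are
 * patched, which is the behaviour this PR fixes.
 */
function addNonces(string $header, string $scriptNonce, string $styleNonce, bool $handleElem = true): string
{
    $directives = parseCsp($header);
    $targets = ['script-src' => $scriptNonce, 'style-src' => $styleNonce];
    if ($handleElem) {
        $targets += ['script-src-elem' => $scriptNonce, 'style-src-elem' => $styleNonce];
    }
    foreach ($targets as $name => $nonce) {
        if (!isset($directives[$name])) {
            continue; // directive absent: the browser falls back to script-src / default-src
        }
        // 'none' may not be combined with other sources, so it has to go.
        $sources = array_values(array_diff($directives[$name], ["'none'"]));
        $sources[] = sprintf("'nonce-%s'", $nonce);
        $directives[$name] = $sources;
    }

    return serializeCsp($directives);
}

$nonce = base64_encode(random_bytes(16));
$header = "default-src 'self'; script-src 'self'; script-src-elem 'self'; style-src 'self'; style-src-elem 'self'";

$before = parseCsp(addNonces($header, $nonce, $nonce, false));
$after = parseCsp(addNonces($header, $nonce, $nonce));
$governing = directiveGoverningScriptElements($before); // script-src-elem

// Pre-fix: the governing directive carries no nonce, so the inline profiler script is blocked.
var_dump(in_array("'nonce-$nonce'", $before[$governing], true)); // bool(false)
var_dump(in_array("'nonce-$nonce'", $after[$governing], true));  // bool(true)
```

The check a practitioner wants after deploying any nonce-injecting middleware is the one at the bottom: resolve which directive the browser will actually consult for the element type, then confirm the nonce landed in that directive rather than in one the fallback chain never reaches.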
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[Messenger] Add a \Throwable argument in RetryStrategyInterface methods
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix#36182
| License | MIT
This allows defining new retry strategies based on the exceptions thrown during the last handling.
Commits
-------
5fa9d68e8b [Messenger] Add a \Throwable argument in RetryStrategyInterface methods
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpFoundation] No need to reconnect the bags to the session after session_regenerate_id
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Bug https://bugs.php.net/70013 was fixed before the release of PHP v7.0
https://3v4l.org/A8YmY
Related to https://github.com/symfony/symfony/pull/15243
Commits
-------
923c24f438 No need to reconnect the bags to the session
This PR was submitted for the master branch but it was merged into the 3.4 branch instead.
Discussion
----------
[Validator] Allow URL-encoded special characters in basic auth part of URLs
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36285
| License | MIT
Special characters in HTTP Basic Auth passwords in a URL need to be URL-encoded.
Example: `foo@bar` becomes `foo%40bar`; in a URL: `http://user:foo%40bar@example.org`
The UrlValidator did not allow percent signs in the username and password; this is changed now.
Commits
-------
8a56c506e3 Allow URL-encoded special characters in basic auth part of URLs
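Added example, not the Validator component's `UrlValidator` code, showing what "allow percent signs in the userinfo part" has to mean in practice: a `%` is only legal as the start of a two-hex-digit escape (RFC 3986 `pct-encoded`), so the check accepts `foo%40bar` and rejects `foo%zzbar` or a trailing `%4`. The `USERINFO_PATTERN` constant, the helper names and the sample URLs are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not the UrlValidator's code. Names are the example's own.

// RFC 3986: userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
// A bare '%' is only valid as the start of a two-hex-digit escape.
const USERINFO_PATTERN = '/^(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*$/';

function isValidUserinfo(string $userinfo): bool
{
    return 1 === preg_match(USERINFO_PATTERN, $userinfo);
}

/**
 * Builds a URL carrying credentials. rawurlencode() is the RFC 3986 encoder;
 * urlencode() would emit '+' for spaces, which is only meaningful in query strings.
 */
function urlWithCredentials(string $scheme, string $user, string $password, string $host): string
{
    return sprintf('%s://%s:%s@%s', $scheme, rawurlencode($user), rawurlencode($password), $host);
}

/** Returns decoded [user, pass], or null when the userinfo part is not well-formed. */
function credentialsFromUrl(string $url): ?array
{
    $parts = parse_url($url);
    if (false === $parts || !isset($parts['user'])) {
        return null;
    }
    // parse_url() does not validate percent-encoding, so validate before decoding.
    $userinfo = $parts['user'].(isset($parts['pass']) ? ':'.$parts['pass'] : '');
    if (!isValidUserinfo($userinfo)) {
        return null;
    }

    return [rawurldecode($parts['user']), isset($parts['pass']) ? rawurldecode($parts['pass']) : null];
}

$url = urlWithCredentials('http', 'user', 'foo@bar', 'example.org');
echo $url, "\n";                                                   // http://user:foo%40bar@example.org
var_dump(credentialsFromUrl($url));                                // ['user', 'foo@bar']
var_dump(credentialsFromUrl('http://user:foo%zzbar@example.org')); // NULL: '%' not followed by two hex digits
var_dump(credentialsFromUrl('http://user:foo%4@example.org'));     // NULL: truncated escape
```

Two caveats worth keeping in mind when a validator starts accepting credentials in URLs: decode only after the escape syntax has been validated (a permissive decoder turns `%zz` into garbage silently), and remember that anything placed in the userinfo part ends up in access logs, proxy logs and browser history, so URL-embedded credentials should be treated as exposed the moment they are written down.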
This PR was submitted for the 5.0 branch but it was merged into the 5.1-dev branch instead.
Discussion
----------
[Form] action allows only strings
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | ...
| License | MIT
| Doc PR | ...
On updating an old project that had actions set to null, it caused me a type-hint error. With that, we can quickly identify where the problem is.
Commits
-------
e861500ce8 [Form] action allows only strings
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Track session usage whenever a new token is set
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36208
| License | MIT
| Doc PR | -
When using `anonymous: lazy`, the programmatic login using the guard handler is broken. As the `setToken()` does not track usage, the index remains equal.
I tried fixing this more properly in e.g. the `SessionStrategy::onAuthentication` class, but I couldn't get it working (as `$request->hasPreviousSession()` returns false, the session strategy isn't called). `setToken()` can also not be made usage tracking afaics, because it would directly break (`setToken(null)` is called in `ContextListener`).
The current fix does however look really ugly, but I can't find anything better with my minor knowledge of this session usage tracking feature. I'm open for all ideas :)
Commits
-------
8d96dbd08b Track session usage when setting the token
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Serializer] Fix uninitialized properties (from PHP 7.4.2) when serializing context for the cache key
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix https://github.com/symfony/symfony/issues/35574, https://github.com/doctrine/orm/issues/8030
| License | MIT
| Doc PR | N/A
This bug only happens on the following conditions:
- A Doctrine entity (`Book`) having a relation with another entity (`Author`) is used;
- The `Author` entity uses typed properties (PHP 7.4) not initialized;
- The `Serializer` is used with the `Book` in the `OBJECT_TO_POPULATE` key in the context.
For instance:
```php
<?php
declare(strict_types=1);

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;

/** @ORM\Entity */
class Book
{
    /**
     * @ORM\ManyToOne(targetEntity="Author")
     */
    public Author $author;

    public ?string $isbn;
}
```
```php
<?php
declare(strict_types=1);

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;

/** @ORM\Entity */
class Author
{
    // Typed (nullable) property that is never initialized: reading it throws.
    public ?string $name;
}
```
Or even:
```php
<?php
declare(strict_types=1);

namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;

/** @ORM\Entity */
class Author
{
    private string $name;

    // Initialized in the constructor, which a Doctrine lazy proxy does not run until the entity is loaded.
    public function __construct()
    {
        $this->name = 'Leo';
    }
}
```
If the following is done (it's the case for instance in API Platform when a `PUT` is made):
```php
$serializer->deserialize('{"isbn":"2038717141"}', Book::class, 'json', ['object_to_populate' => $book]);
```
Then there will be the following error:
> Fatal error: Typed property Proxies\__CG__\App\Entity\Author::$ must not be accessed before initialization (in __sleep)
It's because of these lines in the `getCacheKey` method of the `AbstractObjectNormalizer`:
5da141b8d0: `src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php` (L405-L409)
Since the lazy proxified relation has a `__sleep` with uninitialized properties, the `serialize` method will throw (since https://bugs.php.net/bug.php?id=79002: 846b647953).
I propose to fix this issue by unsetting the `OBJECT_TO_POPULATE` key in the context because I don't think it's useful for determining the attributes of the object.
For the next versions of Symfony, the fix should probably be elsewhere, in the default context.
For instance in Symfony 4.4, instead of:
15edfd39d4: `src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php` (L118)
It should be:
```php
$this->defaultContext[self::EXCLUDE_FROM_CACHE_KEY] = [self::CIRCULAR_REFERENCE_LIMIT_COUNTERS, self::OBJECT_TO_POPULATE];
```
But I'm not sure how it should be merged (another PR maybe?).
Commits
-------
1fafff7c10 [Serializer] Fix unitialized properties (from PHP 7.4.2) when serializing context for the cache key
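Added example, not the Serializer component's own `getCacheKey()` code, reproducing the failure without Doctrine: `AuthorProxy` stands in for a lazy-loading proxy whose `__sleep()` lists a typed property that was never initialized, and the two cache-key functions contrast the pre-fix shape (the whole context, `object_to_populate` included, goes through `serialize()`) with the fix proposed above (keys that never influence the attribute list are dropped first). Class names, the two key functions and the `$excludeFromCacheKey` parameter are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not the Serializer component's code.
// AuthorProxy stands in for a Doctrine lazy-loading proxy: its __sleep() lists a
// typed property that is not initialized until the proxy is actually loaded.
final class AuthorProxy
{
    private string $name; // typed, uninitialized

    public function __sleep(): array
    {
        return ['name'];
    }
}

final class Book
{
    public AuthorProxy $author;
    public ?string $isbn = null;
}

const OBJECT_TO_POPULATE = 'object_to_populate';
const CIRCULAR_REFERENCE_LIMIT_COUNTERS = 'circular_reference_limit_counters';

/** Pre-fix shape: the populated object is still part of what gets serialized. */
function naiveCacheKey(?string $format, array $context): string
{
    unset($context[CIRCULAR_REFERENCE_LIMIT_COUNTERS]);

    return md5($format.serialize($context));
}

/** Fixed shape: keys that never influence the attribute list are dropped before serializing. */
function fixedCacheKey(
    ?string $format,
    array $context,
    array $excludeFromCacheKey = [CIRCULAR_REFERENCE_LIMIT_COUNTERS, OBJECT_TO_POPULATE]
): string {
    foreach ($excludeFromCacheKey as $key) {
        unset($context[$key]);
    }

    return md5($format.serialize($context));
}

$book = new Book();
$book->author = new AuthorProxy();
$context = [OBJECT_TO_POPULATE => $book, 'groups' => ['read']];

try {
    naiveCacheKey('json', $context);
    echo "naive: no error (PHP < 7.4.2 serialized the property as null)\n";
} catch (\Error $e) {
    // PHP >= 7.4.2: "Typed property AuthorProxy::$name must not be accessed before initialization"
    echo 'naive: ', $e->getMessage(), "\n";
}
echo 'fixed: ', fixedCacheKey('json', $context), "\n";

// Excluding object_to_populate is safe precisely because the key no longer depends
// on the populated object: the same format and remaining context hit the same entry.
var_dump(fixedCacheKey('json', $context) === fixedCacheKey('json', ['groups' => ['read']])); // bool(true)
```

The last line is the property to check when exporting any object from a cache key: if the key changed with the object's identity the cache would be useless, and if serializing the object can fail the key computation fails with it, so dropping it is both the correct and the robust choice.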
This PR was merged into the 5.1-dev branch.
Discussion
----------
[MonologBridge] Fix $level type
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
Monolog accepts both level names like 'info' or int constants. The parent constructor will normalize it to an int. https://github.com/Seldaek/monolog/blob/master/src/Monolog/Handler/AbstractHandler.php#L53
Note that this may need to be applied on more handlers here I did not check, if someone feels like going over them all please feel free.
Commits
-------
c2a1781eb4 Fix $level type
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Validator] Add missing Ukrainian and Russian translations
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | none
| License | MIT
Commits
-------
d43ef4ec92 [Validator] Add missing Ukrainian and Russian translations
This PR was merged into the 4.4 branch.
Discussion
----------
[Security][Http][SwitchUserListener] Ignore all non existent username protection errors
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/36174
| License | MIT
| Doc PR | -
Since we generate the non-existent username blindly, it can lead to Doctrine exceptions or any other exception.
We can catch all exceptions here, but I guess it reduces the protection since the SQL query was not executed?
Alternative: we can only catch Doctrine DriverException (in addition to the existing AuthenticationException) and only silence the reported error codes?
Commits
-------
42311d5c29 [Security][Http][SwitchUserListener] Ignore all non existent username protection errors
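Added example of the timing-equalisation pattern the PR discusses, not `SwitchUserListener`'s own code: when the switch is refused, one lookup of a randomly generated name is still performed so the refused path costs about as much as the allowed one, and the question raised above is which exceptions that lookup may surface. `UserProviderLike`, `StorageBackedProvider` (a constructed provider whose storage layer rejects over-long names, standing in for a driver-level error) and the `$catchAll` switch are the example's own.

```php
<?php
declare(strict_types=1);

// Added example of the pattern the PR discusses, not SwitchUserListener's code.
// Interface, class and exception names are the example's own.

interface UserProviderLike
{
    /** @throws \Throwable */
    public function loadUserByUsername(string $username): array;
}

final class UserNotFound extends \RuntimeException
{
}

/** Constructed provider: some inputs trigger a storage-layer error that is not an authentication failure. */
final class StorageBackedProvider implements UserProviderLike
{
    public function loadUserByUsername(string $username): array
    {
        if ('admin' === $username) {
            return ['username' => 'admin'];
        }
        if (strlen($username) > 32) {
            throw new \LengthException('storage rejected lookup'); // stands in for a driver exception
        }
        throw new UserNotFound($username);
    }
}

/**
 * Returns the target user when switching is allowed. When it is not, still performs one
 * lookup of a name that cannot exist so a refused attempt takes about as long as an allowed
 * one, then signals refusal with null. $catchAll = false keeps only "not found" silent.
 */
function attemptSwitch(UserProviderLike $provider, bool $allowed, string $target, bool $catchAll = true): ?array
{
    if ($allowed) {
        return $provider->loadUserByUsername($target);
    }

    $nonExistent = '_'.bin2hex(random_bytes(16)); // generated blindly: 33 chars, never a real account
    try {
        $provider->loadUserByUsername($nonExistent);
    } catch (\Throwable $e) {
        if (!$catchAll && !$e instanceof UserNotFound) {
            throw $e; // pre-fix: an unrelated error escapes and makes the refused branch distinguishable
        }
        // post-fix: swallow everything here; log $e for operators instead of surfacing it to the caller
    }

    return null;
}

$provider = new StorageBackedProvider();
var_dump(attemptSwitch($provider, true, 'admin'));  // ['username' => 'admin']
var_dump(attemptSwitch($provider, false, 'admin')); // NULL, and nothing leaks about why
try {
    attemptSwitch($provider, false, 'admin', false);
} catch (\LengthException $e) {
    echo 'pre-fix behaviour: ', $e->getMessage(), "\n"; // would become a 500 instead of an access-denied response
}
```

Whichever catch policy is chosen, the swallowed exception should still be logged: if the storage layer rejected the query, the lookup did not run and the refused path was cheaper than intended, which is exactly the condition the author worries about and the one an operator would want to see in the logs.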
This PR was merged into the 5.1-dev branch.
Discussion
----------
[Config] Improve the deprecation features by handling package and version
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | yes
| Tickets | https://github.com/orgs/symfony/projects/1#card-32681032
| License | MIT
| Doc PR | TODO
Commits
-------
f4de76dba0 [Config] Improve the deprecation features by handling package and version
This PR was merged into the 5.1-dev branch.
Discussion
----------
[DependencyInjection] Deprecate ContainerInterface aliases
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | -
| License | MIT
| Doc PR | -
Defining those aliases makes it harder to detect problems when you use `!tagged_locator` or any service locator with autowiring, since the global service container is always injected. Moreover, should we encourage passing the global service container easily? Shouldn't it be more "explicit"? I think that by default, those aliases should not exist.
However, that means we will have to reintroduce code to hook the global service container in our own code base since some parts rely on it (~~eg: FWB AbstractController::setContainer~~). WDYT? 🤷♂
Commits
-------
6162ca8e40 [DependencyInjection] Deprecate ContainerInterface aliases
This PR was merged into the 5.1-dev branch.
Discussion
----------
[DependencyInjection] Fix alias deprecations with package and version
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Firstly, this PR fixes the alias dump by the XmlDumper to be consistent with stof's comment in the initial PR (the message is the node content), as is the case for deprecated services. Otherwise, we need to add the "message" attribute in the XSD.
Secondly, it fixes the arguments when the deprecation is actually triggered as well as two related tests.
Commits
-------
5ee5654171 [DependencyInjection] Fix alias deprecations with package and version
* 5.0:
Fix wrong namespaces
Fix wrong namespaces
Fix the reporting of deprecations in twig:lint
forward multiple attributes voting flag
bumped Symfony version to 5.0.8
updated VERSION for 5.0.7
updated CHANGELOG for 5.0.7
bumped Symfony version to 4.4.8
updated VERSION for 4.4.7
updated CHANGELOG for 4.4.7
[Validator] Fixed calling getters before resolving groups
[HttpKernel][LoggerDataCollector] Prevent keys collisions in the sanitized logs processing
* 4.4:
Fix wrong namespaces
Fix wrong namespaces
Fix the reporting of deprecations in twig:lint
forward multiple attributes voting flag
bumped Symfony version to 4.4.8
updated VERSION for 4.4.7
updated CHANGELOG for 4.4.7
[Validator] Fixed calling getters before resolving groups
[HttpKernel][LoggerDataCollector] Prevent keys collisions in the sanitized logs processing
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[FrameworkBundle] Deprecate flashbag and attributebag services
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | Related to [#10557](https://github.com/symfony/symfony/issues/10557)
| Related to PR | #36063
| License | MIT
FlashBag and AttributeBag are data objects and so should not be available via the service container. The preferred method for accessing these objects is via
`$session->getFlashBag()` or `$session->getAttributeBag()`
Commits
-------
f9b52fe55e [FrameworkBundle] Deprecate flashbag and attributebag services
This PR was merged into the 5.1-dev branch.
Discussion
----------
[DI] Improve the deprecation features by handling package and version
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | yes
| Tickets |
| License | MIT
| Doc PR | TODO
Improve the deprecation feature of the Dependency Injection component, by handling the `package` + `since_version`
Before
```yaml
services:
    LegacyService:
        deprecated: 'The %service_id% is deprecated, use NewService instead'
```
now:
```yaml
services:
    LegacyService:
        deprecated:
            message: 'The %service_id% is deprecated, use NewService instead'
            package: 'my/package'
            since_version: '1.2'
```
TODO:
- [x] update UPGRADE
Commits
-------
f10413cf34 [DependencyInjection] improve the deprecation features by handling package+version info
This PR was merged into the 5.1-dev branch.
Discussion
----------
[HttpFoundation][HttpKernel][Security] Improve UnexpectedSessionUsageException backtrace
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
Improve the `UnexpectedSessionUsageException` backtrace so that it leads to the place in userland where it was told to use the session.
Commits
-------
1e1d332c7c Improve UnexcpectedSessionUsageException backtrace
This PR was squashed before being merged into the 5.1-dev branch.
Discussion
----------
[FrameworkBundle] Dump kernel extension configuration
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | #34756
| License | MIT
If the kernel is a container extension and defines a configuration, the `config:dump-reference` will now be able to dump it.
Commits
-------
2ccafb1eb3 [FrameworkBundle] Dump kernel extension configuration