This PR was submitted for the 4.2 branch but it was squashed and merged into the 4.3 branch instead (closes #32455).
Discussion
----------
[HttpFoundation] Clear invalid session cookie
| Q | A
| ------------- | ---
| Branch? | 4.2 (actually maybe should also go to 3.4, see below)
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | TODO
| Fixed tickets |
| License | MIT
| Doc PR | not required
Currently, invalid session cookies are not cleaned up.
If the session is empty, the `AbstractSessionHandler::write()` destroys the session. If a new session has been started in the current process (meaning `session_start()` has sent the `Set-Cookie` header) then the `AbstractSessionHandler` will make sure this cookie is not sent to the client. If, however, `session_start()` did not send a cookie (meaning there was already a valid session ID in your request cookie), the `AbstractSessionHandler` will clear the session cookie (send a 0-lifetime cookie).
If, however, the request does contain a session ID cookie but it is not valid, `session_start()` will send a new cookie which is then again cleared by the `AbstractSessionHandler`. But it will not clear the old cookie sent by the request.
Here's a more complex example of what happens in the code flow when a user logs out and we regenerate a new session id for security reasons:
1. You have no `PHPSESSID` cookie yet.
2. You log into the system, you get a new `PHPSESSID` assigned. Let's go for session ID `1`.
3. You log out of the system, for security reasons you get session ID `2` regenerated.
4. The `AbstractSessionListener` pops in and calls `->save()` on your session handler.
5. The `NativeSessionStorage` calls the `StrictSessionHandler` (in fact the abstract parent, `AbstractSessionHandler`) which `write()`s the session data. In case the session data is empty, it will actually `destroy()` the session which means it will invalidate the session cookie. In that case, however, it won't send a 0-lifetime cookie because `$cookie = SessionUtils::popSessionCookie($this->sessionName, $sessionId);` will **not** return `null`. That is because after regeneration we actually do have a `Set-Cookie: PHPSESSID=2` header present.
6. This means, our `PHPSESSID=1` cookie is never deleted.
Why is this a problem?
Well, we have an invalid cookie that remains floating around forever. Loads of reverse proxies consider requests with cookies as being private and thus disable caching.
I'm not sure this is the correct fix here but it felt like the only place we can do this because it has to happen during or after `$session->save()`.
Looking for feedback first before we finish this with tests etc.
Regarding Symfony 3.4: Not sure how this is affected because there's not even a `SessionUtils` class so I'd prefer to leave that fix to somebody who feels more comfortable with that code base 😄
/cc @aschempp
Commits
-------
b22a7263b9 [HttpFoundation] Clear invalid session cookie
This PR was merged into the 4.4 branch.
Discussion
----------
[DoctrineBridge] Invokable event listeners
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/11992
Invokable Doctrine entity listeners will likely be supported in the next version of the DoctrineBundle (cf https://github.com/doctrine/DoctrineBundle/pull/989).
I think it would also be great to support it for Doctrine event listeners.
Commits
-------
47e872a826 [DoctrineBridge] Allow invokable event listeners
This PR was merged into the 4.4 branch.
Discussion
----------
[Validator] Allow objects implementing __toString() to be used as violation messages
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | I didn't see a doc on violations to update, but I'm happy to do documentation if someone can suggest the best place to do it.
Currently in the Drupal project we use Translatable Markup objects to hold most strings and currently pass them in as Constraint Violation messages. In Symfony 3 this works but with the added typehinting in Symfony 4, these markup objects are rendered into strings at the time of the violation creation. This causes any HTML in the message string to be considered unsafe by Twig later in our rendering process. This PR explicitly allows objects implementing a __toString() method to be used as violation messages, and the violation will save and return the original stringable object.
See https://www.drupal.org/project/drupal/issues/3029540 for our Drupal issue on the subject.
Commits
-------
79f4dcd2dc [Validator] Allow objects implementing __toString() to be used as violation messages
This PR was merged into the 3.4 branch.
Discussion
----------
[Serializer] Fix negative DateInterval
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #33052
| License | MIT
| Doc PR | NA
This PR adds support for negative and signed DateInterval
Commits
-------
abb8a676ba Fix negative DateInterval
This PR was merged into the 5.0-dev branch.
Discussion
----------
[HttpKernel] Lower EOL date
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
This PR implements the changes described in https://symfony.com/blog/symfony-maintenance-changes-for-standard-releases:
> Symfony 5.0 will be the first release to implement the change: EOM and EOL dates will be July 2020.
Commits
-------
88f52a1719 Lower EOL date.
This PR was merged into the 5.0-dev branch.
Discussion
----------
Fix deprecation test on master
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | NA
Fix PHPUnit 8 deprecations in master branch
nb: `master` should have been identical to `4.4` but a part of the code has been migrated in #31899
Commits
-------
d2f7c6c19c Fix deprecation test on master
This PR was merged into the 4.3 branch.
Discussion
----------
[VarDumper] Fix test patern to handle callstack with/without return typehint
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | NA
The TestCase::tearDownAfterClass method does not always have the same signature, which changes the output of the reflection. This uses another method for testing.
Commits
-------
feaadd1c0b Fix tst patern to handle callstack with/without return typehint
This PR was merged into the 3.4 branch.
Discussion
----------
Replace warning by isolated test
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | symfony/symfony-docs#...
Failing tests introduced in PHP 7.4 (fatal error) were skipped with a warning exception.
This PR runs tests in isolated process in order to correctly flag the test without stopping the test suite.
I kept a comment to the original bug in order to easily remove them
Commits
-------
9c45a8e093 Replace warning by isolated test
This PR was merged into the 5.0-dev branch.
Discussion
----------
Remove ForwardCompatTestTrait
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | no
| New feature? | no
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | NA
| License | MIT
| Doc PR | NA
Removes ForwardCompatTestTrait, which is not needed anymore, and uses the PHPUnit 8 signature on methods `setUp` and `tearDown`
Commits
-------
242786cf98 Remove ForwardCompatTestTrait
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpFoundation] deprecate HeaderBag::get() returning an array and add all($key) instead
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | maybe
| Tests pass? | yes
| Fixed tickets | #31317
| License | MIT
| Doc PR | todo
The $first param has been deprecated in the get method
and we are adding a $key parameter to all to get all values from a key as arrays.
Do we deprecate the get method? If so this will be a little bigger in terms of changes.
Commits
-------
2c5a8f1bdf [HttpFoundation] deprecate using $first in get and added key in all
This PR was squashed before being merged into the 5.0-dev branch (closes #32525).
Discussion
----------
[Intl][5.0] Add parameters type-hints
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | continuation of https://github.com/symfony/symfony/pull/24722 and checks for #32179
| License | MIT
| Doc PR | N/A
This PR replaces docblocks by type hints in the Intl component considering #32179. Some docblocks without valuable information got also removed.
Commits
-------
ce79f4bc64 [Intl][5.0] Add parameters type-hints
This PR was merged into the 5.0-dev branch.
Discussion
----------
[HttpKernel] [5.0] Replace docblocks by type-hints
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | continuation of https://github.com/symfony/symfony/pull/24722 and checks for #32179
| License | MIT
| Doc PR | N/A
This PR replaces docblocks by type hints in the HttpKernel component considering #32179. Some docblocks without valuable information got also removed.
Commits
-------
9e570a2082 [Http-Kernel][5.0] Add type-hints
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Fix s-maxage=3 transient test
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | NA
| License | MIT
| Doc PR | NA
Sometimes the HTTP server returns a `s-maxage=3` header (https://travis-ci.org/symfony/symfony/jobs/569326531)
This PR fixes tests to allow both 2 and 3
Commits
-------
f019b5214d Fix s-maxage=3 transient test
This PR was merged into the 5.0-dev branch.
Discussion
----------
[Console] add missing type hints
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | part of #32179
| License | MIT
| Doc PR |
Fix missing types from #32318
Commits
-------
180c497ae7 [Console] add missing type hints
* 4.4:
Improve some URLs
cleanup remaining param and internal Intl FulLTransformer
[HttpClient] fix data loss when streaming as a PHP resource
Fix test compatibility with 4.x components
[Cache] cs fix
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpClient] fix data loss when streaming as a PHP resource
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
I've just experienced failures like:
> StreamWrapper::stream_read - read 822 bytes more data than requested (9014 read, 8192 max) - excess data will be lost
This fixes it.
Commits
-------
99884e63b5 [HttpClient] fix data loss when streaming as a PHP resource
This PR was squashed before being merged into the 3.4 branch (closes #32800).
Discussion
----------
Improve some URLs
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
Commits
-------
fab17a4487 Improve some URLs