This PR was squashed before being merged into the 2.7 branch (closes#25801).
Discussion
----------
[Router] Skip anonymous classes when loading annotated routes
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #25796
| License | MIT
| Doc PR |
Skip any usage of anonymous classes when parsing files in `AnnotationFileLoader`
Commits
-------
d76a545 [Router] Skip anonymous classes when loading annotated routes
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] Auto-enable CSRF if the component *+ session* are loaded
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/recipes/issues/262
| License | MIT
| Doc PR | -
By binding CSRF and session default state, we provide better DX, but we also provide a way for bundles to enable session on its own: they just need to require "symfony/security-csrf".
Yes, that's a side effect, but I think that's a nice one for 3.4/4.0.
Of course, we might do better in 4.1, but for bug fix only releases, LGTM.
Commits
-------
9e8231f [FrameworkBundle] Automatically enable the CSRF if component *+ session* are loaded
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Fix fatal error on non string username
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/25612
| License | MIT
| Doc PR | n/a
That's consistent with what #22569 did for the `json_login` listener.
Commits
-------
8f095683d0 [Security] Fix fatal error on non string username
This PR was merged into the 3.3 branch.
Discussion
----------
[Routing] Make sure we only build routes once
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #25746
| License | MIT
| Doc PR | ø
We need to build the collection(s) only once, else the prefix would be duplicated.
Commits
-------
927a75ac3e Make sure we only build once and have one time the prefix when importing routes
* 3.4:
[Console] Add placeholder for line number in console exception fixtures
fix HHVM tests
minor #25752 Don't right trim the deprecation message (alexpott)
This PR was merged into the 3.3 branch.
Discussion
----------
Remove polyfill-util dependency from fullstack and security
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | kinda
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Applies #22709 to the two higher-level packages. I've applied it to 3.3 as that's where that change was merged (though it was `master` as the time); these may actually apply earlier though?
(#16382 was mentioned and applied to 2.8, though is for the serializer which is unrelated? Should have been 3.0 when `StringUtils` was removed?)
Commits
-------
939efd59b9 Remove polyfill-util dependency from fullstack and security
This PR was submitted for the 3.4 branch but it was squashed and merged into the 3.3 branch instead (closes#25752).
Discussion
----------
Don't right trim the deprecation message
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | maybe yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Replace this comment by a description of what your PR is solving.
-->
The PhpUnit bridge lists deprecation messages after a test. In order to do this it outputs the message but it right trims the message - removing any fullstops. This is unexpected. It does this to add the number of time the message appears but this is not really necessary because the number of the times a deprecation message is triggered and from where is added below.
Commits
-------
0b03631 Don't right trim the deprecation message
* 3.4:
fix merge
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
Add missing @ in phpdoc return statement
Don't right trim the deprecation message
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
[FrameworkBundle] fix tests
Prefer composer install instead for using Symfony Installer
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
* 3.3:
fix merge
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
Add missing @ in phpdoc return statement
Don't right trim the deprecation message
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
* 2.8:
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
* 2.7:
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
* 3.4: (26 commits)
[Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
[HttpKernel] Fix session handling: decouple "save" from setting response "private"
swap filter/function and package names
[HttpFoundation] Always call proxied handler::destroy() in StrictSessionHandler
[HttpKernel] Fix compile error when a legacy container is fresh again
Add tests for the HttpKernel request collector and redirection via cookies
Uses cookies to track the requests redirection
Tweaked some styles in the profiler tables
Add type string to docblock for Process::setInput()
[Security] Fail gracefully if the security token cannot be unserialized from the session
[Form] AbstractLayoutTest - fix DOMDocument casing
Run simple-phpunit with --no-suggest option
[FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
bumped Symfony version to 3.4.4
updated VERSION for 3.4.3
updated CHANGELOG for 3.4.3
bumped Symfony version to 3.3.16
updated VERSION for 3.3.15
updated CHANGELOG for 3.3.15
bumped Symfony version to 2.8.34
...
* 3.3:
[Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
Tweaked some styles in the profiler tables
Add type string to docblock for Process::setInput()
[Security] Fail gracefully if the security token cannot be unserialized from the session
[Form] AbstractLayoutTest - fix DOMDocument casing
Run simple-phpunit with --no-suggest option
[FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
bumped Symfony version to 3.3.16
updated VERSION for 3.3.15
updated CHANGELOG for 3.3.15
bumped Symfony version to 2.8.34
updated VERSION for 2.8.33
updated CHANGELOG for 2.8.33
bumped Symfony version to 2.7.41
updated VERSION for 2.7.40
update CONTRIBUTORS for 2.7.40
updated CHANGELOG for 2.7.40
* 2.8:
[Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
Tweaked some styles in the profiler tables
[Security] Fail gracefully if the security token cannot be unserialized from the session
[Form] AbstractLayoutTest - fix DOMDocument casing
bumped Symfony version to 2.8.34
updated VERSION for 2.8.33
updated CHANGELOG for 2.8.33
bumped Symfony version to 2.7.41
updated VERSION for 2.7.40
update CONTRIBUTORS for 2.7.40
updated CHANGELOG for 2.7.40
* 2.7:
[Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
[Security] Fail gracefully if the security token cannot be unserialized from the session
[Form] AbstractLayoutTest - fix DOMDocument casing
bumped Symfony version to 2.7.41
updated VERSION for 2.7.40
update CONTRIBUTORS for 2.7.40
updated CHANGELOG for 2.7.40
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Fix session handling: decouple "save" from setting response "private"
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Fixes https://github.com/symfony/symfony/pull/25583#issuecomment-355717344 from @Tobion, and provides extra laziness for the "session" service, related to https://github.com/symfony/recipes/pull/333.
(deps=high failure will be fixed by merging to upper branches.)
Commits
-------
f8727b8827 [HttpKernel] Fix session handling: decouple "save" from setting response "private"
This PR was merged into the 2.7 branch.
Discussion
----------
[Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | no
| License | MIT
| Doc PR | no
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Replace this comment by a description of what your PR is solving.
-->
Php function json_encode/decode with option JSON_PARTIAL_OUTPUT_ON_ERROR return result on error, but if have is error json_last_error() always return error code even if there is a result and it is not false. Because of this is impossible set JSON_PARTIAL_OUTPUT_ON_ERROR option across variable $context.
Current fix solves this problem.
Verification on the false is completely correct, since json_encode / decode returns false only on error if not set JSON_PARTIAL_OUTPUT_ON_ERROR option.
Such have a problem e.g when encoding data is not utf-8 (emoji from facebook).
Commits
-------
e7e410b [Serializer] Fixed throwing exception with option JSON_PARTIAL_OUTPUT_ON_ERROR
This PR was merged into the 3.4 branch.
Discussion
----------
[TwigBridge] swap filter/function and package names
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Error message was `Did you forget to run "composer require symfony/csrf_token"? Unknown function "form" in "Security/Pages/login.html".` and will now be `Did you forget to run "composer require symfony/form"? Unknown function "csrf_token" in "Security/Pages/login.html".`
Commits
-------
9db699bd8d swap filter/function and package names
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Add tests for request collector and cookie redirection
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes (#25719)
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | ø
Not that I felt bad doing a PR without tests (#25719) but this one adds tests to be sure we stabilize this cookie-based redirection.
Commits
-------
7b4f5a15e7 Add tests for the HttpKernel request collector and redirection via cookies
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpFoundation] Always call proxied handler::destroy() in StrictSessionHandler
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Noticed by @jpauli: the native file session handler needs a call to `destroy()` to remove session files, even for new empty sessions.
Commits
-------
e5e2d5ddd2 [HttpFoundation] Always call proxied handler::destroy() in StrictSessionHandler
This PR was merged into the 3.3 branch.
Discussion
----------
[FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #25695
| License | MIT
| Doc PR | -
When `annotation_reader` is instantiated in an after-removing pass, it gets the real cache provider, instead of the dummy one that should be provided during compilation of the container.
This situation is found in e.g. `JMS\AopBundle\DependencyInjection\Compiler\PointcutMatchingPass`.
A workaround before next release could be to "get" the `annotation_reader` service somewhere before (like in a regular compiler pass of your own.)
Commits
-------
f66f9a7b37 [FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Fail gracefully if the security token cannot be unserialized from the session
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
If the security token in the session can't be unserialized, an `E_NOTICE` is issued. This prevents it (and provides a better log message if it's not even a `__PHP_Incomplete_Class`).
This is similar to #24731, but I saw it triggered when changing OAuth library (https://github.com/elifesciences/journal/pull/824), so the token class itself no longer exists. (I want to avoid having to manually invalidate all sessions, as not all sessions use that token class.)
Commits
-------
053fa43add [Security] Fail gracefully if the security token cannot be unserialized from the session
This PR was submitted for the 3.4 branch but it was squashed and merged into the 3.3 branch instead (closes#25585).
Discussion
----------
Add type string to docblock for Process::setInput()
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
| Doc PR | none
Add `string` as valid `$input` for `Process::setInput()`. Since `getInput()` will also return as string and the internal method `ProcessUtils::validateInput()` will accept a string, this should be a viable input type.
Commits
-------
e3de68f2 Add type string to docblock for Process::setInput()
This PR was squashed before being merged into the 3.4 branch (closes#25685).
Discussion
----------
Use triggering file to determine weak vendors if when the test is run in a separate process
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md files -->
| Tests pass? | I think so
| Fixed tickets | #25684
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Replace this comment by a description of what your PR is solving.
-->
Commits
-------
3830577 Use triggering file to determine weak vendors if when the test is run in a separate process
* 3.4:
Remove randomness from dumped containers
fixed messages to be explicit about the package needed to be installed
[FrameworkBundle] Fix recommended composer command (add vendor)
[WebProfilerBundle] set the var in the right scope
[TwigBundle] fix lowest dep
[HttpKernel] Disable CSP header on exception pages
Use the default host even if context is empty and fallback to relative URL if empty host
Proposing Flex-specific error messages in the controller shortcuts
This PR was merged into the 3.4 branch.
Discussion
----------
Remove randomness from dumped containers
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
With this PR, the generated container is immutable by cache clearing: it doesn't contain any random string anymore (well, third party bundles can add random things back, but at least core doesn't).
Since the class+file name of the container is based on a hash of its content, it means that they are now stable also. This should help fix some edge cases/race conditions during cache clears/rebuilds.
(fabbot failure is false positive)
Commits
-------
14dd5d1dbd Remove randomness from dumped containers
This PR was merged into the 3.4 branch.
Discussion
----------
Fix fixed messages to be explicit about the package needed to be installed
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Replace this comment by a description of what your PR is solving.
-->
Commits
-------
e8bc099 fixed messages to be explicit about the package needed to be installed
This PR was squashed before being merged into the 3.4 branch (closes#25678).
Discussion
----------
[WebProfilerBundle] set the var in the right scope
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This PR fixes the bug when displaying the toolbar. The variable "has_time_events" was not created in the scope of the toolbar.
Commits
-------
3e9780df59 [WebProfilerBundle] set the var in the right scope
