This PR was merged into the 2.8 branch.
Discussion
----------
[HttpFoundation] Remove support for legacy and risky HTTP headers
| Q | A
| ------------- | ---
| Branch? | 2.8
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
e447e8b921 [HttpFoundation] Remove support for legacy and risky HTTP headers
* 2.8:
[HttpKernel] Fixed invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet
[HttpFoundation] fixed using _method parameter with invalid type
[Intl] Replace svn with git in the icu data update script
[HttpFoundation] Fix Cookie::isCleared
* 2.8:
Fix Clidumper tests
Enable the fixer enforcing fully-qualified calls for compiler-optimized functions
Apply fixers
Disable the native_constant_invocation fixer until it can be scoped
Update the list of excluded files for the CS fixer
* 2.8:
use brace-style regex delimiters
Fixed typo RecursiveIterator -> RecursiveIteratorIterator
[Validator] make phpdoc of ObjectInitializerInterface interface more accurate
* 2.7:
use brace-style regex delimiters
Fixed typo RecursiveIterator -> RecursiveIteratorIterator
[Validator] make phpdoc of ObjectInitializerInterface interface more accurate
* 2.8:
Another PR template tweak
[PropertyInfo] ReflectionExtractor: give a chance to other extractors if no properties
Clean calls to http_build_query()
[WebProfilerBundle] limit ajax request to 100 and remove the last one
[HttpFoundation] Fix missing "throw" in JsonResponse
Improve the documentation of
Suppress warning from sapi_windows_vt100_support on stream other than STDIO
removed extra-verbose comments
Fixes#26136: Avoid emitting warning in hasParameterOption()
Added a README entry to the PR template
[HttpFoundation] Add x-zip-compressed to MimeTypeExtensionGuesser.
[DI] Add null check for removeChild
* 2.7:
Clean calls to http_build_query()
[HttpFoundation] Fix missing "throw" in JsonResponse
Improve the documentation of
Suppress warning from sapi_windows_vt100_support on stream other than STDIO
removed extra-verbose comments
Fixes#26136: Avoid emitting warning in hasParameterOption()
Added a README entry to the PR template
[HttpFoundation] Add x-zip-compressed to MimeTypeExtensionGuesser.
[DI] Add null check for removeChild
* 2.8:
update test for Twig performance optimizations
[WebProfilerBundle] Increase retry delays between toolbarAction ajax calls
support sapi_windows_vt100_support for php 7.2+
bumped Symfony version to 2.8.35
updated VERSION for 2.8.34
updated CHANGELOG for 2.8.34
bumped Symfony version to 2.7.42
updated VERSION for 2.7.41
update CONTRIBUTORS for 2.7.41
updated CHANGELOG for 2.7.41
[HttpFoundation] Added "null" type on Request::create docblock
Allow trans filter to be safe
* 2.7:
update test for Twig performance optimizations
[WebProfilerBundle] Increase retry delays between toolbarAction ajax calls
support sapi_windows_vt100_support for php 7.2+
bumped Symfony version to 2.7.42
updated VERSION for 2.7.41
update CONTRIBUTORS for 2.7.41
updated CHANGELOG for 2.7.41
[HttpFoundation] Added "null" type on Request::create docblock
Allow trans filter to be safe
* 3.3:
Have weak_vendors ignore deprecations from outside
[HttpFoundation] fixed return type of method HeaderBag::get
[HttpFoundation] Added "resource" type on Request::create docblock
[Process] Skip environment variables with false value in Process
Revert "bug #25789 Enableable ArrayNodeDefinition is disabled for empty configuration (kejwmen)"
Formatting fix in upgrade 3.0 document
don't split lines on carriage returns when dumping
Revert "bug #25851 [Validator] Conflict with egulias/email-validator 2.0 (emodric)"
[DI] compilation perf tweak
[Validator] Conflict with egulias/email-validator 2.0
[Validator] add missing parent isset and add test
* 2.8:
[HttpFoundation] fixed return type of method HeaderBag::get
[HttpFoundation] Added "resource" type on Request::create docblock
Revert "bug #25789 Enableable ArrayNodeDefinition is disabled for empty configuration (kejwmen)"
Formatting fix in upgrade 3.0 document
Revert "bug #25851 [Validator] Conflict with egulias/email-validator 2.0 (emodric)"
[Validator] add missing parent isset and add test
* 2.7:
[HttpFoundation] fixed return type of method HeaderBag::get
[HttpFoundation] Added "resource" type on Request::create docblock
Revert "bug #25789 Enableable ArrayNodeDefinition is disabled for empty configuration (kejwmen)"
Revert "bug #25851 [Validator] Conflict with egulias/email-validator 2.0 (emodric)"
[Validator] add missing parent isset and add test
* 3.3:
[appveyor] set memory_limit=-1
[Router] Skip anonymous classes when loading annotated routes
Fixed Request::__toString ignoring cookies
Make sure we only build once and have one time the prefix when importing routes
[Security] Fix fatal error on non string username
* 2.8:
[appveyor] set memory_limit=-1
[Router] Skip anonymous classes when loading annotated routes
Fixed Request::__toString ignoring cookies
[Security] Fix fatal error on non string username
* 2.7:
[appveyor] set memory_limit=-1
[Router] Skip anonymous classes when loading annotated routes
Fixed Request::__toString ignoring cookies
[Security] Fix fatal error on non string username
* 3.3:
fixed some deprecation messages
fixed some deprecation messages
fixed some deprecation messages
fixed some deprecation messages
[2.7][DX] Use constant message contextualisation for deprecations
* 3.3:
Add application/ld+json format associated to json
[HttpFoundation] Fix false-positive ConflictingHeadersException
[WebServerBundle] Fix escaping of php binary with arguments
Error handlers' $context should be optional as it's deprecated
[Serializer] Correct typing mistake in DocBlock
[Config] Fix closure CS
PHP CS Fixer: use PHPUnit Migration ruleset
Update MemcachedTrait.php
[Bridge/PhpUnit] thank phpunit/phpunit
[Process] Fix setting empty env vars
[Process] Dont use getenv(), it returns arrays and can introduce subtle breaks accros PHP versions
[WebServerBundle] fix a bug where require would not require the good file because of env
[Console] Commands with an alias should not be recognized as ambiguous
* 3.3:
[Serializer] Fix extra attributes when no group specified
[Intl] Make intl-data tests pass and save language aliases again
[Console] Fix CommandTester::setInputs() docblock
[Serializer] readd default argument value
[VarDumper] fix trailling comma when dumping an exception
Remove useless docblocks
[FrameworkBundle] Fix docblocks
[PropertyInfo] Remove useless docblocks
* 3.3: (22 commits)
[Routing] Fix resource miss
[Security] Fixed auth provider authenticate() cannot return void
declare argument type
[FrameworkBundle][Serializer] Move normalizer/encoders definitions to xml file & remove unnecessary checks
streamed response should return $this
$isClientIpsVali is not used
content can be a resource
Adding the Form default theme files to be warmed up in Twig's cache
Remove BC Break label from `NullDumper` class
Username and password in basic auth are allowed to contain '.'
Remove obsolete PHPDoc from UriSigner
[Serializer] YamlEncoder: throw if the Yaml component isn't installed
[Serializer] ObjectNormalizer: throw if PropertyAccess isn't installed
[PropertyInfo] Add support for the iterable type
pdo session fix
Fixed pathinfo calculation for requests starting with a question mark. - fix bad conflict resolving issue - port symfony/symfony#21968 to 3.3+
Fixed unsetting from loosely equal keys OrderedHashMap
add DOMElement as return type in Crawler::getIterator to support foreach support in ide
Fixed mistake in exception expectation
[Debug] Fix same vendor detection in class loader
...
* 2.8:
[Routing] Fix resource miss
[Security] Fixed auth provider authenticate() cannot return void
declare argument type
streamed response should return $this
content can be a resource
Adding the Form default theme files to be warmed up in Twig's cache
* 2.7:
[Security] Fixed auth provider authenticate() cannot return void
declare argument type
streamed response should return $this
content can be a resource
* 3.3: (23 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
[PHPUnitBridge] don't remove when set to empty string
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
...