This PR was merged into the 4.0-dev branch.
Discussion
----------
[Security] remove support for defining voters that don't implement VoterInterface.
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Commits
-------
f527790080 [Security] remove support for defining voters that don't implement the VoterInterface interface.
* 3.4:
fixed tests
swiftmailer bridge is gone
respect the API in FirewallContext map
[TwigBundle] add back exception check
Dont call count on non countable object
Fix undefined variable $filesystem
* 3.3:
fixed tests
swiftmailer bridge is gone
respect the API in FirewallContext map
[TwigBundle] add back exception check
Dont call count on non countable object
Fix undefined variable $filesystem
* 3.2:
fixed tests
swiftmailer bridge is gone
[TwigBundle] add back exception check
Dont call count on non countable object
Fix undefined variable $filesystem
* 3.4: (83 commits)
add missing version attribute
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
[SecurityBundle] Add user impersonation info and exit action to the profiler
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
Fix Predis client cluster with pipeline
[Dotenv] Test load() with multiple paths
[Console] Fix catching exception type in QuestionHelper
Improved the exception page when there is no message
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Profiler][Validator] Add a validator panel in profiler
[Validator] replace hardcoded service id
[Routing] Fix XmlFileLoader exception message
Remove duplicate changelog entries
[DI] Dedup tags when using instanceof/autoconfigure
[Translation] Fix FileLoader::loadResource() php doc
[Serializer] Fix workaround min php version
...
* 3.3: (64 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
Fix Predis client cluster with pipeline
[Dotenv] Test load() with multiple paths
[Console] Fix catching exception type in QuestionHelper
Improved the exception page when there is no message
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Validator] replace hardcoded service id
[Routing] Fix XmlFileLoader exception message
[DI] Dedup tags when using instanceof/autoconfigure
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
fixed CS
[WebProfilerBundle] Fix the icon for the Cache panel
[WebServerBundle] Fix router script path and check existence
...
* 3.2: (42 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
Add Doctrine Cache to dev dependencies to fix failing unit tests.
return fallback locales whenever possible
[Console] Fix catching exception type in QuestionHelper
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Routing] Fix XmlFileLoader exception message
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
Reset redirectCount when throwing exception
[TwigBundle] Remove template.xml services when templating is disabled
add content-type header on exception response
Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
fixed bad merge
Fix two edge cases in ResponseCacheStrategy
[Routing] Expose request in route conditions, if needed and possible
[Routing] Expose request in route conditions, if needed and possible
...
* 2.8: (40 commits)
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
return fallback locales whenever possible
[Console] Fix catching exception type in QuestionHelper
[WebProfilerBundle] Eliminate line wrap on count columnt (routing)
[Routing] Fix XmlFileLoader exception message
[Translation] Fix FileLoader::loadResource() php doc
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
Reset redirectCount when throwing exception
[TwigBundle] Remove template.xml services when templating is disabled
add content-type header on exception response
Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
Fix two edge cases in ResponseCacheStrategy
[Routing] Expose request in route conditions, if needed and possible
[Routing] Expose request in route conditions, if needed and possible
[Translation][FrameworkBundle] Fix resource loading order inconsistency reported in #23034
[Filesystem] added workaround in Filesystem::rename for PHP bug
...
* 2.7:
Show exception is checked twice in ExceptionController of twig
allow SSI fragments configuration in XML files
Display a better error message when the toolbar cannot be displayed
render hidden _method field in form_rest()
return fallback locales whenever possible
This PR was merged into the 2.8 branch.
Discussion
----------
[Console] Fix catching exception type in QuestionHelper
| Q | A
| ------------- | ---
| Branch? | 2.8
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
When generic exceptions were replaced by domain exceptions in dd17dc00ee one catch statement was missed. The existing code works fine because a `RuntimeException` extends a `\RuntimeException`.
Commits
-------
1c091eb703 [Console] Fix catching exception type in QuestionHelper
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpFoundation] Adds support for the immutable directive in the cache-control header
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #21425
| License | MIT
| Doc PR |
Added support for the immutable directive in the cache-control header, tries to resolve#21425.
Commits
-------
33573c6eb1 Added support for the immutable directive in the cache-control header
* 2.7:
[Routing] Fix XmlFileLoader exception message
Sessions: configurable "use_strict_mode" option for NativeSessionStorage
[FrameworkBundle] [Command] Clean bundle directory, fixes#23177
Reset redirectCount when throwing exception
[TwigBundle] Remove template.xml services when templating is disabled
add content-type header on exception response
Embedding a response that combines expiration and validation, that should not defeat expiration on the combined response
Fix two edge cases in ResponseCacheStrategy
[Routing] Expose request in route conditions, if needed and possible
[Routing] Expose request in route conditions, if needed and possible
[Translation][FrameworkBundle] Fix resource loading order inconsistency reported in #23034
[Filesystem] added workaround in Filesystem::rename for PHP bug
Add tests for ResponseCacheStrategy to document some more edge cases
[HttpFoundation] added missing docs
fixes#21606
[VarDumper] fixes
[Security] fix switch user _exit without having current token
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] fix switch user _exit without having current token
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #22729
| License | MIT
| Doc PR | -
Attempting to `_exit` from a switched user caused an error when not having any token in the storage (for example happens when not logged in + disallowing anonymous users on that firewall):
`[1] Symfony\Component\Debug\Exception\FatalThrowableError: Type error: Argument 1 passed to Symfony\Component\Security\Http\Firewall\SwitchUserListener::getOriginalToken()
must be an instance of Symfony\Component\Security\Core\Authentication\Token\TokenInterface, null given, called in
symfony/symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php on line 164`
Commits
-------
16da6861be [Security] fix switch user _exit without having current token
This PR was merged into the 2.7 branch.
Discussion
----------
[Routing] Fix XmlFileLoader exception message
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
When an `XmlFileLoader` encounters an unknown tag it throws an exception with message like `Unknown tag "foo" used in file "bar". Expected "default", "requirement" or "option".`. A proper message should be `Unknown tag "foo" used in file "bar". Expected "default", "requirement", "option" or "condition".`
Commits
-------
f6a94cb56f [Routing] Fix XmlFileLoader exception message
This PR was squashed before being merged into the 3.4 branch (closes#22124).
Discussion
----------
Shift responsibility for keeping Date header to ResponseHeaderBag
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
This is an improvement over #22036. It shifts responsibility for preserving a `Date` header to the `ResponseHeaderBag`.
We already have similar logic there for the `Cache-Control` header.
Commits
-------
5d838360f3 Shift responsibility for keeping Date header to ResponseHeaderBag
This PR was merged into the 3.4 branch.
Discussion
----------
[Validator] Adds support to check specific DNS record type for URL
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
URL validation with the `checkDNS` option can time out for some international registrars or for reasons unknown. When the `URL` constraint is implemented, the context may logically allow for a single DNS record type to be checked, which is less prone to timing out. This updates the `checkDNS` option value to be one of any valid for the underlying `checkdnsrr()` method with backwards compatibility for the original boolean value.
Commits
-------
e66d8f1bef [Validator] Adds support to check specific DNS record type for URL
This PR was squashed before being merged into the 3.4 branch (closes#22629).
Discussion
----------
[Security] Trigger a deprecation when a voter is missing the VoterInterface
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Right now it's possible to add voters to the access decision manager that do not have a `VoterInterface`.
- No Interface, no `vote()` method, and it will give a PHP error.
- No Interface, but `vote()` method, it will still work.
- If I don't implement the interface _and_ have no `vote()` method, I will get weird exception that's not meaningful: `Attempted to call an undefined method named "vote" of class "App\Voter\MyVoter".`
This PR will deprecate the ability to use voters without the interface, it will also throw a proper exception when missing the interface _and_ the `vote()` method. Why when using and not when setting? Due to the fact that the voters can be set lazily via the `IteratorArgument`. The SecurityBundle will trigger a deprecation if the interface is not implemented and an exception if there's not even a `vote()` method present (to prevent exceptions at run-time).
This should have full backwards compatibility with 3.3, but give more meaningful errors. The only behavioral difference, might be that the container will throw an exception instead of maybe succeeding in voting when 1 voter would be broken at the end of the list (based on strategy). This case however, will be detected during development and deployment, rather than run-time.
Commits
-------
9c253e1ff6 [Security] Trigger a deprecation when a voter is missing the VoterInterface
This PR was squashed before being merged into the 2.7 branch (closes#23129).
Discussion
----------
Fix two edge cases in ResponseCacheStrategy
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
While reviewing how `ResponseCacheStrategy` calculates the caching-related headers for responses that embed subrequests, I came across two cases that I think are currently implemented incorrectly.
a) When the main response is public and cacheable with an expiration time, but it embeds (via ESI) a controller that does not set any caching-related headers, this embedded response is more constrained. So, the resulting (combined) response must not be cacheable, especially it may not keep the s-maxage.
b) When the main response is public and cacheable with an expiration time, but it embeds (via ESI) a controller that explicitly creates a "private" response, the resulting (combined) response must be private as well.
Commits
-------
c6e8c07e4d Fix two edge cases in ResponseCacheStrategy
This PR was merged into the 3.4 branch.
Discussion
----------
[Yaml] Deprecate using the non-specific tag
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Values tagged with the non-specific tag must not be transformed in an integer, this tag means that they must not be evaluated (see [the spec](http://www.yaml.org/spec/1.2/spec.html#tag/non-specific/)).
I applied this change in https://github.com/symfony/symfony/pull/22762 to comply with the spec.
Commits
-------
60f5046661 [Yaml] Deprecate using the non-specific tag
* 3.2:
[SecurityBundle] Move cache of the firewall context into the request parameters
Fix Usage with anonymous classes
[Workflow] Added more keywords in the composer.json
[Cache] APCu isSupported() should return true when apc.enable_cli=Off
[PropertyAccess] Do not silence TypeErrors from client code.
This PR was squashed before being merged into the 3.3 branch (closes#23088).
Discussion
----------
[FrameworkBundle] Dont set pre-defined esi/ssi services
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | not sure
| Deprecations? | no
| Tests pass? | yes/no
| Fixed tickets | #23080
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
It fixes the issue, but im not sure what's expected if you dont use http cache (solely enabled ssi/esi in config). Before the services were initialized, now they are synthetic as http cache sets them, but thats optional =/
Commits
-------
8c26aab0fe [FrameworkBundle] Dont set pre-defined esi/ssi services
This PR was merged into the 3.4 branch.
Discussion
----------
Consistent error handling in remember me services
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | yes
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
RememberMeServices lacked consistent error handling so far making it impossible for implementors to e.g. maintain sufficiently detailed audit logs for remember me errors. Since remember me is a very sensitive area in any application, detailed logging is crucial.
The change proposed allows `loginFail` to optionally take the exception object as a second parameter and uses said exception consistently internally by calling `loginFail` instead of `cancelCookie`.
Commits
-------
eda1888f71 Consistent error handling in remember me services
This PR was squashed before being merged into the 2.7 branch (closes#23092).
Discussion
----------
[Filesystem] added workaround in Filesystem::rename for PHP bug
[Filesystem] added workaround in Filesystem::rename for https://bugs.php.net/bug.php?id=54097
Standard PHP rename() of dirs across devices/mounted filesystems produces confusing copy error & throws IOException in Filesystem::rename. I got it during console cache:clear in the Docker environment. This PR possible fixes https://github.com/symfony/symfony/issues/19851 and other environment related issues.
Workaround is on \rename() fails try to Filesystem::mirror & Filesystem::remove if $origin is directory
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Commits
-------
3ccbc479da [Filesystem] added workaround in Filesystem::rename for PHP bug
This PR was squashed before being merged into the 2.7 branch (closes#23123).
Discussion
----------
Add tests for ResponseCacheStrategy to document some more edge cases
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Adds some test cases for possible combinations of master/subrequest responses to better document behaviour in edge cases. Should now cover the entire `ResponseCacheStrategy`.
I hope 2.7 is the right target branch because having more tests for all releases should be a good thing™️.
Commits
-------
69e84633dd Add tests for ResponseCacheStrategy to document some more edge cases
This PR was merged into the 3.3 branch.
Discussion
----------
[HttpFoundation] add back support for legacy constant values
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Due to the data type change of the `Request::HEADER_` constants in Symfony 3.3 #23067 introduced a small BC break if someone used the old constant values statically instead of referring to the constants themselves.
Commits
-------
fddd754c0a add back support for legacy constant values
This PR was merged into the 2.7 branch.
Discussion
----------
[HttpFoundation] fix for Support for new 7.1 session options
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #21606
| License | MIT
| Doc PR | n/a
Commits
-------
71c1b6f5bffixes#21606
This PR was merged into the 3.4 branch.
Discussion
----------
[Serializer] DateTimeNormalizer: allow to provide timezone
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
My own use-case was for denormalization of a csv file provided by a third-party. The datetime format inside does not contain any timezone information, and won't change, but it's established to be UTC (or at least consistent).
So by providing the new `datetime_timezone` option, the returned instance of `\DateTime(Interface)` will properly be set with the expected timezone. (In case the format already supports the time offset, the provided timezone is ignored in favor of the one parsed by the `\DateTime` object)
Regarding normalization, the expected behavior of this feature is to consistently return the same time offset.
Commits
-------
c10a780afb [Serializer] DateTimeNormalizer: allow to provide timezone
This PR was merged into the 3.4 branch.
Discussion
----------
[DI] Reference instead of inline for array-params
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
- [x] Tests to be written.
This PR is part of my "container on a diet" quest.
When big array parameters are resolved, they create data duplication in the dumped container. This is even worse when the same big array parameters are used several times.
Even though OPcache stores static arrays in shared memory (php7), it does not deduplicate them (it does for strings.)
Instead of inlining arrays, this PR leverages the `$this->parameters` property when possible.
Commits
-------
7c3d0c7a46 [DI] Reference instead of inline for array-params
This PR was merged into the 3.2 branch.
Discussion
----------
[PropertyAccess] Do not silence TypeErrors from client code.
| Q | A
| ------------- | ---
| Branch? | 3.2
| Bug fix? | yes
| New feature? | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Fixes TypeError silencing in `setValue()` when said error is thrown inside setter/adder/etc.
An example is given in the included test, but more real-life story is botched accessors for a many-to-one association on a Doctrine entity:
```php
class B {
function setA(A $a) { ... } // forgotten "= null" here
}
class A {
function removeB(B $b) {
if ($this->bs->contains($b)) {
$this->bs->removeElement($b);
$b->setA(null); // TypeError thrown
}
return $this;
}
}
```
No error is shown to the user, even though removing doesn't work.
This bug is not present in 2.7 & 2.8.
Commits
-------
45b961de2e [PropertyAccess] Do not silence TypeErrors from client code.
This PR was merged into the 3.2 branch.
Discussion
----------
[PropertyAccess] Fix Usage with anonymous classes
| Q | A
| ------------- | ---
| Branch? | 3.2
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23136
| License | MIT
Replace forbidden characters in the the class names of Anonymous Classes in form of
"class@anonymous /symfony/src/Symfony/Component/PropertyAccess/Tests/PropertyAccessorTest.php0x7f3f5f267ad5"
Wrapped in eval to avoid PHP parsing errors < 7 and using `rawurlenceode` for perf reasons
Thanks @nicolas-grekas for the help and patience. Let me know if anything is missing.
Commits
-------
3f7fd432df Fix Usage with anonymous classes
This PR was merged into the 3.3 branch.
Discussion
----------
[Config] Fix ** GlobResource on Windows
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #23103
| License | MIT
| Doc PR | -
We cannot tell Finder to use RecursiveDirectoryIterator::UNIX_PATHS so we have to fix paths on Windows.
Commits
-------
44955bea53 [Config] Fix ** GlobResource on Windows
* 3.3:
[TwigBundle] Add Doctrine Cache to dev dependencies
[Yaml] Fix linting yaml with constants as keys
[Routing] Revert the change in [#b42018] with respect to Routing/Route.php
* 3.4:
[FrameworkBundle] Deprecate useless --no-prefix option
Add Doctrine Cache to dev dependencies to fix failing unit tests.
Give info about called security listeners in profiler
Fix the usage of FrameworkBundle in debug mode without Stopwatch
Replace forbidden characters in the the class names of Anonymous Classes in form of
"class@anonymous /symfony/src/Symfony/Component/PropertyAccess/Tests/PropertyAccessorTest.php0x7f3f5f267ad5"
Wrapped in eval to avoid PHP parsing errors < 7
This PR was merged into the 2.7 branch.
Discussion
----------
[FormBuilderInterface] Fixed PHPdoc return references
| Q | A
| ------------- | ---
| Branch? | 2.7 and higher
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | N/A (phpdoc)
| License | MIT
In a case where the method `createFormBuilder()` was used where the methods `add()` and `getForm()` were chained onto it, the final resulting object was no longer a FormBuilder object as the `add()` and `remove()` methods was using a return variable that didn't work.
Should reference `self` as interfaces do not have a `$this` object.
Commits
-------
2f350d1d38 Fixed PHPdoc return references in FormBuilderInterface
* 3.4:
[FrameworkBundle] removed doctrine/cache as a dependency
drop hard dependency on the Stopwatch component
Fix the conditional definition of the SymfonyTestsListener
[DI] Fix keys resolution in ResolveParameterPlaceHoldersPass
[FrameworkBundle] Fix colliding service ids
[FrameworkBundle] deprecated validator.mapping.cache.doctrine.apc
remove now useless condition
Lazy load security listeners
[EventDispatcher] Remove dead code in WrappedListener
[Process] Deprecate ProcessBuilder
Fix non-dumped voters in security panel
search case insensitive
[VarDumper] Cyclic searching dumps
[Yaml] Remove line number in deprecation notices
[SecurityBundle] Made 2 service aliases private
Automatically enable the routing annotation loader
[FrameworkBundle] KernelTestCase: deprecate not using KERNEL_CLASS
* 3.3:
Fix the conditional definition of the SymfonyTestsListener
[DI] Fix keys resolution in ResolveParameterPlaceHoldersPass
[EventDispatcher] Remove dead code in WrappedListener
Fix non-dumped voters in security panel
[Yaml] Remove line number in deprecation notices
[SecurityBundle] Made 2 service aliases private
This PR was squashed before being merged into the 2.7 branch (closes#22931).
Discussion
----------
SCA with Php Inspections (EA Extended): 2.7
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Static Code Analysis with Php Inspections (EA Extended): dead code and control flow tweaks.
Commits
-------
598ae56cc9 SCA with Php Inspections (EA Extended): 2.7
This PR was merged into the 3.4 branch.
Discussion
----------
Automatically enable the routing annotation loader
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | yes <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | there's probably one but I didn't find it
| License | MIT
| Doc PR |
Thanks to fqcn services, most of the time, we don't need the SensioFrameworkExtraBundle to use `@Route`.
So I suggest to automatically enable it when annotations are enabled. This way we could simplify https://github.com/symfony/recipes/blob/master/symfony/framework-bundle/3.3/etc/routing.yaml#L5.
Note: I added priority support for routing loaders to make sure sensio loaders are executed before ours.
Commits
-------
c2f796fa15 Automatically enable the routing annotation loader
* 2.7:
bumped Symfony version to 2.7.30
Cache ipCheck
updated VERSION for 2.7.29
update CONTRIBUTORS for 2.7.29
updated CHANGELOG for 2.7.29
show unique inherited roles
This PR was merged into the 2.7 branch.
Discussion
----------
Cache ipCheck (2.7)
In our app we use trusted proxies. Using Blackfire we found `IpUtils::checkIp` was being called 454 times taking 3.15ms.
Caching the result saves those 3ms.
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Commits
-------
bcb80569cb Cache ipCheck
* 3.4:
[MonologBridge] Do not silence errors in ServerLogHandler::formatRecord
bumped Symfony version to 3.3.3
updated VERSION for 3.3.2
updated CHANGELOG for 3.3.2
[HttpKernel][Debug] Fix missing trace on deprecations collected during bootstrapping & silenced errors
[PropertyInfo] Made ReflectionExtractor's prefix lists instance variables
* 3.3:
[MonologBridge] Do not silence errors in ServerLogHandler::formatRecord
bumped Symfony version to 3.3.3
updated VERSION for 3.3.2
updated CHANGELOG for 3.3.2
[HttpKernel][Debug] Fix missing trace on deprecations collected during bootstrapping & silenced errors
This PR was merged into the 3.4 branch.
Discussion
----------
[PropertyInfo] Made ReflectionExtractor's prefix lists instance variables
| Q | A
| ------------- | ---
| Branch? | `3.4`
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
This PR makes `ReflectionExtractor`'s mutator/accessor prefixes instance variables in order to be able to override them to change its behavior.
Commits
-------
58e733b49e [PropertyInfo] Made ReflectionExtractor's prefix lists instance variables
* 3.4:
[TwigBridge] Fix namespaced classes
bumped Symfony version to 3.3.2
updated VERSION for 3.3.1
updated CHANGELOG for 3.3.1
[DependencyInjection] Fix named args support in ChildDefinition
[Cache] Fallback to positional when keyed results are broken
[HttpFoundation][FrameworkBundle] Revert "trusted proxies" BC break
[Cache] MemcachedAdapter not working with TagAwareAdapter
Remove closure-proxy leftovers
fix used class name in deprecation message
[DependencyInjection] Use more clear message when unused environment variables detected
[Form][Profiler] Fixes form collector triggering deprecations
mitigate BC break with empty trusted_proxies
[Profiler] Never wrap in code excerpts
[Form][FrameworkBundle] Remove non-existing arg for data_collector.form
explain that a role can be an instance of Role
[Cache] fix Redis scheme detection
Implement ServiceSubscriberInterface in optional cache warmers
Deprecate passing a concrete service in optional cache warmers
mix attr options between type-guess options and user options
* 3.3:
[TwigBridge] Fix namespaced classes
bumped Symfony version to 3.3.2
updated VERSION for 3.3.1
updated CHANGELOG for 3.3.1
[DependencyInjection] Fix named args support in ChildDefinition
[Cache] Fallback to positional when keyed results are broken
[HttpFoundation][FrameworkBundle] Revert "trusted proxies" BC break
[Cache] MemcachedAdapter not working with TagAwareAdapter
Remove closure-proxy leftovers
[DependencyInjection] Use more clear message when unused environment variables detected
[Form][Profiler] Fixes form collector triggering deprecations
mitigate BC break with empty trusted_proxies
[Profiler] Never wrap in code excerpts
[Form][FrameworkBundle] Remove non-existing arg for data_collector.form
explain that a role can be an instance of Role
[Cache] fix Redis scheme detection
mix attr options between type-guess options and user options
* 3.2:
[TwigBridge] Fix namespaced classes
[Cache] MemcachedAdapter not working with TagAwareAdapter
[DependencyInjection] Use more clear message when unused environment variables detected
mix attr options between type-guess options and user options
This PR was merged into the 3.3 branch.
Discussion
----------
[HttpFoundation][FrameworkBundle] Revert "trusted proxies" BC break
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Basically reverts #22238 + cleanups some comments + adds missing syncing logic in setTrustedHeaderName.
The reason for this proposal is that the BC break can go un-noticed until prod, *even if you have proper CI*. That's because your CI may not replicate exactly what your prod have (ie a reverse proxy), so that maybe only prod has a trusted-proxies configuration. I realized this while thinking about #23049: it made this situation even more likely, by removing an opportunity for you to notice the break before prod.
The reasons for the BC break are still valid and all of this is security-related. But the core security issue is already fixed. The remaining issue still exists (an heisenbug related to some people having both Forwarded and X-Forwarded-* set for some reason), but deprecating might still be enough.
WDYT? (I'm sure everyone is going to be happy with the BC break reversal, but I'm asking for feedback from people who actually could take the time to *understand* and *balance* the rationales here, thanks :) )
Commits
-------
2132333059 [HttpFoundation][FrameworkBundle] Revert "trusted proxies" BC break
This PR was merged into the 3.3 branch.
Discussion
----------
[Cache] Fallback to positional when keyed results are broken
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Works around https://github.com/krakjoe/apcu/issues/247 ~~and https://github.com/facebook/hhvm/issues/7867~~
Commits
-------
28aaa8eb05 [Cache] Fallback to positional when keyed results are broken
This PR was squashed before being merged into the 3.3 branch (closes#22981).
Discussion
----------
[DependencyInjection] Fix named args support in ChildDefinition
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Following @Tobion's review of #21383.
Commits
-------
1ab3e413d4 [DependencyInjection] Fix named args support in ChildDefinition