Commit Graph

15492 Commits

Author SHA1 Message Date
Pierre-Yves LEBECQ 739bf715c7 [DomCrawler] Allowed internal validation of ChoiceFormField to be disabled 2013-10-01 10:36:54 +02:00
Alessandro Tagliapietra f5812c5e40 [Form] Let null values to unset fields in PATCH requests 2013-10-01 10:31:32 +02:00
Fabien Potencier b85b78f24a bug#9183 [Security] Fixed test cases of the Csrf sub-component (bschussek)
This PR was merged into the master branch.

Discussion
----------

[Security] Fixed test cases of the Csrf sub-component

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Commits
-------

7c7d86e [Security] Fixed test cases of the Csrf sub-component
2013-10-01 10:20:34 +02:00
Bernhard Schussek 7c7d86e369 [Security] Fixed test cases of the Csrf sub-component 2013-10-01 10:18:52 +02:00
Fabien Potencier 2cd6e002c7 feature#8957 [HttpFoundation] added a way to override the Request class (fabpot)
This PR was merged into the master branch.

Discussion
----------

[HttpFoundation] added a way to override the Request class

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #7461, #7453
| License       | MIT
| Doc PR        | symfony/symfony-docs#3021

This is an alternative implementation for #7461.

I've also reverted #7381 and #7390 as these changes are not needed anymore.

Todo:

 - [ ] add some tests

Commits
-------

464439d [HttpFoundation] added a way to override the Request class
2013-10-01 07:05:57 +02:00
Fabien Potencier 464439d195 [HttpFoundation] added a way to override the Request class 2013-09-30 22:35:02 +02:00
Fabien Potencier d80e840b7f [Console] added some tests for previous merge (refs #8626) 2013-09-30 21:59:36 +02:00
Fabien Potencier ad7be73e40 feature#8626 [Console] pass command name automatically if required by the application (xabbuh)
This PR was submitted for the 2.2 branch but it was merged into the master branch instead (closes #8626).

Discussion
----------

[Console] pass command name automatically if required by the application

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #8625
| License       | MIT
| Doc PR        |

Commits
-------

50c8050 [Console] pass command name automatically if required by the application
2013-09-30 21:44:36 +02:00
Christian Flothmann 81aead238b pass command name automatically if required by the application 2013-09-30 21:44:35 +02:00
Fabien Potencier 426559f65e feature#9119 [HttpFoundation] Add a way to avoid the session be written at each request (adrienbrault)
This PR was merged into the master branch.

Discussion
----------

[HttpFoundation] Add a way to avoid the session be written at each request

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no (maybe the DI config ?)
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | N/A
| License       | MIT
| Doc PR        | https://github.com/symfony/symfony-docs/pull/3017

Commits
-------

38f02ea [HttpFoundation] Add a way to avoid the session be written at each request
2013-09-30 21:42:39 +02:00
Adrien Brault 38f02eacbf [HttpFoundation] Add a way to avoid the session be written at each request 2013-09-30 12:03:12 -07:00
Fabien Potencier 1893478dd5 feature#9119 [HttpFoundation] Add a way to avoid the session be written at each request (adrienbrault)
This PR was merged into the master branch.

Discussion
----------

[HttpFoundation] Add a way to avoid the session be written at each request

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no (maybe the DI config ?)
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | N/A
| License       | MIT
| Doc PR        | https://github.com/symfony/symfony-docs/pull/3017

Commits
-------

191418d [HttpFoundation] Add a way to avoid the session be written at each request
2013-09-30 19:51:08 +02:00
Adrien Brault 191418d24d [HttpFoundation] Add a way to avoid the session be written at each request 2013-09-30 10:45:51 -07:00
Fabien Potencier c886612c99 fixed some unit tests 2013-09-30 19:16:09 +02:00
Fabien Potencier c741c5838d fixed typos 2013-09-30 17:49:53 +02:00
Fabien Potencier bdcdc6eddb feature#9170 Decoupled TraceableEventDispatcher from the Profiler (fabpot)
This PR was merged into the master branch.

Discussion
----------

Decoupled TraceableEventDispatcher from the Profiler

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

This PR removes the Profiler dependency on the TraceableEventDispatcher. That makes things more decoupled and cleaner. This PR also cleans up how profiles are stored; a Profile is now always stored only once.

I've created a `LateDataCollectorInterface` that is implemented for data collectors that need to get information from data that are available very late in the request process (when the request and the response are not even available anymore). The `lateCollect()` method is called just before the profile is stored.

We have 3 data collectors that implement that interface:

 * Time: As the traceable event dispatcher gets inject timing information via the stopwatch about all events (including the `terminate` one), we need to get events from the stopwatch as late as possible.
 * Event: The traceable event dispatcher gathers all called listeners to determine non-called ones. To be able to accurately do that for all events (including the `terminate` one), we need to get the data as late as possible.
 * Memory: We want to get the memory as late as possible to get the most accurate number possible.

I'm not very happy with the name and as always, better suggestions would be much appreciated.

This is an extract from #9168

Commits
-------

5cedea2 [HttpKernel] added LateDataCollectorInterface
9c4bc9a [HttpKernel] decoupled TraceableEventDispatcher and Profiler
2013-09-30 17:42:20 +02:00
Fabien Potencier 0f80916313 feature#6554 [Security] Added Security\Csrf sub-component with better token generation (bschussek)
This PR was merged into the master branch.

Discussion
----------

[Security] Added Security\Csrf sub-component with better token generation

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | TODO

**Update September 27, 2013**

This PR simplifies the CSRF mechanism to generate completely random tokens. A random token is generated once per ~~intention~~ token ID and then stored in the session. Tokens are valid until the session expires.

Since the CSRF token generator depends on `StringUtils` and `SecureRandom` from Security\Core, and since Security\Http currently depends on the Form component for token generation, I decided to add a new Security\Csrf sub-component that contains the improved CSRF token generator. Consequences:

* Security\Http now depends on Security\Csrf instead of Form
* Form now optionally depends on Security\Csrf
* The configuration for the "security.secure_random" service and the "security.csrf.*" services was moved to FrameworkBundle to guarantee BC

In the new Security\Csrf sub-component, I tried to improve the naming where I could do so without breaking BC:

* CSRF "providers" are now called "token generators"
* CSRF "intentions" are now called "token IDs", because that's really what they are

##### TODO

- [ ] The documentation needs to be checked for references to the configuration of the application secret. Remarks that the secret is used for CSRF protection need to be removed.
- [ ] Add aliases "csrf_token_generator" and "csrf_token_id" for "csrf_provider" and "intention" in the SecurityBundle configuration
- [x] Make sure `SecureRandom` never blocks for `CsrfTokenGenerator`

Commits
-------

7f02304 [Security] Added missing PHPDoc tag
2e04e32 Updated Composer dependencies to require the Security\Csrf component where necessary
bf85e83 [FrameworkBundle][SecurityBundle] Added service configuration for the new Security CSRF sub-component
2048cf6 [Form] Deprecated the CSRF implementation and added an optional dependency to the Security CSRF sub-component instead
85d4959 [Security] Changed Security HTTP sub-component to depend on CSRF sub-component instead of Form
1bf1640 [Security] Added CSRF sub-component
2013-09-30 17:35:08 +02:00
Fabien Potencier 164c1cbfec feature#9171 [Form] Rewrite boolean attributes to match HTML spec (bschussek)
This PR was merged into the master branch.

Discussion
----------

[Form] Rewrite boolean attributes to match HTML spec

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Same as #7856

> 'The presence of a boolean attribute on an element represents the true value, and the absence of the attribute represents the false value.' - http://www.w3.org/html/wg/drafts/html/master/infrastructure.html#boolean-attribute

This commit modifies widget_container_attributes and widget_attributes so that:

* `true` values render as the attribute name with the attribute name repeated as the value
* `false` values are not rendered

The comparison is strict using sames() in twig.

Previously `false` values would have been rendered as `some-attribute=""` which according to the spec would actually make them a boolean attribute and therefore equal to true.

Commits
-------

b85577b [Form] Improved test coverage of widget_attributes and widget_container_attributes blocks
8e4c2a7 [Form] Rewrite boolean attributes to match HTML spec
2013-09-30 15:57:18 +02:00
Bernhard Schussek 7f02304654 [Security] Added missing PHPDoc tag 2013-09-30 15:41:48 +02:00
Bernhard Schussek 2e04e32c8f Updated Composer dependencies to require the Security\Csrf component where necessary 2013-09-30 14:39:06 +02:00
Bernhard Schussek b85577bb96 [Form] Improved test coverage of widget_attributes and widget_container_attributes blocks 2013-09-30 14:32:22 +02:00
Leevi Graham 8e4c2a7e65 [Form] Rewrite boolean attributes to match HTML spec
'The presence of a boolean attribute on an element represents the true value, and the absence of the attribute represents the false value.'

- http://www.w3.org/html/wg/drafts/html/master/infrastructure.html#boolean-attribute
2013-09-30 14:07:49 +02:00
Fabien Potencier e281d7748e bug#8809 [Form] enforce correct timezone (Burgov)
This PR was merged into the 2.2 branch.

Discussion
----------

[Form] enforce correct timezone

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | not sure if this is a BC break...
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

I'm using the Form component to handle JSON requests which come from AJAX requests. The JSON is formed by the Angular toJson method.

A typical request would be:
```
{
  "name": "Some name",
  "start": "2013-08-21T05:00:00.000Z",
  "end": "2013-08-21T15:00:00.000Z"
}
```

Note that in this case, what I entered in my input boxes are 7:00 for start and 17:00 for end times. As you can see, Angular (or Chrome, I'm not sure), converts this to the "Z" timezone. Since I cannot enforce the correct timezone client side, the timezone will differ from the one configured in the DateTimeType, however, instead of resulting in either an error or a conversion to the correct timezone, I get a datetime object in the wrong timezone, eventually resulting in wrong values in the database.

By checking the required output timezone against the actual timezone of the input datetime object, rather than the expected timezone supplied, this problem is solved.

Commits
-------

b0349a1 [Form] check the required output timezone against the actual timezone of the input datetime object, rather than the expected timezone supplied
2013-09-30 12:22:54 +02:00
Fabien Potencier e0d3573454 Revert "merged branch Tobion/flattenexception (PR #9111)"
This reverts commit 53b2048c4c, reversing
changes made to c60a8e962b.
2013-09-30 11:54:26 +02:00
Fabien Potencier 5cedea2c07 [HttpKernel] added LateDataCollectorInterface 2013-09-30 10:54:48 +02:00
Fabien Potencier 9c4bc9a0ed [HttpKernel] decoupled TraceableEventDispatcher and Profiler 2013-09-30 10:52:26 +02:00
Fabien Potencier 59409b47c8 fixed wrong merge 2013-09-29 21:54:28 +02:00
Fabien Potencier d10dec9bf3 Merge branch '2.3'
* 2.3:
  fixed Client when using the terminable event
  Fix problem with Windows file links (backslash in JavaScript string)
  [Security] fixed wrong phpdoc
  [DependencyInjection] Prevented inlining of lazy loaded private service definitions.
  [Routing] removed extra argument
  [HttpFoundation] Header `HTTP_X_FORWARDED_PROTO` can contain various values Some proxies use `ssl` instead of `https`, as well as Lighttpd mod_proxy allows value chaining (`https, http`, where `https` is always first when request is encrypted).
  Added doc comments

Conflicts:
	src/Symfony/Component/Routing/Router.php
	src/Symfony/Component/Security/Http/Firewall.php
2013-09-29 21:43:28 +02:00
Fabien Potencier bc256f9da4 Merge branch '2.2' into 2.3
* 2.2:
  fixed Client when using the terminable event
  Fix problem with Windows file links (backslash in JavaScript string)
  [Security] fixed wrong phpdoc
  [Routing] removed extra argument
  [HttpFoundation] Header `HTTP_X_FORWARDED_PROTO` can contain various values Some proxies use `ssl` instead of `https`, as well as Lighttpd mod_proxy allows value chaining (`https, http`, where `https` is always first when request is encrypted).
  Added doc comments

Conflicts:
	src/Symfony/Component/HttpFoundation/Request.php
2013-09-29 21:41:41 +02:00
Fabien Potencier 66d0b18deb bug#9169 Fixed client insulation when using the terminable event (fabpot)
This PR was merged into the 2.2 branch.

Discussion
----------

Fixed client insulation when using the terminable event

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

Commits
-------

8c8cf62 fixed Client when using the terminable event
2013-09-29 21:40:44 +02:00
Fabien Potencier 8c8cf62038 fixed Client when using the terminable event 2013-09-29 21:31:28 +02:00
Fabien Potencier 44b890ee68 fixed a typo 2013-09-29 20:27:12 +02:00
Fabien Potencier 0d3900fbb4 bug#9166 [HttpKernel] added missing argument to listener call (fabpot)
This PR was merged into the master branch.

Discussion
----------

[HttpKernel] added missing argument to listener call

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | na
| License       | MIT
| Doc PR        | n/a

When calling a listener, the dispatcher now must pass the event name and the dispatcher (see 7852), but the traceable event dispatcher did not do that.

Commits
-------

e26ae45 [HttpKernel] added missing argument to listener call
2013-09-29 19:44:49 +02:00
Fabien Potencier e26ae45a42 [HttpKernel] added missing argument to listener call 2013-09-29 16:28:25 +02:00
Fabien Potencier a46ff2fc59 bug#9154 Fix problem with Windows file links (backslash in JavaScript string) (fabpot)
This PR was submitted for the master branch but it was merged into the 2.2 branch instead (closes #9154).

Discussion
----------

Fix problem with Windows file links (backslash in JavaScript string)

This PR was submitted on the symfony/WebProfilerBundle read-only repository and moved automatically to the main Symfony repository (closes symfony/WebProfilerBundle#5).

When you have set php.ini setting xdebug.file_link_format, under Windows this window.location call here isn't escaped properly, so it results in something like:

```HTML
<span class="sf-toolbar-info-method" onclick="window.location='pstorm://open/?url=file://F:\HtDocs\myproject\src\Foo\Core\Controller\PageController.php&amp;line=28';window.event.stopPropagation();return false;">
    pageAction
</span>
```

All backslashes in window.location are treated as escape sequences, which results in an incorrect link:
pstorm://open/?url=file://F:HtDocsmyprojectsrcFooCoreControllerPageController.php&line=28

So clicking this link my IDE (phpStorm) couldn't find that file.

The patch fixes this by escaping the backslashes.

Commits
-------

03c6027 Fix problem with Windows file links (backslash in JavaScript string)
2013-09-27 23:42:26 +02:00
Thomas Schulz 5e2ac93f98 Fix problem with Windows file links (backslash in JavaScript string) 2013-09-27 23:42:26 +02:00
Fabien Potencier a38318b218 bug#9153 [DependencyInjection] Prevented inlining of lazy loaded private service definitions (jakzal)
This PR was merged into the 2.3 branch.

Discussion
----------

[DependencyInjection] Prevented inlining of lazy loaded private service definitions

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #9136
| License       | MIT
| Doc PR       |

Commits
-------

bb0125b [DependencyInjection] Prevented inlining of lazy loaded private service definitions.
2013-09-27 21:46:26 +02:00
Fabien Potencier 27cc10c660 [Security] fixed wrong phpdoc 2013-09-27 18:31:48 +02:00
Fabien Potencier 331043f421 feature#9150 [Filesystem] introduced new Exception base classes (fabpot)
This PR was merged into the master branch.

Discussion
----------

[Filesystem] introduced new Exception base classes

The Filesystem class now throws a `FileNotFoundException` if a file could not be found, rather than a basic `IOException`. The new exception is still a child of the `IOException`; this way it doesn't break BC.
The `IOException` now also takes as the first argument a path to the file of interest, which can be used via the `getPath()` method.

The switch to the FilesystemInterface will allow you to have an implementation accessing S3 or Dropbox, etc. and still inject it into classes which require the Filesystem.

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | ~
| Doc PR        | symfony/symfony-docs#2947

Commits
-------

c2e43d0 [Filesystem] removed getPath() on Exceptions and cleaned up CS and error messages
785080a [Filesystem] introduced new Exception base classes
2013-09-27 18:26:45 +02:00
Fabien Potencier a86b35fd7f feature#9151 [HttpKernel] made the cache key generation configurable for the default HttpCache store (fabpot)
This PR was merged into the master branch.

Discussion
----------

[HttpKernel] made the cache key generation configurable for the default HttpCache store

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #9088
| License       | MIT
| Doc PR        | n/a

Commits
-------

780b77a [HttpKernel] made the cache key generation configurable for the default HttpCache store
2013-09-27 18:24:27 +02:00
Fabien Potencier 780b77af58 [HttpKernel] made the cache key generation configurable for the default HttpCache store 2013-09-27 17:49:58 +02:00
Fabien Potencier 757efb656e bug#9103 [HttpFoundation] Header `HTTP_X_FORWARDED_PROTO` can contain various values (stloyd)
This PR was merged into the 2.2 branch.

Discussion
----------

[HttpFoundation] Header `HTTP_X_FORWARDED_PROTO` can contain various values

Header `HTTP_X_FORWARDED_PROTO` can contain various values. Some proxies use `ssl` instead of `https`, as well as Lighttpd mod_proxy allows value chaining (`https, http`, where `https` is always first when request is encrypted).

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Tests pass?   | yes
| Fixed tickets | #9101
| License       | MIT

Commits
-------

d997443 [HttpFoundation] Header `HTTP_X_FORWARDED_PROTO` can contain various values Some proxies use `ssl` instead of `https`, as well as Lighttpd mod_proxy allows value chaining (`https, http`, where `https` is always first when request is encrypted).
2013-09-27 17:05:15 +02:00
Fabien Potencier 279a686fcf minor#8823 [Security] [2.2] Added doc comments and missing use statement (piotrantosik)
This PR was merged into the 2.2 branch.

Discussion
----------

[Security] [2.2] Added doc comments and missing use statement

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Commits
-------

7ee39a6 Added doc comments
2013-09-27 17:00:06 +02:00
Fabien Potencier c2e43d0aa4 [Filesystem] removed getPath() on Exceptions and cleaned up CS and error messages 2013-09-27 16:57:51 +02:00
Christian Gartner 785080ab02 [Filesystem] introduced new Exception base classes 2013-09-27 16:40:55 +02:00
Fabien Potencier c817539949 [Process] fixed tests 2013-09-27 16:31:42 +02:00
Fabien Potencier 500ddf3494 feature#8191 [Process] Added ProcessBuilder::setEnvironmentVariables (lyrixx)
This PR was merged into the master branch.

Discussion
----------

[Process] Added ProcessBuilder::setEnvironmentVariables

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Commits
-------

b46ebf7 [Process] Added ProcessBuilder::addEnvironmentVariables
2013-09-27 16:30:49 +02:00
Fabien Potencier 96c5659028 feature#9148 [PropertyAccessor] Throw exception on nonexistant "index" on read access (fabpot)
This PR was merged into the master branch.

Discussion
----------

[PropertyAccessor] Throw exception on nonexistant "index" on read access

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | a kind of?
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | 7881
| License       | MIT
| Doc PR        |

See discussion on issue #7881.

Commits
-------

e73742a [PropertyAccess] Throw exception on nonexistant "index" on read access
2013-09-27 16:17:45 +02:00
Stephane Escandell e73742a25d [PropertyAccess] Throw exception on nonexistant "index" on read access 2013-09-27 16:14:57 +02:00
Fabien Potencier 9f35ca5ea1 Merge branch '2.3'
* 2.3:
  bumped Symfony version to 2.3.6
  updated VERSION for 2.3.5
  updated CHANGELOG for 2.3.5
  Set cost type to integer
  bumped Symfony version to 2.2.9
  updated VERSION for 2.2.8
  updated CHANGELOG for 2.2.8
  bumped the version
  fixed typo
  updated VERSION for 2.2.7
  update CONTRIBUTORS for 2.2.7
  updated CHANGELOG for 2.2.7
  bugix: CookieJar returns cookies with domain "domain.com" for domain "foodomain.com"
  fixed HTML5 form attribute handling XPath query
  Removed old way of building icu data.

Conflicts:
	src/Symfony/Component/HttpKernel/Kernel.php
2013-09-27 16:07:49 +02:00