This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671)
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no*
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
| CVE Ticket | [CVE-2014-4671](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671)
| See Also | [Rosetta Flash](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)
\* Unless you are parsing the response string manually, which you really shouldn't do anyway
**THIS IS A SECURITY FIX AND SHOULD BE MERGED SHORTLY**
This fix prevents attacks vectors where third-party browser plugins depends on ASCII magic bytes in order to execute a plugin. This is currently exploited with Flash using a carefully crafted JSONP response, allowing the execution of random SWF data from a domain with a vulnerable JSONP endpoint.
This security issue is mitigated by adding an empty comment right before the callback parameter. This does not affect the execution of the JSONP callback.
Commits
-------
6af3d05 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses (Prevents CVE-2014-4671)
This PR was squashed before being merged into the 2.5 branch (closes#11284).
Discussion
----------
[Console] Remove estimated field from debug_nomax
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11281
| License | MIT
| Doc PR |
Commits
-------
2ac1bb4 [Console] Remove estimated field from debug_nomax
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3] [Validator] Fix UserPassword validator translation
| Q | A
| ------------- | ---
| Fixed tickets | None
| License | MIT
Fixes the UserPassword translation message only for 2.3 as discussed in symfony/symfony#11383.
Commits
-------
73d50ed Fix UserPassword validator translation
This PR was merged into the 2.6-dev branch.
Discussion
----------
Allow xdebug.file_link_format from php ini to work when xdebug extension is not loaded
Q | A
----------------- | ---------------
Bug fix? | yes
New feature? | no
BC breaks? | no
Deprecations? | no
Tests pass? | yes
Fixed tickets | #11081
License | MIT
Doc PR | N/A
Complete the PR https://github.com/symfony/symfony/pull/11081
Commits
-------
8b2397c Applyied code review
97e07d5 Check for xdebug link format via both ini_get and get_cfg_var
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3][HttpFoundation] Fix wrong assertion in Response test
| Q | A
| ------------- | ---
| Bug fix? | kinda
| New feature? | no
| BC breaks? | no
| Tests pass? | yes
| License | MIT
Commits
-------
3d63f80 [HttpFoundation] Fix wrong assertion in Response test
This PR was squashed before being merged into the 2.6-dev branch (closes#10960).
Discussion
----------
[Filesystem] Throw Exception on copying from an unreadable file or to an unwritable file
| Q | A |
| ------------- | ------------- |
| Bug fix? | No |
| New feature? | No |
| BC breaks? | No |
| Deprecations? | No |
| Tests pass? | Yes |
| Fixed tickets | |
| License | MIT |
In certain circumstances (overwrite set to true, target file not writable), Filesystem->copy() would return success even though the file was not successfully copied. Unit tests included.
Commits
-------
cd5da9b [Filesystem] Throw Exception on copying from an unreadable file or to an unwritable file
This PR was merged into the 2.4 branch.
Discussion
----------
Added verbosity methods to NullOutput
These 4 methods were not added to the OutputInterface because of BC, but they should still be implemented in all classes which implement that interface. Otherwise we have to do nasty tricks...
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
0459249 Added verbosity methods
This PR was merged into the 2.6-dev branch.
Discussion
----------
[HttpFoundation] Added a switch to delete file after the response is send
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | symfony/symfony-docs#3975
I have not done any Unit Tests for this code as I suspect there may already be a way to solve my problem of deleting a file after the request was sent. Is it possible to use `sendContent` and delete the file after that? My attempts were unsuccessful.
If this code is desirable, please assist me in how I would write an unit test for this. Thanks.
TODO:
- [x] Add unit tests
- [x] Update documentation
- [x] Mention that using `X-Sendfile` will overwrite deleteFileAfterSend
Commits
-------
1fff158 [HttpFoundation] Added a switch to delete file after the response is send
* 2.5:
added missing test
fixed CS
[HttpFoundation] Remove content-related headers if content is empty
bumped Symfony version to 2.5.2
bumped Symfony version to 2.4.8
updated VERSION for 2.5.1
updated CHANGELOG for 2.5.1
removed defaults from PHPUnit configuration
Conflicts:
src/Symfony/Component/HttpKernel/Kernel.php
* 2.4:
added missing test
fixed CS
[HttpFoundation] Remove content-related headers if content is empty
bumped Symfony version to 2.4.8
removed defaults from PHPUnit configuration
Conflicts:
src/Symfony/Component/HttpKernel/Kernel.php
This PR was merged into the 2.6-dev branch.
Discussion
----------
[FrameworkBundle] Use ProcessHelper for server:run command
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
Let's use our new process helper :)
Commits
-------
6ca1c90 [FrameworkBundle] Use ProcessHelper for server:run command
a5f36a8 [Console] Add threshold for ProcessHelper verbosity
This PR was merged into the 2.3 branch.
Discussion
----------
remove defaults from PHPUnit configuration
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | --
| License | MIT
| Doc PR | --
Follow-up to #11329.
Commits
-------
afc4930 removed defaults from PHPUnit configuration
* 2.5:
updated VERSION for 2.4.7
updated CHANGELOG for 2.4.7
bumped Symfony version to 2.3.18
updated VERSION for 2.3.17
update CONTRIBUTORS for 2.3.17
updated CHANGELOG for 2.3.17
added XSD to PHPUnit configuration
fix the return types
add missing docblock for ProcessBuilder::addEnvironmentVariables()
bug #11319 [HttpKernel] Ensure the storage exists before purging it in ProfilerTest
[Translation] Added unescaping of ids in PoFileLoader
updated italian translation for validation messages
[DomCrawler] Fix docblocks and formatting.
[DomCrawler] Remove the query string and the anchor of the uri of a link
Simplified the Travis test command
Remove Expression Language services when the component is unavailable
Added SK translations
[Console] Make sure formatter is the same
* 2.4:
updated VERSION for 2.4.7
updated CHANGELOG for 2.4.7
bumped Symfony version to 2.3.18
updated VERSION for 2.3.17
update CONTRIBUTORS for 2.3.17
updated CHANGELOG for 2.3.17
added XSD to PHPUnit configuration
add missing docblock for ProcessBuilder::addEnvironmentVariables()
bug #11319 [HttpKernel] Ensure the storage exists before purging it in ProfilerTest
[Translation] Added unescaping of ids in PoFileLoader
updated italian translation for validation messages
[DomCrawler] Fix docblocks and formatting.
[DomCrawler] Remove the query string and the anchor of the uri of a link
Simplified the Travis test command
Remove Expression Language services when the component is unavailable
[Console] Make sure formatter is the same
Conflicts:
src/Symfony/Component/HttpKernel/Kernel.php
* 2.3:
bumped Symfony version to 2.3.18
updated VERSION for 2.3.17
update CONTRIBUTORS for 2.3.17
updated CHANGELOG for 2.3.17
added XSD to PHPUnit configuration
bug #11319 [HttpKernel] Ensure the storage exists before purging it in ProfilerTest
[Translation] Added unescaping of ids in PoFileLoader
updated italian translation for validation messages
[DomCrawler] Fix docblocks and formatting.
[DomCrawler] Remove the query string and the anchor of the uri of a link
Simplified the Travis test command
[Console] Make sure formatter is the same
Conflicts:
src/Symfony/Component/HttpKernel/Kernel.php
