* 3.4:
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to \"true\"
do not validate passwords when the hash is null
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
* 4.4:
Fixed translations file dumper behavior
When set, get secret from config variable
[FrameworkBundle] Set the parameter bag as resolved in ContainerLintCommand
[SecurityBundle] Fix switch_user provider configuration handling
* 5.0:
[DI] auto-register singly implemented interfaces by default
[DI] fix overriding existing services with aliases for singly-implemented interfaces
remove service when base class is missing
do not depend on the QueryBuilder from the ORM
[Security/Http] call auth listeners/guards eagerly when they "support" the request
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[HttpClient] remove conflict rule with HttpKernel that prevents using the component in Symfony 3.4
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
Fix compatibility with Monolog 2
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
Changing the multipart form-data behavior to use the form name as an array, which makes it recognizable as an array by PHP on the $_POST globals once it is coming from the HttpClient component
* 4.4:
[DI] auto-register singly implemented interfaces by default
[DI] fix overriding existing services with aliases for singly-implemented interfaces
remove service when base class is missing
do not depend on the QueryBuilder from the ORM
[Security/Http] call auth listeners/guards eagerly when they "support" the request
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[HttpClient] remove conflict rule with HttpKernel that prevents using the component in Symfony 3.4
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
Changing the multipart form-data behavior to use the form name as an array, which makes it recognizable as an array by PHP on the $_POST globals once it is coming from the HttpClient component
* 4.3:
[Messenger] add tests to FailedMessagesShowCommand
Fix the translation commands when a template contains a syntax error
[Security] Fix clearing remember-me cookie after deauthentication
[Validator] Update Slovenian translations
[Config][ReflectionClassResource] Handle parameters with undefined constant as their default values
fix dumping number-like string parameters
Fix CI
[Console] Fix autocomplete multibyte input support
[Config] don't break on virtual stack frames in ClassExistenceResource
more robust initialization from request
* 5.0: (47 commits)
reset the kernel cache after each test
[HttpKernel] Ability to define multiple kernel.reset tags
[Routing] Continue supporting single colon in object route loaders
[FWBundle] Remove unused parameter
[Intl] [Workflow] fixes English grammar typos
[Filesystem] [Serializer] fixes English grammar typo
mailer: mailchimp bridge is throwing undefined index _id when setting message id in mandrill http transport
has_roles should be is_granted in security upgrade file
has_roles should be is_granted in upgrade files
[HttpClient] Fix early cleanup of pushed HTTP/2 responses
skip test on incompatible PHP versions
[HttpKernel] Don't cache "not-fresh" state
Drop WebServerBundle directory
[FrameworkBundle][Cache] Don't deep-merge cache pools configuration
[Messenger] Adding exception to amqp transport in case amqp ext is not installed
[SecurityBundle] Don't require a user provider for the anonymous listener
[DoctrineBridge] Fixed cs in DoctrineType
[Monolog Bridge] Fixed accessing static property as non static.
Improve Symfony description
[Mailer] Add UPGRADE entries about Envelope and MessageEvent
...
* 4.4: (38 commits)
reset the kernel cache after each test
[HttpKernel] Ability to define multiple kernel.reset tags
[Routing] Continue supporting single colon in object route loaders
[FWBundle] Remove unused parameter
[Intl] [Workflow] fixes English grammar typos
[Filesystem] [Serializer] fixes English grammar typo
mailer: mailchimp bridge is throwing undefined index _id when setting message id in mandrill http transport
has_roles should be is_granted in upgrade files
[HttpClient] Fix early cleanup of pushed HTTP/2 responses
skip test on incompatible PHP versions
[HttpKernel] Don't cache "not-fresh" state
[FrameworkBundle][Cache] Don't deep-merge cache pools configuration
[Messenger] Adding exception to amqp transport in case amqp ext is not installed
[SecurityBundle] Don't require a user provider for the anonymous listener
[Monolog Bridge] Fixed accessing static property as non static.
Improve Symfony description
[Mailer] Add UPGRADE entries about Envelope and MessageEvent
[FrameworkBundle] fix leftover mentioning "secret:" processor
Add DateTimeZoneNormalizer into Dependency Injection
[Messenger] Error when specified default bus is not among the configured
...
* 5.0:
[Routing] fix tests
[DI] minor cleanup
[Form] group constraints when calling the validator
Remove wrong @group legacy annotations
[DependencyInjection] Fix dumping multiple deprecated aliases
allow button names to start with uppercase letter
Allow PHP ^7.2.5
States that the HttpClient provides a Http Async implementation
[Routing] Fix ContainerLoader and ObjectLoaderTest
[HttpKernel] Make ErrorListener::onKernelException()'s dispatcher argument explicit
[HttpKernel] Drop deprecated ExceptionListener
Removed extra whitespace
[Security] Fix best encoder not wired using migrate_from
* 4.4: (23 commits)
[HttpFoundation] fix docblock
[HttpKernel] Flatten "exception" controller argument if not typed
Fix MySQL column type definition.
Link the right file depending on the new version
[Cache] Redis Tag Aware warn on wrong eviction policy
[HttpClient] fix HttpClientDataCollector
[HttpKernel] collect bundle classes, not paths
[Config] fix id-generation for GlobResource
[HttpKernel] dont check cache freshness more than once per process
[Finder] Allow ssh2 stream wrapper for sftp
[FrameworkBundle] fix wiring of httplug client
add FrameworkBundle requirement
[SecurityBundle] add tests with empty authenticator
[Security] always check the token on non-lazy firewalls
[DI] Use reproducible entropy to generate env placeholders
[WebProfilerBundle] Require symfony/twig-bundle
[Mailer] Add UPGRADE entry about the null transport DSN
bumped Symfony version to 4.3.9
updated VERSION for 4.3.8
updated CHANGELOG for 4.3.8
...
* 4.4:
[Console] Constant STDOUT might be undefined.
Add missing conflict with symfony/serializer <4.4
Allow returning null from NormalizerInterface::normalize
bumped Symfony version to 4.4.0
updated VERSION for 4.4.0-BETA1
updated CHANGELOG for 4.4.0-BETA1
[Security\Core] throw AccessDeniedException when switch user fails
[Mime] fix guessing mime-types of files with leading dash
[HttpFoundation] fix guessing mime-types of files with leading dash
[VarExporter] fix exporting some strings
[Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances
Use constant time comparison in UriSigner
* 4.3:
[Console] Constant STDOUT might be undefined.
Allow returning null from NormalizerInterface::normalize
[Security\Core] throw AccessDeniedException when switch user fails
[Mime] fix guessing mime-types of files with leading dash
[HttpFoundation] fix guessing mime-types of files with leading dash
[VarExporter] fix exporting some strings
[Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances
Use constant time comparison in UriSigner
* 4.4: (39 commits)
[Console] Fix#33915, Detect dimensions using mode CON if vt100 is supported
[PhpUnitBridge] Also search for composer.phar in git root folder
[HttpKernel][DataCollectorInterface] Ease compatibility
Add tests to ensure defaultLocale is properly passed to the URL generator
[DependencyInjection] Fix broken references in tests
[VarDumper] display the method we're in when dumping stack traces
[HttpClient] Retry safe requests when then fail before the body arrives
[Console] Rename some methods related to redraw frequency
Avoid using of kernel after shutdown
Simplify PHP CS Fixer configuration
[PropertyInfo] Fixed type extraction for nullable collections of non-nullable elements
[FrameworkBundle] [HttpKernel] fixed correct EOL and EOM month
Fix CS
[Serializer] Fix property name usage for denormalization
Name test accordingly to the tested class
Fix MockFileSessionStorageTest::sessionDir being used after it's unset
[Security] Fix SwitchUserToken wrongly deauthenticated
Supporting Bootstrap 4 custom switches
Add new Form WeekType
bumped Symfony version to 4.3.7
...
This PR was merged into the 4.4 branch.
Discussion
----------
[ErrorRenderer] Show generic message in non-debug mode
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
I agree with @Tobion here https://github.com/symfony/symfony/pull/34158#issuecomment-548181099, so let's always show the detail message, but for 5xx errors we'll send a generic message instead.
/cc @dunglas wdyt?
Commits
-------
45f1a5ee06 Show generic message in non-debug mode
This PR was merged into the 4.4 branch.
Discussion
----------
[DI] Add compiler pass and command to check that services wiring matches type declarations
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #27744
| License | MIT
| Doc PR |
PR replacing https://github.com/symfony/symfony/pull/27825.
It adds a `lint:container` command asserting the type hints used in your code are correct.
Commits
-------
8230a1543e Make it really work on real apps
4b3e9d4c96 Fix comments, improve the feature
a6292b917b [DI] Add compiler pass to check arguments type hint
This PR was merged into the 4.3 branch.
Discussion
----------
[4.3] Remove unused local variables
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Follow up of https://github.com/symfony/symfony/pull/34105 on 4.3.
Commits
-------
58161b8eec [4.3] Remove unused local variables
* 4.4:
[Config] Disable default alphabet sorting in glob function due of unstable sort
[HttpClient] always return the empty string when the response cannot have a body
[TwigBundle][exception] Added missing css variable to highlight line in trace
[Serializer] Improve messages for unexpected resources values
[SecurityBundle] correct types for default arguments for firewall configs
* 4.3:
[Config] Disable default alphabet sorting in glob function due of unstable sort
[HttpClient] always return the empty string when the response cannot have a body
[TwigBundle][exception] Added missing css variable to highlight line in trace
[Serializer] Improve messages for unexpected resources values
[SecurityBundle] correct types for default arguments for firewall configs
* 3.4:
[Config] Disable default alphabet sorting in glob function due of unstable sort
[Serializer] Improve messages for unexpected resources values
[SecurityBundle] correct types for default arguments for firewall configs
* 4.4:
Re-allow to use "tagged" in service definitions
[HttpFoundation] Allow to not pass a parameter to Request::isMethodSafe()
Add missing lock connection string in FrameworkExtension
[DomCrawler] normalizeWhitespace should be true by default
[DoctrineBridge] Auto-validation must work if no regex are passed
Allows URL DSN in Lock and Cache
* 4.4:
[OptionsResolve] Revert change in tests for a not-merged change in code
[HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
[Workflow] Made the configuration more robust for the 'property' key
[Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible
[FrameworkBundle] make SodiumVault report bad decryption key accurately
cs fix
[Security] Allow to set a fixed algorithm
[Security/Core] make encodedLength computation more generic
[Security/Core] add fast path when encoded password cannot match anything
#30432 fix an error message
fix paths to detect code owners
[HttpClient] ignore the body of responses to HEAD requests
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
[SecurityBundle] Fix wrong assertion
Remove unused local variables in tests
[Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
Make sure to collect child forms created on *_SET_DATA events
[WebProfilerBundle] Improve display in Email panel for dark theme
do not render errors for checkboxes twice
* 4.3:
[OptionsResolve] Revert change in tests for a not-merged change in code
[HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
[Workflow] Made the configuration more robust for the 'property' key
[Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible
#30432 fix an error message
fix paths to detect code owners
[HttpClient] ignore the body of responses to HEAD requests
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
[SecurityBundle] Fix wrong assertion
Remove unused local variables in tests
[Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
Make sure to collect child forms created on *_SET_DATA events
[WebProfilerBundle] Improve display in Email panel for dark theme
do not render errors for checkboxes twice
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] correct types for default arguments for firewall configs
| Q | A
| ------------- | ---
| Branch? | 3.4 (and forward)
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | n/a
Up until now, the default template arguments in the `security.firewall.config` abstract service definition have been each defined (aside from the argument for `$listeners` which is given a `collection` type) in the XML as
```xml
<argument />
```
which resolves to an empty string, despite that some of the arguments are typed to being either `bool` or `array|null` on the `Symfony\Bundle\SecurityBundle\Security\FirewallConfig` class itself.
This wouldn't be so much of a problem if the child definitions that use this as a template overrode all the arguments every time, but in the case of firewall configs that mark security as _not_ being enabled, [only the first few arguments are overwritten](https://github.com/symfony/symfony/blob/3.4/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php#L349-L352), so firewall config objects that do not have security enabled are instantiated by the DI container with parameters with some of the wrong types.
In general this wouldn't be an issue, as firewalls with security not enabled would not usually be consumed in a context where further security-related config were needed, but there is a case in `Symfony\Bundle\SecurityBundle\DataCollector\SecurityDataCollector` where the method `getSwitchUser()` on the firewall config object [can be called](https://github.com/symfony/symfony/blob/3.4/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php#L181) without checking first whether the firewall has security enabled, which leads to an exception being thrown:
```
Symfony\Component\Debug\Exception\ContextErrorException
Warning: Illegal string offset 'parameter'
in vendor/symfony/symfony/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php (line 184)
```
which is down to the firewall config being set with an empty string rather than `null` (in which case the logic here would function as expected).
It seemed most appropriate as a fix (especially given possible introduction of scalar type hints in the future) to apply types to the default arguments so that it was no longer possible to instantiate a firewall config object with parameters of unexpected types.
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch 4.4.
- Legacy code removals go to the master branch.
-->
Commits
-------
6b7044fc01 [SecurityBundle] correct types for default arguments for firewall configs
* 3.4:
#30432 fix an error message
fix paths to detect code owners
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
Remove unused local variables in tests
Make sure to collect child forms created on *_SET_DATA events
do not render errors for checkboxes twice
* 4.4:
[Validator] Set Length::$allowEmptyString to false when a NotBlank contraint is defined
[FrameworkBundle] Dont reset the test container but the real one instead
Import missing classes
[SecurityBundle] test with doctrine-bundle 2
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle] Don't reset the test container but the real one instead
| Q | A
| ------------- | ---
| Branch? | 4.4 for features / 3.4 or 4.3 for bug fixes <!-- see below -->
| Bug fix? | yes/no
| New feature? | yes/no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | yes/no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix #... <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | -
After #31202 and #32056, the tearDown method keeps throwing deprecation notices about "Getting the container from a non-booted kernel". The reason is that resetting the test-container calls `$kernel->getContainer()` while the kernel has been shut down.
This fixes it and a few other glitches found meanwhile.
Commits
-------
8e16143256 [FrameworkBundle] Dont reset the test container but the real one instead
This PR was merged into the 4.4 branch.
Discussion
----------
[SecurityBundle] test with doctrine-bundle 2
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
e3261f4f7f [SecurityBundle] test with doctrine-bundle 2
* 4.4:
[Debug] remove return types that break FC badly
[Mailer][MailchimpBridge] Don't send address names if empty string
[ExpressionLanguage][Lexer] Exponential format for number
[Mailer] Fix SES Message Id retrieval
Add .gitignore to .gitattributes
* 4.4: (26 commits)
cs fix
[Validator] sync NO and NB translations
[Cache] improve perf of pruning for fs-based adapters
[Cache] cs fix
[Cache] clean tags folder on invalidation
[Cache] remove implicit dependency on symfony/filesystem
Allow to set cookie_samesite to 'none'
[Dotenv] support setting default env var values
[VarDumper] fix array key error for class SymfonyCaster
[Cache] Improve RedisTagAwareAdapter invalidation logic & requirements
Adds missing translations for no nb
[HttpKernel] fix $dotenvVars in data collector
Add the missing translations for the Swedish ("sv") locale
Prevent ProgressBar redraw when message is same
[DI] enable improved syntax for defining method calls in Yaml
bumped Symfony version to 4.3.6
updated VERSION for 4.3.5
updated CHANGELOG for 4.3.5
bumped Symfony version to 3.4.33
updated VERSION for 3.4.32
...
* 4.3:
[Cache] clean tags folder on invalidation
[Cache] remove implicit dependency on symfony/filesystem
Allow to set cookie_samesite to 'none'
[VarDumper] fix array key error for class SymfonyCaster
Adds missing translations for no nb
[HttpKernel] fix $dotenvVars in data collector
Add the missing translations for the Swedish ("sv") locale
bumped Symfony version to 4.3.6
updated VERSION for 4.3.5
updated CHANGELOG for 4.3.5
bumped Symfony version to 3.4.33
updated VERSION for 3.4.32
update CONTRIBUTORS for 3.4.32
updated CHANGELOG for 3.4.32
[Messenger] DoctrineTransport: ensure auto setup is only done once
[Form][DateTimeImmutableToDateTimeTransformer] Preserve microseconds and use \DateTime::createFromImmutable() when available
[Crawler] document $default as string|null
* 4.4:
[travis] Fix build-packages script
Add types to constructors and private/final/internal methods (Batch III)
[HttpClient] Async HTTPlug client
[Messenger] Allow to configure the db index on Redis transport
[HttpClient] bugfix exploding values of headers
[VarDumper] Made all casters final
[VarDumper] Added a support for casting Ramsey/Uuid
Remove useless testCanCheckIfTerminalIsInteractive test case
[Validator] Add the missing translations for the Thai (\"th\") locale
[Routing] gracefully handle docref_root ini setting
[Validator] Fix ValidValidator group cascading usage
This PR was squashed before being merged into the 4.4 branch (closes#33770).
Discussion
----------
Add types to constructors and private/final/internal methods (Batch III)
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | #32179, #33228
| License | MIT
| Doc PR | N/A
Followup to #33709, this time with:
* Validator
* VarDumper
* Workflow
* Yaml
* all bridges
* all bundles
That should be the final batch. 😃
Commits
-------
6493902287 Add types to constructors and private/final/internal methods (Batch III)
* 4.4: (27 commits)
[Validator] add notice in UPGRADE file for new Range constraint option
[CssSelector] Support *:only-of-type pseudo class selector
[Intl] Update the ICU data to 65.1 (4.4 branch)
[Intl] Update the ICU data to 65.1 (4.3 branch)
Replace deprecated calls in tests
[Intl] Update the ICU data to 65.1
Delete 5_Security_issue.md
[DI] Whitelist error_renderer.renderer tag in UnusedTagsPass
[DI] Whitelist validator.auto_mapper in UnusedTagsPass
Update CHANGELOG.md
[HttpClient] Fixed#33832 NO_PROXY option ignored in NativeHttpClient::request() method
[EventDispatcher] A compiler pass for aliased userland events.
[Cache] give 100ms before starting the expiration countdown
[Cache] fix logger usage in CacheTrait::doGet()
[VarDumper] fix dumping uninitialized SplFileInfo
Added missing translations.
[Form] Added CountryType option for using alpha3 country codes
Fixed invalid changelog 4.0.0 for VarDumper
[Workflow] Fixed BC break on WorkflowInterface
Fix wrong expression language value
...
* 4.4:
sync phpunit script with master
[HttpFoundation] allow additinal characters in not raw cookies
[Console] Deprecate abbreviating hidden command names using Application->find()
Do not include hidden commands in suggested alternatives
[Messenger] Improve error message when routing to an invalid transport (closes#31613)
[DependencyInjection] Fix wrong exception when service is synthetic
[Security] add "anonymous: lazy" mode to firewalls
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] add "anonymous: lazy" mode to firewalls
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fixes#26769 et al.
| License | MIT
| Doc PR | -
Contains #33663 until it is merged.
This PR allows defining a firewall as such:
```yaml
security:
firewalls:
main:
anonymous: lazy
```
This means that the corresponding area should not start the session / load the user unless the application actively gets access to it. On pages that don't fetch the user at all, this means the session is not started, which means the corresponding token neither is. Lazily, when the user is accessed, e.g. via a call to `is_granted()`, the user is loaded, starting the session if needed.
See #27817 for previous explanations on the topic also.
Note that thanks to the logic in #33633, this PR doesn't have the drawback spotted in #27817: here, the profiler works as expected.
Recipe update pending at https://github.com/symfony/recipes/pull/649
Commits
-------
5cd1d7b4cc [Security] add "anonymous: lazy" mode to firewalls
* 4.4:
[Form][Validator][Intl] Fix tests
[Messenger] return empty envelopes when RetryableException occurs
[Intl] Excludes locale from language codes (split localized language names)
[FrameworkBundle] WebTestCase KernelBrowser::getContainer null return type
[Intl] Fix compile type errors
[Validator] Accept underscores in the URL validator as the URL will resolve correctly
[Translation] Collect original locale in case of fallback translation
Add types to constructors and private/final/internal methods (Batch I)
[HttpFoundation] optimize normalization of headers
Replace REMOTE_ADDR in trusted proxies with the current REMOTE_ADDR
[ErrorHandler] Forward \Throwable
Fix toolbar load when GET params are present in "_wdt" route
* 4.4:
[Security/Http] fix typo in deprecation message
[Security] Deprecate isGranted()/decide() on more than one attribute
Fixed a minor typo in the UPGRADE to 5.0 guide
Various tweaks 3.4
Various tweaks 4.3
[Security] Make stateful firewalls turn responses private only when needed
[PhpUnit] Fix usleep mock return value
Revert \"feature #33507 [WebProfiler] Deprecated intercept_redirects in 4.4 (dorumd)\"
[TwigBundle] typo
[TwigBundle] fix test case
[Lock] use Predis\ClientInterface instead of Predis\Client
Allow Twig 3
Minor tweaks
Fix version typo in deprecation notice
[Form][SubmitType] Add "validate" option
hint to the --parse-tags when parsing tags fails
Make legacy "wrong" RFC2047 encoding apply only to one header
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Make stateful firewalls turn responses private only when needed
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #26769 *et al.*
| License | MIT
| Doc PR | -
Replaces #28089
By taking over session usage tracking and replacing it with token usage tracking, we can prevent responses that don't actually use the token from turning responses private without changing anything to the lifecycle of security listeners. This makes the behavior much more seamless, allowing to still log the user with the monolog processor, and display it in the profiler toolbar.
This works by using two separate token storage services:
- `security.token_storage` now tracks access to the token and increments the session usage tracker when needed. This is the service that is injected in userland.
- `security.untracked_token_storage` is a raw token storage that just stores the token and is disconnected from the session. This service is injected in places where reading the session doesn't impact the generated output in any way (as e.g. in Monolog processors, etc.)
Commits
-------
20df3a125c [Security] Make stateful firewalls turn responses private only when needed
* 4.4:
Re-enable push support for HttpClient
[DependencyInjection] Accept existing interfaces as valid named args
Fixed incompatibility between ServiceSubscriberTrait and classes with protected $container property
[Cache] Added reserved characters constant for CacheItem
[DI] cascade preloading only to public parameters/properties
Move Anonymous config to a SecurityFactory
* 4.4: (21 commits)
[appveyor] exclude tty group
[HttpFoundation] Add types to private/final/internal methods and constructors.
Add types to private/final/internal methods and constructors.
SCA: minor code tweaks
Tweak output
[FrameworkBundle] Added --sort option for TranslationUpdateCommand
[HttpClient] fallbackto CURLMOPT_MAXCONNECTS when CURLMOPT_MAX_HOST_CONNECTIONS is not available
[DI] generate preload.php file for PHP 7.4 in cache folder
Allow version 2 of the contracts package.
[Serializer] Allow multi-dimenstion object array in AbstractObjectNormalizer
fixed typo
[HttpKernel] Fix Apache mod_expires Session Cache-Control issue
deprecated not passing dash symbol (-) to STDIN commands
[VarDumper] display ellipsed FQCN for nested classes
[VarDumper] Display fully qualified title
[Mailer] Change the syntax for DSNs using failover or roundrobin
Removed workaround introduced in 4.3
[Console] Added support for definition list
[OptionsResolver] Display full nested options hierarchy in exceptions
New welcome page
...
* 4.4:
[Debug] disable new DebugClassLoader when testing the legacy one
- updated AbstractToken to compare Roles - Updated isEqualTo method to match roles as default User implements EquatableInterface - added test case - bumped symfony/security-core to 4.4
typos bis
typos
Fix more bad tests
Fix test fixtures with deprecated method signatures.
Fix 4.3 tests forward compat
[Messenger] fix empty amqp body returned as false
[Mailer] Added messenger to dev dependencies.
[Validator] Update "suggest" section in composer.json.
Fix routing cache broken when using generator_class
* 4.3:
Fix more bad tests
Fix test fixtures with deprecated method signatures.
Fix 4.3 tests forward compat
[Messenger] fix empty amqp body returned as false
Fix routing cache broken when using generator_class
* 4.4:
[Validator] Deprecated CacheInterface in favor of PSR-6.
Fix wrong namespace
[Mailer] Fix typo
[Mailer] Fix an error message
maintain sender/recipient name in SMTP envelopes
[Mailer] Improve an exception when trying to send a RawMessage without an Envelope
Fix#32148 TransportException was not thrown
Add ErrorController to preview and render errors
* 4.3:
cs fix
Fix return statements
[TwigBridge] add missing dep
Add false type to ChoiceListFactoryInterface::createView $label argument
Update UPGRADE guide of 4.3 for EventDispatcher
[SecurityBundle] display the correct class name on the deprecated notice
This PR was merged into the 4.3 branch.
Discussion
----------
Fix deprecations on 4.3
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32844
| License | MIT
| Doc PR | NA
Fix deprecations in branch 4.3
note: remaining deprecation `assertStringContainsString` will be fixed in #32977
* [ ] fix tests in branch 3.4 in #32981
Commits
-------
8fd16a6bee Fix deprecation on 4.3
* 4.4:
[Debug] Improve UPGRADE files
remove wrongly added legacy group from test
consistently throw NotSupportException
[HttpKernel] Clarify error handler restoring process again
[HttpClient] Remove CURLOPT_CONNECTTIMEOUT_MS curl opt
add missing conflict rule
[Intl] fix nullable phpdocs and useless method visibility of internal class
remove some more useless phpdocs
Resilience against file_get_contents() race conditions.
Turned return type annotations of private methods into php return types.
* 4.4:
fix merge
Fix inconsistent return points.
pass translation parameters to the trans filter
[Mime] fixed wrong mimetype
[ProxyManagerBridge] Polyfill for unmaintained version
[HttpClient] Declare `$active` first to prevent weird issue
Remove deprecated assertContains
[HttpClient] fix tests
SCA: dropped unused mocks, duplicate import and a function alias usage
Added correct plural for box -> boxes
[Config] fix test
Fix remaining tests
fix getName() when transport is null
[Console] Check for ErrorHandler classes
Improve fa (persian) translation
* 4.3:
Fix inconsistent return points.
pass translation parameters to the trans filter
[Mime] fixed wrong mimetype
[ProxyManagerBridge] Polyfill for unmaintained version
[HttpClient] Declare `$active` first to prevent weird issue
Remove deprecated assertContains
[HttpClient] fix tests
SCA: dropped unused mocks, duplicate import and a function alias usage
Added correct plural for box -> boxes
[Config] fix test
Fix remaining tests
Improve fa (persian) translation
* 4.4:
bump phpunit-bridge cache-id
removed unneeded phpdocs
Use assertStringContainsString when needed
Use assert assertContainsEquals when needed
Use assertEqualsWithDelta when required
