This PR was merged into the 4.3-dev branch.
Discussion
----------
[VarDumper] Improve performance of AbstractCloner
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | - <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | -
While profiling Symfony in "dev" environment (see #29762) I found that `VarCloner::addCasters()` was making thousands of `strtolower()` calls.
![varcloner-addcasters](https://user-images.githubusercontent.com/73419/50694461-40a1bd80-103a-11e9-83c0-a28b8f8f161e.png)
In this PR I propose to remove all those calls. I think it's possible to do it ... but I could be completely wrong, so please review.
-----
As a side note, in the past we did the same `strtolower()` to service IDs and parameter names. We stopped doing that in Symfony 3.3 and it gave us a small performance improvement (same as we could gain here).
If the `strtolower()` calls of `VarCloner::addCasters()` are made just to apply the caster even if the class name is wrongly spelled, I think we could make this change. My guess is that nothing would break for the user (unlike removing the `strtolower()` in DependencyInjection, which broke wrongly spelled services and params). Thanks!
Commits
-------
cff23e52bf [VarDumper] Improve performance of AbstractCloner
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Routing] Make important parameters required when matching
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/29763
| License | MIT
| Doc PR | n/a
1. This PR improves "important" route parameters implementation. Instead of considering `!slug` to be a variable name (which is not correct from my POV and leads to a lot of `'!' === $varName[0]` and `substr($varName, 1)` snippets), I took advantage of the `$token` array and used offset `[5]` for keeping boolean importance flag. This approach improved and simplified code.
1. This PR makes important parameters required when matching according to https://github.com/symfony/symfony/issues/29763
Commits
-------
2c3ab22080 Made important parameters required when matching
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Form][TwigBridge] Add help_html
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | no
| License | MIT
| Doc PR | symfony/symfony-docs#...
Sometimes, when we use the form `help` option, we want to display it as HTML (add bold, italic, a span with a specific class, ...). For security reasons, we escape the `help` content.
In this PR, I've added an `help_html` option, seted to false per default. When it set on true, the `help` content is no longer escaped.
Commits
-------
33f5f855d6 [Form][TwigBridge] Add help_html option
This PR was merged into the 4.3-dev branch.
Discussion
----------
[DI] Added support for deprecating aliases
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? |no
| Tests pass? | yes
| Fixed tickets | #24507
| License | MIT
| Doc PR | TBD
This PR is a continuity of #24707
Commits
-------
6c571adda7 Added support for deprecating aliases (runtime+dumper)
0eb071b9f8 Added support for deprecating an alias
This PR was merged into the 3.4 branch.
Discussion
----------
Enable PHP 7.3 on Travis
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
The bits of #29624 that apply to 3.4.
Commits
-------
335036cf09 Enable PHP 7.3 on Travis
This PR was merged into the 4.3-dev branch.
Discussion
----------
Dont advertize what symfony/symfony "provides"
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
No need to maintain not advertize this IMHO.
Commits
-------
e8a7a0e2fc Dont advertize what symfony/symfony "provides"
This PR was merged into the 4.2 branch.
Discussion
----------
[Process] disable transient test on Windows
| Q | A
| ------------- | ---
| Branch? | 4.2
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This test makes our Windows CI red 80% of the time, let's disable it until someone can have a deeper look.
PIng @Nek- , help wanted.
Commits
-------
399fee64f8 [Process] disable transient test on Windows
* 4.2:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
Avoid dots in generated class names.
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
* 4.1:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
* 3.4:
Bump phpunit bridge cache id
[appveyor] fix create-project phpunit
Fix HttpKernel Debug requirement
Fix heredoc
use final annotation to allow mocking the class
synchronise the form builder docblock
Grammar fix in exception message
fix tests
forward the parse error to the calling code
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
ensure compatibility with older PHPUnit mocks
[Security] Do not mix usage of password_*() functions and sodium_*() ones
This PR was merged into the 3.4 branch.
Discussion
----------
[Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Currently, when there is no comment for a tag and another tag after, the detection does not work. Example :
```php
/**
* @final
*
* @author John
*/
class A {
}
```
AFAIK, those tags must not be in a specific order. That's why we should try to support more cases because we might miss things to report.
Also I do not understand why the regex is not the same for the classes and methods detection. I fixed that too.
I added a lot of cases in the "extends from final class" test and an easy way to add more when needed. Adding them everywhere might be overkill and useless. WDYT ?
I'm considering this as bug fix.
Commits
-------
c3b670a908 [Debug][DebugClassLoader] Match more cases for final, deprecated and internal classes / methods extends
This PR was squashed before being merged into the 4.3-dev branch (closes#29850).
Discussion
----------
[FrameworkBundle] xliff-version option to translation update command
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | no <!-- please add some, will be required by reviewers -->
| License | MIT
New 'version' option added to xliff translation update command. Currently xliff version is hardcoded to 1.2.
Commits
-------
4ec28bd45d [FrameworkBundle] xliff-version option to translation update command
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Fix HttpKernel Debug requirement
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
The `LoggerDataCollector` is using the `SilencedErrorContext` class that doesn't exists before Symfony 3.2
Commits
-------
69feb49c0d Fix HttpKernel Debug requirement
This PR was merged into the 3.4 branch.
Discussion
----------
[Form] synchronise the form builder docblock
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Commits
-------
419d3db86c synchronise the form builder docblock
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] use final annotation to allow mocking the class
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #29946
| License | MIT
| Doc PR |
When the class was initially marked as `final`, it did only contain constants. Since #24337 the `Security` class also contains useful shortcut methods so allowing developers to mock the class in tests looks reasonable to me.
Commits
-------
1da00db247 use final annotation to allow mocking the class
This PR was merged into the 3.4 branch.
Discussion
----------
Grammar fix in exception message
According to https://en.wiktionary.org/wiki/whitespace and https://english.stackexchange.com/questions/25368/what-is-the-plural-form-of-whitespace valid sentences would be:
- Whitespace is ...
- Whitespaces are ...
- Whitespace characters are ...
But this is not correct:
- Whitespace are ...
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
6e279a006b Grammar fix in exception message
This PR was merged into the 3.4 branch.
Discussion
----------
[DependencyInjection] fix tests
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #29928
| License | MIT
| Doc PR |
My changes in #29928 broke the test suite.
Commits
-------
4db0a6e099 fix tests
This PR was merged into the 3.4 branch.
Discussion
----------
[DependencyInjection] forward the parse error to the calling code
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #29891
| License | MIT
| Doc PR |
This change does not fully solve the linked issue, but improves the exception a bit by providing a bit more context.
The error page will no start like this:
![bildschirmfoto 2019-01-18 um 12 28 14](https://user-images.githubusercontent.com/1957048/51384558-f7af3600-1b1c-11e9-9744-a40c41c821ce.png)
Commits
-------
c5c2d31fef forward the parse error to the calling code
This PR was merged into the 4.2 branch.
Discussion
----------
Avoid dots in generated class names
| Q | A
| ------------- | ---
| Branch? | 4.2
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #29921
| License | MIT
| Doc PR | N/A
This PR removes dots from class names containers generated out of anonymous kernel classes.
Commits
-------
52c80e6cf2 Avoid dots in generated class names.
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Do not mix password_*() API with libsodium one
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | n/a
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Argon2IPasswordEncoder uses native `password_hash()` and `password_verify()` functions if the current PHP installation embeds Argon2 support (>=7.2, compiled `--with-password-argon2`).
Otherwise, it fallbacks to the libsodium extension.
This was fine at time the encoder was introduced, but meanwhile libsodium changed the algorithm used by `sodium_crypto_pwhash_str()` which is now argon2id, that goes outside of the scope of the encoder which was designed to deal with `argon2i` only.
Nothing we can do as databases may already contain passwords hashed with argon2id, the encoder must keep validating those.
However, the PHP installation may change as time goes by, and could suddenly embed the Argon2 core integration. In this case, the encoder would use the `password_verify()` function which would fail in case the password was not hashed using argon2i.
This PR prevents it by detecting that argon2id was used, avoiding usage of `password_verify()`.
See https://github.com/jedisct1/libsodium-php/issues/194 and https://github.com/symfony/symfony/issues/28093 for references.
Patch cannot be tested as it is platform dependent.
Side note: I'm currently working on a new implementation for 4.3 that will properly supports argon2id (which has been added to the PHP core sodium integration in 7.3) and argon2i, distinctively.
Commits
-------
d6cfde94b4 [Security] Do not mix usage of password_*() functions and sodium_*() ones
This PR was merged into the 3.4 branch.
Discussion
----------
ensure compatibility with older PHPUnit mocks
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | alternative to #29913
| License | MIT
| Doc PR |
Commits
-------
b714419faf ensure compatibility with older PHPUnit mocks