This PR was merged into the 2.7 branch.
Discussion
----------
Prevent bundle readers from breaking out of paths
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Please fill in this template according to the PR you're about to submit.
- Replace this comment by a description of what your PR is solving.
-->
Commits
-------
c8f9f916b4 prevent bundle readers from breaking out of paths
* 3.4: (21 commits)
fixed CS
HttpCache lock update
[Intl] Update ICU data to 60.1
[YAML] Allow to parse custom tags when linting yaml files
[HttpKernel][Debug] Remove noise from stack frames of deprecations
[WebServerBundle] prevent console.terminate from being fired after stopping server
[Validator] Fix Costa Rica IBAN format
[Bridge/ProxyManager] Remove direct reference to value holder property
[Validator] Add Belarus IBAN format
[Config] Fix cannotBeEmpty()
[Debug] More aggressively aggregate silenced notices per file+line
[HttpFoundation] minor session-related fix
[Cache][Lock] Add RedisProxy for lazy Redis connections
[TwigBridge] [Bootstrap 4] Fix validation error design for expanded choiceType
[FrameworkBundle] Specifically inject the debug dispatcher in the collector
[WebserverBundle] fixed the bug that caused that the webserver would …
update the pull request template
[Stopwatch] minor fix
Add default mapping path for validator component
Add default mapping path for serializer component
...
* 2.8:
[Intl] Update ICU data to 60.1
[Validator] Fix Costa Rica IBAN format
[Bridge/ProxyManager] Remove direct reference to value holder property
[Validator] Add Belarus IBAN format
[FrameworkBundle] Specifically inject the debug dispatcher in the collector
update the pull request template
[Stopwatch] minor fix
* 3.4:
[HttpFoundation] refactoring: calculate when need
[Serializer] Fix extra attributes when no group specified
[Intl] Make intl-data tests pass and save language aliases again
[FrameworkBundle][Config] fix: do not add resource checkers for debug=false
[DI] Fix "almost-circular" dependencies handling
[Console] Fix CommandTester::setInputs() docblock
Only enabling validation if it is present
Fix displaying errors for bootstrap 4
[Serializer] readd default argument value
Fix reference dump for deprecated nodes
[PhpUnitBridge] Fixed fatal error in CoverageListener when something goes wrong in Test::setUpBeforeClass
[HttpKernel] Let the storage manage the session starts
[VarDumper] fix trailling comma when dumping an exception
[Validator] Fix TraceableValidator is reset on data collector instantiation
Remove useless docblocks
[FrameworkBundle] Fix docblocks
[PropertyInfo] Remove useless docblocks
* 2.8:
fixed CS
[DI] Fix PhpDumper blank lines around namespace
fixed CS
Filesystem: annotate the one network test with a "network" group.
[DependencyInjection] Don't store default deprecation template in every service definition instance
* 2.8:
fixed obsolete getMock() usage
fixed obsolete getMock() usage
[WebProfilerBundle] Display multiple HTTP headers in WDT
do not remove the Twig ExceptionController service
removed obsolete condition
do not try to register incomplete definitions
* 2.8:
fixed typo
fixed typo
Fixed a minor XML issue in a translation file
Fix merge
Fix merge
Fix merge
Fix merge
Update twig.html.twig
PhpUnitNoDedicateAssertFixer results
Improve Norwegian translations
[2.7] [FrameworkBundle] minor fix tests added by #17569
Fixed the antialiasing of the toolbar text
Simplify markdown for PR template
fixed CS
fixed CS
documented the $url parameter better
[Form] add test for ArrayChoiceList handling null
[Form] fix edge cases with choice placeholder
register commands from kernel when accessing list
Update FileSystem
* 2.8:
[WebProfilerBundle] Don't inherit CSS text-transform property for the toolbar.
Remove duplicate cursor property
Increase the inlining YAML level for config:debug
[Serializer] Minor: fix CS and PHPDoc
[Form] fix tests
[Serializer] Ensure that groups are strings
[Debug] Tell that the extension is for PHP 5 only
Static code analysis
Update AnnotationDirectoryLoader.php
added a test
Escape the delimiter in Glob::toRegex
[FrameworkBundle] Fix template location for PHP templates
[FrameworkBundle] Add path verification to the template parsing test cases
* 2.8:
[Locale] Add missing @group legacy annotations
[Form] Add missing @group legacy annotations
[Form] Use FQCN form types
Fix security-acl deps
Fix typo
[Security] Removed security-acl from the core
fixed typos
Fix doctrine mapping validation type error
Remove skipping of tests based on ICU data version whenever possible
Fix the handling of null as locale in the stub intl classes
do not dump leading backslashes in class names
fix issue #15377
Skip ::class constant
[Config] type specific check for emptiness
[Form] Deprecated FormTypeInterface::getName() and passing of type instances
Conflicts:
UPGRADE-2.8.md
composer.json
src/Symfony/Bridge/Doctrine/composer.json
src/Symfony/Bridge/Twig/composer.json
src/Symfony/Bundle/SecurityBundle/composer.json
src/Symfony/Component/ClassLoader/ClassMapGenerator.php
src/Symfony/Component/DependencyInjection/Tests/ContainerTest.php
src/Symfony/Component/Form/Tests/AbstractExtensionTest.php
src/Symfony/Component/Form/Tests/AbstractLayoutTest.php
src/Symfony/Component/Form/Tests/SimpleFormTest.php
src/Symfony/Component/Locale/Tests/LocaleTest.php
src/Symfony/Component/Locale/Tests/Stub/StubLocaleTest.php
src/Symfony/Component/Security/Acl/README.md
src/Symfony/Component/Security/Acl/composer.json
Many tests being skipped based on the ICU data version don't actually
need it. They might be testing code paths not relying on Intl, or not
performing assertions on the values depending on the ICU data and so not
dependant on the exact ICU version being used.
To let opcode caches optimize cached code, the `PHP_VERSION_ID`
constant is used to detect the current PHP version instead of calling
`version_compare()` with `PHP_VERSION`.