* 3.4:
[Validator] Add missing translations of nn locale
[HttpKernel] Fix that the `Store` would not save responses with the X-Content-Digest header present
[Intl] bump icu 67.1
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Validator] Add missing translations of nn locale
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes/no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#30178
| License | MIT
Added missing translations to validator with locale nn
Commits
-------
040d01e53b [Validator] Add missing translations of nn locale
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Fix that the `Store` would not save responses with the X-Content-Digest header present
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
Responses fetched from upstream sources might have a `X-Content-Digest` header, for example if the Symfony Cache is used upstream. This currently prevents the `Store` from saving such responses. In general, the value of this header should not be trusted.
As I consider this header an implementation detail of the `Store`, the fix tries to be local to that class; we should not rely on the `HttpCache` or other classes to remove untrustworthy headers for us.
This fixes the issue that when using the `HttpCache` in combination with the Symfony HttpClient, responses that have also been cached upstream in an instance of `HttpCache` are not cached locally. It adds the overhead of re-computing the content digest every time the `HttpCache` successfully re-validated a response.
Commits
-------
d8964fb8b7 [HttpKernel] Fix that the `Store` would not save responses with the X-Content-Digest header present
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Intl] bump icu 67.1
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix #... <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
mainly some new locales+scripts (see 3a3a9ba)
Commits
-------
29eb271184 [Intl] bump icu 67.1
This PR was merged into the 3.4 branch.
Discussion
----------
[BrowserKit] Allow Referer set by history to be overridden
| Q | A
| ------------- | ---
| Branch? | 3.4, see https://github.com/symfony/symfony/pull/36591 for 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
Commits
-------
4774946fbd [BrowserKit] Allow Referer set by history to be overridden (3.4)
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpClient] fix PHP warning + accept status code >= 600
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36717
| License | MIT
| Doc PR | -
This fixes the PHP warning reported in the linked issue.
This also relaxes the accepted status codes, with https://www.linkedin.com/company/linkedin/ as an example that returns a non-conformant one (`999`).
These are now handled as 5xx codes, ie they trigger a ServerException.
Commits
-------
c764b5c36e [HttpClient] fix PHP warning + accept status code >= 600
This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36451
| License | MIT
| Doc PR | -
Commits
-------
df32171cb2 [Security/Core] fix compat of `NativePasswordEncoder` with pre-PHP74 values of `PASSWORD_*` consts
This PR was merged into the 4.4 branch.
Discussion
----------
[DependencyInjection] Fix register event listeners compiler pass
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
I've wanted to use the simpler event listener registration syntax (https://symfony.com/blog/new-in-symfony-4-4-simpler-event-listeners) in my project and it didn't work so I'm sending this fix.
We use the `KnpPaginatorBundle` bundle which also [calls the `RegisterListenersPass` compiler pass](https://github.com/KnpLabs/KnpPaginatorBundle/blob/v5.2.0/src/DependencyInjection/Compiler/PaginatorConfigurationPass.php#L22) in order to register with the event dispatcher their custom tags for listeners and subscribers (`knp_paginator.listener` and `knp_paginator.subscriber`).
Their compiler pass is `TYPE_BEFORE_REMOVING` and priority zero which is the same type and priority as the pass that gets [added by FrameworkBundle](https://github.com/symfony/symfony/blob/v4.4.8/src/Symfony/Bundle/FrameworkBundle/FrameworkBundle.php#L125). Since both the type and priority is the same the order of execution is `undefined` (because [that is how regular sort behaves in PHP which is used by default by `krsort`](https://github.com/symfony/symfony/blob/v4.4.8/src/Symfony/Component/DependencyInjection/Compiler/PassConfig.php#L264)) and the `RegisterListenersPass` currently removes the `eventAliasesParameter` parameter from the container if it is set (which is [set here](https://github.com/symfony/symfony/blob/v4.4.8/src/Symfony/Bundle/FrameworkBundle/Resources/config/services.xml#L9)). So what happens in my app is that the Knp compiler pass runs first, the `event_dispatcher.event_aliases` parameter is removed and then the FrameworkBundle registered compiler pass runs and since the aliases are not present anymore the events do not get aliased properly. The event dispatcher service in the compiled container looks like:
```php
$instance->addListener('Symfony\Component\HttpKernel\Event\RequestEvent', ...);
```
instead of the expected
```php
$instance->addListener('kernel.request', ...);
```
This means that my listener never gets called on the kernel request event.
Another potential fix would be to adjust the Knp compiler pass priority, but seeing as that would fix only that bundle (who knows how many bundles out there have the same problem) and that I don't see any drawback in letting the `event_dispatcher.event_aliases` parameter stay in the container I think that this is better to fix here.
Commits
-------
646878d072 Fix register event listeners compiler pass
* 3.4:
[VarDumper] fix for change in PHP 7.4.6
Added regression test for AccountStatusException behavior (ref #36822)
embed resource name in error message
[Serializer] fix issue with PHP 8
[Yaml] Fix escaped quotes in quoted multi-line string
This PR was merged into the 3.4 branch.
Discussion
----------
[Translator] embed resource name in error message
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
Someone reported on Slack that they accidentally stored a translation file with the `.twig` extension and that the error message was quite confusing.
Commits
-------
507a5963e4 embed resource name in error message
This PR was squashed before being merged into the 4.4 branch.
Discussion
----------
Change priority of KernelEvents::RESPONSE subscriber
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| License | MIT
This PR changes the priority of the `KernelEvents::RESPONSE` subscriber of the `ProfilerListener` so that it is the penultimate to be executed (just before `StreamedResponseListener`).
The reason is that other listeners that were executed after this one CAN change the response (such as `SessionListener` for example). This creates a headache when debugging, with a discrepancy between what is shown in a curl command, and by the Symfony profiler.
Commits
-------
6ed624ad16 Change priority of KernelEvents::RESPONSE subscriber
This PR was merged into the 4.4 branch.
Discussion
----------
[WebProfiler] Remove 'none' when appending CSP tokens
| Q | A
| ------------- | ---
| Branch? | 3.4, 4.4, 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36645
| License | MIT
| Doc PR | n/a
@nicolas-grekas asked me to to have a look at this after #36678.
If a user has a CSP policy of `default-src 'none'`, then the WebProfiler copies `'none'` to `script-src` and `style-src` then adds other sources. This creates an invalid policy since `'none'` is only allowed when it's the only item in the source list.
This will probably need to be merged into 3.4 first, I started on 4.4 so I can test in my current symfony project which requires 4.4.
Commits
-------
967bc4a860 [WebProfiler] Remove 'none' when appending CSP tokens
This PR was merged into the 4.4 branch.
Discussion
----------
[Mime] fix bad method call on `EmailAddressContains`
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | -
| License | MIT
| Doc PR | -
There is no method `Address` on [`MailboxHeader`](https://github.com/symfony/symfony/blob/4.4/src/Symfony/Component/Mime/Header/MailboxHeader.php), but a method `getAddress`.
Commits
-------
227ebd2fe9 [Mime] fix bad method call on "EmailAddressContains"
* 3.4:
[FrameworkBundle] display actual target for error in AssetsInstallCommand
Remove patches for Doctrine bugs and deprecations
[DI][EventDispatcher] added contract for implementation
This PR was merged into the 3.4 branch.
Discussion
----------
[DI][EventDispatcher] added contract for implementation
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36708
| License | MIT
As described in the attached issue a comment in the documentation of the `EventSubscriberInterface` would be helpful to make sure users do not use logic based on runtime state in their implementation of `getSubscribedEvents`.
Commits
-------
88e43d4d4c [DI][EventDispatcher] added contract for implementation
When assets:install fails because the target directory does not exist, it should display the actual directory it wanted to have instead of the configuration directive. In most cases, the target directory is retrieved from the kernel config and thus differs from the argument.
* 3.4:
[PhpUnitBridge] fix PHP 5.3 compat
[PhpUnitBridge] Mark parent class also covered in CoverageListener
prevent notice for invalid octal numbers on PHP 7.4
This PR was merged into the 3.4 branch.
Discussion
----------
[PhpUnitBridge] Mark parent class also covered in CoverageListener
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
Commits
-------
dcb5653728 [PhpUnitBridge] Mark parent class also covered in CoverageListener
* 3.4:
[Filesystem] Handle paths on different drives
[WebProfiler] Do not add src-elem CSP directives if they do not exist
[Yaml] fix parse error when unindented collections contain a comment
[3.4][Inflector] Improve testSingularize() argument name
[PhpUnitBridge] fix PHP 5.3 compat again
Skip validation when email is an empty object
fix sr_Latn translation
[Validator] fix lazy property usage.
Fix annotation
[PhpUnitBridge] fix compat with PHP 5.3
[DX] Show the ParseException message in YAML file loaders
This PR was merged into the 4.4 branch.
Discussion
----------
[Console] Default hidden question to 1 attempt for non-tty session
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36565
| License | MIT
| Doc PR |
### Problem 1
`validateAttempts()` method repeats validation forever by default, until exception extending `RuntimeException` isn't thrown. This currently happens disregarding if user is in tty session where they can actually type input, or non-tty session. This presents a problem when user code throws custom exceptions for hidden questions -> loop doesn't stop. As far as I can tell this issue is in all Symfony versions, but it was uncovered only after we stopped marking interactive flag to false automatically ourselves. Actually, all 3 problems were already existing problems, just hidden until now.
### Problem 2
Infinite loop problem is related to hidden questions, but this one isn't. If validation fails, another attempt to read & validate happens. This means user will get two prompts: 2x same question with 2 different error messages. One error message coming from validator, second error message about inability to read input (because this loop repeats until this kind of error happens, so last output will always be this error). As an example, output in practice would look like following
```
What do you want to do:
>
[ERROR] Action must not be empty.
What do you want to do:
>
Aborted.
```
So even if loop stops, output is more than expected.
### Problem 3
This is purely cosmetic issue, but currently user gets `stty: stdin isn't a terminal` printed additionally when question helper tries to ask a hidden question without having tty. I have fixed this in same fashion as was already done for [getShell() method](ee7fc5544e/src/Symfony/Component/Console/Helper/QuestionHelper.php (L500)).
### More details
Well root of the first problem is that `\Symfony\Component\Console\Helper\QuestionHelper::getHiddenResponse` is inconsistent. In some cases it does throw `MissingInputException` (which extends `RuntimeException`), in others doesn't. This is because in others, `shell_exec` is used, which won't return `false` even in non-tty sessions. Initially I attempted to fix this and make them consistent by checking for empty result + `isTty` call, but during my testing I found that at least last, `bash -c` method returns `\n` as output both when passing empty input and when passing newline as input. This means we cannot differentiate with this technique when input is really empty, or at least I can't currently tell how, maybe someone does. I had also idea to use proc_open and check if `STDERR` cotains message about stdin not being a terminal, but I realized these functions might not be available. In future we should modernize this method to use less hacky techniques. Other solutions, eg. Inquirer.js or [hoa/console](https://github.com/hoaproject/Console/blob/master/Source/Readline/Readline.php) have much more elegant solutions. Anyway, since I encountered this issue and additionally this doesn't solve Problem 2, I stopped trying to fix this on this level.
### Alternative solution
Alternative solution to problem 1 and 3 would be to fallback to default in case of hidden questions when tty is missing. But this still doesn't solve problem 2 and I can't think about solution right now which would fix problem 2 separately. We also didn't really reach consensus if reading passwords via stdin is desired. I tried this in `Inquirer.js` and this library *does read password from stdin*
Commits
-------
ee7fc5544e [Console] Default hidden question to 1 attempt for non-tty session
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
[Filesystem] Handle paths on different drives
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| License | MIT
`makePathRelative` strips and ignores the drive letters given Windows paths on different drives, resulting in a relative path which does not resolve to the desired target.
This PR makes `makePathRelative` notice paths on different drives, and return the full (absolute) target path in case instead.
Commits
-------
00e727ae4e [Filesystem] Handle paths on different drives
This PR was merged into the 3.4 branch.
Discussion
----------
[WebProfiler] Do not add src-elem CSP directives if they do not exist
| Q | A
| ------------- | ---
| Branch? | 3.4, 4.4, 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36643
| License | MIT
| Doc PR | n/a
In the latest 3.4.*, 4.4.* and 5.0.* branches the `script-src-elem` and `style-src-elem` directives are added to the Content-Security-Policy header if they don't exist by copying the `default-src`. This causes browsers to ignore the `script-src` and `style-src` directives which likely contain scripts and styles the developer wanted to allow.
As mentioned in the fixed ticket, we shouldn't be adding these directives if they don't exist because the browser will automatically fallback to `script-src` and `style-src` which we have already added `unsafe-inlen` and the `nonce-*` to.
This will need to be merged into 3.4, 4.4 and 5.0, but I was unsure which branch I am meant to base it off to start with. I've put it on 4.4 but can move it to another if required.
Commits
-------
d9c47087c9 [WebProfiler] Do not add src-elem CSP directives if they do not exist
This PR was merged into the 3.4 branch.
Discussion
----------
[DX] Show the ParseException message in all YAML file loaders
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This PR synchronizes the exception message in the Routing, Validator and Translation YAML file loaders with the DependencyInjection YAML file loader behavior. Adding the ParseException message is a big DX gain because it highlights the problem directly instead of having to scroll down 7 previous exceptions.
I'm targetting 3.4 because DX can be considered as a bug fix AFAIK.
Commits
-------
fc6cf3d3c6 [DX] Show the ParseException message in YAML file loaders
This PR was merged into the 4.4 branch.
Discussion
----------
Execute docker dependent tests with github actions
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fixes#36427
| License | MIT
| Doc PR | -
* redis, memcached, rabbitmq and vulcain dependent tests moved to the github action
* run on PHP 7.1 and 7.4 only
* use the `integration` group for all tests that depend on docker services
* do not exclude the `integration` group on Travis, but make sure tests that depend on docker services are skipped properly
[<img width="1222" alt="image" src="https://user-images.githubusercontent.com/190447/80806323-48339100-8bb2-11ea-95cd-5ce773c74ce6.png">](https://github.com/jakzal/symfony/runs/636461875?check_suite_focus=true)
Commits
-------
d710c1b654 Execute docker dependent tests with github actions
This PR was merged into the 3.4 branch.
Discussion
----------
[Validator] Skip validation when email is an empty object
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | <!-- required for new features -->
When the value passed to the email validator is an empty object the validator is still called and will mark the value as invalid. The object should be skipped in this case, as it is also done in the `UrlValidator`
bfdbb244fe/src/Symfony/Component/Validator/Constraints/UrlValidator.php (L59-L62)
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/releases):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch master.
-->
Commits
-------
de5d68ef2a Skip validation when email is an empty object
This PR was merged into the 4.4 branch.
Discussion
----------
[Translation] Fix for translation:update command updating ICU messages
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36459
| License | MIT
If `translation:update` command executed with option `--domain=messages` – it ignore `messages-intl-icu` file and just create new `messages`
Method `TranslationUpdateCommand::filterCatalogue()` on `MessageCatalogue::all()` method to get all messages for domain
But `MessageCatalogue::all()` method disredard `intl-icu` domains and simply merge all.
[Translation] added $strict parameter for MessageCatalogueInterface::all() to be able to get only defined domain messages
[FrameworkBundle] modified translation:update command to respect intl-icu domain
Commits
-------
567cee5f02 [Translation] Fix for translation:update command updating ICU messages
This PR was squashed before being merged into the 3.4 branch (closes#36627).
Discussion
----------
[Validator] fix lazy property usage.
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36343
| License | MIT
| Doc PR |
This attempts to fix a large regression introduced in #36343, which broke recursing values returned from `getter` Constraints, because they are now wrapped in in a `LazyProperty`. The `LazyProperty` needs to be evaluated because some checks are done on the type of `$value`, i.e `is_array` etc... in `validateGenericNode`.
I'm concerned that the original PR didn't really add sufficient test coverage for the introduction of `LazyProperty`, and I'm not 100% sure that I've caught all the cases where the `instanceof` check are needed in this PR.
For the tests, I added the `@dataProvider getConstraintMethods` to every test that hit the problem area of code.
~~The only issue is that my fixed has broken the test introduced in #36343, `testGroupedMethodConstraintValidateInSequence`.~~
~~I think I need @HeahDude to help me work through this. Maybe there is a more simple solution, one that doesn't require doing `instanceof LazyPropery` checks in multiple places, because this feels very brittle.~~
EDIT: fixed that test.
Commits
-------
281861e788 [Validator] fix lazy property usage.
This PR was merged into the 4.4 branch.
Discussion
----------
[Form] provide a useful message when extension types don't match
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#36610
| License | MIT
| Doc PR |
Commits
-------
88d836643a provide a useful message when extension types don't match
This PR was merged into the 4.4 branch.
Discussion
----------
[Serializer] do not transform empty \Traversable to Array
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | na
| License | MIT
| Doc PR | na
Today, using `PRESERVE_EMPTY_OBJECTS` ([introduced in 4.0](f28e826627)), the JSON serialization of:
```php
<?php
$object = [];
$object['foo'] = new \ArrayObject();
$object['bar'] = new \ArrayObject(['notempty']);
$object['baz'] = new \ArrayObject(['nested' => new \ArrayObject()]);
```
Outputs:
```json
{"foo":[],"bar":["notempty"],"baz":{"nested":[]}}
```
Instead of the expected:
```json
{"foo":{},"bar":["notempty"],"baz":{"nested":{}}}
```
This issue comes from the Serializer that transforms `Traversable` to an Array [here](11a707200d/src/Symfony/Component/Serializer/Serializer.php (L159)). Also, the `AbstractObjectNormalizer` [doesn't support Traversable](11a707200d/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php (L134)), but he allows to preserve empty objects.
I propose this patch where the fix doesn't transform a `Traversable` to an Array. I see another way to patch this in which we could allow empty Traversable in the `AbstractObjectNormalizer` (not sure it's better though). See attached [other-fix.patch](https://github.com/symfony/symfony/files/4539865/other-fix.log) to see the alternative patch.
Commits
-------
e5c20293fa Fix serializer do not transform empty \Traversable to Array
This PR was merged into the 4.4 branch.
Discussion
----------
[Cache] Fixed not supported Redis eviction policies
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | no
| License | MIT
| Doc PR | no
**Steps to reproduce:**
1. Define the following redis service on SymfonyCloud:
```
rediscache:
type: redis:5.0
size: S
configuration:
maxmemory_policy: allkeys-lru
```
2. Deploy the change
**Expected result:**
No redis cache will be populated
**Actual result:**
Following exception is thrown:
```
[2020-04-28T05:35:58.440403-04:00] php.CRITICAL: Uncaught Error: Return value of Symfony\Component\Cache\Adapter\RedisTagAwareAdapter::doSave() must be of the type array, bool returned {"exception":"[object] (TypeError(code: 0): Return value of Symfony\\Component\\Cache\\Adapter\\RedisTagAwareAdapter::doSave() must be of the type array, bool returned at /app/vendor/symfony/cache/Adapter/RedisTagAwareAdapter.php:100)"} []
```
Commits
-------
3d6e942da5 [Cache] Fixed not supported Redis eviction policies