This PR was merged into the 4.3 branch.
Discussion
----------
[TwigBundle][exception] Added missing css variable to highlight line in trace
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
---
To get the yellow background
Commits
-------
5f19501 [TwigBundle][exception] Added missing css variable to highlight line in trace
This PR was merged into the 4.4 branch.
Discussion
----------
Re-allow to use "tagged" in service definitions
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
Re-allow to use `tagged` in 4.4 and 5.0. It makes it easier for bundles to support both Symfony 4.3- and Symfony 4.4+.
Needed to make API Platform compatible with Symfony 5 (api-platform/core#3009)
Commits
-------
7b7dc0df9a Re-allow to use "tagged" in service definitions
This PR was merged into the 4.4 branch.
Discussion
----------
[Lock][Cache] Allows URL DSN in PDO adapters
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | TODO
This PR duplicate a feature from PdoSessionHandler that convert URL DSN ( ie. mysql://localhost/test) into PDO DSN (ie. mysql:host=localhost;dbname=test)
that would ease configuration by using the same well-known variable
```
framework:
lock: '%env(DATABASE_URL)%'
```
note: I applied the same change on Cache component for consistency.
Commits
-------
474daf976e Allows URL DSN in Lock and Cache
This PR was squashed before being merged into the 4.3 branch (closes#33828).
Discussion
----------
[DoctrineBridge] Auto-validation must work if no regex are passed
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
Backport of https://github.com/symfony/symfony/pull/32107/files#r295762928.
This behavior if faulty, if no regex are passed, autvalidation must be triggered, [as done in `PropertyInfoLoader`](https://github.com/symfony/symfony/blob/4.3/src/Symfony/Component/Validator/Mapping/Loader/PropertyInfoLoader.php#L50).
Commits
-------
5ed7d6c759 [DoctrineBridge] Auto-validation must work if no regex are passed
This PR was merged into the 4.4 branch.
Discussion
----------
[ErrorRenderer] Security fix: hide sensitive error messages
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | n/a
| License | MIT
| Doc PR | n/a
This PR fixes a security issue. Exception messages must not be displayed except when debugging, because they can contain sensitive data including credentials.
For instance, PDO and Doctrine throw exception with message such as `The details are: SQLSTATE[HY000] [1045] Access denied for user 'root'@'db.example.com' (using password: NO)` revealing internal details about the infrastructure usful for an attacker.
Also, I still think that ErrorRenderer should be removed in favor of using the Serializer directly (see https://github.com/symfony/symfony/pull/33650#issuecomment-534441889). I'll try to open some PRs to do that in tomorrow.
Commits
-------
d7d7f22 [ErrorRenderer] Security fix: hide sensitive error messages
This PR was merged into the 4.3 branch.
Discussion
----------
[OptionsResolver] Fix an error message to be more accurate
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#30432
| License | MIT
| Doc PR | -
Follow-up https://github.com/symfony/symfony/pull/30442 for 4.3
Commits
-------
1be68a752a Fix an error message to be more accurate
* 4.3:
[OptionsResolve] Revert change in tests for a not-merged change in code
[HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
[Workflow] Made the configuration more robust for the 'property' key
[Security/Core] make NativePasswordEncoder use sodium to validate passwords when possible
#30432 fix an error message
fix paths to detect code owners
[HttpClient] ignore the body of responses to HEAD requests
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
[SecurityBundle] Fix wrong assertion
Remove unused local variables in tests
[Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
Make sure to collect child forms created on *_SET_DATA events
[WebProfilerBundle] Improve display in Email panel for dark theme
do not render errors for checkboxes twice
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] correct types for default arguments for firewall configs
| Q | A
| ------------- | ---
| Branch? | 3.4 (and forward)
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | n/a
Up until now, the default template arguments in the `security.firewall.config` abstract service definition have been each defined (aside from the argument for `$listeners` which is given a `collection` type) in the XML as
```xml
<argument />
```
which resolves to an empty string, despite that some of the arguments are typed to being either `bool` or `array|null` on the `Symfony\Bundle\SecurityBundle\Security\FirewallConfig` class itself.
This wouldn't be so much of a problem if the child definitions that use this as a template overrode all the arguments every time, but in the case of firewall configs that mark security as _not_ being enabled, [only the first few arguments are overwritten](https://github.com/symfony/symfony/blob/3.4/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php#L349-L352), so firewall config objects that do not have security enabled are instantiated by the DI container with parameters with some of the wrong types.
In general this wouldn't be an issue, as firewalls with security not enabled would not usually be consumed in a context where further security-related config were needed, but there is a case in `Symfony\Bundle\SecurityBundle\DataCollector\SecurityDataCollector` where the method `getSwitchUser()` on the firewall config object [can be called](https://github.com/symfony/symfony/blob/3.4/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php#L181) without checking first whether the firewall has security enabled, which leads to an exception being thrown:
```
Symfony\Component\Debug\Exception\ContextErrorException
Warning: Illegal string offset 'parameter'
in vendor/symfony/symfony/src/Symfony/Bundle/SecurityBundle/DataCollector/SecurityDataCollector.php (line 184)
```
which is down to the firewall config being set with an empty string rather than `null` (in which case the logic here would function as expected).
It seemed most appropriate as a fix (especially given possible introduction of scalar type hints in the future) to apply types to the default arguments so that it was no longer possible to instantiate a firewall config object with parameters of unexpected types.
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/roadmap):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch 4.4.
- Legacy code removals go to the master branch.
-->
Commits
-------
6b7044fc01 [SecurityBundle] correct types for default arguments for firewall configs
* 3.4:
#30432 fix an error message
fix paths to detect code owners
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
Remove unused local variables in tests
Make sure to collect child forms created on *_SET_DATA events
do not render errors for checkboxes twice
This PR was merged into the 4.3 branch.
Discussion
----------
[Workflow] Made the configuration more robust for the 'property' key
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34092
| License | MIT
| Doc PR |
Commits
-------
0c31ff007e [Workflow] Made the configuration more robust for the 'property' key
This PR was merged into the 4.3 branch.
Discussion
----------
[HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
A `304` is the final response code.
This PR implements the same logic as curl.
Commits
-------
50a88c59f6 [HttpClient] fix handling of 3xx with no Location header - ignore Content-Length when no body is expected
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Allow to stick to a specific password hashing algorithm
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix#33054
| License | MIT
| Doc PR | todo
Allows using `argon2i`, `argon2id` and `bcrypt`.
Commits
-------
6712d1e504 [Security] Allow to set a fixed algorithm
This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Core] add fast path when encoded password cannot match anything
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Only `MessageDigestPasswordEncoder` and `Pbkdf2PasswordEncoder` need this fast path: the sodium and the native encoders already implement it natively.
When a migrating encoder is used, a failed password validation fallbacks to all encoders. This makes the process slower than needed currently.
Commits
-------
c57f8f7f93 [Security/Core] add fast path when encoded password cannot match anything
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle] Remove suffix convention when using env vars to override secrets from the vault
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Right now, env vars that override encrypted secrets must en up with `_SECRET`.
This PR removes this convention. It also enforces that only vars defined in the vault can be overriden locally. This means one cannot set a local-only secret.
Commits
-------
2ec9647e75 [FrameworkBundle] Remove suffix convention when using env vars to override secrets from the vault
This PR was merged into the 3.4 branch.
Discussion
----------
[OptionsResolver] Fix an error message to be more accurate
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30432
| License | MIT
| Doc PR |
See #30432 for more details:
> **Symfony version(s) affected**: 3.4, maybe other versions too (not tested)
>
> **Description**
> Error message when allowedTypes is an array contains `[]` but should not:
> `The option "testme" with value array is expected to be of type "string[]", but one of the elements is of type "integer[]".`
> It should be:
> `The option "testme" with value array is expected to be of type "string[]", but one of the elements is of type "integer".`
>
> **How to reproduce**
>
> ```
> $resolver = (new OptionsResolver())
> ->setDefault('testme', [])
> ->setAllowedTypes('testme', ['string[]'])
> ->resolve(['testme' => ['test', 12]]);
> ```
In addition I changed an error message to be more
accurate if provided more than one incorrect value:
> [...] is expected to be of type "integer[][]", but is of type "integer|boolean|string".
Commits
-------
7fa2fc2#30432 fix an error message
This PR was merged into the 3.4 branch.
Discussion
----------
[Form] Make sure to collect child forms created on *_SET_DATA events
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#29291
| License | MIT
| Doc PR | -
See reproducer provided by @WubbleWobble https://github.com/WubbleWobble/symfony-issue-29291.
Commits
-------
50efc1a Make sure to collect child forms created on *_SET_DATA events
This PR was merged into the 4.3 branch.
Discussion
----------
[Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This method is internal and unused. It was removed by a2ae6bf745 but was added back mistakenly by 1baac5a74f.
Commits
-------
49acc16424 [Yaml][Parser] Remove the getLastLineNumberBeforeDeprecation() internal unused method
This PR was merged into the 4.3 branch.
Discussion
----------
[HttpClient] ignore the body of responses to HEAD requests
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34102
| License | MIT
| Doc PR | -
Commits
-------
0fc371e7df [HttpClient] ignore the body of responses to HEAD requests
This PR was squashed before being merged into the 3.4 branch (closes#34097).
Discussion
----------
[Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix #... <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Drupal is testing on PHP7.4 and hitting a problem with the line `if ('[' === $subPath[0]) {` because `$subPath` is not a string. We're already doing string casting in the method so we could do it once and be done. Note this is not a problem on the master branch / SF5 because of primitive typehinting.
Without this fix on PHP7.4 you see errors like...
```
1) Symfony\Component\Validator\Tests\Util\PropertyPathTest::testAppend with data set #5 ('0', 1, '0.1', 'Numeric subpaths do not cause...rrors.')
Trying to access array offset on value of type int
```
Commits
-------
6244a1ec47 [Validator] Ensure numeric subpaths do not cause errors on PHP 7.4
This PR was merged into the 4.3 branch.
Discussion
----------
[Messenger] use database platform to convert correctly the DateTime
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/32427
| License | MIT
In Doctrine Messenger the method `\Symfony\Component\Messenger\Transport\Doctrine\Connection::formatDateTime()` is used to format dateTime into this: `Y-m-d\TH:i:s`.
But this is not supported in all databases platform.
Here we use the database platform to convert correctly the dateTime.
Commits
-------
cfa11561d1 Format DateTime depending on database platform
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpClient] allow option "buffer" to be a stream resource
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
e87301603e [HttpClient] allow option "buffer" to be a stream resource
This PR was merged into the 4.3 branch.
Discussion
----------
[Messenger] Show exceptions after multiple retries
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32311
| License | MIT
| Doc PR | n/a
After retrying a failed message, the `RedeliveryStamp` looses it's exception information. This PR will remedy that.
Commits
-------
598bd92313 [Messenger] Show exceptions on after empty fails
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle] Don't reset the test container but the real one instead
| Q | A
| ------------- | ---
| Branch? | 4.4 for features / 3.4 or 4.3 for bug fixes <!-- see below -->
| Bug fix? | yes/no
| New feature? | yes/no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | yes/no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix #... <!-- prefix each issue number with "Fix #", if any -->
| License | MIT
| Doc PR | -
After #31202 and #32056, the tearDown method keeps throwing deprecation notices about "Getting the container from a non-booted kernel". The reason is that resetting the test-container calls `$kernel->getContainer()` while the kernel has been shut down.
This fixes it and a few other glitches found meanwhile.
Commits
-------
8e16143256 [FrameworkBundle] Dont reset the test container but the real one instead
This PR was merged into the 4.4 branch.
Discussion
----------
[SecurityBundle] test with doctrine-bundle 2
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
e3261f4f7f [SecurityBundle] test with doctrine-bundle 2
This PR was merged into the 4.4 branch.
Discussion
----------
[Debug] remove return types that break FC badly
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
The return type on Debug's FlattenException blocks creating a child class that is compatible with both v4.4 and v5.0.
Removing it fixes the issue with no BC break.
Adding `final` on `setPrevious` will allow updating its type hint in v5.0.
Commits
-------
cb5ef6ec18 [Debug] remove return types that break FC badly
This PR was merged into the 4.4 branch.
Discussion
----------
Add .gitignore to .gitattributes
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | #33946
| License | MIT
Commits
-------
246c5fdf43 Add .gitignore to .gitattributes
This PR was merged into the 4.4 branch.
Discussion
----------
[Mailer] Fix typo
| Q | A
| ------------- | ---
| Branch? | 4.4 for features / 3.4 or 4.3 for bug fixes <!-- see below -->
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#34006
| License | MIT
| Doc PR | n/a
The XML is different depending on the way we are sending email. So, it's `SendEmailResult` when using the API and `SendRawEmailResult` when using the HTTP class (we are then sending the raw email).
Commits
-------
4bd7cb0368 [Mailer] Fix SES Message Id retrieval
This PR was merged into the 4.4 branch.
Discussion
----------
[ExpressionLanguage][Lexer] Exponential format for number
Exponential format has been added for numbers.
Ex: 1.99E+3 === 1990,
Ex: expression (1 + 1.99E+3) = 1991
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
Exponential format has been added for numbers.
Ex: 1.99E+3 === 1990,
Expressions:
0.1e+2 = 10
1e-2 = 0.01
(1 + 1.99E+3) = 1991
and etc...
Commits
-------
430ec32992 [ExpressionLanguage][Lexer] Exponential format for number
This PR was merged into the 4.4 branch.
Discussion
----------
Use port 465 for SES SMTP transport
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34064
| License | MIT
Commits
-------
8492e260cb Use port 465 for SES SMTP transport
This PR was merged into the 4.4 branch.
Discussion
----------
[Messenger] Fix worker-only Doctrine middleware from running always
| Q | A
| ------------- | ---
| Branch? | 4.4 (or 4.3?, this is a bug fix)
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#32436 Depends on #34069
| License | MIT
| Doc PR | not needed
Several Doctrine middleware are only meant to be run in a "worker" context: we want to "ping" the connection, "close" the connection and "clear" the entity manager ONLY when we are receiving messages. Before this PR, it was done always, which causes bad behavior for sync messages (imagine your Doctrine connection being closed in the middle of a controller or see https://github.com/symfony/symfony/pull/31334#issuecomment-544288437).
This fixes that in a pragmatic way: no new system for "worker-only" middleware or anything like that: just make the middleware smart enough to only do their work when a message is being received async.
Commits
-------
290a72917b Fixing issue where worker-only middleware were run in all contexts
This PR was merged into the 4.4 branch.
Discussion
----------
[ErrorRenderer] FlattenException cannot be final
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Making it final forces tight coupling with the implementation as soon as one type-hints for the class.
That's a blocker on making e.g. `EasyAdminBundle` compatible with Symfony 5.
Commits
-------
b125835056 [ErrorRenderer] FlattenException cannot be final
This PR was merged into the 4.3 branch.
Discussion
----------
[HttpClient] skip tests implemented in 4.4
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Needed after #34051 and #34044
Commits
-------
ae86ab18fa [HttpClient] skip tests implemented in 4.4
This PR was merged into the 4.4 branch.
Discussion
----------
[VarDumper] improve displaying cut closures
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Minor but still an improvement so 4.4: this change makes closures replaced by `CutStub` be displayed with their signature instead of just the `Closure` label.
Commits
-------
2b0a11de02 [VarDumper] improve displaying cut closures
This PR was merged into the 4.4 branch.
Discussion
----------
[Lock] Set ReturnType of LockFactory to LockInterface
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #...
| License | MIT
| Doc PR |
LockFactory I think should return a LockInterface and not the Lock class.
/cc @chalasr
Commits
-------
ff1fa57ef2 Set ReturnType of LockFactory to LockInterface
This PR was merged into the 3.4 branch.
Discussion
----------
[TwigBridge] do not render errors for checkboxes twice
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#34008
| License | MIT
| Doc PR |
Commits
-------
9eddea97d8 do not render errors for checkboxes twice
This PR was merged into the 4.3 branch.
Discussion
----------
[Messenger] Fix ignored options in redis transport
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#33425
| License | MIT
| Doc PR | -
Also fixes redis authentication failure handling (inline with invalid db index handling, borrowed from symfony/cache).
/cc @alexander-schranz
Commits
-------
c83ff94c37 [Messenger] Fix ignored options in redis transport
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle] Add `secrets:*` commands and `%env(secret:...)%` processor to deal with secrets seamlessly
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix#27351
| License | MIT
| Doc PR | symfony/symfony-docs/pull/11396
This PR continues #31101, please see there for previous discussions. The attached patch has been fine-tuned on https://github.com/nicolas-grekas/symfony/pull/33 with @jderusse.
This PR is more opinionated and thus a lot simpler than #31101: only Sodium is supported to encrypt/decrypt (polyfill possible), and only local filesystem is available as a storage, with little to no extension point. That's on purpose: the goal here is to provide an experience, not software building blocks. In 5.1, this might be extended and might lead to a new component, but we'd first need reports from real-world needs. Having this straight-to-the-point in 4.4 will allow gathering these needs (if they exist) and will immediately provide a nice workflow for the need we do want to solve now: forwarding secrets from dev to prod using git in a secure way.
The workflow this will allow is the following:
- public/private key pairs are generated in the `config/secrets/%kernel.environment%/` folder using `bin/console secrets:generate-keys`
- for the prod env, the corresponding private key should be deployed to the server using whatever means the hosting provider allows - this key MUST NOT be committed
- the public key is used to encrypt secrets and thus *may* be committed in the git repository to allow anyone *that can commit* to add secrets - this is done using `bin/console secrets:set`
DI configuration can reference secrets using `%env(secret:...)%` in e.g `services.yaml`.
There is also `bin/console secrets:remove` and `bin/console debug:secrets` to complete the toolbox.
In terms of design, vs #31101, this groups the dual "encoder" + "storage" concepts in a single "vault" one. That's part of what makes this PR simpler.
That's all folks :)
Commits
-------
c4653e1f65 Restrict secrets management to sodium+filesystem
02b5d740e5 Add secrets management
8c8f62390a Proof of concept for encrypted secrets
* 4.3:
[HttpKernel] fix wrong removal of the just generated container dir
bug #34024 [Routing] fix route loading with wildcard, but dir or file is empty (gseidel)
[Routing] fix route loading with wildcard, but dir or file is empty
This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] fix wrong removal of the just generated container dir
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
The patch applies to 3.4 but the fix really affects to 4.4 with the introduction of the new `.preload.php` file.
/cc @fabpot since you encountered this error quite often recently during `composer up/req` :)
Commits
-------
4ad09ebafb [HttpKernel] fix wrong removal of the just generated container dir
This PR was merged into the 4.3 branch.
Discussion
----------
[Routing] fix route loading with wildcard, but dir or file is empty
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | no ticket i see so far
| License | MIT
In my route config i have something like:
```yaml
empty_wildcard:
resource: ../controller/empty_wildcard/*
prefix: /empty_wildcard
```
But ``empty_wildcard`` is empty or has no route configured.
So i had this error:
``Call to a member function addPrefix() on null``
This PR take care if no route is configured, there will be no error.
Commits
-------
217058b475 [Routing] fix route loading with wildcard, but dir or file is empty
This PR was merged into the 4.3 branch.
Discussion
----------
[Routing] fix route loading with wildcard, but dir or file is empty
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | no ticket i see so far
| License | MIT
In my route config i have something like:
```yaml
empty_wildcard:
resource: ../controller/empty_wildcard/*
prefix: /empty_wildcard
```
But ``empty_wildcard`` is empty or has no route configured.
So i had this error:
``Call to a member function addPrefix() on null``
This PR take care if no route is configured, there will be no error.
Commits
-------
217058b475 [Routing] fix route loading with wildcard, but dir or file is empty
* 4.3:
[Dotenv] allow LF in single-quoted strings
[Yaml] Throw exception for tagged invalid inline elements
[Mailer] Fix Mandrill Transport API payload with named addresses
This PR was merged into the 3.4 branch.
Discussion
----------
[Dotenv] allow LF in single-quoted strings
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
in a shell:
```sh
FOO='bar
baz'
```
is legal to set a value to (in PHP):
```php
"bar\nbaz"
```
Commits
-------
4d79116a0d [Dotenv] allow LF in single-quoted strings
This PR was merged into the 3.4 branch.
Discussion
----------
[Yaml] Throw exception for tagged invalid inline elements
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | n/a
At the moment the result for `!foo 'don't do somthin' like that'` is a `TaggedValue` with value "don".
Commits
-------
bed479c561 [Yaml] Throw exception for tagged invalid inline elements
This PR was merged into the 4.4 branch.
Discussion
----------
Replace STDIN by php://stdin
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
`STDIN` is SAPI-dependent.
Commits
-------
365d02be77 Replace STDIN by php://stdin
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpClient] add HttpClient::createForBaseUri()
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
I've seen ppl use `HttpClient::create()` with default `base_uri` & `auth_bearer`. That's a security risk as the bearer would be sent to any hosts that the client requests.
Instead, ppl should use `ScopingHttpClient`.
The new method should help to discover and use it.
Commits
-------
1aa9a118d6 [HttpClient] add HttpClient::createForBaseUri()
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle] Improve the sorting of tagged services
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix https://github.com/symfony/symfony/issues/33716
| License | MIT
| Doc PR | -
Little DX improvement, to sort the tags inside each service tagged.
More details in linked issue.
Commits
-------
f892289351 [FrameworkBundle] Improve the sorting of tagged services
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpClient] try using php-http/discovery when nyholm/psr7 is not installed
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
In case one has `php-http/discovery`, we can leverage it...
Commits
-------
6e0cb581a1 [HttpClient] try using php-http/discovery when nyholm/psr7 is not installed
* 4.3:
fix PHP 5.6 compatibility
[Cache] fixed TagAwareAdapter returning invalid cache
Add plus character `+` to legal mime subtype
Make Symfony\Contracts\Service\Test\ServiceLocatorTest abstract
bug #33942 [DI] Add extra type check to php dumper
[Dotenv] search variable values in ENV first then env file
[PropertyInfo] Respect property name case when guessing from public method name
[VarDumper] fix resetting the "bold" state in CliDumper
Missing argument in method_exists
SCA: added missing break in a loop
* 3.4:
fix PHP 5.6 compatibility
[Cache] fixed TagAwareAdapter returning invalid cache
[PropertyInfo] Respect property name case when guessing from public method name
This PR was squashed before being merged into the 4.4 branch (closes#33967).
Discussion
----------
[Mailer] Add Message-Id to SentMessage when sending an email
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes-ish
| New feature? | yes-ish as well
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | fixes#33681
| License | MIT
| Doc PR | -
This adds `SentMessage::getMessageId()` to retrieve the message id as generated internally OR by the provider sending the email.
Commits
-------
d97d1f9bb4 [Mailer] Fix Message ID for Postmark SMTP
b42c269760 Add Message-Id to SentMessage when sending an email
This PR was merged into the 4.4 branch.
Discussion
----------
[Serializer][CSV] Add context options to handle BOM
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | Fix#33684
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/12461
This allows BOM handling in en/decoded CSV files. To keep current behaviour intact both skipping BOM at the beginning of the CSV and outputting BOM are an opt-in feature.
Personally I'd propose to make `SKIP_INPUT_BOM` default to `false` in 5.0 so the BOM is transparent and people that for some reasons expect BOM characters to be present in the parsed text explicitly opt-out of trimming it.
Commits
-------
3eb36684d8 Add context options to handle BOM
This PR was merged into the 3.4 branch.
Discussion
----------
[PropertyInfo] Respect property name case when guessing from public method name
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#32656
| License | MIT
| Doc PR |
Using camelCase, with an attribute `$aFooBar`, naming the getter/setter `getAFooBar()`/`setAFooBar()`, returns the property name as AFooBar instead of aFooBar.
# Before
Property name `'AFooBar'`
# After
Property name `'aFooBar'` as expected
Commits
-------
843bb76f8a [PropertyInfo] Respect property name case when guessing from public method name
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpClient] resolve promise chains on HttplugClient::wait()
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#32142
| License | MIT
| Doc PR | -
Follow up of #33743
Right now, keeping a reference to promise objects returned by `HttplugClient::sendAsyncRequest()`, then calling their `wait()` method is the only way to actually resolve the promises. That's why when these promises are destructed, we cancel the corresponding HTTP request.
But thanks to the `HttplugClient::wait()` method, we have a hook to tick the event loop managed by the Symfony client.
I added a test case to run into this situation.
~It fails currently. I'd like asking @joelwurtz, @dbu and/or maybe @Nyholm if you could have a look and finish this PR? I'm not that familiar with promises and you might get faster and better to the goal. Anyone else is welcome also of course. Thank you for having a look :) PR welcome on my fork or as a separate one on this repos.~
Commits
-------
ea0be07a33 [HttpClient] resolve promise chains on HttplugClient::wait()
This PR was merged into the 4.4 branch.
Discussion
----------
[Cache] fix 2RTT + race condition in AbstractTagAwareAdapter::deleteItems()
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
A final improvement to `AbstractTagAwareAdapter::deleteItems()`: this PR makes `deleteItems()` operate in 1RTT instead of 2.
Commits
-------
0613c227ec [Cache] fix 2RTT + race condition in AbstractTagAwareAdapter::deleteItems()
This PR was merged into the 3.4 branch.
Discussion
----------
[Cache] fixed TagAwareAdapter returning invalid cache
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#33953
| License | MIT
| Doc PR |
This PR fixes `TagAwareAdapter` returning `CacheItem` when item-tags pair is missing tag key in pool. Currently `TagAwareAdapter` returns `CacheItem` with empty tags and `isHit` set to `true`. With this PR it returns `CacheItem` with `isHit` set to `false` as we can't know if item is valid or invalid when it's missing tag entry so we treat it as cache miss.
Commits
-------
946f0a1e11 [Cache] fixed TagAwareAdapter returning invalid cache
This PR was merged into the 4.3 branch.
Discussion
----------
Make Symfony\Contracts\Service\Test\ServiceLocatorTest abstract
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | #33946
| License | MIT
Commits
-------
c2dd804a24 Make Symfony\Contracts\Service\Test\ServiceLocatorTest abstract
This PR was merged into the 4.3 branch.
Discussion
----------
[DI] Add extra type check to php dumper
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#33942
| License | MIT
| Doc PR
This PR adds a missing type check in the PHP Dumper. The bug has been detected while working on the https://github.com/prooph/service-bus-symfony-bundle and I haven't been able to reproduce it within a minimalist testcase.
I would like to add a unit test to cover it once I have figured out the exact context in which the bug occurs.
Any help would be greatly appreciated to do so, especially from "senior" contributors of the DependencyInjection component, many thanks in advance!
You will find more information about this bug in the linked ticket above.
Commits
-------
b17ebdf081 bug #33942 [DI] Add extra type check to php dumper
* 3.4:
Add plus character `+` to legal mime subtype
[Dotenv] search variable values in ENV first then env file
[VarDumper] fix resetting the "bold" state in CliDumper
SCA: added missing break in a loop
This PR was merged into the 4.4 branch.
Discussion
----------
[Mailer] added ReplyTo option for PostmarkApiTransport
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Supports "ReplyTo" option with Postmark transport
Commits
-------
d49a7387de [Mailer] added ReplyTo option for PostmarkApiTransport
This PR was merged into the 4.4 branch.
Discussion
----------
[ErrorHandler] Rework fatal errors
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/32605
| License | MIT
| Doc PR | -
Built on top of https://github.com/symfony/symfony/pull/33038 so review only the second commit : d5c3f7ed48
The goals of this PR is to replace current "fatal error handlers" with "error enhancers" since all our current fatal error handlers works on \Error since PHP7.
That means we won't use the FatalErrorException anymore, so we will be able to remove it (once we don't need it in the rest of the codebase).
The final goal btw is to handle \Throwable everywhere in the code so we can remove FatalThrowableError & FatalErrorException classes.
Commits
-------
aaa0cdf523 [ErrorHandler] Rework fatal error handlers
This PR was merged into the 4.4 branch.
Discussion
----------
[Cache] add TagAwareMarshaller to optimize data storage when using AbstractTagAwareAdapter
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | #33924
| License | MIT
| Doc PR | -
This is the final touch in my series of PR that fixes the linked issue.
Remarkably, the solutions I implemented for this issue are completely different than the one I described there. Fortunately, the issues themselves were correctly identified.
Plannification of implementation is gambling :)
/cc @andrerom
Commits
-------
5a4a30c6ef [Cache] add TagAwareMarshaller to optimize data storage when using AbstractTagAwareAdapter
This PR was merged into the 3.4 branch.
Discussion
----------
[VarDumper] fix resetting the "bold" state in CliDumper
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
21645a5b96 [VarDumper] fix resetting the "bold" state in CliDumper
This PR was merged into the 4.4 branch.
Discussion
----------
[Mime] added image/svg MIME support
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#33909
| License | MIT
| Doc PR |
Added `image/svg` MIME type to `svg` extension.
More @#33909.
Commits
-------
015eb6625c added image/svg MIME support
* 4.3:
[Cache] ignore unserialization failures in AbstractTagAwareAdapter::doDelete()
[HttpClient] send `Accept: */*` by default, fix removing it when needed
This PR was merged into the 4.3 branch.
Discussion
----------
[Cache] ignore unserialization failures in AbstractTagAwareAdapter::doDelete()
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Making things more robust, part of #33924
Commits
-------
a1f334c1b7 [Cache] ignore unserialization failures in AbstractTagAwareAdapter::doDelete()
* 4.3:
[Cache] clean tags folder on invalidation
[Cache] remove implicit dependency on symfony/filesystem
Allow to set cookie_samesite to 'none'
[VarDumper] fix array key error for class SymfonyCaster
Adds missing translations for no nb
[HttpKernel] fix $dotenvVars in data collector
Add the missing translations for the Swedish ("sv") locale
bumped Symfony version to 4.3.6
updated VERSION for 4.3.5
updated CHANGELOG for 4.3.5
bumped Symfony version to 3.4.33
updated VERSION for 3.4.32
update CONTRIBUTORS for 3.4.32
updated CHANGELOG for 3.4.32
[Messenger] DoctrineTransport: ensure auto setup is only done once
[Form][DateTimeImmutableToDateTimeTransformer] Preserve microseconds and use \DateTime::createFromImmutable() when available
[Crawler] document $default as string|null
* 3.4:
Adds missing translations for no nb
Add the missing translations for the Swedish ("sv") locale
bumped Symfony version to 3.4.33
updated VERSION for 3.4.32
update CONTRIBUTORS for 3.4.32
updated CHANGELOG for 3.4.32
This PR was merged into the 4.3 branch.
Discussion
----------
Allow to set SameSite config to 'none'
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#33926
| License | MIT
| Doc PR | -
Commits
-------
eec7e8cc61 Allow to set cookie_samesite to 'none'
This PR was merged into the 4.4 branch.
Discussion
----------
[EventDispatcher] Allow to omit the event name when registering listeners
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | #33453 (kind of)
| License | MIT
| Doc PR | TODO
After #30801 and #33485, this is another attempt at taking advantage of FQCN events for simplifying the registration of event listeners by inferring the event name from the parameter type declaration of the listener. This is my last attempt, I promise. 🙈
This time, I'd like to make the `event` attribute of the `kernel.event_listener` tag optional. This would allow us to build listeners like the following one without adding any attributes to the `kernel.event_listener` tag.
```php
namespace App\EventListener;
final class MyRequestListener
{
public function __invoke(RequestEvent $event): void
{
// do something
}
}
```
This in turn allows us to register a whole namespace of such listeners without having to configure each listener individually:
```YAML
services:
App\EventListener\:
resource: ../src/EventListener/*
tags: [kernel.event_listener]
```
Commits
-------
6f32584c76 [EventDispatcher] Allow to omit the event name when registering listeners.
This PR was merged into the 4.3 branch.
Discussion
----------
[Form][DateTimeImmutableToDateTimeTransformer] Preserve microseconds and use \DateTime::createFromImmutable() when available
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
For PHP >= 7.3, we should use [\DateTime::createFromImmutable()](https://www.php.net/manual/en/datetime.createfromimmutable.php) directly.
This patch also preserves the `\DateTime` microseconds when the conversion is done with `\DateTime::createFromFormat()`.
Commits
-------
dfa23034c3 [Form][DateTimeImmutableToDateTimeTransformer] Preserve microseconds and use \DateTime::createFromImmutable() when available
This PR was merged into the 4.4 branch.
Discussion
----------
[Cache] Improve RedisTagAwareAdapter invalidation logic & requirements
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes, _and improvment_
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
| Doc PR |
Changes logic of invalidation in RedisTagAwareAdapter in order to:
- Delete the tag key on invalidation => _avoiding possible left behind empty tag keys that Redis is not allowed to evict, gradually consuming more and more memory_
Positive side effects of no longer using sPOP:
- Lowered requirements to Redis 2.8, and no specific version constraint for phpredis
- Lift limitation of 2 billion keys per tag _(Now only limited by Redis Set datatype: 4 billion)_
Commits
-------
3d38c58b42 [Cache] Improve RedisTagAwareAdapter invalidation logic & requirements
This PR was squashed before being merged into the 4.4 branch (closes#33884).
Discussion
----------
Prevent ProgressBar redraw when message is same
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
This PR prevents ProgressBar from performing unnecessary redrawes if new output is same as current one. This is mostly useful when working with multiple progress bars. Same behavior can enforced by carefully setting redraw frequency, but I don't see any downsides for smarter redrawing by default.
This can be moved to `if ($this->overwrite)` if necessary, so it's applied only in case overwriting is enabled.
Commits
-------
78b515f049 Prevent ProgressBar redraw when message is same
This PR was merged into the 4.3 branch.
Discussion
----------
[Crawler] document $default as string|null
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
This has been introduced in 4.3
Commits
-------
e96add4787 [Crawler] document $default as string|null
This PR was squashed before being merged into the 4.3 branch (closes#32308).
Discussion
----------
[Messenger] DoctrineTransport: ensure auto setup is only done once
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? |no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Setup is done for every invocation of `get`, `find`, and `findAll`.
For `get`, this causes message consumption to be very slow, as slow as 1 message per second on my moderately sized schema, because a schema diff is done in `setup` every `get`.
I'm not sure what the desired behaviour is here, but it seems like we should try performing a query, fail once, `setup`, and retry. This will the same approach taken by the PDO Cache.
However, we still need auto setup in `get`, as `get` starts a transaction, so the auto setup in `executeQuery` won't be called.
Further more, the same problem seems to exist for the AMPQ Transport, but the performance impact should be less there, but i have not tried.
Commits
-------
02414027e1 [Messenger] DoctrineTransport: ensure auto setup is only done once
