This PR was merged into the 3.3-dev branch.
Discussion
----------
Secure unserialize by restricting allowed classes when using PHP 7
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ---
| License | MIT
| Doc PR | ---
While playing around with Symfony in a PHP 7.1 application I noticed a warning in how EnvParameterResoure uses unserialize. Since PHP 7.0 introduced the options argument which allows to restrict which classes can be unserialized for better security, it might make sense to use it here. As far as I can tell this is no BC break, it only provides an additional safety mechanism.
Commits
-------
b4201810b9 Conditionally add options to unserialize in PHP 7.0+.
* 3.2:
[Console] Fix too strict test
[FrameworkBundle] Execute the PhpDocExtractor earlier
[validator] Updated croatian translation
Update DebugHandlersListener.php
ignore invalid cookies expires date format
[Console] SfStyleTest: Remove COLUMN env on tearDown
[TwigBundle] Fix the name of the cache warming test class
[Console] Fix TableCell issues with decoration
Add missing pieces in the upgrade guide to 3.0
* 3.2: (40 commits)
fixed CS
fixed CS
fixed CS fixer config
fixed typo
Revert "fixed typo"
fixed typo
fixed CS
Avoid setting request attributes from signature arguments in AnnotationClassLoader
[DependencyInjection] Add some missing typehints in YamlFileLoader
[DependencyInjection] minor: Fix a DocBlock
[HttpKernel] Give higher priority to adding request formats
[Cache] Fix tags expiration
[PhpUnit] Blacklist DeprecationErrorHandler in stack traces
[PropertyInfo] Don't try to access a property thru a static method
[PropertyInfo] Exclude static methods form properties guessing
[Workflow] Added new validator to make sure each place has unique translation names
[Cache] [PdoAdapter] Fix MySQL 1170 error (blob as primary key)
[FrameworkBundle] Fix third level headers for MarkdownDescriptor
[Ldap] Using Ldap stored username instead of form submitted one
[Ldap] load users with the good username case
...
* 3.1: (31 commits)
fixed CS
fixed CS
fixed CS fixer config
fixed typo
Revert "fixed typo"
fixed typo
fixed CS
Avoid setting request attributes from signature arguments in AnnotationClassLoader
[DependencyInjection] Add some missing typehints in YamlFileLoader
[DependencyInjection] minor: Fix a DocBlock
[HttpKernel] Give higher priority to adding request formats
[PropertyInfo] Don't try to access a property thru a static method
[PropertyInfo] Exclude static methods form properties guessing
[FrameworkBundle] Fix third level headers for MarkdownDescriptor
[Ldap] Using Ldap stored username instead of form submitted one
[Ldap] load users with the good username case
[DoctrineBridge] Fixed invalid unique value as composite key
[Doctrine Bridge] fix UniqueEntityValidator for composite object primary keys
[TwigBundle] do not lose already set method calls
#20411 fix Yaml parsing for very long quoted strings
...
* 2.8: (26 commits)
fixed CS
fixed CS
fixed CS fixer config
fixed typo
Revert "fixed typo"
fixed typo
fixed CS
Avoid setting request attributes from signature arguments in AnnotationClassLoader
[DependencyInjection] Add some missing typehints in YamlFileLoader
[DependencyInjection] minor: Fix a DocBlock
[HttpKernel] Give higher priority to adding request formats
[PropertyInfo] Don't try to access a property thru a static method
[PropertyInfo] Exclude static methods form properties guessing
[FrameworkBundle] Fix third level headers for MarkdownDescriptor
[TwigBundle] do not lose already set method calls
#20411 fix Yaml parsing for very long quoted strings
CS: apply is_null
DX: remove invalid inheritdoc
bumped Symfony version to 2.8.17
updated VERSION for 2.8.16
...
* 2.7:
fixed typo
Revert "fixed typo"
fixed typo
fixed CS
Avoid setting request attributes from signature arguments in AnnotationClassLoader
[DependencyInjection] Add some missing typehints in YamlFileLoader
[DependencyInjection] minor: Fix a DocBlock
[HttpKernel] Give higher priority to adding request formats
[FrameworkBundle] Fix third level headers for MarkdownDescriptor
[TwigBundle] do not lose already set method calls
#20411 fix Yaml parsing for very long quoted strings
CS: apply is_null
DX: remove invalid inheritdoc
bumped Symfony version to 2.7.24
updated VERSION for 2.7.23
update CONTRIBUTORS for 2.7.23
updated CHANGELOG for 2.7.23
[FrameworkBundle] Skip test if xdebug.file_link_format is defined.
* 3.2:
[DI] Add missing legacy group on testLegacy
Minor tweaks
Fix merge
[DI] Dont share service when no id provided
Fix Container and PhpDumper test inaccuracies
[DI] Fix missing new line after private alias
[ClassLoader] Throw an exception if the cache is not writeable
Fixing regression in TwigEngine exception handling.
* 3.1:
Fix merge
[DI] Dont share service when no id provided
Fix Container and PhpDumper test inaccuracies
[DI] Fix missing new line after private alias
[ClassLoader] Throw an exception if the cache is not writeable
Fixing regression in TwigEngine exception handling.
* 2.8:
Fix merge
[DI] Dont share service when no id provided
Fix Container and PhpDumper test inaccuracies
[DI] Fix missing new line after private alias
[ClassLoader] Throw an exception if the cache is not writeable
Fixing regression in TwigEngine exception handling.
* 2.7:
[DI] Dont share service when no id provided
Fix Container and PhpDumper test inaccuracies
[DI] Fix missing new line after private alias
[ClassLoader] Throw an exception if the cache is not writeable
Fixing regression in TwigEngine exception handling.
* 3.2:
[TwigBundle] fixed usage when Templating is not installed
[Validator] Check cascasdedGroups for being countable
[Cache] Add changelog for 3.2
[Cache] Add changelog
[Filesystem] Check that the directory is writable after created it in dumpFile()
[HttpFoundation] Improved set cookie header tests
[Serializer] int is valid when float is expected when deserializing JSON
[Console] increased code coverage of Output classes
Added missing headers in fixture files
[Profiler][VarDumper] Fix minor color issue & duplicated selector
* 3.1:
[TwigBundle] fixed usage when Templating is not installed
[Validator] Check cascasdedGroups for being countable
[Cache] Add changelog
[Filesystem] Check that the directory is writable after created it in dumpFile()
[HttpFoundation] Improved set cookie header tests
[Serializer] int is valid when float is expected when deserializing JSON
[Console] increased code coverage of Output classes
Added missing headers in fixture files
[Profiler][VarDumper] Fix minor color issue & duplicated selector
This PR was merged into the 3.3-dev branch.
Discussion
----------
Deprecate ClassCollectionLoader and Kernel::loadClassCache
| Q | A
| ------------- | ---
| Branch? | "master"
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets | #20668
| License | MIT
As suggested by @nicolas-grekas in #20668 I added deprecation notices to ClassCollectionLoader and Kernel::loadClassCache.
Commits
-------
660d79a186 Deprecates ClassCache-cache warmer.
This PR was merged into the 3.3-dev branch.
Discussion
----------
No fallback to REQUEST_TIME in TimeDataCollector
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no (?)
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
As of PHP 5.4 the `REQUEST_TIME_FLOAT` is available and the minimum version of PHP is 5.5 in Symfony. I think it's safe to use as I can't find cases where this is _not_ defined.
Commits
-------
ba00543 No fallback to REQUEST_TIME in TimeDataCollector
* 3.2:
[FrameworkBundle] Ignore AnnotationException exceptions in the AnnotationsCacheWarmer
fixed @return when returning this or static
override property constraints in child class
removed unneeded comment
[Console] improved code coverage of Command class
[FrameworkBundle] Make TemplateController working without the Templating component
[FrameworkBundle] Allow multiple transactions with the same name
Only count on arrays or countables to avoid warnings in PHP 7.2
* 3.1:
fixed @return when returning this or static
override property constraints in child class
removed unneeded comment
[Console] improved code coverage of Command class
[FrameworkBundle] Make TemplateController working without the Templating component
Only count on arrays or countables to avoid warnings in PHP 7.2
* 2.8:
fixed @return when returning this or static
override property constraints in child class
removed unneeded comment
[Console] improved code coverage of Command class
[FrameworkBundle] Make TemplateController working without the Templating component
Only count on arrays or countables to avoid warnings in PHP 7.2
* 2.7:
fixed @return when returning this or static
override property constraints in child class
[Console] improved code coverage of Command class
Only count on arrays or countables to avoid warnings in PHP 7.2
* 3.1:
fixed obsolete getMock() usage
fixed obsolete getMock() usage
fixed obsolete getMock() usage
[WebProfilerBundle] Display multiple HTTP headers in WDT
do not remove the Twig ExceptionController service
removed obsolete condition
do not try to register incomplete definitions
* 2.8:
fixed obsolete getMock() usage
fixed obsolete getMock() usage
[WebProfilerBundle] Display multiple HTTP headers in WDT
do not remove the Twig ExceptionController service
removed obsolete condition
do not try to register incomplete definitions
This PR was merged into the 3.3-dev branch.
Discussion
----------
[WebProfilerBundle] Split PHP version if needed
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes/no
| Fixed tickets | https://github.com/symfony/symfony/pull/20697#issuecomment-263966015
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
Commits
-------
1241a00 [WebProfilerBundle] Split PHP version if needed
This PR was merged into the 3.3-dev branch.
Discussion
----------
Request exceptions
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #20389, #20615, #20662
| License | MIT
| Doc PR | n/a
Replaces #20389 and #20662. The idea is to generically manage 400 responses when an exception implements `RequestExceptionInterface`.
The "weird" caches on the request for the host and the clients IPs allows to correctly manage exceptions in an exception listener/controller (as we are duplicating the request there, but we don't want to throw an exception there).
Commits
-------
32ec288 [HttpFoundation] refactored Request exceptions
d876809 Return a 400 response for suspicious operations
This PR was merged into the 3.3-dev branch.
Discussion
----------
[HttpKernel] Fix Bundle name regression
| Q | A
| ------------- | ---
| Branch? | 3.2
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #20117
| License | MIT
| Doc PR | N/A
The bundle name can be set manually instead of being guessed from the class name, as the property is protected.
However, a regression prevents this name to be used, as calling `Bundle::getNamespace()` recomputes the bundle name from class instead.
The ability to name explicitly bundles is appreciable when dealing with "virtual" ones, or when providing bundles in a library under a `Vendor\MyPackage\Bridge\Symfony\Bundle` namespace. No need to rename the bundle class `VendorMyPackageBundle` which will make the instantiation in `Kernel::registerBundle()` quite ugly:
```diff
- new Vendor\MyPackage\Bridge\Symfony\Bundle\VendorMyPackageBundle()
+ new Vendor\MyPackage\Bridge\Symfony\Bundle\Bundle()
```
What about removing `Bundle::parseClassName()` and processing the namespace and bundle name separately, but keeping the `namespace` property introduced in #20117?
Commits
-------
3b5127d [HttpKernel] Fix Bundle name regression
This PR was squashed before being merged into the 3.3-dev branch (closes#20697).
Discussion
----------
Updated the "PHP config" panel in the profiler
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
I propose to update this panel taking some of the ideas introduced by @ro0NL in #20126:
* Adding more info that helps debugging problems (like 32/64 bits, the locale and the timezone)
* Removing anything related to PHP acceleration that is not OPcache or APC
### Before
### After
Commits
-------
531053b Updated the "PHP config" panel in the profiler
* 3.2:
[WebProfilerBundle] Fix whitespace control in layout.html.twig
[HttpKernel] Fix open_basedir compat in DataCollector
[Validator] Fix init of YamlFileLoader::$classes for empty files
* 3.2: (51 commits)
[FrameworkBundle] [Workflow] Fix service marking store configuration
Fix merge
[Validator] add class name to the cache key
[Serializer] Remove AbstractObjectNormalizer::isAttributeToNormalize
Throw less misleading exception when property access not found
[Twig] Fix deprecations with Twig 1.29
[FrameworkBundle] Fix validation cache warmer with failing or missing classes
Fixed typo
[FrameworkBundle] Removed the kernel.debug parameter from the cache pool namespace seed
Fix email address
fix the docblock in regard to the role argument
[Bridge\Twig] Trigger deprecation when using FormExtension::$renderer
Don't use the "app" global variable in the profiler
[VarDumper] fix tests when xdebug is enabled
Fix merge
FIXED NON EXISTING TYPE DECLARATION
[Form] Add failing test for data collector bug
[Cache] Fix dumping SplDoublyLinkedList iter mode
[Form] Fix FormDataCollector
Ignore missing 'debug.file_link_formatter' service in Debug and Twig bundles
...
* 3.1: (28 commits)
Fix merge
[Validator] add class name to the cache key
[Serializer] Remove AbstractObjectNormalizer::isAttributeToNormalize
Throw less misleading exception when property access not found
[Twig] Fix deprecations with Twig 1.29
Fixed typo
[FrameworkBundle] Removed the kernel.debug parameter from the cache pool namespace seed
Fix email address
fix the docblock in regard to the role argument
Don't use the "app" global variable in the profiler
[VarDumper] fix tests when xdebug is enabled
Fix merge
FIXED NON EXISTING TYPE DECLARATION
[Cache] Fix dumping SplDoublyLinkedList iter mode
[Console] fixed PHP7 Errors when not using Dispatcher
Regression test for missing controller arguments (3.1)
Regression test for missing controller arguments
fix a test checking for a value
[Form][DX] FileType "multiple" fixes
fixed CS
...
* 2.8:
[Twig] Fix deprecations with Twig 1.29
Fixed typo
Fix email address
fix the docblock in regard to the role argument
[VarDumper] fix tests when xdebug is enabled
Fix merge
[Cache] Fix dumping SplDoublyLinkedList iter mode
[Console] fixed PHP7 Errors when not using Dispatcher
Regression test for missing controller arguments
fix a test checking for a value
[Form][DX] FileType "multiple" fixes
fixed CS
[TwigBundle] Fix twig loader registered twice
[WebProfilerBundle] Fix dump block is unfairly restrained
[Console] Fix wrong handling of multiline arg/opt descriptions
[DependencyInjection] PhpDumper.php: hasReference() should not search references in lazy service arguments.
[Form] fixed "empty_value" option deprecation
Cast result to int before adding to it
* 2.7:
Regression test for missing controller arguments
fix a test checking for a value
[Form][DX] FileType "multiple" fixes
fixed CS
[TwigBundle] Fix twig loader registered twice
[Console] Fix wrong handling of multiline arg/opt descriptions
[DependencyInjection] PhpDumper.php: hasReference() should not search references in lazy service arguments.
[Form] fixed "empty_value" option deprecation
* 3.2:
[ClassLoader] Use only forward slashes in generated class map
[VarDumper][HttpKernel] Enhance perf of ExceptionCaster & DataCollector
ensure the proper context for nested validations
bug #20653 [WebProfilerBundle] Profiler includes ghost panels
Fixed getRouteParams() when no parameters are available
bumped Symfony version to 3.2.0
updated VERSION for 3.2.0-RC2
updated CHANGELOG for 3.2.0-RC2
* 3.2: (24 commits)
[Filesystem] Remove extra argv in dumpFile() tests
[DI] minor FileLoaders tests update
[FrameworkBundle] Add framework.cache.prefix_seed for predictible cache key prefixes
[SecurityBundle] Remove FirewallContext mandatory FirewallConfig argument deprecation
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DI] Allow null as default env value
[WebProfilerBundle] Fix deprecated uses of profiler_dump
[SecurityBundle] Fix FirewallConfig nullable arguments
[FrameworkBundle] Avoid warming up the validator cache for non-existent classes
[DOMCrawler] Bug fixed
[FrameworkBundle] Mark cache.default_*_provider services private
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 3.1.8
updated VERSION for 3.1.7
updated CHANGELOG for 3.1.7
bumped Symfony version to 2.8.15
updated VERSION for 2.8.14
updated CHANGELOG for 2.8.14
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
...
* 3.1:
[Filesystem] Remove extra argv in dumpFile() tests
[DI] minor FileLoaders tests update
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DOMCrawler] Bug fixed
[FrameworkBundle] Mark cache.default_*_provider services private
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 3.1.8
updated VERSION for 3.1.7
updated CHANGELOG for 3.1.7
bumped Symfony version to 2.8.15
updated VERSION for 2.8.14
updated CHANGELOG for 2.8.14
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
update CONTRIBUTORS for 2.7.21
updated CHANGELOG for 2.7.21
Fix annotation type for $context
[Doctrine][Form] support large integers
* 2.8:
[DI] minor FileLoaders tests update
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DOMCrawler] Bug fixed
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 2.8.15
updated VERSION for 2.8.14
updated CHANGELOG for 2.8.14
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
update CONTRIBUTORS for 2.7.21
updated CHANGELOG for 2.7.21
Fix annotation type for $context
[Doctrine][Form] support large integers
* 2.7:
[DI] minor FileLoaders tests update
[HttpKernel] Revert BC breaking change of Request::isMethodSafe()
[DOMCrawler] Bug fixed
[Process] Do feat test before enabling TTY mode
bumped Symfony version to 2.7.22
updated VERSION for 2.7.21
update CONTRIBUTORS for 2.7.21
updated CHANGELOG for 2.7.21
[Doctrine][Form] support large integers
This PR was merged into the 3.2-dev branch.
Discussion
----------
[HttpKernel] Base DataCollector throws warning on unsupported scheme strings
| Q | A |
| --- | --- |
| Branch? | master |
| Bug fix? | yes |
| New feature? | no |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | N/A |
| License | MIT |
| Doc PR | N/A |
The issue concerns any collector based on the abstract `Symfony\Component\HttpKernel\DataCollector\DataCollector` class using `cloneVar` on a string containing a unsupported scheme.
The easiest way to reproduce the issue is to add a simple query parameter like `?uri=foo://bar` on any url of your application:
> ContextErrorException in DataCollector.php line 134:
> Warning: file_exists(): Unable to find the wrapper "foo" - did you forget to enable it when you configured PHP?
This PR simply fixes the issue by muting the warning on `file_exists`. But maybe there is a better strategy.
Commits
-------
52faa00 Fix base DataCollector throws warning on unsupported scheme strings
* 3.1:
[PhpUnitBridge] Fix undefined variable
Compatibility with Twig 1.27
Remove extra line in doc-block comment
[VarDumper] Fix dumping Twig source in stack traces
Enhance GAE compat by removing some realpath()
[DependencyInjection] Remove old code in XML loader
bumped Symfony version to 3.1.7
updated VERSION for 3.1.6
updated CHANGELOG for 3.1.6
bumped Symfony version to 2.8.14
updated VERSION for 2.8.13
updated CHANGELOG for 2.8.13
bumped Symfony version to 2.7.21
updated VERSION for 2.7.20
update CONTRIBUTORS for 2.7.20
updated CHANGELOG for 2.7.20
[SecurityBundle] Fix twig-bridge lowest dep
* 2.8:
Compatibility with Twig 1.27
[VarDumper] Fix dumping Twig source in stack traces
Enhance GAE compat by removing some realpath()
bumped Symfony version to 2.8.14
updated VERSION for 2.8.13
updated CHANGELOG for 2.8.13
bumped Symfony version to 2.7.21
updated VERSION for 2.7.20
update CONTRIBUTORS for 2.7.20
updated CHANGELOG for 2.7.20
[SecurityBundle] Fix twig-bridge lowest dep
