* 3.3:
[2.7] Fix issues found by PHPStan
Add php_unit_dedicate_assert to PHPCS
[WebProfilerBundle] Let fetch() cast URL to string
improve FormType::getType exception message details
[Intl] Update ICU data to 60.2
[Console] fix a bug when you are passing a default value and passing -n would ouput the index
This PR was merged into the 3.4 branch.
Discussion
----------
[TwigBundle][FrameworkBundle] Remove the internals from debug autowiring
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? |no <!-- don't forget to update UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | #24986
| License | MIT
| Doc PR |
#SymfonyConHackday2017
@nicolas-grekas @weaverryan @fabpot @stof It should be OK to review and to merge.
Commits
-------
491839b [TwigBundle][FrameworkBundle] Remove the internals from debug autowiring
* 3.3:
[Bridge\PhpUnit] Disable broken auto-require mechanism of phpunit
[SecurityBundle] Fix syntax error in test
[Console] Remove remaining dead code
bumped Symfony version to 3.3.14
bumped Symfony version to 2.8.32
bumped Symfony version to 2.7.39
updated VERSION for 3.3.13
updated CHANGELOG for 3.3.13
updated VERSION for 2.8.31
updated CHANGELOG for 2.8.31
updated VERSION for 2.7.38
updated CHANGELOG for 2.7.38
Replace array|\Traversable by iterable
Fix ambiguous pattern
* 2.8:
[SecurityBundle] Fix syntax error in test
[Console] Remove remaining dead code
bumped Symfony version to 2.8.32
bumped Symfony version to 2.7.39
updated VERSION for 2.8.31
updated CHANGELOG for 2.8.31
updated VERSION for 2.7.38
updated CHANGELOG for 2.7.38
Replace array|\Traversable by iterable
Fix ambiguous pattern
* 2.7:
[SecurityBundle] Fix syntax error in test
[Console] Remove remaining dead code
bumped Symfony version to 2.7.39
updated VERSION for 2.7.38
updated CHANGELOG for 2.7.38
Replace array|\Traversable by iterable
Fix ambiguous pattern
* 3.3:
fixed CS
fixed CS
[Security] Namespace generated CSRF tokens depending of the current scheme
ensure that submitted data are uploaded files
[Console] remove dead code
bumped Symfony version to 3.3.13
updated VERSION for 3.3.12
updated CHANGELOG for 3.3.12
bumped Symfony version to 2.8.31
updated VERSION for 2.8.30
updated CHANGELOG for 2.8.30
bumped Symfony version to 2.7.38
updated VERSION for 2.7.37
updated CHANGELOG for 2.7.37
[Security] Validate redirect targets using the session cookie domain
prevent bundle readers from breaking out of paths
* 2.8:
fixed CS
fixed CS
[Security] Namespace generated CSRF tokens depending of the current scheme
ensure that submitted data are uploaded files
[Console] remove dead code
bumped Symfony version to 2.8.31
updated VERSION for 2.8.30
updated CHANGELOG for 2.8.30
bumped Symfony version to 2.7.38
updated VERSION for 2.7.37
updated CHANGELOG for 2.7.37
[Security] Validate redirect targets using the session cookie domain
prevent bundle readers from breaking out of paths
* 2.7:
fixed CS
fixed CS
[Security] Namespace generated CSRF tokens depending of the current scheme
ensure that submitted data are uploaded files
[Console] remove dead code
bumped Symfony version to 2.7.38
updated VERSION for 2.7.37
updated CHANGELOG for 2.7.37
[Security] Validate redirect targets using the session cookie domain
prevent bundle readers from breaking out of paths
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] Deprecate auto picking the first provider
when no provider is explicitly configured on a firewall
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see comment below -->
| Bug fix? | no
| New feature? | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | yes <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass? | yes
| Fixed tickets | https://symfony-devs.slack.com/archives/C3A2XAQ20/p1506626210000345 <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | N/A
From @Pierstoval on Slack:
> Hey, guys, I learnt a few days ago that if you don't specify a user provider in a firewall configuration, the security will use the first one in the list. Don't anyone think specifying the user provider should be mandatory ? Or at least mandatory if we have more than one provider registered?
- [x] UPGRADE files
- [x] CHANGELOG
- [x] Fix other tests
- [x] Removal PR #24380
Commits
-------
2d1e3347a6 [SecurityBundle] Deprecate auto picking the first provider
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Argon2i Password Encoder
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | WIP
Since the [libsodium RFC](https://wiki.php.net/rfc/libsodium) passed with flying colours, I'd like to kick start a discussion about adding Argon2i as a password encoder to the security component. The initial code proposal in this PR supports both the upcoming public API confirmed for PHP 7.2, and the [libsodium PECL extension](https://pecl.php.net/package/libsodium) for those below 7.2 (available for PHP 5.4+).
#### Concerns
- Should the test cover hash length? At the moment the result of Argon2i is 96 characters, but because the hashing parameters are included in the result (`$argon2i$v=19$m=32768,t=4,p=1$...`) this is not guaranteed.
- I've used one password encoder class because the result *should* be the same whether running natively in 7.2 or from the PECL extension, but should the logic be split out into separate private methods (like `Argon2iPasswordEncoder::encodePassword()`) or not (like in `Argon2iPasswordEncoder::isPasswordValid()`)? Since I can't really find anything concrete on Symfony choosing one way over another I'm assuming it's down to personal preference?
#### The Future
Whilst the libsodium RFC has been approved and the public API confirmed, there has been no confirmation of Argon2i becoming an official algorithm for `passhword_hash()`. If that is confirmed, then the implementation should *absolutely* use the native `password_*` functions since the `sodium_*` functions do not have an equivalent to the `password_needs_rehash()` function.
Any feedback would be greatly appreciated 😃
Commits
-------
be093dd79a Argon2i Password Encoder
Add the Argon2i hashing algorithm provided by libsodium as a core encoder in the Security component, and enable it in the SecurityBundle.
Credit to @chalasr for help with unit tests.
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Saltless Encoder Interface
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
A new interface for encoders that do not require a user-generated salt (generate their own built-in) as suggested by @stof ([comment](https://github.com/symfony/symfony/pull/21604/files#r101225470)), this will become useful as more password encoders are added in the future (such as symfony/symfony#21604).
Commits
-------
7c4aa0bccb Saltless Encoder Interface
* 2.8:
[CS][2.7] yoda_style, no_unneeded_curly_braces, no_unneeded_final_method, semicolon_after_instruction
[Filesystem] mirror - fix copying content with same name as source/target.
.php_cs.dist - simplify config
[WebProfilerBundle] fixed TemplateManager when using Twig 2 without compat interfaces
