This PR was merged into the 4.4 branch.
Discussion
----------
[Mailer] Fix SMTP Authentication when using STARTTLS
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34522
| License | MIT
When the mail server uses STARTTLS, the SMTP Authentication is not performed because the AUTH capabilities are not sent during the first EHLO call, but during the second one.
Example of problematic exchange solved by this PR:
```
< 220 mydomain.tld ESMTP Postcow
> EHLO [127.0.0.1]
< 250-mydomain.tld
< 250-PIPELINING
< 250-SIZE 104857600
< 250-ETRN
< 250-STARTTLS
< 250-ENHANCEDSTATUSCODES
< 250-8BITMIME
< 250-DSN
< 250 CHUNKING
> STARTTLS
< 220 2.0.0 Ready to start TLS
> EHLO [127.0.0.1]
< 250-mydomain.tld
< 250-PIPELINING
< 250-SIZE 104857600
< 250-ETRN
< 250-AUTH PLAIN LOGIN
< 250-AUTH=PLAIN LOGIN
< 250-ENHANCEDSTATUSCODES
< 250-8BITMIME
< 250-DSN
< 250 CHUNKING
> MAIL FROM:<noreply@XXX>
< 250 2.1.0 Ok
> RCPT TO:<XXX>
< 554 5.7.1 <XXX>: Client host rejected: Access denied
```
Commits
-------
75b54542ab [Mailer] Fix SMTP Authentication when using STARTTLS
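Added example, not part of the PR or of Symfony's Mailer code: a minimal capability parser showing why the AUTH list has to be read from the EHLO reply sent after STARTTLS. The function names `parseEhloCapabilities()` and `authMechanisms()` are hypothetical, and the sample replies are shortened, constructed copies of the exchange above.

```php
<?php
declare(strict_types=1);

/** Parse a multi-line EHLO reply into [KEYWORD => [params...]]. */
function parseEhloCapabilities(string $reply): array
{
    $lines = preg_split('/\r?\n/', trim($reply));
    array_shift($lines); // first line carries the server domain, not a capability
    $capabilities = [];
    foreach ($lines as $line) {
        // "250-KEYWORD params" (continuation) or "250 KEYWORD params" (last line)
        if (!preg_match('/^250[ -]([A-Za-z0-9][A-Za-z0-9-]*)(?:[ =](.*))?$/', $line, $m)) {
            continue;
        }
        $params = isset($m[2]) && '' !== trim($m[2]) ? preg_split('/\s+/', trim($m[2])) : [];
        // "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" line are merged
        $keyword = strtoupper($m[1]);
        $capabilities[$keyword] = array_values(array_unique(array_merge($capabilities[$keyword] ?? [], $params)));
    }

    return $capabilities;
}

/** Return the AUTH mechanisms the client may rely on for this session. */
function authMechanisms(string $preTlsReply, ?string $postTlsReply): array
{
    $capabilities = parseEhloCapabilities($preTlsReply);
    if (isset($capabilities['STARTTLS'])) {
        if (null === $postTlsReply) {
            throw new LogicException('EHLO must be sent again after STARTTLS.');
        }
        // RFC 3207: discard everything learned in cleartext, keep only the post-TLS list
        $capabilities = parseEhloCapabilities($postTlsReply);
    }

    return $capabilities['AUTH'] ?? [];
}

// Constructed sample input: shortened copies of the two EHLO replies in the exchange above.
$preTls = implode("\r\n", ['250-mydomain.tld', '250-PIPELINING', '250-STARTTLS', '250 CHUNKING']);
$postTls = implode("\r\n", ['250-mydomain.tld', '250-AUTH PLAIN LOGIN', '250-AUTH=PLAIN LOGIN', '250 CHUNKING']);

echo 'AUTH in first EHLO:  ', json_encode(parseEhloCapabilities($preTls)['AUTH'] ?? []), PHP_EOL;
echo 'AUTH after STARTTLS: ', json_encode(authMechanisms($preTls, $postTls)), PHP_EOL;
```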
This PR was merged into the 4.4 branch.
Discussion
----------
[DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
A case we forgot to handle.
Commits
-------
c3574858b5 [DependencyInjection] Handle env var placeholders in CheckTypeDeclarationsPass
This PR was squashed before being merged into the 4.4 branch (closes #34802).
Discussion
----------
[Security] Check UserInterface::getPassword is not null before calling needsRehash
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
`Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface::needsRehash()` expects a string as the input argument. In some cases `Symfony\Component\Security\Core\User\UserInterface::getPassword()` is used as the input argument, but this function can return `null` resulting in a potential type error.
Commits
-------
8e4cf497cd [Security] Check UserInterface::getPassword is not null before calling needsRehash
This PR was merged into the 4.4 branch.
Discussion
----------
[SecurityBundle] Fix TokenStorage::reset not called in stateless firewall
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | NA
| License | MIT
| Doc PR | NA
By default, the service `security.token_storage` is resettable. https://github.com/symfony/symfony/blob/master/src/Symfony/Bundle/SecurityBundle/Resources/config/security.xml#L22-L24
But when using a stateless application without session, the `RegisterTokenUsageTrackingPass` replaces the service `security.token_storage` with an alias to `security.untracked_token_storage` (which is not tagged as resettable).
Commits
-------
616c30f185 Fix TokenStorage::reset not called in stateless firewall
* 4.3:
[DotEnv] Remove `usePutEnv` property default value
Set up typo fix
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to "true"
do not validate passwords when the hash is null
[DI] fix resolving bindings for named TypedReference
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 4.3.10
updated VERSION for 4.3.9
updated CHANGELOG for 4.3.9
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
Add test on ServerLogHandler
* 3.4:
[Validator] Allow underscore character "_" in URL username and password
[SecurityBundle] Passwords are not encoded when algorithm set to "true"
do not validate passwords when the hash is null
[DI] Fix making the container path-independent when the app is in /app
Allow copy instead of symlink for ./link script
[FrameworkBundle] resolve service locators in `debug:*` commands
bumped Symfony version to 3.4.37
updated VERSION for 3.4.36
update CONTRIBUTORS for 3.4.36
updated CHANGELOG for 3.4.36
This PR was merged into the 4.3 branch.
Discussion
----------
[DotEnv] Remove `usePutEnv` property default value
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | n/a
| License | MIT
| Doc PR | n/a
The default value is already set in the constructor (and changes in 5.0, see https://github.com/symfony/symfony/pull/31957/files#diff-3dc82e6e990428b0c71cf2112d02269fR44) and the class is final.
Commits
-------
362c339fa6 [DotEnv] Remove `usePutEnv` property default value
This PR was submitted for the master branch but it was squashed and merged into the 4.4 branch instead.
Discussion
----------
[HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
| Q | A
| ------------- | ---
| Branch? | master / 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34659
| License | MIT
If option `ttl` was not defined in RedisSessionHandler, this got the default `session.gc_maxlifetime`. With this fix, RedisSessionHandler gets the current `session.gc_maxlifetime`.
Commits
-------
b6253e2336 [HttpFoundation] get currently session.gc_maxlifetime if ttl doesnt exists
This PR was submitted for the 4.4 branch but it was merged into the 4.3 branch instead.
Discussion
----------
[Messenger] "set up" typo fix
| Q | A
| ------------- | ---
| Branch? | master for features / 3.4, 4.3, 4.4 or 5.0 for bug fixes
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| License | MIT
There's a typo, `setup` is a noun, but it should be a verb `set up`.
Commits
-------
b0daf020de Set up typo fix
This PR was merged into the 3.4 branch.
Discussion
----------
[FrameworkBundle] resolve service locators in `debug:*` commands
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34470
| License | MIT
| Doc PR | -
Because of the way ServiceClosureArgument are dumped, we need to resolve locators after loading the xml dump of the container:
https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/DependencyInjection/Dumper/XmlDumper.php#L273
Commits
-------
820da66346 [FrameworkBundle] resolve service locators in `debug:*` commands
This PR was merged into the 3.4 branch.
Discussion
----------
[3.4][Validator] Allow underscore character "_" in URL username and password
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| License | MIT
Hello!
It's been a long time since my last push on Symfony :)
Here's a bug fix. I think URL usernames and password may contain an underscore. Let me know!
Commits
-------
869518bc7e [Validator] Allow underscore character "_" in URL username and password
This PR was submitted for the master branch but it was merged into the 4.4 branch instead (closes #34811).
Discussion
----------
[TwigBridge] Update bootstrap_4_layout.html.twig missing switch-custom label
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | yes
| New feature? | no
| License | MIT
Missing .custom-control-label for bootstrap custom-switch when using .switch-custom class in label_attr
Commits
-------
9347b2ea2f [TwigBridge] Update bootstrap_4_layout.html.twig
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle][SodiumVault] Create secrets directory only when it is used
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
FWB `secrets` is enabled by default. After upgrading an app to 4.4, a directory is created (and checked on every request) even if I don't use this feature. Can't we just disable it by default btw?
Commits
-------
c86157040a [FrameworkBundle][SodiumVault] Create secrets directory only when needed
This PR was merged into the 4.3 branch.
Discussion
----------
[DI] fix resolving bindings for named TypedReference
| Q | A
| ------------- | ---
| Branch? | 4.3
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
As spotted in https://github.com/symfony/symfony/pull/34769#issuecomment-561064156
Commits
-------
62c227e368 [DI] fix resolving bindings for named TypedReference
This PR was merged into the 4.4 branch.
Discussion
----------
[DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/issues/34752
| License | MIT
| Doc PR | -
One more case we forgot 😅
Commits
-------
b6c5a54cfd [DependencyInjection] Resolve expressions in CheckTypeDeclarationsPass
This PR was merged into the 4.4 branch.
Discussion
----------
[Translation] Fix FileDumper behavior
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34713
| License | MIT
| Doc PR | -
Execute `bin/console translation:update --force en` command:
## Before
See related issue for details #34713
## After
The default translation file name will depend on whether the intl (or polyfill) extension is installed or not.
For example:
| Intl extension (or polyfill) installed | translation file created |
| --- | --- |
| no | messages.en.xlf |
| yes | messages+intl-icu.en.xlf |
However, if you are currently updating a single file, that file name will be used regardless of whether the Intl extension is installed, i.e. if you have this translation file: `messages.en.xlf`, new translation keys will be stored in it, even if you have installed the intl extension.
Last, if both translation files (`messages.es.xlf` and `messages+intl-icu.en.xlf`) coexist in the same path, rare but possible, we will use the default filename guessed earlier to store all current messages and the other file will be emptied.
Commits
-------
1c41ae7631 Fixed translations file dumper behavior
This PR was merged into the 3.4 branch.
Discussion
----------
[SecurityBundle] Passwords are not encoded when algorithm set to "true"
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34725
| License | MIT
| Doc PR | -
If the algorithm is set to `true`, the password will be encoded as a plain password.
```
security:
    encoders:
        App\User\User:
            algorithm: true
```
The reason for this is the non-strict comparison of PHP switches.
```
switch ($config['algorithm']) {
    case 'plaintext':
}
```
`true == 'plaintext'` is `true`, so the first case is hit. My first solution was to cast the algorithm to a string, to prevent this. After some feedback, I now catch this problem earlier and do not allow true as a valid value for the algorithm option.
Ps. This is my first PR for Symfony, any feedback is welcome :-)!
Commits
-------
83a5517c01 [SecurityBundle] Passwords are not encoded when algorithm set to "true"
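Added example, not the PR's code or SecurityBundle's: the loose `switch` comparison described above, next to an up-front type check. `encoderForLoose()` and `encoderForStrict()` are hypothetical names, and the strict variant goes one step further than the PR description by rejecting every non-string value, not only `true`.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the encoder selection; switch compares with ==.
function encoderForLoose($algorithm): string
{
    switch ($algorithm) {
        case 'plaintext':
            return 'plaintext';
        case 'bcrypt':
            return 'bcrypt';
        default:
            return 'custom:' . var_export($algorithm, true);
    }
}

// Validate the configured value before it reaches the switch.
function encoderForStrict($algorithm): string
{
    if (!is_string($algorithm) || '' === $algorithm) {
        throw new InvalidArgumentException(
            sprintf('"algorithm" must be a non-empty string, %s given.', gettype($algorithm))
        );
    }

    return encoderForLoose($algorithm);
}

// Constructed sample values. YAML "algorithm: true" is parsed as the boolean
// true, not as the string "true".
foreach ([true, 'true', 'bcrypt', 'plaintext'] as $value) {
    $loose = encoderForLoose($value);
    try {
        $strict = encoderForStrict($value);
    } catch (InvalidArgumentException $e) {
        $strict = 'rejected (' . $e->getMessage() . ')';
    }
    printf("%-12s loose=%-16s strict=%s\n", var_export($value, true), $loose, $strict);
}
```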
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] do not validate passwords when the hash is null
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34775
| License | MIT
| Doc PR |
Commits
-------
5699cb22bb do not validate passwords when the hash is null
This PR was merged into the 4.4 branch.
Discussion
----------
[SecurityBundle] Use config variable in AnonymousFactory
| Q | A
| ------------- | ---
| Branch? | 4.4 and 5.0
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
It looks like the `AnonymousFactory` was copied incorrectly in https://github.com/symfony/symfony/pull/33503 as it uses the old `$firewall` variable available in `SecurityExtension.php`. Changing this to `$config` yields the desired results
Commits
-------
8d850d2da4 When set, get secret from config variable
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle] Set the parameter bag as resolved in ContainerLintCommand
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix https://github.com/symfony/symfony/issues/34526, Closes #34767
| License | MIT
| Doc PR | -
Alternative to https://github.com/symfony/symfony/pull/34767, idea by @nicolas-grekas.
Commits
-------
e8d3c2b969 [FrameworkBundle] Set the parameter bag as resolved in ContainerLintCommand
This PR was merged into the 4.3 branch.
Discussion
----------
[MonologBridge] Add test on ServerLogHandler
| Q | A
| ------------- | ---
| Branch? | 5.0
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | /
| License | MIT
| Doc PR | /
After writing https://github.com/symfony/symfony/pull/34697#issuecomment-559840469 I realized that ServerLogHandler wasn't tested.
Tell me if it's a BugFix and should be rebased on 4.3
Commits
-------
8c7947f827 Add test on ServerLogHandler
This PR was merged into the 3.4 branch.
Discussion
----------
Allow copy instead of symlink for ./link script
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
Not the most efficient way to work, but sometimes it helps to test a bug fix/feature within an existing project for which symlinks can't be resolved due to the dev environment (e.g: a Vagrant where only the current project directory is mounted).
Commits
-------
b28fe66363 Allow copy instead of symlink for ./link script
This PR was merged into the 4.4 branch.
Discussion
----------
[Security/Core] Fix checking for SHA256/SHA512 passwords
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #...
| License | MIT
| Doc PR | symfony/symfony-docs#...
The code to validate bcrypt passwords (#31763) needs to include SHA256 and SHA512-hashed passwords. These are used on RedHat (and derived) systems.
Since SHA256/512 don't appear to have a limit of 72 characters, I simply created a new if() block.
Commits
-------
799c85b67c [Security/Core] Fix checking for SHA256/SHA512 passwords
This PR was merged into the 3.4 branch.
Discussion
----------
[DI] Fix making the container path-independent when the app is in /app
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix #34750, Fix #34611
| License | MIT
| Doc PR | -
Right now, we mandate the app to be nested in a directory of level 2 minimum. This means apps cannot be made path-independent if they are built in e.g. `/app`.
Commits
-------
b33b9a6ad9 [DI] Fix making the container path-independent when the app is in /app