When event listeners for certain events are removed from the event
dispatcher, empty arrays are not being removed. Therefore, counting
on empty arrays leads to wrong results of the hasListeners() method.
wait() throws an exception when the process was terminated by a signal.
This should not happen when the termination was requested by calling
either the stop() or the signal() method (for example, inside a callback
which is passed to wait()).
This PR was merged into the 2.3 branch.
Discussion
----------
[BrowserKit] Fixed server HTTP_HOST port uri conversion
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11356
| License | MIT
| Doc PR | n/a
See #11356
Commits
-------
103fd88 [BrowserKit] refactor code and fix unquoted regex
f401ab9 Fixed server HTTP_HOST port uri conversion
This PR was merged into the 2.3 branch.
Discussion
----------
Fix issue described in #11421
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11421
| License | MIT
| Doc PR | NA
This pull request fixes the issue described in #11421. It also adds a test for the issue. The issue is present in 2.0 forward, but I decided to fix it on the 2.3 branch so that I could also write a test for it (2.0 had no tests for the Process component, and 2.1 and 2.2 didn't have tests for the `ExecutableFinder` class).
Commits
-------
4cf50e8 Bring code into standard
9f4313c [Process] Add test to verify fix for issue #1142102eb765 [Process] Fixes issue #11421
This PR was merged into the 2.3 branch.
Discussion
----------
Pass a Scope instance instead of a scope name when cloning a container in the GrahpvizDumper
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11055
| License | MIT
| Doc PR | -
Commits
-------
6787669 [DependencyInjection] Pass a Scope instance instead of a scope name.
If null is passed to denormalize(), no property values can be set on
the denormalized object. Additionally, this fixes passing values to
the denormalized object's constructor if the incoming data is an object.
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3][Process] Reduce I/O load on Windows platform
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
When using file handles, no `stream_select` call is done.
On linux platforms, `stream_select` introduce a sleep as it has 0.2s timeout, there is no such pause on Windows, producing lot's of disk I/Os when reading file handles
Commits
-------
ff0bb01 [Process] Reduce I/O load on Windows platform
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3][Form] Check if IntlDateFormatter constructor returned a valid object before using it
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
`IntlDateFormatter` constructor [may return false](http://www.php.net/manual/en/intldateformatter.create.php#refsect1-intldateformatter.create-returnvalues). This patches avoids fatal errors in these cases
This PR replaces #11334
Commits
-------
ebf967d [Form] Check if IntlDateFormatter constructor returned a valid object before using it
This PR was merged into the 2.3 branch.
Discussion
----------
[Validator] Backported #11410 to 2.3: Object initializers are called only once per object
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Before, object initializers were called multiple times if an object was validated in different groups in the same validation run. The initializers, however, are not aware of the current validation group, so calling them more than once does not make sense.
Now, object initializers are called exactly once per validated object.
See #11410
Commits
-------
291cbf9 [Validator] Backported #11410 to 2.3: Object initializers are called only once per object
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3] [Process] Use correct test for empty string in UnixPipes
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
This PR supersedes #11264 : 2.3 compatibility + Windows compatibility + CS fix
Commits
-------
cec0a45 [Process] Adjust PR #11264, make it Windows compatible and fix CS
9e1ea4a [Process] Use correct test for empty string in UnixPipes
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] Fix to prevent magic bytes injection in JSONP responses... (CVE-2014-4671)
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no*
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
| Doc PR | N/A
| CVE Ticket | [CVE-2014-4671](http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4671)
| See Also | [Rosetta Flash](http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/)
\* Unless you are parsing the response string manually, which you really shouldn't do anyway
**THIS IS A SECURITY FIX AND SHOULD BE MERGED SHORTLY**
This fix prevents attacks vectors where third-party browser plugins depends on ASCII magic bytes in order to execute a plugin. This is currently exploited with Flash using a carefully crafted JSONP response, allowing the execution of random SWF data from a domain with a vulnerable JSONP endpoint.
This security issue is mitigated by adding an empty comment right before the callback parameter. This does not affect the execution of the JSONP callback.
Commits
-------
6af3d05 [HttpFoundation] Fix to prevent magic bytes injection in JSONP responses (Prevents CVE-2014-4671)
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3] [Validator] Fix UserPassword validator translation
| Q | A
| ------------- | ---
| Fixed tickets | None
| License | MIT
Fixes the UserPassword translation message only for 2.3 as discussed in symfony/symfony#11383.
Commits
-------
73d50ed Fix UserPassword validator translation
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3][HttpFoundation] Fix wrong assertion in Response test
| Q | A
| ------------- | ---
| Bug fix? | kinda
| New feature? | no
| BC breaks? | no
| Tests pass? | yes
| License | MIT
Commits
-------
3d63f80 [HttpFoundation] Fix wrong assertion in Response test
This PR was merged into the 2.3 branch.
Discussion
----------
remove defaults from PHPUnit configuration
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | --
| License | MIT
| Doc PR | --
Follow-up to #11329.
Commits
-------
afc4930 removed defaults from PHPUnit configuration
This PR was squashed before being merged into the 2.3 branch (closes#11194).
Discussion
----------
[DomCrawler] Remove the query string and the anchor of the uri of a link
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ~
| License | MIT
| Doc PR | ~
Commits
-------
fe5d2d1 [DomCrawler] Remove the query string and the anchor of the uri of a link
The parent constructor will create a new formatter if the $formatter parameter is null
This fix avoids that the formatter becomes 2 different instances in $this and $this->stderr
This PR was squashed before being merged into the 2.3 branch (closes#11179).
Discussion
----------
[Process] Fix ExecutableFinder with open basedir
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This fixes the `ExecutableFinder` object to properly fetch the `open_basedir` setting, also added a bunch of tests for the `find()` method.
Commits
-------
b8f8c0e [Process] Fix ExecutableFinder with open basedir
This PR was merged into the 2.3 branch.
Discussion
----------
[CssSelector] Refactored the CssSelector to remove the circular object graph
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #10879, replaces #11221
| License | MIT
| Doc PR | n/a
This allows the translator and its extensions to be garbage collected based on the refcount rather than requiring the garbage collector run, making it much more likely to happen at the end of the ``CssSelector::toXPath`` call.
Node translators now receive the Translator as second argument, instead of requiring to inject it in the extension to keep a reference to it. This way, the Translator is referenced nowhere inside it, only by the caller, and so will be destructed at the end of the usage (and extensions will then be destructed after it when not used anymore).
Commits
-------
994f81f Refactored the CssSelector to remove the circular object graph
This allows the translator and its extensions to be garbage collected
based on the refcount rather than requiring the garbage collector run,
making it much more likely to happen at the end of the
CssSelector::toXPath call.
This PR was merged into the 2.3 branch.
Discussion
----------
[DomCrawler] properly handle buttons with single and double quotes insid...
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11151
| License | MIT
| Doc PR |
Commits
-------
cbbdbe4 [DomCrawler] properly handle buttons with single and double quotes inside the name attribute
This PR was merged into the 2.3 branch.
Discussion
----------
[Tests] don't disable constructor calls to mockups of classes that extend intern...
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Fixes the tests for the 2.3 branch as reported by @stof in #11176.
Commits
-------
2c726b8 don't disable constructor calls to mockups of classes that extend internal PHP classes
See [PSR-2](http://www.php-fig.org/psr/psr-2/) paragraph 5.2
> There MUST be a comment such as `// no break` when fall-through is intentional in a non-empty case body.
Related to #11181
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] Fixed Request::getPort returns incorrect value under IPv6
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
2a0e8e3 [HttpFoundation] Fixed Request::getPort returns incorrect value under IPv6
This PR was merged into the 2.3 branch.
Discussion
----------
[Filesystem] Fix test suite on OSX
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
Reviewing PR's, I realized the filesystem test suite fails on my setup (OSX, PHP 5.5.13 with posix ext). `posix_getgrgid` returns false, so some tests are failing.
This solves this issue.
Be aware that the patched method has been moved in FilesystemTestCase in recent branches
Commits
-------
e26f08e [Filesystem] Fix test suite on OSX
This PR was squashed before being merged into the 2.3 branch (closes#10966).
Discussion
----------
PHP Fatal error when getContainer method of ContainerAwareCommand has be...
PHP Fatal error when getContainer method of ContainerAwareCommand has been called within the configure method of a Command (application property is not been set yet at that time)
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Commits
-------
8ea5c4c PHP Fatal error when getContainer method of ContainerAwareCommand has be...
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] Fix basic authentication in url with PHP-FPM
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | dispute
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
`getUser()` and `getPassword()` from `Request` are broken when using PHP-FPM because of the lack of `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`. This PR fixes the issue.
However, now an empty password will return an empty string (which is the expected behavior of `ServerBag`) instead of `NULL`. The test is updated accordingly, but should we consider this as a breakage?
This issue was spotted by using basic auth via the Illuminate component of Laravel and is present from v2.1.0 to master.
Commits
-------
7a75adf [HttpFoundation] Basic auth in url is broken when using PHP CGI/FPM
Request#getUser() and Request#getPassword() introduced in
aecfd0a891 do not handle the lack of
PHP_AUTH_USER and PHP_AUTH_PW in $this->server when using PHP-FPM. Use
$this->headers instead.
Furthermore, the test of empty password now expects an empty string
instead of NULL according to a450d002f2.
If you have a select with attribute name="foo[]", and you submit your form, http_build_query returns empty string as a result. In this case you get a form extra field validation error, because your field "foo" converts to
'' => bool(false)
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] smaller fixes for PdoSessionHandler
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #10652
| License | MIT
For both the PdoSessionHandler and DbalSessionHandler
- https://github.com/symfony/symfony/pull/10652#issuecomment-42370425: Transactional DELETE + INSERT does not work as expected
- https://github.com/symfony/symfony/pull/10652#issuecomment-44359784: sqlsrv 2005 does not support the MERGE SQL, and if used it requires an HOLDLOCK
- missing time update for sqlsrv and oracle
Commits
-------
a0e1d4d [Doctrine Bridge] fix DBAL session handler according to PdoSessionHandler
00d707f [HttpFoundation] use different approach for duplicate keys in postgres, fix merge for sqlsrv and oracle
This PR was merged into the 2.3 branch.
Discussion
----------
[Validator] Fix a parameter name in a test
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
| Doc PR | not required
Commits
-------
069e925 Fix a parameter name in a test
At the moment both constraints can only be defined on other annotations (specifically, the Collection annotation). Defining the required or optional annotation directly on a field or method throws a ClassNotFoundException, since the constraint validator factory tries to load the validator (which does not exist).
This PR was squashed before being merged into the 2.3 branch (closes#10983).
Discussion
----------
[DomCrawler] Fixed charset detection in html5 meta charset tag
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | N/A
| License | MIT
It may be minor to folks with ascii-charactered language, but is critical for us Japanese.
Many Japanese websites with SJIS encoding have "Shift_JIS" as their encoding declaration.
Commits
-------
172e752 [DomCrawler] Fixed charset detection in html5 meta charset tag
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3][Process] Add validation on Process input
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
This adds validation on Process input. For the moment, passing a stream would result in a PHP error.
I propose to deprecate values that are not strictly string in 2.6 (see upcoming PR)
Commits
-------
583092b [Process] Add validation on Process input
This PR was merged into the 2.3 branch.
Discussion
----------
[Validator] Fixed StaticMethodLoaderTest on systems that don't have E_STRICT enabled by default
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
a470ae2 [Validator] Fixed StaticMethodLoader on systems that don't have E_STRICT enabled by default
This PR was merged into the 2.3 branch.
Discussion
----------
[DomCrawler] Fixed the coding standards to use strict comparisons
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Many places in DomCrawler are using loose comparison instead of strict comparison. I saw them while checking the whole component for DOMNode vs DOMElement usage whe working on #10927. However, I submitted this change to 2.3 instead, to ease merging between branches (applying the change only in master would likely create conflicts regularly when merging changes in DomCrawler between branches later)
Commits
-------
77b446c [DomCrawler] Fixed the coding standards to use strict comparisons
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpFoundation] implement session locking for PDO
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #4976 for PDO
| License | MIT
This is probably the first Session Handler for databases that actually works with locking. I've seen many implementations of session handlers (mostly only for one database vendor) while researching and none used locking. Not even the [PHPs SQLite session handler](https://github.com/php/php-src/blob/PHP-5.3/ext/sqlite/sess_sqlite.c) or [PECL Postgres Handler](http://svn.php.net/viewvc/pecl/session_pgsql/trunk/session_pgsql.c?revision=326806&view=markup) implemented locking correctly which is probably the reason why they have been discontinued. [Zend Session](https://github.com/zendframework/zf2/blob/master/library/Zend/Session/SaveHandler/DbTableGateway.php) seems not to use locking either. But it saves the lifetime together with the session which seems like a good idea because you could have different lifetimes for different sessions.
- Implements session locking for MySQL, Postgres, Oracle, SQL Server and SQLite.
Only tested it for MySQL. So would be good if someone can confirm it works as intended on the other databases as well.
- Also removed the custom RuntimeException which is not useful and a PDOException extends RuntimeException anyway, so no BC break.
- I added a default for the table name to be in line with the DoctrineSessionHandler.
- Check session.gc_maxlifetime in read(). Imagine we have only ever one user on an app. If maxlifetime is not checked in read, his session would never expire! What I don't get is why PHP calls gc() after read() instead of calling it before... Strange decision. For this reason I also had to do the following to improve performance.
- I delay gc() to close() so that it is executed outside the transactional and blocking read-write process. This way, pruning expired sessions does not block them from being started while the current session is used.
- Fixed time update for Oracle and SQL Server.
Commits
-------
50ec828 [HttpFoundation] implement session locking for PDO
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpKernel] removed absolute paths from the generated container
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | first step to resolve#6484, #3079, and #9238
| License | MIT
| Doc PR | n/a
This PR converts absolute paths to relative ones in the dumped container. The code is a bit "ugly", but it gets the job done and I'm not sure that there is a more elegant way without breaking everything.
Commits
-------
c1450b4 [HttpKernel] removed absolute paths from the generated container