This PR was squashed before being merged into the 4.3-dev branch (closes#30901).
Discussion
----------
Renamed NotPwned to NotCompromisedPassword
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | -
| License | MIT
| Doc PR | -
<!--
Write a short README entry for your feature/bugfix here (replace this comment block.)
This will help people understand your PR and can be used as a start of the Doc PR.
Additionally:
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
-->
Commits
-------
2f648b04ae Renamed NotPwned to NotCompromisedPassword
* 4.2: (45 commits)
[Form] various minor fixes
Ensure the parent process is always killed
bugfix: the terminal state was wrong and not reseted
[Console] Fix inconsistent result for choice questions in non-interactive mode
Define null return type for Constraint::getDefaultOption()
[Routing] Fix: annotation loader ignores method's default values
[HttpKernel] Fix DebugHandlersListener constructor docblock
Skip Glob brace test when GLOB_BRACE is unavailable
bumped Symfony version to 4.2.6
updated VERSION for 4.2.5
updated CHANGELOG for 4.2.5
bumped Symfony version to 3.4.25
updated VERSION for 3.4.24
update CONTRIBUTORS for 3.4.24
updated CHANGELOG for 3.4.24
[EventDispatcher] cleanup
fix testIgnoredAttributesInContext
Re-generate icu 64.1 data
Improve PHPdoc / IDE autocomplete for config tree builder
[Bridge][Twig] DebugCommand - fix escaping and filter
...
This PR was squashed before being merged into the 4.3-dev branch (closes#27738).
Discussion
----------
[Validator] Add a HaveIBeenPwned password validator
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass? | yes <!-- please add some, will be required by reviewers -->
| Fixed tickets | n/a <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | todo
This PR adds a new `Pwned` validation constraint to prevent users to choose passwords that have been leaked in public data breaches.
The validator uses the https://haveibeenpwned.com/ API. The implementation is similar to the one used by [Firefox Monitor](https://blog.mozilla.org/futurereleases/2018/06/25/testing-firefox-monitor-a-new-security-tool/). It allows to not expose the password hash using a k-anonymity model. The specific implementation for HaveIBeenPwned has been [described in depth by Cloudflare](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/).
Usage:
```php
// Rejects the password if is present in any number of times in any data breach
class User
{
/** @Pwned */
public $plainPassword;
}
// Rejects the password if is present more than 5 times in data breaches
class User
{
/** @Pwned(maxCount=5) */
public $plainPassword;
}
// Customize the error message
class User
{
/** @Pwned(message='Please select another password, this one has already been hacked.') */
public $plainPassword;
}
```
Commits
-------
ec1ded898a [Validator] Add a HaveIBeenPwned password validator
* 4.2: (26 commits)
Apply php-cs-fixer rule for array_key_exists()
[Cache] fix warming up cache.system and apcu
[Security] Change FormAuthenticator if condition
handles multi-byte characters in autocomplete
speed up tests running them without debug flag
[Translations] added missing Croatian validators
Fix getItems() performance issue with RedisCluster (php-redis)
[VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
IntegerType: reject submitted non-integer numbers
be keen to newcomers
[HttpKernel] Fix possible infinite loop of exceptions
fixed CS
[Validator] Added missing translations for Afrikaans
do not validate non-submitted form fields in PATCH requests
Update usage example in ArrayInput doc block.
[Console] Prevent ArgvInput::getFirstArgument() from returning an option value
[Validator] Fixed duplicate UUID
fixed CS
[EventDispatcher] Fix unknown priority
Avoid mutating the Finder when building the iterator
...
* 3.4: (24 commits)
Apply php-cs-fixer rule for array_key_exists()
[Security] Change FormAuthenticator if condition
handles multi-byte characters in autocomplete
speed up tests running them without debug flag
[Translations] added missing Croatian validators
Fix getItems() performance issue with RedisCluster (php-redis)
[VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
IntegerType: reject submitted non-integer numbers
be keen to newcomers
[HttpKernel] Fix possible infinite loop of exceptions
fixed CS
[Validator] Added missing translations for Afrikaans
do not validate non-submitted form fields in PATCH requests
Update usage example in ArrayInput doc block.
[Console] Prevent ArgvInput::getFirstArgument() from returning an option value
[Validator] Fixed duplicate UUID
fixed CS
[EventDispatcher] Fix unknown priority
Avoid mutating the Finder when building the iterator
[Validator] Add the missing translations for the Greek (el) locale
...
* 4.2:
[Console] Fix command testing with missing inputs
[Validator] Sync no/nb translation files
[Translation] Added a script to display the status of translations
[Validator] Added missing translations for Norwegian (\"no\") locale #30179
[Security\Guard] bump lowest version of security-core
[TwigBridge] Fix test
Remove unnecessary ProgressBar stdout writes (fixes flickering)
[Validator] improve translations for albanian ("sq") locale
[VarDumper] fix serializing Stub instances
[Validator] Added missing use statement for UnexpectedTypeException
Don't resolve the Deprecation error handler mode until a deprecation is triggered
bug #30245 fix lost namespace in eval (fizzka)
fix lost namespace in eval
[Twig] removed usage of non-namespaced classes
added missing dot
Update validators.lt.xlf
#30172 Add the missing validation translations for the Luxembourgish …
[Debug][ErrorHandler] Preserve next error handler
This PR was squashed before being merged into the 4.3-dev branch (closes#28477).
Discussion
----------
[Validator] Add new json Validator
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/10351
Hi,
in so many cases we want to test if a value is a valid json or not, so I propose this new ~~NotJson~~ `Json` constraint for this need.
cordially,
Commits
-------
131febc7be [Validator] Add new json Validator
* 4.2: (25 commits)
Add missing ID_id validators translation
fixed CS
Added missing translations in validators.tr.xlf
Update validators.es.xlf
Update validators.hu.xlf
[Validator] Add the missing translations for the Welsh (cy) locale
[Validator] Add missing DE validator translations
[Validator] Add the missing translations for the Dutch (nl) locale
Add missing PL translation
Add missing translations.
Add missing translations for IT to Validator
minor #30184 [Validator] Add the missing translations for the Russian (ru) locale (antonch1989)
[Validator] Add the missing translations for the Arabic (ar) locale
add_missing_translations_for_portuguese : [Validator] Add the missing translations for the Portuguese ("pt") locale
[Validator] Add the missing translations for the French (fr) locale
[Validator] Add some missing contents to the English translation
use PropertyAccessorInterface instead of PropertyAccessor
Fix KernelTestCase compatibility for PhpUnit 8 (bis)
add xabbuh as code owner of the Form component
[Validator] Added a missing translation
...
* 3.4: (25 commits)
Add missing ID_id validators translation
fixed CS
Added missing translations in validators.tr.xlf
Update validators.es.xlf
Update validators.hu.xlf
[Validator] Add the missing translations for the Welsh (cy) locale
[Validator] Add missing DE validator translations
[Validator] Add the missing translations for the Dutch (nl) locale
Add missing PL translation
Add missing translations.
Add missing translations for IT to Validator
minor #30184 [Validator] Add the missing translations for the Russian (ru) locale (antonch1989)
[Validator] Add the missing translations for the Arabic (ar) locale
add_missing_translations_for_portuguese : [Validator] Add the missing translations for the Portuguese ("pt") locale
[Validator] Add the missing translations for the French (fr) locale
[Validator] Add some missing contents to the English translation
use PropertyAccessorInterface instead of PropertyAccessor
Fix KernelTestCase compatibility for PhpUnit 8 (bis)
add xabbuh as code owner of the Form component
[Validator] Added a missing translation
...
* 3.4:
fixed CS
fixed short array CS in comments
fixed CS in ExpressionLanguage fixtures
fixed CS in generated files
fixed CS on generated container files
fixed CS on Form PHP templates
fixed CS on YAML fixtures
fixed fixtures
switched array() to []
* 4.2: (27 commits)
[VarExporter] dont call userland code with uninitialized objects
Fix typos in doc blocks
[Debug] ignore underscore vs backslash namespaces in DebugClassLoader
[TwigBridge][Form] Prevent multiple rendering of form collection prototypes
[FrameworkBundle] fix describing routes with no controllers
[DI] move RegisterServiceSubscribersPass before DecoratorServicePass
Update ValidationListener.php
[Yaml] ensures that the mb_internal_encoding is reset to its initial value
[Messenger] Restore message handlers laziness
[WebLink] Fixed documentation link
[Security] getTargetPath of TargetPathTrait must return string or null
[Hackday][Serializer] Deserialization ignores argument type hint from phpdoc for array in constructor argument
Optimize perf by replacing call_user_func with dynamic vars
[Cache] Fix dsn parsing
[Routing] fix dumping same-path routes with placeholders
[WebProfilerBundle][TwigBundle] CSS fixes
Add a docblock for FormFactoryInterface
[Security] defer log message in guard authenticator
[Validator] Added IBAN format for Vatican City State
merge conflicts
...
* 4.1:
Fix typos in doc blocks
[Debug] ignore underscore vs backslash namespaces in DebugClassLoader
[TwigBridge][Form] Prevent multiple rendering of form collection prototypes
[FrameworkBundle] fix describing routes with no controllers
[DI] move RegisterServiceSubscribersPass before DecoratorServicePass
Update ValidationListener.php
[Yaml] ensures that the mb_internal_encoding is reset to its initial value
[WebLink] Fixed documentation link
[Security] getTargetPath of TargetPathTrait must return string or null
[Hackday][Serializer] Deserialization ignores argument type hint from phpdoc for array in constructor argument
Optimize perf by replacing call_user_func with dynamic vars
[Routing] fix dumping same-path routes with placeholders
[Security] defer log message in guard authenticator
[Validator] Added IBAN format for Vatican City State
merge conflicts
filter out invalid Intl values
filter out invalid language values
[Validator] Fixed grouped composite constraints
[Form] Filter arrays out of scalar form types
Fix HeaderBag::get phpdoc
This PR was merged into the 4.1 branch.
Discussion
----------
Optimize perf by replacing call_user_func with dynamic variables
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
This provides similar boost as in https://github.com/symfony/symfony/pull/29245, but on more places and without complexity increase. Check eg. https://github.com/fab2s/call_user_func for proof
Fabpot failure unrelated
Commits
-------
0c6ef01713 Optimize perf by replacing call_user_func with dynamic vars
* 3.4:
[Validator] Added IBAN format for Vatican City State
filter out invalid Intl values
[Validator] Fixed grouped composite constraints
[Form] Filter arrays out of scalar form types
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Validator] Checking a BIC along with an IBAN
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #28166
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/10349
A BIC comes usually with an IBAN so it's better to check that they are associated. This PR provides an `iban` option to `Symfony\Component\Validator\Constraints\Bic` to check the BIC against an IBAN.
It also provides an `ibanPropertyPath` to retrieves the IBAN using the property accessor like with comparison constraints.
Commits
-------
bb6be1534a [Validator] Checking a BIC along with an IBAN Fix#28166
This PR was squashed before being merged into the 4.2-dev branch (closes#26261).
Discussion
----------
[Validator] Improvement: provide file basename for constr. violation messages in FileValidator.
| Q | A
| ------------- | ---
| Branch? | 3.4 <!-- see below -->
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | no
| License | MIT
| Doc PR | N/A
`\Symfony\Component\Validator\Constraints\FileValidator` provides absolute path to file on server when user, per example, uploads empty file, too large file, of wrong mime type, etc...
Absolute path to file on server does not have value to the end user, on top of that, exposing it can be a security issue - end user should not be aware of server filesystem.
Basename of file, however, has value (per example: MyAwesomeSheet.xlsx, MyCV.doc, etc..) - if something is wrong with file upload (size, mime, etc...).
If basename is exposed, we can construct messages like: "Your file 'MyCV.doc' is not allowed for upload due to....whatever"...
This PR provides basename of file so end user of `\Symfony\Component\Validator\Constraints\FileValidator` can construct error messages of higher value for end user.
Commits
-------
a77abadf06 [Validator] Improvement: provide file basename for constr. violation messages in FileValidator.
* 4.1:
[DI] configure inlined services before injecting them when dumping the container
Consistently throw exceptions on a single line
fix fopen calls
Update .editorconfig
* 3.4:
[DI] configure inlined services before injecting them when dumping the container
Consistently throw exceptions on a single line
fix fopen calls
Update .editorconfig
* 4.1:
[appveyor] fix
[DI] Fix dumping some complex service graphs
Revert "minor #28321 [Routing] Fixed the interface description of the url generator interface (Toflar)"
Fixed caching of templates in default path on cache warmup
added missing LICENSE file
remove cache warmers when Twig cache is disabled
[Workflow] Make sure we do not run the next transition on an updated state
change baseUrl to basePath to fix wrong profiler url
[HttpKernel][FrameworkBundle] Fix escaping of serialized payloads passed to test clients
chore: rename Appveyor filename
Fixed the interface description of the url generator interface
Format file size in validation message according to binaryFormat option
* 3.4:
[appveyor] fix
Revert "minor #28321 [Routing] Fixed the interface description of the url generator interface (Toflar)"
Fixed caching of templates in default path on cache warmup
remove cache warmers when Twig cache is disabled
[HttpKernel][FrameworkBundle] Fix escaping of serialized payloads passed to test clients
chore: rename Appveyor filename
Fixed the interface description of the url generator interface
Format file size in validation message according to binaryFormat option
* 2.8:
[appveyor] fix
Revert "minor #28321 [Routing] Fixed the interface description of the url generator interface (Toflar)"
remove cache warmers when Twig cache is disabled
[HttpKernel][FrameworkBundle] Fix escaping of serialized payloads passed to test clients
chore: rename Appveyor filename
Fixed the interface description of the url generator interface
Format file size in validation message according to binaryFormat option
* 4.0:
Fix Clidumper tests
Enable the fixer enforcing fully-qualified calls for compiler-optimized functions
Apply fixers
Disable the native_constant_invocation fixer until it can be scoped
Update the list of excluded files for the CS fixer
* 3.4:
Fix Clidumper tests
Enable the fixer enforcing fully-qualified calls for compiler-optimized functions
Apply fixers
Disable the native_constant_invocation fixer until it can be scoped
Update the list of excluded files for the CS fixer
* 2.8:
Fix Clidumper tests
Enable the fixer enforcing fully-qualified calls for compiler-optimized functions
Apply fixers
Disable the native_constant_invocation fixer until it can be scoped
Update the list of excluded files for the CS fixer
* 4.0:
do not mock the session in token storage tests
[DependencyInjection] resolve array env vars
Add Occitan plural rule
Fix security/* cross-dependencies
[Lock] Skip test if posix extension is not installed
[DI] Allow defining bindings on ChildDefinition
use strict compare in url validator
Disallow illegal characters like "." in session.name
[HttpKernel] do file_exists() check instead of silent notice
fix rounding from string
* 3.4:
do not mock the session in token storage tests
[DependencyInjection] resolve array env vars
Add Occitan plural rule
Fix security/* cross-dependencies
[Lock] Skip test if posix extension is not installed
[DI] Allow defining bindings on ChildDefinition
use strict compare in url validator
Disallow illegal characters like "." in session.name
[HttpKernel] do file_exists() check instead of silent notice
fix rounding from string
* 4.0:
fix merge
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
Add missing @ in phpdoc return statement
Don't right trim the deprecation message
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
[FrameworkBundle] fix tests
Prefer composer install instead for using Symfony Installer
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
* 3.4:
fix merge
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
Add missing @ in phpdoc return statement
Don't right trim the deprecation message
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
[FrameworkBundle] fix tests
Prefer composer install instead for using Symfony Installer
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
* 3.3:
fix merge
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
Add missing @ in phpdoc return statement
Don't right trim the deprecation message
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
* 2.8:
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
* 2.7:
fixed wrong description in a phpdoc
19 digits VISA card numbers are valid
[HttpKernel] Fixed test name
[Debug] prevent infinite loop with faulty exception handlers
Add the missing `enabled` session attribute
[HttpKernel] Turn bad hosts into 400 instead of 500
