* 3.0:
[HttpKernel] Add listener that checks when request has both Forwarded and X-Forwarded-For
[HttpKernel] Move conflicting origin IPs handling to catch block
[travis] Fix deps=low/high patching
* 2.8:
[HttpKernel] Add listener that checks when request has both Forwarded and X-Forwarded-For
[HttpKernel] Move conflicting origin IPs handling to catch block
[travis] Fix deps=low/high patching
* 2.7:
[HttpKernel] Add listener that checks when request has both Forwarded and X-Forwarded-For
[HttpKernel] Move conflicting origin IPs handling to catch block
[travis] Fix deps=low/high patching
This PR was squashed before being merged into the 2.7 branch (closes#18688).
Discussion
----------
[HttpFoundation] Warning when request has both Forwarded and X-Forwarded-For
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | symfony/symfony-docs#6526
Emit a warning when a request has both a trusted Forwarded header and a trusted X-Forwarded-For header, as this is most likely a misconfiguration which causes security issues.
Commits
-------
ee8842f [HttpFoundation] Warning when request has both Forwarded and X-Forwarded-For
* 3.0:
fixed CS
fixed CS
fixed form tests
[Console] Fix formatting of SymfonyStyle::comment()
[Form] fix post max size translation type extension for >= 2.8
removed dots at the end of @param and @return
fixed typo
* 2.8:
fixed CS
fixed form tests
[Console] Fix formatting of SymfonyStyle::comment()
[Form] fix post max size translation type extension for >= 2.8
removed dots at the end of @param and @return
fixed typo
* 3.0:
[CS] Respect PSR2 4.2
[Form] fix `empty_data` option in expanded `ChoiceType`
[Console] removed unneeded private methods
[Security] [Guard] Improve comment with working example
sync min email validator version
[TwigBridge] Fix inconsistency in LintCommand help
explicitly forbid e-mail validator 2.0 or higher
Fixed SymfonyQuestionHelper multi-choice with defaults
[DoctrineBridge] Don't use object IDs in DoctrineChoiceLoader when passing a value closure
Differentiate between the first time a progress bar is displayed and subsequent times
finished previous commit
No more exception for malformed input name
fix post_max_size_message translation
[Process] Fix pipes cleaning on Windows
Avoid phpunit 5.4 warnings on getMock
[Form] Add exception to FormRenderer about non-unique block names
[Form] Consider a violation even if the form is not submitted
* 2.8:
[CS] Respect PSR2 4.2
[Form] fix `empty_data` option in expanded `ChoiceType`
[Console] removed unneeded private methods
[Security] [Guard] Improve comment with working example
sync min email validator version
[TwigBridge] Fix inconsistency in LintCommand help
explicitly forbid e-mail validator 2.0 or higher
Fixed SymfonyQuestionHelper multi-choice with defaults
[DoctrineBridge] Don't use object IDs in DoctrineChoiceLoader when passing a value closure
Differentiate between the first time a progress bar is displayed and subsequent times
finished previous commit
No more exception for malformed input name
fix post_max_size_message translation
[Process] Fix pipes cleaning on Windows
Avoid phpunit 5.4 warnings on getMock
[Form] Add exception to FormRenderer about non-unique block names
[Form] Consider a violation even if the form is not submitted
* 2.7:
[CS] Respect PSR2 4.2
[Form] fix `empty_data` option in expanded `ChoiceType`
[Console] removed unneeded private methods
sync min email validator version
[TwigBridge] Fix inconsistency in LintCommand help
explicitly forbid e-mail validator 2.0 or higher
Fixed SymfonyQuestionHelper multi-choice with defaults
[DoctrineBridge] Don't use object IDs in DoctrineChoiceLoader when passing a value closure
Differentiate between the first time a progress bar is displayed and subsequent times
finished previous commit
No more exception for malformed input name
fix post_max_size_message translation
[Process] Fix pipes cleaning on Windows
Avoid phpunit 5.4 warnings on getMock
[Form] Add exception to FormRenderer about non-unique block names
[Form] Consider a violation even if the form is not submitted
This PR was merged into the 3.1-dev branch.
Discussion
----------
[FrameworkBundle][Serializer] Fix a deprecation triggered by the ClassMetadataFactory
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | yes
| Tests pass? | yes
| Fixed tickets |
| License | MIT
Without apparent reasons, [FOSRestBundle's tests fail](https://travis-ci.org/FriendsOfSymfony/FOSRestBundle/jobs/124384888) since https://github.com/symfony/symfony/pull/18561.
```
Passing a Doctrine Cache instance as 2nd parameter of the "Symfony\Component\Serializer\Mapping\Factory\ClassMetadataFactory" constructor is deprecated. This parameter will be removed in Symfony 4.0. Use the "Symfony\Component\Serializer\Mapping\Factory\CacheClassMetadataFactory" class instead: 6x
1x in ErrorWithTemplatingFormatTest::testSerializeExceptionHtml from FOS\RestBundle\Tests\Functional
1x in SerializerErrorTest::testSerializeExceptionJson from FOS\RestBundle\Tests\Functional
1x in SerializerErrorTest::testSerializeExceptionJsonWithoutDebug from FOS\RestBundle\Tests\Functional
1x in SerializerErrorTest::testSerializeExceptionXml from FOS\RestBundle\Tests\Functional
1x in SerializerErrorTest::testSerializeInvalidFormJson from FOS\RestBundle\Tests\Functional
1x in SerializerErrorTest::testSerializeInvalidFormXml from FOS\RestBundle\Tests\Functional
```
We don't use cache in our tests but some of them are not in ``debug`` mode (will change soon) so the cache is automatically used.
This PR fixes this deprecation by detecting if the cache used by the serializer is psr6 compliant or not (if it is, then it replaces the default metadata factory by an instance of the new class ``CacheClassMetadataFactory``, otherwise the second parameter of the ``ClassMetadataFactory`` is used).
Commits
-------
15579d5 [FrameworkBundle] Deprecate framework.serializer.cache
eccbffb [Serializer] Improve a deprecation message
96e418a Revert "[FrameworkBundle] Fallback to default cache system in production for serializer"
This PR was merged into the 3.1-dev branch.
Discussion
----------
[FrameworkBundle] Fallback to default cache system in production for serializer
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
In the same idea as https://github.com/symfony/symfony/pull/18544, this PR proposes a default fallback to filesystem cache for the serializer if the APC cache is not enabled in production. In other words, if the following part of `config_prod.yml` file is not uncommented, the filesystem will be used:
``` yaml
#framework:
# serializer:
# cache: serializer.mapping.cache.doctrine.apc
```
Commits
-------
4f0b8be [FrameworkBundle] Fallback to default cache system in production for serializer
This PR was merged into the 3.1-dev branch.
Discussion
----------
[FrameworkBundle] Fallback to default cache system in production for validation
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | WIP
| Fixed tickets | -
| License | MIT
| Doc PR | -
This PR proposes a default fallback to filesystem cache for some services if the APC cache is not enabled in production. In other words, if the following part of `config_prod.yml` file is not uncommented, the filesystem will be used:
``` yaml
#framework:
# validation:
# cache: validator.mapping.cache.doctrine.apc
# serializer:
# cache: serializer.mapping.cache.doctrine.apc
#
# ... other services
```
Commits
-------
1a65595 [FrameworkBundle] Fallback to default cache system in production for validation
This PR was merged into the 3.1-dev branch.
Discussion
----------
[3.1] [WebProfilerBundle] [DX] Feature allow forward and redirection detection in wdt
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #14358, #17501
| License | MIT
| Doc PR | ?
This PR allows to :
- track explicit forward from `\Symfony\Bundle\FrameWorkBundle\Controller\Controller` in the web debug toolbar.
- or pass a request attribute `_forwarded` with the current request attributes (an instance of `ParameterBag`) as value to your sub request before handling it.
- see if you've been redirected (require session enabled)
When redirected you will see the name of the route (if any) and a link to the profile of the original request.
In case of forwarding, the name of the controller is a file link and next to it there is a direct link to the profile of the sub request.
This works pretty well in __Silex__ too by registering `SessionServiceProvider()` for redirections or by providing this method for forwarding :
```php
class App extends \Silex\Application
// (php7 bootstrap) $app = new class extends \Silex\Application {
{
public function forward($controller, array $path = array(), array $query = array()
{
if (!$this->booted) {
throw new LogicException(sprintf('Method %s must be called from a controller.', __METHOD__));
}
$this->flush();
$request = $this['request_stack']->getCurrentRequest();
$path['_forwarded'] = $request->attributes;
$path['_controller'] = $controller;
$subRequest = $request->duplicate($query, null, $path);
return $this['kernel']->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
}
}
```
Commits
-------
0a0e8af [WebProfilerBundle] show the http method in wdt if not 'GET'
4f020b5 [FrameworkBundle] Extends the RequestDataCollector
227ac77 [WebProfilerBundle] [FrameworkBundle] profile forward controller action
0a1b284 [WebProfiler] [HttpKernel] profile redirections
