Commit Graph

1036 Commits

Author SHA1 Message Date
Fabien Potencier
c37b6beb73 updated version to 4.1 2017-11-21 18:31:29 +01:00
Nicolas Grekas
595a5b947f Merge branch '3.4'
* 3.4:
  fixed CS
  fixed CS
  [Security] Namespace generated CSRF tokens depending of the current scheme
  ensure that submitted data are uploaded files
  [Console] remove dead code
  bumped Symfony version to 3.3.13
  updated VERSION for 3.3.12
  updated CHANGELOG for 3.3.12
  bumped Symfony version to 2.8.31
  updated VERSION for 2.8.30
  updated CHANGELOG for 2.8.30
  bumped Symfony version to 2.7.38
  updated VERSION for 2.7.37
  updated CHANGELOG for 2.7.37
  [Security] Validate redirect targets using the session cookie domain
  prevent bundle readers from breaking out of paths
2017-11-16 17:25:49 +02:00
Nicolas Grekas
caa10ae038 Merge branch '3.3' into 3.4
* 3.3:
  fixed CS
  fixed CS
  [Security] Namespace generated CSRF tokens depending of the current scheme
  ensure that submitted data are uploaded files
  [Console] remove dead code
  bumped Symfony version to 3.3.13
  updated VERSION for 3.3.12
  updated CHANGELOG for 3.3.12
  bumped Symfony version to 2.8.31
  updated VERSION for 2.8.30
  updated CHANGELOG for 2.8.30
  bumped Symfony version to 2.7.38
  updated VERSION for 2.7.37
  updated CHANGELOG for 2.7.37
  [Security] Validate redirect targets using the session cookie domain
  prevent bundle readers from breaking out of paths
2017-11-16 17:25:26 +02:00
Nicolas Grekas
ea2447f0b8 Merge branch '2.8' into 3.3
* 2.8:
  fixed CS
  fixed CS
  [Security] Namespace generated CSRF tokens depending of the current scheme
  ensure that submitted data are uploaded files
  [Console] remove dead code
  bumped Symfony version to 2.8.31
  updated VERSION for 2.8.30
  updated CHANGELOG for 2.8.30
  bumped Symfony version to 2.7.38
  updated VERSION for 2.7.37
  updated CHANGELOG for 2.7.37
  [Security] Validate redirect targets using the session cookie domain
  prevent bundle readers from breaking out of paths
2017-11-16 17:24:32 +02:00
Nicolas Grekas
44c5d7f405 Merge branch '2.7' into 2.8
* 2.7:
  fixed CS
  fixed CS
  [Security] Namespace generated CSRF tokens depending of the current scheme
  ensure that submitted data are uploaded files
  [Console] remove dead code
  bumped Symfony version to 2.7.38
  updated VERSION for 2.7.37
  updated CHANGELOG for 2.7.37
  [Security] Validate redirect targets using the session cookie domain
  prevent bundle readers from breaking out of paths
2017-11-16 17:20:19 +02:00
Fabien Potencier
4d288439bc security #24995 Validate redirect targets using the session cookie domain (nicolas-grekas)
This PR was merged into the 2.7 branch.

Discussion
----------

Validate redirect targets using the session cookie domain

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | n/a
| License       | MIT
| Doc PR        | n/a

<!--
- Bug fixes must be submitted against the lowest branch where they apply
  (lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Please fill in this template according to the PR you're about to submit.
- Replace this comment by a description of what your PR is solving.
-->

Commits
-------

52b06f1c21 [Security] Validate redirect targets using the session cookie domain
2017-11-16 17:16:56 +02:00
Nicolas Grekas
aaf2265203 Replace more docblocks by type-hints 2017-11-07 15:45:01 +01:00
Nicolas Grekas
d7547f2e95 Merge branch '3.4'
* 3.4:
  [3.4] Remove useless docblocks
  [3.3] More docblock fixes
  [2.7] More docblock fixes
  [TwigBridge] Fix BC break due required twig environment
  Random fixes
  Docblock fixes
  [DI] Fix cannot bind env var
  Fix some signatures in PHP-DSLs
  [HttpKernel] Enhance deprecation message
  bumped Symfony version to 3.4.0
  updated VERSION for 3.4.0-BETA3
  updated CHANGELOG for 3.4.0-BETA3
  [SecurityBundle] Fix the datacollector to properly support decision.object being null
2017-11-07 15:34:02 +01:00
Nicolas Grekas
629895c3ef Merge branch '3.3' into 3.4
* 3.3:
  [3.3] More docblock fixes
  [2.7] More docblock fixes
2017-11-07 15:20:24 +01:00
Nicolas Grekas
d3d32d9deb Merge branch '2.8' into 3.3
* 2.8:
  [2.7] More docblock fixes
2017-11-07 15:12:55 +01:00
Nicolas Grekas
72b92c351e Merge branch '2.7' into 2.8
* 2.7:
  [2.7] More docblock fixes
2017-11-07 15:08:47 +01:00
Nicolas Grekas
ac671ac68c [2.7] More docblock fixes 2017-11-07 15:04:08 +01:00
Nicolas Grekas
52b06f1c21 [Security] Validate redirect targets using the session cookie domain 2017-11-06 18:06:45 +01:00
Nicolas Grekas
4c1de3fbff Merge branch '3.4'
* 3.4:
  [HttpFoundation] refactoring: calculate when need
  [Serializer] Fix extra attributes when no group specified
  [Intl] Make intl-data tests pass and save language aliases again
  [FrameworkBundle][Config] fix: do not add resource checkers for debug=false
  [DI] Fix "almost-circular" dependencies handling
  [Console] Fix CommandTester::setInputs() docblock
  Only enabling validation if it is present
  Fix displaying errors for bootstrap 4
  [Serializer] readd default argument value
  Fix reference dump for deprecated nodes
  [PhpUnitBridge] Fixed fatal error in CoverageListener when something goes wrong in Test::setUpBeforeClass
  [HttpKernel] Let the storage manage the session starts
  [VarDumper] fix trailling comma when dumping an exception
  [Validator] Fix TraceableValidator is reset on data collector instantiation
  Remove useless docblocks
  [FrameworkBundle] Fix docblocks
  [PropertyInfo] Remove useless docblocks
2017-11-05 17:26:21 +01:00
Nicolas Grekas
73982760f7 Merge branch '3.3' into 3.4
* 3.3:
  [Serializer] Fix extra attributes when no group specified
  [Intl] Make intl-data tests pass and save language aliases again
  [Console] Fix CommandTester::setInputs() docblock
  [Serializer] readd default argument value
  [VarDumper] fix trailling comma when dumping an exception
  Remove useless docblocks
  [FrameworkBundle] Fix docblocks
  [PropertyInfo] Remove useless docblocks
2017-11-05 17:10:10 +01:00
Nicolas Grekas
b354d6ca84 Merge branch '2.8' into 3.3
* 2.8:
  [Intl] Make intl-data tests pass and save language aliases again
  Remove useless docblocks
  [PropertyInfo] Remove useless docblocks
2017-11-05 16:47:03 +01:00
Nicolas Grekas
9bc9474ff0 Merge branch '2.7' into 2.8
* 2.7:
  [Intl] Make intl-data tests pass and save language aliases again
  Remove useless docblocks
2017-11-05 16:25:56 +01:00
Nicolas Grekas
2443511324 Remove useless docblocks 2017-10-29 10:49:53 +01:00
Nicolas Grekas
4058f2f284 Merge branch '3.4'
* 3.4:
  [DI] minor docblock fixes
2017-10-24 16:16:56 +02:00
Nicolas Grekas
1e1b37753c Merge branch '3.3' into 3.4
* 3.3:
  [DI] minor docblock fixes
2017-10-24 16:12:06 +02:00
Nicolas Grekas
7fb9f614ee Merge branch '2.8' into 3.3
* 2.8:
  [DI] minor docblock fixes
2017-10-24 16:05:06 +02:00
Nicolas Grekas
2b95ba3299 Merge branch '2.7' into 2.8
* 2.7:
  [DI] minor docblock fixes
2017-10-24 15:48:52 +02:00
Nicolas Grekas
0c9edaf336 [DI] minor docblock fixes 2017-10-24 13:40:19 +02:00
Christian Flothmann
45dd40cde8 remove deprecated features 2017-10-06 14:47:08 +02:00
Christian Flothmann
0ab92ece1f Merge branch '3.4'
* 3.4: (26 commits)
  bumped Symfony version to 3.3.11
  updated VERSION for 3.3.10
  updated CHANGELOG for 3.3.10
  bumped Symfony version to 2.8.29
  updated VERSION for 2.8.28
  updated CHANGELOG for 2.8.28
  bumped Symfony version to 2.7.36
  updated VERSION for 2.7.35
  update CONTRIBUTORS for 2.7.35
  updated CHANGELOG for 2.7.35
  Added deprecation to cwd not existing Fixes #18249
  [Session] fix MongoDb session handler to gc all expired sessions
  Add changelog for deprecated DbalSessionHandler
  [Security] Look at headers for switch user username parameter
  Updated Test name and exception name to be more accurate
  newline at end of file
  changed exception message
  Ahh, I see.  It actually wants a newline!
  Removed newline
  Created new Exception to throw and modified tests.
  ...
2017-10-06 11:34:09 +02:00
Fabien Potencier
0c8043a7d6 feature #24388 [Security] Look at headers for switch_user username (chalasr)
This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Look at headers for switch_user username

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #24260
| License       | MIT
| Doc PR        | n/a

Allowing `switch_user.parameter` config node to be a header name.
It's supported by SwitchUserStatelessBundle and I think it makes sense.
Forgotten in #24260 so targets 3.4 but not a blocker.

Commits
-------

3c801951c8 [Security] Look at headers for switch user username parameter
2017-10-05 16:07:43 -07:00
Nicolas Grekas
d3f3721715 Merge branch '3.4'
* 3.4: (33 commits)
  Remove remaining `@experimental` annotations
  Tests and fix for issue in array model data in EntityType field with multiple=true
  [Validator] Add unique entity violation cause
  [Lock] Automaticaly release lock when user forget it
  [Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
  fixed CS
  [FrameworkBundle] Don't clear app pools on cache:clear
  Hide label button when its setted to false
  removed useless PHPDoc
  [HttpFoundation] Return instance in StreamedResponse
  [Form] Fix FormInterface::submit() annotation
  [PHPUnitBridge] don't remove when set to  empty string
  PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
  HttpCache does not consider ESI resources in HEAD requests
  Fix translation for "This field was not expected"
  [Routing] Enhance Route(Collection) docblocks
  Added improvement for accuracy in MoneyToLocalizedStringTransformer.
  Removed unused private property
  Use correct verb form in the pull request template
  Use PHP_MAXPATHLEN in Filesystem.
  ...
2017-10-02 08:59:24 +02:00
Nicolas Grekas
fedcc91c8d Merge branch '3.3' into 3.4
* 3.3: (23 commits)
  Tests and fix for issue in array model data in EntityType field with multiple=true
  [Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
  removed useless PHPDoc
  [Form] Fix FormInterface::submit() annotation
  [PHPUnitBridge] don't remove when set to  empty string
  PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
  HttpCache does not consider ESI resources in HEAD requests
  Fix translation for "This field was not expected"
  [Routing] Enhance Route(Collection) docblocks
  Added improvement for accuracy in MoneyToLocalizedStringTransformer.
  Removed unused private property
  Use correct verb form in the pull request template
  Use PHP_MAXPATHLEN in Filesystem.
  Added null as explicit return type (?TokenInterface)
  [FrameworkBundle] Fix Routing\DelegatingLoader
  Render all line breaks according to the exception message
  [Form] Fix phpdoc
  [DI] remove confusing code
  [Form] Fixed GroupSequence with "constraints" option
  [Validator] Clarify UUID validator behavior
  ...
2017-10-02 08:49:52 +02:00
Nicolas Grekas
a707bbf090 Merge branch '2.8' into 3.3
* 2.8: (22 commits)
  Tests and fix for issue in array model data in EntityType field with multiple=true
  [Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
  removed useless PHPDoc
  [Form] Fix FormInterface::submit() annotation
  PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
  HttpCache does not consider ESI resources in HEAD requests
  Fix translation for "This field was not expected"
  [Routing] Enhance Route(Collection) docblocks
  Added improvement for accuracy in MoneyToLocalizedStringTransformer.
  Removed unused private property
  Use correct verb form in the pull request template
  Use PHP_MAXPATHLEN in Filesystem.
  Added null as explicit return type (?TokenInterface)
  [FrameworkBundle] Fix Routing\DelegatingLoader
  Render all line breaks according to the exception message
  [Form] Fix phpdoc
  [DI] remove confusing code
  [Form] Fixed GroupSequence with "constraints" option
  [Validator] Clarify UUID validator behavior
  [Filesystem] Fixed makePathRelative
  ...
2017-10-02 08:42:24 +02:00
Nicolas Grekas
d4cbc70c50 Merge branch '2.7' into 2.8
* 2.7: (22 commits)
  Tests and fix for issue in array model data in EntityType field with multiple=true
  [Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
  removed useless PHPDoc
  [Form] Fix FormInterface::submit() annotation
  PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
  HttpCache does not consider ESI resources in HEAD requests
  Fix translation for "This field was not expected"
  [Routing] Enhance Route(Collection) docblocks
  Added improvement for accuracy in MoneyToLocalizedStringTransformer.
  Removed unused private property
  Use correct verb form in the pull request template
  Use PHP_MAXPATHLEN in Filesystem.
  Added null as explicit return type (?TokenInterface)
  [FrameworkBundle] Fix Routing\DelegatingLoader
  Render all line breaks according to the exception message
  [Form] Fix phpdoc
  [DI] remove confusing code
  [Form] Fixed GroupSequence with "constraints" option
  [Validator] Clarify UUID validator behavior
  [Filesystem] Fixed makePathRelative
  ...
2017-10-01 23:00:16 +02:00
Nicolas Grekas
17a413876a Remove remaining @experimental annotations 2017-10-01 22:19:08 +02:00
Robin Chalas
3c801951c8 [Security] Look at headers for switch user username parameter 2017-10-01 13:42:23 +02:00
Fabien Potencier
72cc5df5fc minor #24342 removed useless PHPDoc (OskarStark)
This PR was squashed before being merged into the 2.7 branch (closes #24342).

Discussion
----------

removed useless PHPDoc

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | no
| New feature?  | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks?    | no
| Deprecations? | no <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        | n/a

Commits
-------

5ee9043d8b removed useless PHPDoc
2017-09-30 07:00:25 -07:00
Oskar Stark
5ee9043d8b removed useless PHPDoc 2017-09-30 07:00:23 -07:00
Fabien Potencier
bc4a69225f Merge branch '3.4'
* 3.4:
  [FrameworkBundle] Register a NullLogger from test kernels
  [SecurityBundle] Deprecate auto picking the first provider
  [Security] Add user impersonation support for stateless authentication
2017-09-30 06:47:08 -07:00
Robin Chalas
e7a5803e2e [Security] Add user impersonation support for stateless authentication 2017-09-30 13:13:18 +02:00
Christian Flothmann
1e46891f55 Merge branch '3.4'
* 3.4:
  [DI] Fix missing use + minor tweaks
  [Routing] Enhance PHP DSL traits docblocks
  Fix AclSchemaListener deprecation
  Set a NullLogger in ApcuAdapter when Apcu is disabled in CLI
  Minor reword
  [HttpKernel] Make array vs "::" controller definitions consistent
  Fix tests
  [TwigBundle] Remove profiler related scripting
  [TwigBundle][WebProfilerBundle] Switch to DOMContentLoaded event
  [WebProfilerBundle] Hide inactive tabs from CSS
  [TwigBundle] Make deprecations scream in logs
  [TwigBundle] Hide logs if unavailable, i.e. webprofiler
  [TwigBundle] Break long lines in exceptions
  [WebProfilerBundle] Added missing link to profile token
  [DI] Fix decorated service merge in ResolveInstanceofConditionalsPass
  Preserve URI fragment in HttpUtils::generateUri()
  [PhpUnitBridge] do not require an error context
2017-09-28 15:19:12 +02:00
Christian Flothmann
b7d0b09f31 Merge branch '3.3' into 3.4
* 3.3:
  Set a NullLogger in ApcuAdapter when Apcu is disabled in CLI
  Minor reword
  [HttpKernel] Make array vs "::" controller definitions consistent
  Fix tests
  [TwigBundle] Remove profiler related scripting
  [TwigBundle][WebProfilerBundle] Switch to DOMContentLoaded event
  [WebProfilerBundle] Hide inactive tabs from CSS
  [TwigBundle] Make deprecations scream in logs
  [TwigBundle] Hide logs if unavailable, i.e. webprofiler
  [TwigBundle] Break long lines in exceptions
  [WebProfilerBundle] Added missing link to profile token
  [DI] Fix decorated service merge in ResolveInstanceofConditionalsPass
  Preserve URI fragment in HttpUtils::generateUri()
  [PhpUnitBridge] do not require an error context
2017-09-28 15:03:46 +02:00
Fabien Potencier
4cdfebdc4a Merge branch 'pull/24336'
* pull/24336:
  [Security][SecurityBundle] Remove the HTTP digest auth
2017-09-26 15:55:38 -07:00
Maxime Steinhausser
8ff716b1f3 [Security][SecurityBundle] Remove the HTTP digest auth 2017-09-26 15:54:19 -07:00
Fabien Potencier
5d57a42985 Merge branch '3.4'
* 3.4:
  Passing the newly generated security token to the event during user switching.
  Fix changelog and minor tweak for #23485
  [Config] extracted the xml parsing from XmlUtils::loadFile into XmlUtils::parse
  [Security][SecurityBundle] Deprecate the HTTP digest auth
  add ability to configure catching exceptions
  Extract method refactoring for ResourceCheckerConfigCache
2017-09-26 15:53:13 -07:00
Fabien Potencier
b5103a261f feature #24335 [Security][SecurityBundle] Deprecate the HTTP digest auth (ogizanagi)
This PR was merged into the 3.4 branch.

Discussion
----------

[Security][SecurityBundle] Deprecate the HTTP digest auth

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | no
| New feature?  | no <!-- don't forget updating src/**/CHANGELOG.md files -->
| BC breaks?    | no
| Deprecations? | yes <!-- don't forget updating UPGRADE-*.md files -->
| Tests pass?   | yes
| Fixed tickets | #24325  <!-- #-prefixed issue number(s), if any -->
| License       | MIT
| Doc PR        | N/A

See https://github.com/symfony/symfony/pull/24336 for the removal PR on master.

Commits
-------

11fe79d77f [Security][SecurityBundle] Deprecate the HTTP digest auth
2017-09-26 15:51:56 -07:00
Robin Chalas
084e49f2ef feature #21951 [Security][Firewall] Passing the newly generated security token to the event during user switching (klandaika)
This PR was merged into the 3.4 branch.

Discussion
----------

[Security][Firewall] Passing the newly generated security token to the event during user switching

Event allows listeners to easily switch out the token if custom token updates are required

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

Updated SwitchUserEvent to include the generated security Token. Allows the listeners to replace the token with their own (in case an application has some custom logic for token generation). The SwitchUserListener will now use the token returned by the event, so if token was not changed the self generated token will be used. If token was changed in the event then the new token would get used.

Reasons for this feature
--------------------------

In our current project users can have different Role sets depending on which organization they switch to. Our `User->getRoles()` always returns ["ROLE_USER"] and after login user is presented with choice of organizations they want to work in. Based on selected organization roles get updated with then stored token.

Without the change proposed in this PR. The only way we can setup the proper roles during user switch is by replacing `security.authentication.switchuser_listener` service with our own implementation of the listener.

With the proposed change, we can replace the security token with the one having all the roles we require directly inside our listener for `security.switch_user` event that gets thrown by Symfony's `SwitchUserListener`

Commits
-------

4205f1b Passing the newly generated security token to the event during user switching.
2017-09-26 22:15:35 +02:00
VJ
4205f1bc68 Passing the newly generated security token to the event during user switching.
Event allows listeners to easily switch out the token if custom token updates are required
2017-09-26 16:04:50 -04:00
Maxime Steinhausser
11fe79d77f [Security][SecurityBundle] Deprecate the HTTP digest auth 2017-09-26 20:29:06 +02:00
Tobias Schultze
d40820b32f Merge branch '3.4' 2017-09-26 14:31:37 +02:00
Iltar van der Berg
22f525b01f [Security] Deprecated not being logged out after user change 2017-09-26 13:05:21 +02:00
Iltar van der Berg
6522c05876 Removed unused private property 2017-09-26 12:02:43 +02:00
Iltar van der Berg
1ba4dd9b44 Added null as explicit return type (?TokenInterface) 2017-09-25 09:46:32 +02:00
Robin Chalas
f049dd0fba bug #24203 [Security] Preserve URI fragment in HttpUtils::generateUri() (chalasr)
This PR was merged into the 3.3 branch.

Discussion
----------

[Security] Preserve URI fragment in HttpUtils::generateUri()

| Q             | A
| ------------- | ---
| Branch?       | 3.3
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | https://github.com/symfony/symfony/issues/23675
| License       | MIT
| Doc PR        | n/a

Commits
-------

4dd2e3e Preserve URI fragment in HttpUtils::generateUri()
2017-09-17 15:45:14 +02:00