* 3.4:
[php_cs] disable fopen_flags
[DI] fix error in dumped container
[CS] Remove unused variables passed to closures
[DI] fix dumping setters before their inlined instances
[CS] Remove empty comment
[CS] Enforces null type hint on last position in phpDocs
[CS] Use combined assignment operators when possible
Fix a typo in error messages
Don't return early as this bypasses the auto exit feature
[Console] Add missing null to input values allowed types
[PHPUnitBridge] Fix microtime() format
bumped Symfony version to 3.4.17
updated VERSION for 3.4.16
updated CHANGELOG for 3.4.16
bumped Symfony version to 2.8.47
update CONTRIBUTORS for 2.8.46
updated VERSION for 2.8.46
updated CHANGELOG for 2.8.46
* 2.8:
[php_cs] disable fopen_flags
[CS] Remove unused variables passed to closures
[CS] Remove empty comment
[CS] Enforces null type hint on last position in phpDocs
[CS] Use combined assignment operators when possible
Fix a typo in error messages
[Console] Add missing null to input values allowed types
[PHPUnitBridge] Fix microtime() format
bumped Symfony version to 2.8.47
update CONTRIBUTORS for 2.8.46
updated VERSION for 2.8.46
updated CHANGELOG for 2.8.46
* 4.0:
Fix Clidumper tests
Enable the fixer enforcing fully-qualified calls for compiler-optimized functions
Apply fixers
Disable the native_constant_invocation fixer until it can be scoped
Update the list of excluded files for the CS fixer
* 3.4:
Fix Clidumper tests
Enable the fixer enforcing fully-qualified calls for compiler-optimized functions
Apply fixers
Disable the native_constant_invocation fixer until it can be scoped
Update the list of excluded files for the CS fixer
* 2.8:
Fix Clidumper tests
Enable the fixer enforcing fully-qualified calls for compiler-optimized functions
Apply fixers
Disable the native_constant_invocation fixer until it can be scoped
Update the list of excluded files for the CS fixer
* 3.4:
PHP CS Fixer: clean up repo and adjust config
use interface_exists instead of class_exists
[DX] [DI] Improve exception for invalid setter injection arguments
Dumper shouldn't use html format for phpdbg
[Validator] Fix access to root object when using composite constraint
* 2.8:
PHP CS Fixer: clean up repo and adjust config
Dumper shouldn't use html format for phpdbg
[Validator] Fix access to root object when using composite constraint
* 2.8: (22 commits)
Tests and fix for issue in array model data in EntityType field with multiple=true
[Form] Fixed PercentToLocalizedStringTransformer to accept both comma and dot as decimal separator, if possible
removed useless PHPDoc
[Form] Fix FormInterface::submit() annotation
PdoSessionHandler: fix advisory lock for pgsql when session.sid_bits_per_character > 4
HttpCache does not consider ESI resources in HEAD requests
Fix translation for "This field was not expected"
[Routing] Enhance Route(Collection) docblocks
Added improvement for accuracy in MoneyToLocalizedStringTransformer.
Removed unused private property
Use correct verb form in the pull request template
Use PHP_MAXPATHLEN in Filesystem.
Added null as explicit return type (?TokenInterface)
[FrameworkBundle] Fix Routing\DelegatingLoader
Render all line breaks according to the exception message
[Form] Fix phpdoc
[DI] remove confusing code
[Form] Fixed GroupSequence with "constraints" option
[Validator] Clarify UUID validator behavior
[Filesystem] Fixed makePathRelative
...
* 3.2:
Fix optional cache warmers are always instantiated whereas they should be lazy-loaded
add some \ on PHP_VERSION_ID for 2.8
[PropertyInfo][DoctrineBridge] The bigint Doctrine's type must be converted to string
This PR was merged into the 3.3-dev branch.
Discussion
----------
Secure unserialize by restricting allowed classes when using PHP 7
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ---
| License | MIT
| Doc PR | ---
While playing around with Symfony in a PHP 7.1 application I noticed a warning in how EnvParameterResoure uses unserialize. Since PHP 7.0 introduced the options argument which allows to restrict which classes can be unserialized for better security, it might make sense to use it here. As far as I can tell this is no BC break, it only provides an additional safety mechanism.
Commits
-------
b4201810b9 Conditionally add options to unserialize in PHP 7.0+.
* 3.1:
fixed @return when returning this or static
override property constraints in child class
removed unneeded comment
[Console] improved code coverage of Command class
[FrameworkBundle] Make TemplateController working without the Templating component
Only count on arrays or countables to avoid warnings in PHP 7.2
* 2.8:
fixed @return when returning this or static
override property constraints in child class
removed unneeded comment
[Console] improved code coverage of Command class
[FrameworkBundle] Make TemplateController working without the Templating component
Only count on arrays or countables to avoid warnings in PHP 7.2
* 2.3:
Configure firewall's kernel exception listener with configured entry point or a default entry point
PSR-2 fixes
[DependencyInjection] make paths relative to __DIR__ in the generated container
Fixed the syntax of a composer.json file
Fixed the symfony/config version constraint
Tweaked the password-compat version constraint
Docblock fixes
define constant only if it wasn't defined before
Fix incorrect spanish translation
Fixed typos
Conflicts:
composer.json
src/Symfony/Bridge/Twig/TwigEngine.php
src/Symfony/Bundle/FrameworkBundle/Controller/Controller.php
src/Symfony/Bundle/FrameworkBundle/Templating/Loader/FilesystemLoader.php
src/Symfony/Bundle/FrameworkBundle/composer.json
src/Symfony/Component/Console/Descriptor/MarkdownDescriptor.php
src/Symfony/Component/Console/Helper/TableHelper.php
src/Symfony/Component/Console/Tests/Helper/HelperSetTest.php
src/Symfony/Component/Debug/ErrorHandler.php
src/Symfony/Component/DependencyInjection/Dumper/PhpDumper.php
src/Symfony/Component/Finder/Tests/Iterator/RecursiveDirectoryIteratorTest.php
src/Symfony/Component/Form/Tests/Extension/Core/DataMapper/PropertyPathMapperTest.php
src/Symfony/Component/HttpFoundation/Response.php
src/Symfony/Component/HttpFoundation/StreamedResponse.php
src/Symfony/Component/HttpKernel/Controller/ControllerResolver.php
src/Symfony/Component/HttpKernel/Controller/ControllerResolverInterface.php
src/Symfony/Component/HttpKernel/Debug/TraceableEventDispatcher.php
src/Symfony/Component/HttpKernel/Fragment/RoutableFragmentRenderer.php
src/Symfony/Component/HttpKernel/Tests/DataCollector/RequestDataCollectorTest.php
src/Symfony/Component/Intl/NumberFormatter/NumberFormatter.php
src/Symfony/Component/Process/Process.php
src/Symfony/Component/Process/Tests/AbstractProcessTest.php
src/Symfony/Component/PropertyAccess/PropertyAccessorBuilder.php
src/Symfony/Component/Routing/Tests/Fixtures/validpattern.php
src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php
src/Symfony/Component/Security/composer.json
src/Symfony/Component/Serializer/Encoder/XmlEncoder.php
src/Symfony/Component/Serializer/Normalizer/GetSetMethodNormalizer.php
src/Symfony/Component/Stopwatch/StopwatchEvent.php
src/Symfony/Component/Stopwatch/StopwatchPeriod.php
src/Symfony/Component/Templating/PhpEngine.php
src/Symfony/Component/Templating/TemplateReference.php
src/Symfony/Component/Templating/TemplateReferenceInterface.php
src/Symfony/Component/Translation/TranslatorInterface.php
src/Symfony/Component/Validator/ConstraintViolation.php
src/Symfony/Component/Validator/ExecutionContextInterface.php
src/Symfony/Component/Validator/Mapping/ClassMetadata.php
src/Symfony/Component/Validator/MetadataFactoryInterface.php
* 2.3:
added missing files
[TwigBundle] added a test
Indicate which file was being parsed if an exception is thrown while running translation:debug
[ClassLoader] Cast $useIncludePath property to boolean
[HttpFoundation] Minor spelling fix in PHPDocs
improve error message for multiple documents
[Session] remove invalid workaround in session regenerate
[Kernel] ensure session is saved before sending response
[Routing] serialize the compiled route to speed things up
[Validator] Fixed Regex::getHtmlPattern() to work with complex and negated patterns
[DependencyInjection] use inheritdoc for loaders
[Config] fix filelocator with empty name
[Form] fix form handling with unconventional request methods like OPTIONS
CSRF warning docs on Request::enableHttpMethodParameterOverride()
Conflicts:
src/Symfony/Component/Routing/Route.php
This also makes the CompiledRoute implement Serializable in order to:
1. make the serialization format shorter
2. have no null bytes in there, which the native serializer add for private properties, and thus would complicate saving in databases etc.
3. We should add to our symfony BC promise, that only classes that implement Serializable are ensured to be deserializable correctly with serialized representations of the class in previous symfony versions.