This PR was squashed before being merged into the 2.3 branch (closes #14670).
Discussion
----------
[Security] TokenBasedRememberMeServices test to show why encoding username is required
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #14577
| License | MIT
| Doc PR | no
241538d shows that it's not actually tested, 257b796 reimplements it with test.
I can remove the POC commit if it's not needed.
Commits
-------
63a9736 [Security] TokenBasedRememberMeServices test to show why encoding username is required
This PR was squashed before being merged into the 2.3 branch (closes #14678).
Discussion
----------
[Security] AbstractRememberMeServices::encodeCookie() validates cookie parts
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #14577
| License | MIT
| Doc PR | no
`AbstractRememberMeServices::encodeCookie()` guards against `COOKIE_DELIMITER` in `$cookieParts`.
* it would make `AbstractRememberMeServices::cookieDecode()` broken
* all current extending classes do it anyway (see #14670)
* added tests – it's not a public method, but it is expected to be used by user implementations – as such, it's good to know that it works properly
Commits
-------
464c39a [Security] AbstractRememberMeServices::encodeCookie() validates cookie parts
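The two remember-me PRs above, shown as an added example that is not Symfony's own code: a delimiter-joined cookie loses its field layout when a part contains the delimiter, a guard at encode time rejects such a part, and base64-encoding the username avoids the problem. The function names, the `User` class label, the secret and all sample values are assumptions made for the illustration.

```php
<?php
// Added illustration: hypothetical stand-alone functions, not Symfony's classes.
const COOKIE_DELIMITER = ':';

function encodeCookie(array $cookieParts): string
{
    foreach ($cookieParts as $part) {
        // Guard: a part containing the delimiter cannot be split back unambiguously.
        if (false !== strpos((string) $part, COOKIE_DELIMITER)) {
            throw new InvalidArgumentException('Cookie part contains the delimiter.');
        }
    }

    return base64_encode(implode(COOKIE_DELIMITER, $cookieParts));
}

function decodeCookie(string $rawCookie): array
{
    return explode(COOKIE_DELIMITER, base64_decode($rawCookie));
}

function report(string $label, bool $ok): void
{
    echo ($ok ? 'ok   ' : 'FAIL ').$label."\n";
}

// Constructed sample values.
$username = 'alice:admin';
$expires = '1999999999';
$hash = hash_hmac('sha256', $username.$expires, 'constructed-secret');

// No guard, raw username: decoding yields an extra part and shifts the later fields.
$parts = decodeCookie(base64_encode(implode(COOKIE_DELIMITER, ['User', $username, $expires, $hash])));
report('raw username corrupts the field layout', 5 === count($parts) && $expires !== $parts[2]);

// Guard in place: the same parts are rejected when the cookie is built.
try {
    encodeCookie(['User', $username, $expires, $hash]);
    $rejected = false;
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
report('guard rejects a part containing the delimiter', $rejected);

// Username base64-encoded first: base64 output never contains ':', so the round trip is exact.
[, $encodedUser, $exp, $mac] = decodeCookie(encodeCookie(['User', base64_encode($username), $expires, $hash]));
report('encoded username round-trips', $username === base64_decode($encodedUser) && $exp === $expires && $mac === $hash);
```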
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpKernel] Handle an array vary header in the http cache store
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #12118
| License | MIT
| Doc PR | -
Commits
-------
5930800 [HttpKernel] Handle an array vary header in the http cache store
This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #14513).
Discussion
----------
[console][formater] allow format toString object.
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Fixed tickets | ~
| Tests pass? | yes
| License | MIT
reported by @micayael ( https://twitter.com/juanardissone/status/593859683502325761 )
Commits
-------
70b4964 [console][formater] allow format toString object.
This PR was squashed before being merged into the 2.3 branch (closes #14335).
Discussion
----------
[HttpFoundation] Fix baseUrl when script filename is contained in pathInfo
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #13617
| License | MIT
| Doc PR |
When the script filename is just /index.php, dirname() returns '/' for it. In Request::prepareBaseUrl() we append '/' to it (as introduced in #13039), which is wrong in this scenario as the resulting string is '//'.
When we rtrim('/') the output of dirname() then '/' would be constructed in this case, and in all other cases it makes no difference as dirname() already trims the right forward slash if there are path segments.
The test-cases should clarify the exact scenario.
Commits
-------
f24a6dd [HttpFoundation] Fix baseUrl when script filename is contained in pathInfo
This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #14593).
Discussion
----------
[Security][Firewall] Avoid redirection to XHR URIs
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
If `security.firewalls.main.form_login.always_use_default_target_path` is false, a user could be redirected to a URL called by an AJAX request after the login.
Commits
-------
9ee74ea Avoid redirection to XHR URIs
This PR was merged into the 2.3 branch.
Discussion
----------
[DomCrawler] Throw an exception if a form field path is incomplete
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11807
| License | MIT
| Doc PR | -
Commits
-------
991e65c [DomCrawler] Throw an exception if a form field path is incomplete.
This PR was merged into the 2.3 branch.
Discussion
----------
[Console] Delete duplicate test in CommandTest
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
The __get method is not implemented in the Command class, and the deleted test was duplicated with the preceding one.
Commits
-------
4a4eda9 [Console] Delete duplicate test in CommandTest
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3] Fix HTML escaping of to-source links
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Commits
-------
385a6b7 Fix HTML escaping of to-source links
This PR was submitted for the master branch but it was merged into the 2.3 branch instead (closes #14690).
Discussion
----------
[HttpFoundation] IpUtils::checkIp4() should allow `/0` networks
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #14674
| License | MIT
Technically it's a breaking change, since the result of the
`IpUtils::checkIp4('1.2.3.4', '0.0.0.0/0')`
call was `false`, now `true`.
Practically, no one should ever have relied on this, since it's simply wrong.
Commits
-------
921ecff [HttpFoundation] IpUtils::checkIp4() should allow networks
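A CIDR membership check that handles the `/0` case from the PR above, shown as an added example that is not Symfony's `IpUtils` code. `ip4InCidr()` and the sample inputs are assumptions; the example goes slightly beyond the PR text by also checking that `/0` does not accept an invalid request address.

```php
<?php
// Added illustration: ip4InCidr() is a hypothetical helper, not Symfony's IpUtils.
// Assumes 64-bit PHP, where ip2long() returns a non-negative integer.
function ip4InCidr(string $requestIp, string $cidr): bool
{
    $slash = strpos($cidr, '/');
    $address = false === $slash ? $cidr : substr($cidr, 0, $slash);
    $prefix = false === $slash ? '32' : substr($cidr, $slash + 1);

    // Both addresses must be valid IPv4, including for /0, which matches every valid address.
    if (false === filter_var($requestIp, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)
        || false === filter_var($address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return false;
    }
    // Prefix length must be a plain decimal number from 0 to 32 inclusive.
    if (!ctype_digit($prefix) || (int) $prefix > 32) {
        return false;
    }

    $bits = (int) $prefix;
    // /0 gets an all-zero mask explicitly instead of relying on a 32-bit shift.
    $mask = 0 === $bits ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;

    return (ip2long($requestIp) & $mask) === (ip2long($address) & $mask);
}

// Constructed sample inputs.
$cases = [
    ['1.2.3.4', '0.0.0.0/0'],
    ['1.2.3.4', '1.2.3.0/24'],
    ['1.2.4.4', '1.2.3.0/24'],
    ['1.2.3.4', '1.2.3.4'],
    ['1.2.3.4', '1.2.3.4/33'],
    ['not-an-ip', '0.0.0.0/0'],
];
foreach ($cases as [$ip, $cidr]) {
    printf("%-10s in %-12s => %s\n", $ip, $cidr, var_export(ip4InCidr($ip, $cidr), true));
}
```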
This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #14681).
Discussion
----------
[FrameworkBundle] Removed unnecessary parameter in TemplateController
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | They should
| License | MIT
`Response::setPublic()` doesn't have any parameters, so this parameter call is not needed.
Commits
-------
7a4394e [FrameworkBundle] Removed unnecessary parameter in TemplateController
This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #14262).
Discussion
----------
[TwigBundle] Refresh twig paths when resources change.
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Fixed tickets | ~
| Tests pass? | yes
| License | MIT
Commits
-------
cafb0d7 [TwigBundle] Refresh twig paths when resources change.
This PR was merged into the 2.3 branch.
Discussion
----------
[ServerBag] Handled bearer authorization header in REDIRECT_ form
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
Apache rewrite module renames client request header (`HTTP_`) by prepending `REDIRECT_` to it. HTTP basic authentication and HTTP digest authentication are properly processed in `REDIRECT_` form, while bearer is processed in `HTTP_` form, but dropped in `REDIRECT_` form.
Example:
The following auth headers are handled in ServerBag,
```
HTTP_AUTHORIZATION => Basic aGVsbG86d29ybGQ=
REDIRECT_HTTP_AUTHORIZATION => Basic aGVsbG86d29ybGQ=
HTTP_AUTHORIZATION => Digest blah
REDIRECT_HTTP_AUTHORIZATION => Digest blah
HTTP_AUTHORIZATION => Bearer mF_9.B5f-4.1JqM
```
while
```
REDIRECT_HTTP_AUTHORIZATION => Bearer mF_9.B5f-4.1JqM
```
is dropped.
Commits
-------
7b2e2df Handled bearer authorization header in REDIRECT_ form
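The header handling described in the PR above, shown as an added example that is not Symfony's `ServerBag` code: the authorization value is read from either key, and a bearer token is kept whichever key carried it. `normalizeAuthorization()` and the output key names are assumptions; the header values are the ones quoted in the PR description.

```php
<?php
// Added illustration: normalizeAuthorization() is a hypothetical helper, not Symfony's ServerBag.
function normalizeAuthorization(array $server): array
{
    $headers = [];
    // mod_rewrite may deliver the header only under the REDIRECT_ prefix.
    $authorization = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null;
    if (null === $authorization) {
        return $headers;
    }

    if (0 === stripos($authorization, 'basic ')) {
        // Strict base64 decoding; a malformed value yields no credentials at all.
        $decoded = base64_decode(substr($authorization, 6), true);
        $pair = false === $decoded ? [] : explode(':', $decoded, 2);
        if (2 === count($pair)) {
            [$headers['PHP_AUTH_USER'], $headers['PHP_AUTH_PW']] = $pair;
        }
    } elseif (0 === stripos($authorization, 'digest ')) {
        $headers['PHP_AUTH_DIGEST'] = $authorization;
    } elseif (0 === stripos($authorization, 'bearer ')) {
        // The case from the PR: keep the token regardless of which key carried it.
        $headers['AUTHORIZATION'] = $authorization;
    }

    return $headers;
}

// Constructed $_SERVER-style samples using the header values from the PR description.
$samples = [
    ['HTTP_AUTHORIZATION' => 'Basic aGVsbG86d29ybGQ='],
    ['REDIRECT_HTTP_AUTHORIZATION' => 'Digest blah'],
    ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer mF_9.B5f-4.1JqM'],
];
foreach ($samples as $server) {
    echo json_encode($server), ' => ', json_encode(normalizeAuthorization($server)), "\n";
}
```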
This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #13637).
Discussion
----------
[CSS] WebProfiler break words
WebProfiler CSS word-break: break-all;
Do you need more description?
Commits
-------
7259d72 WebProfiler break words
This PR was merged into the 2.3 branch.
Discussion
----------
[Framework] added test for router commands.
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Fixed tickets | ~
| Tests pass? | yes
| License | MIT
- [x] router:debug
- [x] router:match
Commits
-------
6d403a7 [Framework] added test for Router commands.
This PR was merged into the 2.3 branch.
Discussion
----------
[Security][Translation] fixes #14584
| Q | A
| ------------- | ---
| Fixed tickets | #14584
| License | MIT
Some french translations are wrong in the security component.
As #14587 has been closed here's my fix.
Commits
-------
34c780f [Security][Translation] fixes #14584
This PR was merged into the 2.3 branch.
Discussion
----------
CS: Pre incrementation/decrementation should be used if possible
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Fixes provided by new fixer: https://github.com/FriendsOfPHP/PHP-CS-Fixer/pull/1113
If this PR is merged I would change the level of the fixer to `symfony`.
Commits
-------
c5123d6 CS: Pre incrementation/decrementation should be used if possible
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] Fix tests in HHVM
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| License | MIT
This PR fixes the tests in the Security components when run in HHVM. The failing tests are related to sebastianbergmann/phpunit-mock-objects#207
Commits
-------
139bae7 Fix tests in HHVM
This PR was merged into the 2.3 branch.
Discussion
----------
Add PHP7 compatible versions for the Null/True/False constraints as they are reserved words in PHP7
| Q | A
| ------------- | ---
| Bug fix? | PHP7 compatibility
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | N/A
| Fixed tickets | N/A - helps towards https://github.com/symfony/symfony/issues/14086
| License | MIT
Null, True and False are reserved words in PHP7:
https://wiki.php.net/rfc/reserve_more_types_in_php_7
Commits
-------
44edbdf Fixed compatibility with PHP7 and up by introducing new constraints (IsNull, IsTrue, IsFalse) and related validators (IsNullValidator, IsTrueValidator, IsFalseValidator)
This PR was merged into the 2.3 branch.
Discussion
----------
[2.3][EventDispatcher] make listeners removable from an executed listener
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #13972
| License | MIT
| Doc PR |
This fixes #13972 for Symfony 2.3. On Symfony 2.6 and higher, this has already been fixed with #14355.
Commits
-------
54bb399 [EventDispatcher] make listeners removable from an executed listener
This PR was merged into the 2.3 branch.
Discussion
----------
[travis] Don't use the cache
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
The composer cache breaks per components builds (deps=low/high)
Commits
-------
103c0df [travis] Don't use the cache
This PR was merged into the 2.3 branch.
Discussion
----------
[travis] Use container-based infrastructure
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Let's see if this works...
Commits
-------
2aea3aa [travis] Use container-based infrastructure