This PR was merged into the 3.4 branch.
Discussion
----------
[HttpKernel] Uses cookies to track the requests redirection
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #25698
| License | MIT
| Doc PR | ø
In order to track the redirections across requests, we need to have some state. So far, we've been using the session but some users have complained about it (#24774, #24730). The idea is that we don't actually need the session, we can use cookies.
It's a tradeoff: using a cookie would mean that both the redirection and the target page will not be cachable (because of the Set-Cookie to set the sf_redirect and the one to clear it).
As it's only on dev, it seems fair to say that having no cache (because of `Set-Cookie`s) is a better side effect than starting the session.
Commits
-------
83f257943f Uses cookies to track the requests redirection
This PR was merged into the 3.3 branch.
Discussion
----------
[FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #25695
| License | MIT
| Doc PR | -
When `annotation_reader` is instantiated in an after-removing pass, it gets the real cache provider, instead of the dummy one that should be provided during compilation of the container.
This situation is found in e.g. `JMS\AopBundle\DependencyInjection\Compiler\PointcutMatchingPass`.
A workaround before next release could be to "get" the `annotation_reader` service somewhere before (like in a regular compiler pass of your own.)
Commits
-------
f66f9a7b37 [FrameworkBundle] Fix using "annotations.cached_reader" in after-removing passes
This PR was merged into the 2.7 branch.
Discussion
----------
[Security] Fail gracefully if the security token cannot be unserialized from the session
| Q | A
| ------------- | ---
| Branch? | 2.7
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR |
If the security token in the session can't be unserialized, an `E_NOTICE` is issued. This prevents it (and provides a better log message if it's not even a `__PHP_Incomplete_Class`).
This is similar to #24731, but I saw it triggered when changing OAuth library (https://github.com/elifesciences/journal/pull/824), so the token class itself no longer exists. (I want to avoid having to manually invalidate all sessions, as not all sessions use that token class.)
Commits
-------
053fa43add [Security] Fail gracefully if the security token cannot be unserialized from the session
This PR was submitted for the 3.4 branch but it was squashed and merged into the 3.3 branch instead (closes#25585).
Discussion
----------
Add type string to docblock for Process::setInput()
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | none
| License | MIT
| Doc PR | none
Add `string` as valid `$input` for `Process::setInput()`. Since `getInput()` will also return as string and the internal method `ProcessUtils::validateInput()` will accept a string, this should be a viable input type.
Commits
-------
e3de68f2 Add type string to docblock for Process::setInput()
This PR was merged into the 3.3 branch.
Discussion
----------
Run simple-phpunit with --no-suggest option
| Q | A
| ------------- | ---
| Branch? | 3.3
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes/no
| Fixed tickets | #... <!-- #-prefixed issue number(s), if any -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
This should reduce the output on CI a bit :) (see https://travis-ci.org/msgphp/msgphp/jobs/325750064#L865)
Not really tested.. so i hope someone can confirm. AFAIK it happens from here.
Commits
-------
7c9a6c3864 Run simple-phpunit with --no-suggest option
This PR was squashed before being merged into the 3.4 branch (closes#25685).
Discussion
----------
Use triggering file to determine weak vendors if when the test is run in a separate process
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks? | no
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md files -->
| Tests pass? | I think so
| Fixed tickets | #25684
| License | MIT
| Doc PR | symfony/symfony-docs#... <!--highly recommended for new features-->
<!--
- Bug fixes must be submitted against the lowest branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too).
- Features and deprecations must be submitted against the master branch.
- Replace this comment by a description of what your PR is solving.
-->
Commits
-------
3830577 Use triggering file to determine weak vendors if when the test is run in a separate process
* 3.4:
Remove randomness from dumped containers
fixed messages to be explicit about the package needed to be installed
[FrameworkBundle] Fix recommended composer command (add vendor)
[WebProfilerBundle] set the var in the right scope
[TwigBundle] fix lowest dep
[HttpKernel] Disable CSP header on exception pages
Use the default host even if context is empty and fallback to relative URL if empty host
Proposing Flex-specific error messages in the controller shortcuts
This PR was merged into the 3.4 branch.
Discussion
----------
Remove randomness from dumped containers
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
With this PR, the generated container is immutable by cache clearing: it doesn't contain any random string anymore (well, third party bundles can add random things back, but at least core doesn't).
Since the class+file name of the container is based on a hash of its content, it means that they are now stable also. This should help fix some edge cases/race conditions during cache clears/rebuilds.
(fabbot failure is false positive)
Commits
-------
14dd5d1dbd Remove randomness from dumped containers