This PR was merged into the 2.3 branch.
Discussion
----------
[DependencyInjection] remove `service` parameter type from XSD
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | symfony/symfony-docs#4222
Referencing a service in a parameter doesn't work and will lead to an error when the configuration is loaded (see symfony/symfony-docs#4211).
Commits
-------
7333c2d remove `service` parameter type from XSD
This PR was merged into the 2.3 branch.
Discussion
----------
[Intl] Updated icu.ini up to ICU 53
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
Extracted from #9206.
Commits
-------
260e2fe [Intl] Updated icu.ini up to ICU 53
This PR was merged into the 2.3 branch.
Discussion
----------
[Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
The code in question didn't actually work. This was extracted from #9206.
Commits
-------
5feda5e [Intl] Removed non-working $fallback argument from ArrayAccessibleResourceBundle
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] Use hash_equals for constant-time string comparison (again)
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | n/a
Use the `hash_equals` function (introduced in PHP 5.6) for timing attack safe string comparison when available.
Add in the DocBlock that length will leak (https://github.com/symfony/symfony/pull/11797#issuecomment-53990712).
Commits
-------
3071557 [Security] Add more tests for StringUtils::equals
03bd74b [Security] Use hash_equals for constant-time string comparison
This PR was merged into the 2.3 branch.
Discussion
----------
[DI] Added safeguards against invalid config in the YamlFileLoader
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11333
| License | MIT
| Doc PR | n/a
Exceptions explaining the mistake are better than fatal errors or weird notices appearing when trying to deal with such invalid data.
The XML file loader is not affected by this because the data are validated with the XSD before being processed
Commits
-------
5183501 [DI] Added safeguards against invalid config in the YamlFileLoader
We didn't have this tag yet when this component was first written. The code in that
namespace is only used for resource bundle generation and was never meant for public
use.
This PR was merged into the 2.3 branch.
Discussion
----------
[HttpKernel] Escape ESI url in generated response
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets |
| License | MIT
| Doc PR | NA
If a template with an `<esi>` tag is configured with an URL containing a `'` (in `src` or `alt`) ; the HttpCache will generate invalide php code.
It's not a security issue, given the template and the `<esi>` tag is written by the developper, but, as the character quote is allowed in URL (https://tools.ietf.org/html/rfc3986) it coud be a potential bug.
Commits
-------
b044c45 Escape parameter on generated response
This PR was merged into the 2.3 branch.
Discussion
----------
[Yaml] improve error message when detecting unquoted asterisks
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11835
| License | MIT
| Doc PR |
Asterisks in unquoted strings are used in YAML to reference variables. Before Symfony 2.3.19, Symfony 2.4.9 and Symfony 2.5.4, unquoted asterisks in inlined YAML code were treated as regular strings. This was fixed for the inline parser in #11677. However, an unquoted * character now led to an error message like this:
```
PHP Warning: array_key_exists(): The first argument should be either a string or an integer in vendor/symfony/symfony/src/Symfony/Component/Yaml/Inline.php on line 409
[Symfony\Component\Yaml\Exception\ParseException]
Reference "" does not exist at line 171 (near "- { foo: * }").
```
Commits
-------
854e07b improve error when detecting unquoted asterisks
Asterisks in unquoted strings are used in YAML to reference
variables. Before Symfony 2.3.19, Symfony 2.4.9 and Symfony 2.5.4,
unquoted asterisks in inlined YAML code were treated as regular
strings. This was fixed for the inline parser in #11677. However, an
unquoted * character now led to an error message like this:
```
PHP Warning: array_key_exists(): The first argument should be either a string or an integer in vendor/symfony/symfony/src/Symfony/Component/Yaml/Inline.php on line 409
[Symfony\Component\Yaml\Exception\ParseException]
Reference "" does not exist at line 171 (near "- { foo: * }").
```
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
9e1bc22 Add tests and more assertions
101a3b7 [FrameworkBundle][Translator] Validate locales.
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
3b4046e [HttpFoundation] added some missing tests
cefe237 fix parsing of Authorization header
This PR was merged into the 2.3 branch.
Discussion
----------
n/a
n/a
Commits
-------
1ee96a8 Test examples from Drupal SA-CORE-2014-003
5506ee8 Fix potential DoS when parsing HOST
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] fixing typo in a comment
| Q | A
| ------------- | ---
| Fixed tickets |
| License | MIT
As reported [here](https://github.com/symfony/symfony/pull/11574/files#r16934052).
Commits
-------
faefd66 fixing typo in a comment
This PR was merged into the 2.3 branch.
Discussion
----------
[Security] Made optimization on constant-time algorithm removing modulus operator
| Q | A
| ------------- | ---
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | -
| License | MIT
| Doc PR | -
This fix improves the constant-time algorithm used to compare strings, as it removes the `%` operator inside the loop.
Commits
-------
000bd0d Made optimization deprecating modulus operator
This PR was merged into the 2.3 branch.
Discussion
----------
[Yaml] fixed mapping keys containing a quoted #
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11700, #11723
| License | MIT
| Doc PR | n/a
Commits
-------
110f999 [Yaml] fixed mapping keys containing a quoted #
8ba3b28 Added fixture to test parsing of hash keys ending with a space and #
This PR was squashed before being merged into the 2.3 branch (closes#11768).
Discussion
----------
[ClassLoader] Add a __call() method to XcacheClassLoader
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11733
| License | MIT
| Doc PR |
Commits
-------
dd0d6af [ClassLoader] Add a __call() method to XcacheClassLoader
This PR was merged into the 2.3 branch.
Discussion
----------
[YAML] resolve variables in inlined YAML
| Q | A
| ------------- | ---
| Bug fix? | yes
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #11665
| License | MIT
| Doc PR |
#11569 does not resolve variables in inline YAML.
Commits
-------
45a5863 [YAML] resolve variables in inlined YAML